devise 1.1.rc2 → 1.1.0

data/CHANGELOG.rdoc

@@ -1,3 +1,23 @@
+== 1.1.0
+
+* enhancements
+  * Rememberable module allows user to be remembered across browsers and is enabled by default (by github.com/trevorturk)
+  * Rememberable module allows you to activate the period the remember me token is extended (by github.com/trevorturk)
+  * devise_for can now be used together with scope method in routes but with a few limitations (check the documentation)
+  * Support `as` or `devise_scope` in the router to specify controller access scope
+  * HTTP Basic Auth can now be disabled/enabled for xhr(ajax) requests using http_authenticatable_on_xhr option (by github.com/pellja)
+
+* bug fix
+  * Fix a bug in Devise::TestHelpers where current_user was returning a Response object for non active accounts
+  * Devise should respect script_name and path_info contracts
+  * Fix a bug when accessing a path with (.:format) (by github.com/klacointe)
+  * Do not add unlock routes unless unlock strategy is email or both
+  * Email should be case insensitive
+  * Store classes as string in session, to avoid serialization and stale data issues
+
+* deprecations
+  * use_default_scope is deprecated and has no effect. Use :as or :devise_scope in the router instead
+
 == 1.1.rc2
 
 * enhancements
@@ -16,7 +36,7 @@
   * devise.mailer.user.confirmations_instructions now should be devise.mailer.confirmations_instructions.user_subject
   * Generators now use Rails 3 syntax (devise:install) instead of devise_install
 
-== 1.1.rc
+== 1.1.rc1
 
 * enhancements
   * Rails 3 compatibility
@@ -29,7 +49,7 @@
   * E-mails now use any template available in the filesystem. Easy to create multipart e-mails
   * E-mails asks headers_for in the model to set the proper headers
   * Allow to specify haml in devise_views
-  * Compatibility with Datamapper and Mongoid
+  * Compatibility with Mongoid
   * Make config.devise available on config/application.rb
   * TokenAuthenticatable now works with HTTP Basic Auth
   * Allow :unlock_strategy to be :none and add :lock_strategy which can be :failed_attempts or none. Setting those values to :none means that you want to handle lock and unlocking by yourself

data/Gemfile

@@ -1,7 +1,11 @@
 source "http://rubygems.org"
 
-# Need to install Rails from source
-gem "rails", "3.0.0.beta4"
+if File.exist? File.expand_path('../../rails', __FILE__)
+  gem "rails", :path => "../rails"
+else
+  gem "rails", :git => "git://github.com/rails/rails.git"
+end
+
 gem "warden", "0.10.7"
 gem "sqlite3-ruby"
 gem "webrat", "0.7.0"
@@ -16,14 +20,4 @@ group :mongoid do
   gem "mongo"
   gem "mongoid", :git => "git://github.com/durran/mongoid.git"
   gem "bson_ext"
-end
-
-group :data_mapper do
-  gem 'dm-core',           '~> 1.0.0', :git => 'git://github.com/datamapper/dm-core'
-  gem 'dm-migrations',     '~> 1.0.0', :git => 'git://github.com/datamapper/dm-migrations'
-  gem 'dm-sqlite-adapter', '~> 1.0.0', :git => 'git://github.com/datamapper/dm-sqlite-adapter'
-  gem 'dm-validations',    '~> 1.0.0', :git => 'git://github.com/datamapper/dm-validations'
-  gem 'dm-serializer',     '~> 1.0.0', :git => 'git://github.com/datamapper/dm-serializer'
-  gem 'dm-timestamps',     '~> 1.0.0', :git => 'git://github.com/datamapper/dm-timestamps'
-  gem 'dm-rails',          '~> 1.0.0', :git => 'git://github.com/datamapper/dm-rails'
-end
+end

data/Gemfile.lock

@@ -0,0 +1,118 @@
+GIT
+  remote: git://github.com/durran/mongoid.git
+  revision: a5abe21
+  specs:
+    mongoid (2.0.0.beta9)
+      activemodel (~> 3.0.0.beta)
+      bson (~> 1.0.3)
+      mongo (~> 1.0.3)
+      tzinfo (~> 0.3.22)
+      will_paginate (~> 3.0.pre)
+
+PATH
+  remote: /Users/jose/Work/github/rails
+  specs:
+    actionmailer (3.0.0.beta4)
+      actionpack (= 3.0.0.beta4)
+      mail (~> 2.2.5)
+    actionpack (3.0.0.beta4)
+      activemodel (= 3.0.0.beta4)
+      activesupport (= 3.0.0.beta4)
+      builder (~> 2.1.2)
+      erubis (~> 2.6.6)
+      i18n (~> 0.4.1)
+      rack (~> 1.2.1)
+      rack-mount (~> 0.6.9)
+      rack-test (~> 0.5.4)
+      tzinfo (~> 0.3.22)
+    activemodel (3.0.0.beta4)
+      activesupport (= 3.0.0.beta4)
+      builder (~> 2.1.2)
+      i18n (~> 0.4.1)
+    activerecord (3.0.0.beta4)
+      activemodel (= 3.0.0.beta4)
+      activesupport (= 3.0.0.beta4)
+      arel (~> 0.4.0)
+      tzinfo (~> 0.3.22)
+    activeresource (3.0.0.beta4)
+      activemodel (= 3.0.0.beta4)
+      activesupport (= 3.0.0.beta4)
+    activesupport (3.0.0.beta4)
+    rails (3.0.0.beta4)
+      actionmailer (= 3.0.0.beta4)
+      actionpack (= 3.0.0.beta4)
+      activerecord (= 3.0.0.beta4)
+      activeresource (= 3.0.0.beta4)
+      activesupport (= 3.0.0.beta4)
+      bundler (>= 1.0.0.beta.10)
+      railties (= 3.0.0.beta4)
+    railties (3.0.0.beta4)
+      actionpack (= 3.0.0.beta4)
+      activesupport (= 3.0.0.beta4)
+      rake (>= 0.8.3)
+      thor (~> 0.14.0)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    abstract (1.0.0)
+    arel (0.4.0)
+      activesupport (>= 3.0.0.beta)
+    bcrypt-ruby (2.1.2)
+    bson (1.0.4)
+    bson_ext (1.0.4)
+    builder (2.1.2)
+    columnize (0.3.1)
+    erubis (2.6.6)
+      abstract (>= 1.0.0)
+    i18n (0.4.1)
+    linecache (0.43)
+    mail (2.2.5)
+      activesupport (>= 2.3.6)
+      mime-types
+      treetop (>= 1.4.5)
+    mime-types (1.16)
+    mocha (0.9.8)
+      rake
+    mongo (1.0.5)
+      bson (>= 1.0.4)
+    nokogiri (1.4.2)
+    polyglot (0.3.1)
+    rack (1.2.1)
+    rack-mount (0.6.9)
+      rack (>= 1.0.0)
+    rack-test (0.5.4)
+      rack (>= 1.0)
+    rake (0.8.7)
+    ruby-debug (0.10.3)
+      columnize (>= 0.1)
+      ruby-debug-base (~> 0.10.3.0)
+    ruby-debug-base (0.10.3)
+      linecache (>= 0.3)
+    sqlite3-ruby (1.3.1)
+    thor (0.14.0)
+    treetop (1.4.8)
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.22)
+    warden (0.10.7)
+      rack (>= 1.0.0)
+    webrat (0.7.0)
+      nokogiri (>= 1.2.0)
+      rack (>= 1.0)
+      rack-test (>= 0.5.3)
+    will_paginate (3.0.pre)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  bcrypt-ruby
+  bson_ext
+  mocha
+  mongo
+  mongoid!
+  rails!
+  ruby-debug (>= 0.10.3)
+  sqlite3-ruby
+  warden (= 0.10.7)
+  webrat (= 0.7.0)

data/README.rdoc

@@ -22,19 +22,11 @@ Right now it's composed of 11 modules:
 
 == Installation
 
-=== Rails 3 beta 4
+Devise 1.1 supports Rails 3 and is NOT backward compatible. You can use the latest Rails 3 beta gem with Devise latest gem:
 
-To use Devise with Rails 3 beta 4, please use it straight from the git repository, by adding it to your Gemfile:
+  gem install devise --version=1.1.rc2
 
-  gem "devise", :git => "git://github.com/plataformatec/devise.git"
-
-Then follow the same steps as below.
-
-=== Rails 3 beta 3
-
-Devise master branch now supports Rails 3 and is NOT backward compatible. You can use the latest Rails 3 beta gem with Devise latest gem:
-
-  gem install devise --version=1.1.rc1
+If you want to use Rails master (from git repository) you need to use Devise from git repository and vice-versa.
 
 After you install Devise and add it to your Gemfile, you need to run the generator:
 
@@ -46,11 +38,11 @@ The generator will install an initializer which describes ALL Devise's configura
 
 Replace MODEL by the class name you want to add devise, like User, Admin, etc. This will create a model (if one does not exist) and configure it with default Devise modules. The generator will also create a migration file (if your ORM support them) and configure your routes. Continue reading this file to understand exactly what the generator produces and how to use it.
 
-=== Rails 2.3
+== Rails 2.3
 
 If you want to use the Rails 2.3.x version, you should do:
 
-  gem install devise --version=1.0.7
+  gem install devise --version=1.0.8
 
 And please check the README at the v1.0 branch since this one is based on Rails 3:
 
@@ -283,6 +275,16 @@ Please consult their respective documentation for more information and requireme
 
 Please refer to TODO file.
 
+== Security
+
+Needless to say, security is extremely important to Devise. If you find yourself in a possible security issue with Devise, please go through the following steps, trying to reproduce the bug:
+
+1) Look at the source code a bit to find out whether your assumptions are correct;
+2) If possible, provide a way to reproduce the bug: a small app on Github or a step-by-step to reproduce;
+3) E-mail us or send a Github private message instead of using the normal issues;
+
+Being able to reproduce the bug is the first step to fix it. Thanks for your understanding.
+
 == Maintainers
 
 * José Valim (http://github.com/josevalim)

data/app/controllers/devise/unlocks_controller.rb

@@ -1,5 +1,4 @@
 class Devise::UnlocksController < ApplicationController
-  prepend_before_filter :ensure_email_as_unlock_strategy
   prepend_before_filter :require_no_authentication
   include Devise::Controllers::InternalHelpers
 
@@ -32,10 +31,4 @@ class Devise::UnlocksController < ApplicationController
       render_with_scope :new
     end
   end
-
-  protected
-
-  def ensure_email_as_unlock_strategy
-    raise ActionController::UnknownAction unless resource_class.unlock_strategy_enabled?(:email)
-  end
 end

data/app/mailers/devise/mailer.rb

@@ -22,14 +22,11 @@ class Devise::Mailer < ::ActionMailer::Base
     @devise_mapping = Devise.mappings[@scope_name]
     @resource       = instance_variable_set("@#{@devise_mapping.name}", record)
 
-    template_path = ["devise/mailer"]
-    template_path.unshift "#{@devise_mapping.plural}/mailer" if self.class.scoped_views?
-
     headers = {
       :subject => translate(@devise_mapping, action),
       :from => mailer_sender(@devise_mapping),
       :to => record.email,
-      :template_path => template_path
+      :template_path => template_paths
     }
 
     headers.merge!(record.headers_for(action)) if record.respond_to?(:headers_for)
@@ -44,6 +41,12 @@ class Devise::Mailer < ::ActionMailer::Base
     end
   end
 
+  def template_paths
+    template_path = [self.class.mailer_name]
+    template_path.unshift "#{@devise_mapping.plural}/mailer" if self.class.scoped_views?
+    template_path
+  end
+
   # Setup a subject doing an I18n lookup. At first, it attemps to set a subject
   # based on the current mapping:
   #

data/app/views/devise/confirmations/new.html.erb

@@ -1,6 +1,6 @@
 <h2>Resend confirmation instructions</h2>
 
-<%= form_for(resource, :as => resource_name, :url => confirmation_path(resource_name)) do |f| %>
+<%= form_for(resource, :as => resource_name, :url => confirmation_path(resource_name), :html => { :method => :post }) do |f| %>
   <%= devise_error_messages! %>
 
   <p><%= f.label :email %><br />

data/app/views/devise/passwords/new.html.erb

@@ -1,6 +1,6 @@
 <h2>Forgot your password?</h2>
 
-<%= form_for(resource, :as => resource_name, :url => password_path(resource_name)) do |f| %>
+<%= form_for(resource, :as => resource_name, :url => password_path(resource_name), :html => { :method => :post }) do |f| %>
   <%= devise_error_messages! %>
 
   <p><%= f.label :email %><br />

data/app/views/devise/unlocks/new.html.erb

@@ -1,6 +1,6 @@
 <h2>Resend unlock instructions</h2>
 
-<%= form_for(resource, :as => resource_name, :url => unlock_path(resource_name)) do |f| %>
+<%= form_for(resource, :as => resource_name, :url => unlock_path(resource_name), :html => { :method => :post }) do |f| %>
   <%= devise_error_messages! %>
 
   <p><%= f.label :email %><br />

data/lib/devise.rb

@@ -69,6 +69,10 @@ module Devise
   mattr_accessor :http_authenticatable
   @@http_authenticatable = true
 
+  # If http authentication is used for ajax requests.  True by default.
+  mattr_accessor :http_authenticatable_on_xhr
+  @@http_authenticatable_on_xhr = true
+
   # If params authenticatable is enabled by default.
   mattr_accessor :params_authenticatable
   @@params_authenticatable = true
@@ -85,10 +89,18 @@ module Devise
   mattr_accessor :password_length
   @@password_length = 6..20
 
-  # Time interval where the remember me token is valid.
+  # The time the user will be remembered without asking for credentials again.
   mattr_accessor :remember_for
   @@remember_for = 2.weeks
 
+  # If true, a valid remember token can be re-used between multiple browsers.
+  mattr_accessor :remember_across_browsers
+  @@remember_across_browsers = true
+
+  # If true, extends the user's remember period when remembered via cookie.
+  mattr_accessor :extend_remember_period
+  @@extend_remember_period = false
+
   # Time interval you can access your account before confirming your account.
   mattr_accessor :confirm_within
   @@confirm_within = 0.days
@@ -133,10 +145,6 @@ module Devise
   mattr_accessor :unlock_in
   @@unlock_in = 1.hour
 
-  # Tell when to use the default scope, if one cannot be found from routes.
-  mattr_accessor :use_default_scope
-  @@use_default_scope = false
-
   # The default scope which is used by warden.
   mattr_accessor :default_scope
   @@default_scope = nil
@@ -149,6 +157,7 @@ module Devise
   mattr_accessor :token_authentication_key
   @@token_authentication_key = :auth_token
 
+  # Which formats should be treated as navigational.
   mattr_accessor :navigational_formats
   @@navigational_formats = [:html]
 
@@ -157,6 +166,17 @@ module Devise
   @@warden_config = nil
   @@warden_config_block = nil
 
+  # When set to true, signing out an user signs out all other scopes.
+  mattr_accessor :sign_out_all_scopes
+  @@sign_out_all_scopes = false
+
+  def self.use_default_scope=(*)
+    ActiveSupport::Deprecation.warn "config.use_default_scope is deprecated and removed from Devise. " <<
+      "If you are using non conventional routes in Devise, all you need to do is to pass the devise " <<
+      "scope in the router DSL:\n\n  as :user do\n    get \"sign_in\", :to => \"devise/sessions\"\n  end\n\n" <<
+      "The method :as is also aliased to :devise_scope. Choose the one you prefer.", caller
+  end
+
   # Default way to setup Devise. Run rails generate devise_install to create
   # a fresh initializer with all configuration values.
   def self.setup
@@ -174,10 +194,8 @@ module Devise
   end
   self.mailer = "Devise::Mailer"
 
-  # Register a model in Devise. You can call this manually if you don't want
-  # to use devise routes. Check devise_for in routes to know which options
-  # are available.
-  def self.add_model(resource, options)
+  # Small method that adds a mapping to Devise.
+  def self.add_mapping(resource, options)
     mapping = Devise::Mapping.new(resource, options)
     self.mappings[mapping.name] = mapping
     self.default_scope ||= mapping.name

data/lib/devise/controllers/helpers.rb

@@ -64,6 +64,16 @@ module Devise
         warden.logout(scope)
       end
 
+      # Sign out all active users or scopes. This helper is useful for signing out all roles
+      # in one click.
+      def sign_out_all_scopes
+        # Not "warden.logout" since we need to sign_out only devise-defined scopes.
+        scopes = Devise.mappings.keys
+        scopes.each { |scope| warden.user(scope) }
+        warden.raw_session.inspect
+        warden.logout(*scopes)
+      end
+
       # Returns and delete the url stored in the session for the given scope. Useful
       # for giving redirect backs after sign up:
       #
@@ -86,13 +96,13 @@ module Devise
       #
       #   map.user_root '/users', :controller => 'users' # creates user_root_path
       #
-      #   map.resources :users do |users|
-      #     users.root # creates user_root_path
+      #   map.namespace :user do |user|
+      #     user.root :controller => 'users' # creates user_root_path
       #   end
       #
       #
-      # If none of these are defined, root_path is used. However, if this default
-      # is not enough, you can customize it, for example:
+      # If the resource root path is not defined, root_path is used. However,
+      # if this default is not enough, you can customize it, for example:
       #
       #   def after_sign_in_path_for(resource)
       #     if resource.is_a?(User) && resource.can_publish?
@@ -164,7 +174,11 @@ module Devise
       # after_sign_out_path_for.
       def sign_out_and_redirect(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        sign_out(scope)
+        if Devise.sign_out_all_scopes
+          sign_out_all_scopes
+        else
+          sign_out(scope)
+        end
         redirect_to after_sign_out_path_for(scope)
       end
 

data/lib/devise/controllers/internal_helpers.rb

@@ -8,7 +8,6 @@ module Devise
       include Devise::Controllers::ScopedViews
 
       included do
-        unloadable
         helper DeviseHelper
 
         helpers = %w(resource scope_name resource_name
@@ -38,11 +37,7 @@ module Devise
 
       # Attempt to find the mapped route for devise based on request path
       def devise_mapping
-        @devise_mapping ||= begin
-          mapping   = Devise::Mapping.find_by_path(request.path)
-          mapping ||= Devise.mappings[Devise.default_scope] if Devise.use_default_scope
-          mapping
-        end
+        @devise_mapping ||= request.env["devise.mapping"]
       end
 
       # Overwrites devise_controller? to return true
@@ -54,8 +49,7 @@ module Devise
 
       # Checks whether it's a devise mapped resource or not.
       def is_devise_resource? #:nodoc:
-        raise ActionController::UnknownAction unless devise_mapping &&
-          devise_mapping.allowed_controllers.include?(controller_path)
+        raise ActionController::UnknownAction unless devise_mapping
       end
 
       # Sets the resource creating an instance variable