devise 1.0.11 → 1.1.pre

data/CHANGELOG.rdoc

@@ -1,78 +1,13 @@
-== 1.0.11
-
-* bug fix
-  * Make sure xhr requests do not store urls for redirect
-  * Squeeze break lines from cookies to avoid duplicated break lines
-
-== 1.0.10
-
-* bug fix
-  * Use secure compare when comparing passwords
-  * Improve email regexp
-  * Implement handle_unverified_request for Rails 2.3.11
-
-== 1.0.9
+== 1.1.pre
 
 * enhancements
-  * Extracted redirect path from Devise failure app to a new method, allowing override in custom failure apps
-  * Added sign_out_via
-
-* bug fix
-  * Email is now case insensitive
-  * Avoid session fixation attacks
-
-== 1.0.8
-
-* enhancements
-  * Support for latest MongoMapper
-  * Added anybody_signed_in? helper (by github.com/SSDany)
-
-* bug fix
-  * confirmation_required? is properly honored on active? calls. (by github.com/paulrosania)
-
-== 1.0.7
-
-* bug fix
-  * Ensure password confirmation is always required
+  * Rails 3 compatibility.
+  * All controllers and views are namespaced, for example: Devise::SessionsController and "devise/sessions".
+  * You can specify the controller in routes and have specific controllers for each role.
 
 * deprecations
-  * authenticatable was deprecated and renamed to database_authenticatable
-  * confirmable is not included by default on generation
-
-== 1.0.6
-
-* bug fix
-  * Do not allow unlockable strategies based on time to access a controller.
-  * Do not send unlockable email several times.
-  * Allow controller to upstram custom! failures to Warden.
-
-== 1.0.5
-
-* bug fix
-  * Use prepend_before_filter in require_no_authentication.
-  * require_no_authentication on unlockable.
-  * Fix a bug when giving an association proxy to devise.
-  * Do not use lock! on lockable since it's part of ActiveRecord API.
-
-== 1.0.4
-
-* bug fix
-  * Fixed a bug when deleting an account with rememberable
-  * Fixed a bug with custom controllers
-
-== 1.0.3
-
-* enhancements
-  * HTML e-mails now have proper formatting
-  * Do not remove MongoMapper options in find
-
-== 1.0.2
-
-* enhancements
-  * Allows you set mailer content type (by github.com/glennr)
-
-* bug fix
-  * Uses the same content type as request on http authenticatable 401 responses
+  * Rails 3 compatible only.
+  * Scoped views are no longer "sessions/users/new". Now use "users/sessions/new".
 
 == 1.0.1
 
@@ -93,7 +28,6 @@
   * Added Http Basic Authentication support
   * Allow scoped_views to be customized per controller/mailer class
   * [#99] Allow authenticatable to used in change_table statements
-  * Add mailer_content_type configuration parameter (by github.com/glennr)
 
 == 0.9.2
 

data/Gemfile

@@ -0,0 +1,18 @@
+source "http://gemcutter.org"
+
+gem "rails", "3.0.0.beta"
+gem "warden", "0.9.3"
+gem "sqlite3-ruby", :require => "sqlite3"
+gem "webrat", "0.7"
+gem "mocha", :require => false
+gem "bcrypt-ruby", :require => "bcrypt"
+
+if RUBY_VERSION < '1.9'
+  gem "ruby-debug", ">= 0.10.3"
+end
+
+group :mongo_mapper do
+  gem "mongo",        "0.18.3"
+  gem "mongo_ext",    "0.18.3", :require => false
+  gem "mongo_mapper", "0.7.0"
+end

data/README.rdoc

@@ -9,7 +9,7 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 
 Right now it's composed of 12 modules:
 
-* Database Authenticatable: responsible for encrypting password and validating authenticity of a user while signing in.
+* Authenticatable: responsible for encrypting password and validating authenticity of a user while signing in.
 * Token Authenticatable: validates authenticity of a user while signing in using an authentication token (also known as "single access token").
 * HttpAuthenticatable: sign in users using basic HTTP authentication.
 * Confirmable: responsible for verifying whether an account is already confirmed to sign in, and to send emails with confirmation instructions.
@@ -30,30 +30,32 @@ Devise is based on Warden (http://github.com/hassox/warden), a Rack Authenticati
 
 == Installation
 
-Install warden gem if you don't have it installed:
+Devise master branch now supports Rails 3 and is NOT backward compatible. You can install it as:
 
-  gem install warden
+  sudo gem install devise --version=1.1.pre
 
-Install devise gem:
+After installing them, you need configure warden and devise gems inside your gemfile:
 
-  gem install devise --version=1.0.10
+  gem 'warden'
+  gem 'devise'
 
-Configure warden and devise gems inside your app:
+And run the generator:
 
-  config.gem 'warden'
-  config.gem 'devise'
+	rails generate devise_install
 
-Run the generator:
+And you're ready to go. The generator will install an initializer which describes ALL Devise's configuration options, so be sure to take a look at it and at the documentation as well:
 
-	ruby script/generate devise_install
+  http://rdoc.info/projects/plataformatec/devise
 
-And you're ready to go. The generator will install an initializer which describes ALL Devise's configuration options, so be sure to take a look at it and the documentation as well:
+== Rails 2.3
 
-  http://rdoc.info/projects/plataformatec/devise
+If you want to use the Rails 2.3.x version, you should do:
 
-If you want to use Devise with bundler on Rails 2.3, you need to follow the instructions here:
+  sudo gem install devise --version=1.0.1
 
-  http://github.com/carlhuda/bundler/issues/issue/83
+Or checkout from the v1.0 branch:
+
+  http://github.com/plataformatec/devise/tree/v1.0
 
 == Basic Usage
 
@@ -64,13 +66,13 @@ Devise must be set up within the model (or models) you want to use, and devise r
 We're assuming here you want a User model with some modules, as outlined below:
 
   class User < ActiveRecord::Base
-    devise :database_authenticatable, :confirmable, :recoverable, :rememberable, :trackable, :validatable
+    devise :authenticatable, :confirmable, :recoverable, :rememberable, :trackable, :validatable
   end
 
 After you choose which modules to use, you need to setup your migrations. Luckily, devise has some helpers to save you from this boring work:
 
   create_table :users do |t|
-    t.database_authenticatable
+    t.authenticatable
     t.confirmable
     t.recoverable
     t.rememberable
@@ -82,13 +84,13 @@ Remember that Devise don't rely on _attr_accessible_ or _attr_protected_ inside
 
 The next setup after setting up your model is to configure your routes. You do this by opening up your config/routes.rb and adding:
 
-  map.devise_for :users
+  devise_for :users
 
 This is going to look inside you User model and create a set of needed routes (you can see them by running `rake routes`).
 
 There are also some options available for configuring your routes, as :class_name (to set the class for that route), :path_prefix, :as and :path_names, where the last two have the same meaning as in common routes. The available :path_names are:
 
-  map.devise_for :users, :as => "usuarios", :path_names => { :sign_in => 'login', :sign_out => 'logout', :password => 'secret', :confirmation => 'verification', :unlock => 'unblock' }
+  devise_for :users, :as => "usuarios", :path_names => { :sign_in => 'login', :sign_out => 'logout', :password => 'secret', :confirmation => 'verification', :unlock => 'unblock' }
 
 Be sure to check devise_for documentation for detailed description.
 
@@ -114,7 +116,7 @@ You have also access to the session for this scope:
 
 After signing in a user, confirming it's account or updating it's password, devise will look for a scoped root path to redirect. Example: For a :user resource, it will use user_root_path if it exists, otherwise default root_path will be used. This means that you need to set the root inside your routes:
 
-  map.root :controller => 'home'
+  root :to => "home"
 
 You can also overwrite after_sign_in_path_for and after_sign_out_path_for to customize better your redirect hooks.
 
@@ -128,16 +130,16 @@ Devise let's you setup as many roles as you want, so let's say you already have
 
   # Create a migration with the required fields
   create_table :admins do |t|
-    t.database_authenticatable
+    t.authenticatable
     t.lockable
     t.trackable
   end
 
   # Inside your Admin model
-  devise :database_authenticatable, :trackable, :timeoutable, :lockable
+  devise :authenticatable, :trackable, :timeoutable, :lockable
 
   # Inside your routes
-  map.devise_for :admin
+  devise_for :admin
 
   # Inside your protected controller
   before_filter :authenticate_admin!
@@ -151,33 +153,48 @@ Devise let's you setup as many roles as you want, so let's say you already have
 
 Devise comes with some generators to help you start:
 
-  ruby script/generate devise_install
+  rails generate devise_install
 
 This will generate an initializer, with a description of all configuration values. You can also generate models through:
 
-  ruby script/generate devise Model
+  rails generate devise Model
 
 A model configured with all devise modules and attr_accessible for default fields will be created. The generator will also create the migration and configure your routes for devise.
 
 == Model configuration
 
-The devise method in your models also accept some options to configure its modules. For example, you can chose which encryptor to use in database_authenticatable:
+The devise method in your models also accept some options to configure its modules. For example, you can chose which encryptor to use in authenticatable simply doing:
+
+  devise :authenticatable, :confirmable, :recoverable, :encryptor => :bcrypt
+
+Besides :encryptor, you can provide :pepper, :stretches, :confirm_within, :remember_for, :timeout_in, :unlock_in and others. All those are described in the initializer created when you invoke the devise_install generator describer above.
+
+== Configuring controllers and views
+
+One of Devise goals is to help you bootstrap your application with authentication really fast. Another goal is to not be in your way when you need to customize it.
+
+Since devise is an engine, it has all default views inside the gem. They are good to get you started, but you will want to customize them at some point. And Devise has a generator to copy them all to your application:
 
-  devise :database_authenticatable, :confirmable, :recoverable, :encryptor => :bcrypt
+  rails generate devise_views
 
-Besides :encryptor, you can provide :pepper, :stretches, :confirm_within, :remember_for, :timeout_in, :unlock_in and others. All those are describer in the initializer created when you invoke the devise_install generator describer above.
+If you have more than one role in your application, you will notice that Devise uses the same views for all roles you have. But what if you need so different views to each of them? Devise also has an easy way to accomplish it: just setup config.scoped_views to true inside "config/initializers/devise.rb".
 
-== Views
+After doing so you will be able to have views based on the scope like "users/sessions/new" and "admins/sessions/new". If no view is found within the scope, Devise will fallback to the default view at "devise/sessions/new".
 
-Since devise is an engine, it has all default views inside the gem. They are good to get you started, but you will want to customize them at some point. And Devise has a generator to make copy them all to your application:
+Finally, if the customization at the views level is not enough, you can customize each controller by following these steps:
 
-  ruby script/generate devise_views
+  1) Create your custom controller, for example a Admins::SessionsController:
 
-By default Devise will use the same views for all roles you have. But what if you need so different views to each of them? Devise also has an easy way to accomplish it: just setup config.scoped_views to true inside "config/initializers/devise.rb".
+    class Admins::SessionsController < Devise::SessionsController
+    end
 
-After doing so you will be able to have views based on the scope like 'sessions/users/new' and 'sessions/admin/new'. If no view is found within the scope, Devise will fallback to the default view.
+  2) Tell the router to use this controller:
 
-Devise uses flash messages to let users know if their login is successful or not. Devise expects your application to call 'flash[:notice]' and 'flash[:alert]' as appropriate.
+    devise_for :admins, :controllers => { :sessions = "admin/sessions" }
+
+  3) And finally, since we changed the controller, it won't use "devise/sessions" as views anymore, so remember to make a copy of "devise/sessions" to "admin/sessions".
+
+Remember that Devise uses flash messages to let users know if sign in wass successful or not. Devise expects your application to call "flash[:notice]" and "flash[:alert]" as appropriate.
 
 == I18n
 
@@ -240,16 +257,6 @@ Devise supports both ActiveRecord (default) and MongoMapper, and has experimenta
 
 Please refer to TODO file.
 
-== Security
-
-Needless to say, security is extremely important to Devise. If you find yourself in a possible security issue with Devise, please go through the following steps, trying to reproduce the bug:
-
-1) Look at the source code a bit to find out whether your assumptions are correct;
-2) If possible, provide a way to reproduce the bug: a small app on Github or a step-by-step to reproduce;
-3) E-mail us or send a Github private message instead of using the normal issues;
-
-Being able to reproduce the bug is the first step to fix it. Thanks for your understanding.
-
 == Maintainers
 
 * José Valim (http://github.com/josevalim)
@@ -257,9 +264,7 @@ Being able to reproduce the bug is the first step to fix it. Thanks for your und
 
 == Contributors
 
-We have a long running list of contributors. Check them all here:
-
-http://github.com/plataformatec/devise/contributors
+We have a long running list of contributors. Check them in the CHANGELOG or do `git shortlog -s -n` in the cloned repository.
 
 == Bugs and Feedback
 

data/Rakefile

@@ -37,17 +37,18 @@ begin
   require 'jeweler'
   Jeweler::Tasks.new do |s|
     s.name = "devise"
-    s.version = Devise::VERSION.dup
+    s.version = Devise::VERSION
     s.summary = "Flexible authentication solution for Rails with Warden"
     s.email = "contact@plataformatec.com.br"
     s.homepage = "http://github.com/plataformatec/devise"
     s.description = "Flexible authentication solution for Rails with Warden"
     s.authors = ['José Valim', 'Carlos Antônio']
-    s.files =  FileList["[A-Z]*", "{app,config,generators,lib}/**/*", "rails/init.rb"]
-    s.add_dependency("warden", "~> 0.10.3")
+    s.files =  FileList["[A-Z]*", "{app,config,lib}/**/*"]
+    s.extra_rdoc_files = FileList["[A-Z]*"] - %w(Gemfile Rakefile)
+    s.add_dependency("warden", "~> 0.9.3")
   end
 
   Jeweler::GemcutterTasks.new
 rescue LoadError
-  puts "Jeweler, or one of its dependencies, is not available. Install it with: gem install jeweler"
+  puts "Jeweler, or one of its dependencies, is not available. Install it with: sudo gem install technicalpickles-jeweler -s http://gems.github.com"
 end

data/app/controllers/{confirmations_controller.rb → devise/confirmations_controller.rb}

@@ -1,4 +1,4 @@
-class ConfirmationsController < ApplicationController
+class Devise::ConfirmationsController < ApplicationController
   include Devise::Controllers::InternalHelpers
 
   # GET /resource/confirmation/new
@@ -21,7 +21,7 @@ class ConfirmationsController < ApplicationController
 
   # GET /resource/confirmation?confirmation_token=abcdef
   def show
-    self.resource = resource_class.confirm_by_token(params[:confirmation_token])
+    self.resource = resource_class.confirm!(:confirmation_token => params[:confirmation_token])
 
     if resource.errors.empty?
       set_flash_message :notice, :confirmed

data/app/controllers/{passwords_controller.rb → devise/passwords_controller.rb}

@@ -1,7 +1,8 @@
-class PasswordsController < ApplicationController
-  prepend_before_filter :require_no_authentication
+class Devise::PasswordsController < ApplicationController
   include Devise::Controllers::InternalHelpers
 
+  before_filter :require_no_authentication
+
   # GET /resource/password/new
   def new
     build_resource
@@ -29,7 +30,7 @@ class PasswordsController < ApplicationController
 
   # PUT /resource/password
   def update
-    self.resource = resource_class.reset_password_by_token(params[resource_name])
+    self.resource = resource_class.reset_password!(params[resource_name])
 
     if resource.errors.empty?
       set_flash_message :notice, :updated

data/app/controllers/{registrations_controller.rb → devise/registrations_controller.rb}

@@ -1,19 +1,21 @@
-class RegistrationsController < ApplicationController
-  prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
-  prepend_before_filter :authenticate_scope!, :only => [:edit, :update, :destroy]
+class Devise::RegistrationsController < ApplicationController
   include Devise::Controllers::InternalHelpers
 
-  # GET /resource/sign_up
+  before_filter :require_no_authentication, :only => [ :new, :create ]
+  before_filter :authenticate_scope!, :only => [:edit, :update, :destroy]
+
+  # GET /resource/sign_in
   def new
     build_resource
     render_with_scope :new
   end
 
-  # POST /resource
+  # POST /resource/sign_up
   def create
     build_resource
 
     if resource.save
+      flash[:"#{resource_name}_signed_up"] = true
       set_flash_message :notice, :signed_up
       sign_in_and_redirect(resource_name, resource)
     else
@@ -32,6 +34,8 @@ class RegistrationsController < ApplicationController
       set_flash_message :notice, :updated
       redirect_to after_sign_in_path_for(self.resource)
     else
+      build_resource
+      send(:"current_#{resource_name}").reload
       render_with_scope :edit
     end
   end
@@ -48,6 +52,6 @@ class RegistrationsController < ApplicationController
     # Authenticates the current scope and dup the resource
     def authenticate_scope!
       send(:"authenticate_#{resource_name}!")
-      self.resource = send(:"current_#{resource_name}").dup
+      self.resource = send(:"current_#{resource_name}")
     end
-end
+end

data/app/controllers/{sessions_controller.rb → devise/sessions_controller.rb}

@@ -1,10 +1,11 @@
-class SessionsController < ApplicationController
-  prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
+class Devise::SessionsController < ApplicationController
   include Devise::Controllers::InternalHelpers
 
+  before_filter :require_no_authentication, :only => [ :new, :create ]
+
   # GET /resource/sign_in
   def new
-    unless flash[:notice].present?
+    unless resource_just_signed_up?
       Devise::FLASH_MESSAGES.each do |message|
         set_now_flash_message :alert, message if params.try(:[], message) == "true"
       end
@@ -19,8 +20,6 @@ class SessionsController < ApplicationController
     if resource = authenticate(resource_name)
       set_flash_message :notice, :signed_in
       sign_in_and_redirect(resource_name, resource, true)
-    elsif [:custom, :redirect].include?(warden.result)
-      throw :warden, :scope => resource_name
     else
       set_now_flash_message :alert, (warden.message || :invalid)
       clean_up_passwords(build_resource)
@@ -36,7 +35,11 @@ class SessionsController < ApplicationController
 
   protected
 
-    def clean_up_passwords(object)
-      object.clean_up_passwords if object.respond_to?(:clean_up_passwords)
-    end
+  def resource_just_signed_up?
+    flash[:"#{resource_name}_signed_up"]
+  end
+
+  def clean_up_passwords(object)
+    object.clean_up_passwords if object.respond_to?(:clean_up_passwords)
+  end
 end