devise 1.4.1 → 1.4.2



@@ -1,3 +1,9 @@
1
+ == 1.4.2
2
+
3
+ * bug fix
4
+ * Improve Rails 3.1 compatibility
5
+ * Provide a more robust behavior to serializers and add :force_except option
6
+
1
7
  == 1.4.1
2
8
 
3
9
  * enhancements
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: .
3
3
  specs:
4
- devise (1.4.0)
4
+ devise (1.4.1)
5
5
  bcrypt-ruby (~> 2.1.2)
6
6
  orm_adapter (~> 0.0.3)
7
7
  warden (~> 1.0.3)
@@ -91,7 +91,7 @@ GEM
91
91
  oauth2 (0.1.1)
92
92
  faraday (~> 0.5.0)
93
93
  multi_json (~> 0.0.4)
94
- orm_adapter (0.0.4)
94
+ orm_adapter (0.0.5)
95
95
  polyglot (0.3.1)
96
96
  rack (1.2.2)
97
97
  rack-mount (0.6.14)
@@ -1,4 +1,5 @@
1
1
  require 'devise/hooks/activatable'
2
+ require 'devise/models/serializable'
2
3
 
3
4
  module Devise
4
5
  module Models
@@ -46,6 +47,8 @@ module Devise
46
47
  module Authenticatable
47
48
  extend ActiveSupport::Concern
48
49
 
50
+ include Devise::Models::Serializable
51
+
49
52
  included do
50
53
  class_attribute :devise_modules, :instance_writer => false
51
54
  self.devise_modules ||= []
@@ -76,20 +79,6 @@ module Devise
76
79
  def authenticatable_salt
77
80
  end
78
81
 
79
- # TODO: to_xml does not call serializable_hash. Hopefully someone will fix this in AR.
80
- %w(to_xml serializable_hash).each do |method|
81
- class_eval <<-RUBY, __FILE__, __LINE__
82
- def #{method}(options={})
83
- if self.class.respond_to?(:accessible_attributes)
84
- options = { :only => self.class.accessible_attributes.to_a }.merge(options || {})
85
- super(options)
86
- else
87
- super
88
- end
89
- end
90
- RUBY
91
- end
92
-
93
82
  module ClassMethods
94
83
  Devise::Models.config(self, :authentication_keys, :request_keys, :strip_whitespace_keys, :case_insensitive_keys, :http_authenticatable, :params_authenticatable)
95
84
 
@@ -0,0 +1,43 @@
1
+ module Devise
2
+ module Models
3
+ # This module redefine to_xml and serializable_hash in models for more
4
+ # secure defaults. By default, it removes from the serializable model
5
+ # all attributes that are *not* accessible. You can remove this default
6
+ # by using :force_except and passing a new list of attributes you want
7
+ # to exempt. All attributes given to :except will simply add names to
8
+ # exempt to Devise internal list.
9
+ module Serializable
10
+ extend ActiveSupport::Concern
11
+
12
+ # TODO: to_xml does not call serializable_hash. Hopefully someone will fix this in AR.
13
+ %w(to_xml serializable_hash).each do |method|
14
+ class_eval <<-RUBY, __FILE__, __LINE__
15
+ def #{method}(options=nil)
16
+ options ||= {}
17
+ if options.key?(:force_except)
18
+ options[:except] = options.delete(:force_except)
19
+ super(options)
20
+ elsif self.class.blacklist_keys?
21
+ except = Array(options[:except])
22
+ super(options.merge(:except => except + self.class.blacklist_keys))
23
+ else
24
+ super
25
+ end
26
+ end
27
+ RUBY
28
+ end
29
+
30
+ module ClassMethods
31
+ # Return true if we can retrieve blacklist keys from the record.
32
+ def blacklist_keys?
33
+ @has_except_keys ||= respond_to?(:accessible_attributes) && !accessible_attributes.to_a.empty?
34
+ end
35
+
36
+ # Returns keys that should be removed when serializing the record.
37
+ def blacklist_keys
38
+ @blacklist_keys ||= to_adapter.column_names.map(&:to_s) - accessible_attributes.to_a.map(&:to_s)
39
+ end
40
+ end
41
+ end
42
+ end
43
+ end
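Review bot: `blacklist_keys?` is false for a model that declares no accessible attributes, and the generated `to_xml`/`serializable_hash` then falls through to plain `super`, so such a model is serialized with every column while the module comment promises that all non-accessible attributes are removed; the previous implementation in authenticatable.rb forced `:only => accessible_attributes.to_a` instead, so the default behaviour for that configuration has changed. The comment should state the precondition, e.g. `# NOTE: the default filtering only applies when the model declares accessible attributes (attr_accessible); otherwise every column is serialized unless :except is given.` Both `@has_except_keys` and `@blacklist_keys` are memoized on the class, so `attr_accessible` declarations or columns added after the first serialization are presumably not reflected until the class is reloaded — worth a comment on `blacklist_keys`. The `:force_except` branch also mutates the caller's hash through `options.delete`; `opts = options.dup; opts[:except] = opts.delete(:force_except); super(opts)` keeps the caller's options intact.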
@@ -9,14 +9,15 @@ module Devise
9
9
  class Rememberable < Authenticatable
10
10
  # A valid strategy for rememberable needs a remember token in the cookies.
11
11
  def valid?
12
- cookies.key?(remember_key)
12
+ @remember_cookie = nil
13
+ remember_cookie.present?
13
14
  end
14
15
 
15
16
  # To authenticate a user we deserialize the cookie and attempt finding
16
17
  # the record in the database. If the attempt fails, we pass to another
17
18
  # strategy handle the authentication.
18
19
  def authenticate!
19
- resource = mapping.to.serialize_from_cookie(*cookies.signed[remember_key])
20
+ resource = mapping.to.serialize_from_cookie(*remember_cookie)
20
21
 
21
22
  if validate(resource)
22
23
  success!(resource)
@@ -40,6 +41,11 @@ module Devise
40
41
  def remember_key
41
42
  "remember_#{scope}_token"
42
43
  end
44
+
45
+ def remember_cookie
46
+ @remember_cookie ||= cookies.signed[remember_key]
47
+ end
48
+
43
49
  end
44
50
  end
45
51
  end
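Review bot: `valid?` clears `@remember_cookie` before reading it, so the memoized signed cookie is refreshed only when `valid?` runs, and `authenticate!` in the second hunk silently depends on Warden calling `valid?` first; nothing documents that ordering. Suggest a comment on `remember_cookie`: `# Memoized for the request; valid? resets it so a value read by an earlier check is never reused.` The `*remember_cookie` splat also assumes the signed cookie deserializes to an array — a non-array value would be passed as a single argument, which presumably fails inside `serialize_from_cookie` rather than being rejected as an invalid cookie. Reading the cookie through `cookies.signed` in `valid?` rather than `cookies.key?` is a good change, since an unsigned or tampered cookie no longer makes the strategy valid.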
@@ -1,3 +1,3 @@
1
1
  module Devise
2
- VERSION = "1.4.1".freeze
2
+ VERSION = "1.4.2".freeze
3
3
  end
@@ -52,7 +52,7 @@ module Devise
52
52
 
53
53
  class SimpleFormForGenerator < Rails::Generators::Base #:nodoc:
54
54
  include ViewPathTemplates
55
- source_root File.expand_path("../simple_form_for", __FILE__)
55
+ source_root File.expand_path("../../templates/simple_form_for", __FILE__)
56
56
  desc "Copies simple form enabled views to your application."
57
57
  end
58
58
 
@@ -4,7 +4,7 @@
4
4
  <%= f.error_notification %>
5
5
 
6
6
  <div class="inputs">
7
- <%= f.input :email %>
7
+ <%= f.input :email, :required => true %>
8
8
  </div>
9
9
 
10
10
  <div class="actions">
@@ -7,7 +7,7 @@
7
7
  <%= f.full_error :reset_password_token %>
8
8
 
9
9
  <div class="inputs">
10
- <%= f.input :password, :label => "New password" %>
10
+ <%= f.input :password, :label => "New password", :required => true %>
11
11
  <%= f.input :password_confirmation, :label => "Confirm your new password", :required => true %>
12
12
  </div>
13
13
 
@@ -4,7 +4,7 @@
4
4
  <%= f.error_notification %>
5
5
 
6
6
  <div class="inputs">
7
- <%= f.input :email %>
7
+ <%= f.input :email, :required => true %>
8
8
  </div>
9
9
 
10
10
  <div class="actions">
@@ -4,7 +4,7 @@
4
4
  <%= f.error_notification %>
5
5
 
6
6
  <div class="inputs">
7
- <%= f.input :email %>
7
+ <%= f.input :email, :required => true %>
8
8
  </div>
9
9
 
10
10
  <div class="actions">
@@ -0,0 +1,38 @@
1
+ require 'test_helper'
2
+
3
+ class SerializableTest < ActiveSupport::TestCase
4
+ setup do
5
+ @user = create_user
6
+ end
7
+
8
+ test 'should not include unsafe keys on XML' do
9
+ assert_match /email/, @user.to_xml
10
+ assert_no_match /confirmation-token/, @user.to_xml
11
+ end
12
+
13
+ test 'should not include unsafe keys on XML even if a new except is provided' do
14
+ assert_no_match /email/, @user.to_xml(:except => :email)
15
+ assert_no_match /confirmation-token/, @user.to_xml(:except => :email)
16
+ end
17
+
18
+ test 'should include unsafe keys on XML if a force_except is provided' do
19
+ assert_no_match /email/, @user.to_xml(:force_except => :email)
20
+ assert_match /confirmation-token/, @user.to_xml(:force_except => :email)
21
+ end
22
+
23
+ test 'should not include unsafe keys on JSON' do
24
+ assert_match /"email":/, @user.to_json
25
+ assert_no_match /"confirmation_token":/, @user.to_json
26
+ end
27
+
28
+ test 'should not include unsafe keys on JSON even if a new except is provided' do
29
+ assert_no_match /"email":/, @user.to_json(:except => :email)
30
+ assert_no_match /"confirmation_token":/, @user.to_json(:except => :email)
31
+ end
32
+
33
+ test 'should include unsafe keys on JSON if a force_except is provided' do
34
+ assert_no_match /"email":/, @user.to_json(:force_except => :email)
35
+ assert_match /"confirmation_token":/, @user.to_json(:force_except => :email)
36
+ end
37
+
38
+ end
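Review bot: The tests only exercise a user model that declares accessible attributes; there is no case for a model without `attr_accessible`, where `blacklist_keys?` in serializable.rb from this same commit is false and serialization falls back to `super`, nor for `:except` or `:force_except` given as an array or string rather than a single symbol. Asserting on `confirmation-token` alone also leaves other sensitive columns (e.g. the encrypted password, if the test model has one) unchecked. The regexp first arguments written without parentheses, such as `assert_match /email/, @user.to_xml`, trigger Ruby's ambiguous-first-argument warning; `assert_match(/email/, @user.to_xml)` avoids it.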
metadata CHANGED
@@ -1,13 +1,13 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: devise
3
3
  version: !ruby/object:Gem::Version
4
- hash: 5
4
+ hash: 3
5
5
  prerelease:
6
6
  segments:
7
7
  - 1
8
8
  - 4
9
- - 1
10
- version: 1.4.1
9
+ - 2
10
+ version: 1.4.2
11
11
  platform: ruby
12
12
  authors:
13
13
  - "Jos\xC3\xA9 Valim"
@@ -16,7 +16,7 @@ autorequire:
16
16
  bindir: bin
17
17
  cert_chain: []
18
18
 
19
- date: 2011-06-29 00:00:00 -03:00
19
+ date: 2011-06-30 00:00:00 -03:00
20
20
  default_executable:
21
21
  dependencies:
22
22
  - !ruby/object:Gem::Dependency
@@ -137,6 +137,7 @@ files:
137
137
  - lib/devise/models/recoverable.rb
138
138
  - lib/devise/models/registerable.rb
139
139
  - lib/devise/models/rememberable.rb
140
+ - lib/devise/models/serializable.rb
140
141
  - lib/devise/models/timeoutable.rb
141
142
  - lib/devise/models/token_authenticatable.rb
142
143
  - lib/devise/models/trackable.rb
@@ -164,17 +165,17 @@ files:
164
165
  - lib/generators/devise/devise_generator.rb
165
166
  - lib/generators/devise/install_generator.rb
166
167
  - lib/generators/devise/orm_helpers.rb
167
- - lib/generators/devise/simple_form_for/confirmations/new.html.erb
168
- - lib/generators/devise/simple_form_for/passwords/edit.html.erb
169
- - lib/generators/devise/simple_form_for/passwords/new.html.erb
170
- - lib/generators/devise/simple_form_for/registrations/edit.html.erb
171
- - lib/generators/devise/simple_form_for/registrations/new.html.erb
172
- - lib/generators/devise/simple_form_for/sessions/new.html.erb
173
- - lib/generators/devise/simple_form_for/unlocks/new.html.erb
174
168
  - lib/generators/devise/views_generator.rb
175
169
  - lib/generators/mongoid/devise_generator.rb
176
170
  - lib/generators/templates/README
177
171
  - lib/generators/templates/devise.rb
172
+ - lib/generators/templates/simple_form_for/confirmations/new.html.erb
173
+ - lib/generators/templates/simple_form_for/passwords/edit.html.erb
174
+ - lib/generators/templates/simple_form_for/passwords/new.html.erb
175
+ - lib/generators/templates/simple_form_for/registrations/edit.html.erb
176
+ - lib/generators/templates/simple_form_for/registrations/new.html.erb
177
+ - lib/generators/templates/simple_form_for/sessions/new.html.erb
178
+ - lib/generators/templates/simple_form_for/unlocks/new.html.erb
178
179
  - test/controllers/helpers_test.rb
179
180
  - test/controllers/internal_helpers_test.rb
180
181
  - test/controllers/sessions_controller_test.rb
@@ -211,6 +212,7 @@ files:
211
212
  - test/models/lockable_test.rb
212
213
  - test/models/recoverable_test.rb
213
214
  - test/models/rememberable_test.rb
215
+ - test/models/serializable_test.rb
214
216
  - test/models/timeoutable_test.rb
215
217
  - test/models/token_authenticatable_test.rb
216
218
  - test/models/trackable_test.rb
@@ -348,6 +350,7 @@ test_files:
348
350
  - test/models/lockable_test.rb
349
351
  - test/models/recoverable_test.rb
350
352
  - test/models/rememberable_test.rb
353
+ - test/models/serializable_test.rb
351
354
  - test/models/timeoutable_test.rb
352
355
  - test/models/token_authenticatable_test.rb
353
356
  - test/models/trackable_test.rb