devise 1.4.9 → 1.5.0.rc1

data/.travis.yml

@@ -5,8 +5,8 @@ rvm:
   - ree
   - rbx
   - rbx-2.0
-  - jruby
 notifications:
   recipients:
     - jose.valim@plataformatec.com.br
     - carlos@plataformatec.com.br
+    - rodrigo.flores@plataformatec.com.br

data/CHANGELOG.rdoc

@@ -1,3 +1,24 @@
+== 1.5.0.rc
+
+* enhancements
+  * Timeoutable also skips tracking if skip_trackable is given
+  * devise_for now accepts :failure_app as an option
+  * Models can select the proper mailer via devise_mailer method (by github.com/locomotivecms)
+  * Migration generator now uses the change method (by github.com/nashby)
+  * Support to markerb templates on the mailer generator (by github.com/sbounmy)
+  * Support for Omniauth 1.0 (older versions are no longer supported) (by github.com/TamiasSibiricus)
+
+* bug fix
+  * Allow idempotent API requests
+  * Fix bug where logs did not show 401 as status code
+  * Change paranoid settings to behave as success instead of as failure
+  * Fix bug where activation messages were shown first than the credentials error message
+  * Instance variables are expired after sign out
+
+* deprecation
+  * redirect_location is deprecated, please use after_sign_in_path_for
+  * after_sign_in_path_for now redirects to session[scope_return_to] if any value is stored in it
+
 == 1.4.9
 
 * bug fix

data/Gemfile

@@ -3,18 +3,20 @@ source "http://rubygems.org"
 gemspec
 
 gem "rails", "~> 3.1.0"
-gem "oa-oauth", '~> 0.2.0', :require => "omniauth/oauth"
-gem "oa-openid", '~> 0.2.0', :require => "omniauth/openid"
+gem 'omniauth', '~> 1.0.0'
+gem 'omniauth-oauth2', '~> 1.0.0'
 
 gem "rdoc"
 
 group :test do
+  gem 'omniauth-facebook'
+  gem 'omniauth-openid', '~> 1.0.1'
   gem "webrat", "0.7.2", :require => false
   gem "mocha", :require => false
 end
 
 platforms :jruby do
-  gem 'activerecord-jdbc-adapter', :git => 'https://github.com/nicksieger/activerecord-jdbc-adapter.git'
+  gem 'activerecord-jdbc-adapter'
   gem 'activerecord-jdbcsqlite3-adapter'
   gem 'jruby-openssl'
 end

data/README.rdoc

@@ -1,5 +1,7 @@
 == Devise
 
+{<img src="https://secure.travis-ci.org/plataformatec/devise.png" />}[http://travis-ci.org/plataformatec/devise]
+
 Devise is a flexible authentication solution for Rails based on Warden. It:
 
 * Is Rack based;
@@ -28,13 +30,13 @@ It's comprised of 12 modules:
 
 The Devise Wiki has lots of additional information about Devise including many "how-to" articles and answers to the most frequently asked questions. Please browse the Wiki after finishing this README:
 
-http://wiki.github.com/plataformatec/devise
+https://wiki.github.com/plataformatec/devise
 
 === Bug reports
 
 If you discover a problem with Devise, we would like to know about it. However, we ask that you please review these guidelines before submitting a bug report:
 
-http://github.com/plataformatec/devise/wiki/Bug-reports
+https://github.com/plataformatec/devise/wiki/Bug-reports
 
 If you found a security bug, do *NOT* use the GitHub issue tracker. Send email or a private GitHub message to the maintainers listed at the bottom of the README.
 
@@ -42,7 +44,7 @@ If you found a security bug, do *NOT* use the GitHub issue tracker. Send email o
 
 If you have any questions, comments, or concerns, please use the Google Group instead of the GitHub issue tracker:
 
-http://groups.google.com/group/plataformatec-devise
+https://groups.google.com/group/plataformatec-devise
 
 === RDocs
 
@@ -56,19 +58,19 @@ If you need to use Devise with Rails 2.3, you can always run `gem server` from t
 
 There are a few example applications available on GitHub that demonstrate various features of Devise with different versions of Rails. You can view them here:
 
-http://github.com/plataformatec/devise/wiki/Example-Applications
+https://github.com/plataformatec/devise/wiki/Example-Applications
 
 === Extensions
 
 Our community has created a number of extensions that add functionality above and beyond what is included with Devise. You can view a list of available extensions and add your own here:
 
-http://github.com/plataformatec/devise/wiki/Extensions
+https://github.com/plataformatec/devise/wiki/Extensions
 
 === Contributing
 
 We hope that you will consider contributing to Devise. Please read this short overview for some information about how to get started:
 
-http://github.com/plataformatec/devise/wiki/Contributing
+https://github.com/plataformatec/devise/wiki/Contributing
 
 You will usually want to write tests for your changes.  To run the test suite, `cd` into Devise's top-level directory and run `bundle install` and `rake`.  For the tests to pass, you will need to have a MongoDB server (version 1.6 or newer) running on your system.
 
@@ -289,7 +291,7 @@ The Devise mailer uses a similar pattern to create subject messages:
 
 Take a look at our locale file to check all available messages. You may also be interested in one of the many translations that are available on our wiki:
 
-http://github.com/plataformatec/devise/wiki/I18n
+https://github.com/plataformatec/devise/wiki/I18n
 
 === Test helpers
 
@@ -313,7 +315,7 @@ If you're using RSpec and want the helpers automatically included within all +de
     config.include Devise::TestHelpers, :type => :controller
   end
 
-Do not use such helpers for integration tests such as Cucumber or Webrat. Instead, fill in the form or explicitly set the user in session. For more tips, check the wiki (http://wiki.github.com/plataformatec/devise).
+Do not use such helpers for integration tests such as Cucumber or Webrat. Instead, fill in the form or explicitly set the user in session. For more tips, check the wiki (https://wiki.github.com/plataformatec/devise).
 
 === Omniauth
 
@@ -329,25 +331,35 @@ Devise supports ActiveRecord (default) and Mongoid. To choose other ORM, you jus
 
 Devise implements encryption strategies for Clearance, Authlogic and Restful-Authentication. To make use of these strategies, you need set the desired encryptor in the encryptor initializer config option and add :encryptable to your model. You might also need to rename your encrypted password and salt columns to match Devise's fields (encrypted_password and password_salt).
 
+== Troubleshooting
+
+=== Heroku
+
+Using devise on Heroku with Ruby on Rails 3.1 requires setting:
+
+  config.assets.initialize_on_precompile = false
+
+Read more about the potential issues at http://guides.rubyonrails.org/asset_pipeline.html
+
 == Additional information
 
 === Warden
 
 Devise is based on Warden, which is a general Rack authentication framework created by Daniel Neighman. We encourage you to read more about Warden here:
 
-http://github.com/hassox/warden
+https://github.com/hassox/warden
 
 === Contributors
 
 We have a long list of valued contributors. Check them all at:
 
-http://github.com/plataformatec/devise/contributors
+https://github.com/plataformatec/devise/contributors
 
 === Maintainers
 
-* José Valim (http://github.com/josevalim)
-* Carlos Antônio da Silva (http://github.com/carlosantoniodasilva)
+* José Valim (https://github.com/josevalim)
+* Carlos Antônio da Silva (https://github.com/carlosantoniodasilva)
 
 == License
 
-MIT License. Copyright 2010 Plataforma Tecnologia. http://blog.plataformatec.com.br
+MIT License. Copyright 2011 Plataforma Tecnologia. http://blog.plataformatec.com.br

data/app/controllers/devise/confirmations_controller.rb

@@ -11,8 +11,7 @@ class Devise::ConfirmationsController < ApplicationController
   def create
     self.resource = resource_class.send_confirmation_instructions(params[resource_name])
 
-    if successful_and_sane?(resource)
-      set_flash_message(:notice, :send_instructions) if is_navigational_format?
+    if successfully_sent?(resource)
       respond_with({}, :location => after_resending_confirmation_instructions_path_for(resource_name))
     else
       respond_with_navigational(resource){ render_with_scope :new }
@@ -41,7 +40,7 @@ class Devise::ConfirmationsController < ApplicationController
 
     # The path used after confirmation.
     def after_confirmation_path_for(resource_name, resource)
-      redirect_location(resource_name, resource)
+      after_sign_in_path_for(resource)
     end
 
 end

data/app/controllers/devise/passwords_controller.rb

@@ -12,8 +12,7 @@ class Devise::PasswordsController < ApplicationController
   def create
     self.resource = resource_class.send_reset_password_instructions(params[resource_name])
 
-    if successful_and_sane?(resource)
-      set_flash_message(:notice, :send_instructions) if is_navigational_format?
+    if successfully_sent?(resource)
       respond_with({}, :location => after_sending_reset_password_instructions_path_for(resource_name))
     else
       respond_with_navigational(resource){ render_with_scope :new }
@@ -35,7 +34,7 @@ class Devise::PasswordsController < ApplicationController
       flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
       set_flash_message(:notice, flash_message) if is_navigational_format?
       sign_in(resource_name, resource)
-      respond_with resource, :location => redirect_location(resource_name, resource)
+      respond_with resource, :location => after_sign_in_path_for(resource)
     else
       respond_with_navigational(resource){ render_with_scope :edit }
     end

data/app/controllers/devise/registrations_controller.rb

@@ -17,7 +17,7 @@ class Devise::RegistrationsController < ApplicationController
       if resource.active_for_authentication?
         set_flash_message :notice, :signed_up if is_navigational_format?
         sign_in(resource_name, resource)
-        respond_with resource, :location => redirect_location(resource_name, resource)
+        respond_with resource, :location => after_sign_up_path_for(resource)
       else
         set_flash_message :notice, :inactive_signed_up, :reason => inactive_reason(resource) if is_navigational_format?
         expire_session_data_after_sign_in!
@@ -83,11 +83,6 @@ class Devise::RegistrationsController < ApplicationController
       after_sign_in_path_for(resource)
     end
 
-    # Overwrite redirect_for_sign_in so it takes uses after_sign_up_path_for.
-    def redirect_location(scope, resource)
-      stored_location_for(scope) || after_sign_up_path_for(resource)
-    end
-
     # Returns the inactive reason translated.
     def inactive_reason(resource)
       reason = resource.inactive_message.to_s
@@ -103,13 +98,7 @@ class Devise::RegistrationsController < ApplicationController
     # The default url to be used after updating a resource. You need to overwrite
     # this method in your own RegistrationsController.
     def after_update_path_for(resource)
-      if defined?(super)
-        ActiveSupport::Deprecation.warn "Defining after_update_path_for in ApplicationController " <<
-          "is deprecated. Please add a RegistrationsController to your application and define it there."
-        super
-      else
-        after_sign_in_path_for(resource)
-      end
+      signed_in_root_path(resource)
     end
 
     # Authenticates the current scope and gets the current resource from the session.

data/app/controllers/devise/sessions_controller.rb

@@ -15,10 +15,10 @@ class Devise::SessionsController < ApplicationController
     resource = warden.authenticate!(:scope => resource_name, :recall => "#{controller_path}#new")
     set_flash_message(:notice, :signed_in) if is_navigational_format?
     sign_in(resource_name, resource)
-    respond_with resource, :location => redirect_location(resource_name, resource)
+    respond_with resource, :location => after_sign_in_path_for(resource)
   end
 
-  # GET /resource/sign_out
+  # DELETE /resource/sign_out
   def destroy
     signed_in = signed_in?(resource_name)
     Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)

data/app/controllers/devise/unlocks_controller.rb

@@ -12,8 +12,7 @@ class Devise::UnlocksController < ApplicationController
   def create
     self.resource = resource_class.send_unlock_instructions(params[resource_name])
 
-    if successful_and_sane?(resource)
-      set_flash_message :notice, :send_instructions if is_navigational_format?
+    if successfully_sent?(resource)
       respond_with({}, :location => new_session_path(resource_name))
     else
       respond_with_navigational(resource){ render_with_scope :new }
@@ -27,7 +26,7 @@ class Devise::UnlocksController < ApplicationController
     if resource.errors.empty?
       set_flash_message :notice, :unlocked if is_navigational_format?
       sign_in(resource_name, resource)
-      respond_with_navigational(resource){ redirect_to redirect_location(resource_name, resource) }
+      respond_with_navigational(resource){ redirect_to after_sign_in_path_for(resource) }
     else
       respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render_with_scope :new }
     end

data/config/locales/en.yml

@@ -1,4 +1,4 @@
-# Additional translations at http://github.com/plataformatec/devise/wiki/I18n
+# Additional translations at https://github.com/plataformatec/devise/wiki/I18n
 
 en:
   errors:

data/devise.gemspec

@@ -19,7 +19,7 @@ Gem::Specification.new do |s|
   s.executables   = `git ls-files -- bin/*`.split("\n").map{ |f| File.basename(f) }
   s.require_paths = ["lib"]
 
-  s.add_dependency("warden", "~> 1.0.3")
+  s.add_dependency("warden", "~> 1.1")
   s.add_dependency("orm_adapter", "~> 0.0.3")
   s.add_dependency("bcrypt-ruby", "~> 3.0")
 end

data/lib/devise.rb

@@ -6,10 +6,12 @@ require 'set'
 require 'securerandom'
 
 module Devise
-  autoload :FailureApp, 'devise/failure_app'
-  autoload :OmniAuth, 'devise/omniauth'
+  autoload :Delegator,   'devise/delegator'
+  autoload :FailureApp,  'devise/failure_app'
+  autoload :OmniAuth,    'devise/omniauth'
+  autoload :ParamFilter, 'devise/param_filter'
   autoload :PathChecker, 'devise/path_checker'
-  autoload :Schema, 'devise/schema'
+  autoload :Schema,      'devise/schema'
   autoload :TestHelpers, 'devise/test_helpers'
 
   module Controllers
@@ -407,7 +409,7 @@ module Devise
   # block.
   def self.configure_warden! #:nodoc:
     @@warden_configured ||= begin
-      warden_config.failure_app   = Devise::FailureApp
+      warden_config.failure_app   = Devise::Delegator.new
       warden_config.default_scope = Devise.default_scope
       warden_config.intercept_401 = false
 

data/lib/devise/controllers/helpers.rb

@@ -8,6 +8,13 @@ module Devise
         helper_method :warden, :signed_in?, :devise_controller?
       end
 
+      module ClassMethods
+        def log_process_action(payload)
+          payload[:status] ||= 401 unless payload[:exception]
+          super
+        end
+      end
+
       # Define authentication filters and accessor helpers based on mappings.
       # These filters should be used inside the controllers as before_filters,
       # so you can control the scope of the user who should be signed in to
@@ -37,11 +44,6 @@ module Devise
 
         class_eval <<-METHODS, __FILE__, __LINE__ + 1
           def authenticate_#{mapping}!(opts={})
-            if !opts.is_a?(Hash)
-              opts = { :force => opts }
-              ActiveSupport::Deprecation.warn "Passing a boolean to authenticate_#{mapping}! " \
-                "is deprecated, please use :force => \#{opts[:force]} instead", caller
-            end
             opts[:scope] = :#{mapping}
             warden.authenticate!(opts) if !devise_controller? || opts.delete(:force)
           end
@@ -86,7 +88,7 @@ module Devise
       # Return true if the given scope is signed in session. If no scope given, return
       # true if any scope is signed in. Does not run authentication hooks.
       def signed_in?(scope=nil)
-        [ scope || Devise.mappings.keys ].flatten.any? do |scope| 
+        [ scope || Devise.mappings.keys ].flatten.any? do |scope|
           warden.authenticate?(:scope => scope)
         end
       end
@@ -105,7 +107,7 @@ module Devise
       #   sign_in @user                             # sign_in(resource)
       #   sign_in @user, :event => :authentication  # sign_in(resource, options)
       #   sign_in @user, :bypass => true            # sign_in(resource, options)
-      # 
+      #
       def sign_in(resource_or_scope, *args)
         options  = args.extract_options!
         scope    = Devise::Mapping.find_scope!(resource_or_scope)
@@ -137,6 +139,7 @@ module Devise
         warden.user(scope) # Without loading user here, before_logout hook is not called
         warden.raw_session.inspect # Without this inspect here. The session does not clear.
         warden.logout(scope)
+        instance_variable_set(:"@current_#{scope}", nil)
       end
 
       # Sign out all active users or scopes. This helper is useful for signing out all roles
@@ -145,6 +148,7 @@ module Devise
         Devise.mappings.keys.each { |s| warden.user(s) }
         warden.raw_session.inspect
         warden.logout
+        expire_devise_cached_variables!
       end
 
       # Returns and delete the url stored in the session for the given scope. Useful
@@ -159,12 +163,21 @@ module Devise
         session.delete("#{scope}_return_to")
       end
 
+      # The scope root url to be used when he's signed in. By default, it first
+      # tries to find a resource_root_path, otherwise it uses the root_path.
+      def signed_in_root_path(resource_or_scope)
+        scope = Devise::Mapping.find_scope!(resource_or_scope)
+        home_path = "#{scope}_root_path"
+        respond_to?(home_path, true) ? send(home_path) : root_path
+      end
+
       # The default url to be used after signing in. This is used by all Devise
       # controllers and you can overwrite it in your ApplicationController to
       # provide a custom hook for a custom resource.
       #
-      # By default, it first tries to find a resource_root_path, otherwise it
-      # uses the root path. For a user scope, you can define the default url in
+      # By default, it first tries to find a valid resource_return_to key in the
+      # session, then it fallbacks to resource_root_path, otherwise it uses the
+      # root path. For a user scope, you can define the default url in
       # the following way:
       #
       #   map.user_root '/users', :controller => 'users' # creates user_root_path
@@ -173,22 +186,20 @@ module Devise
       #     user.root :controller => 'users' # creates user_root_path
       #   end
       #
-      #
       # If the resource root path is not defined, root_path is used. However,
       # if this default is not enough, you can customize it, for example:
       #
       #   def after_sign_in_path_for(resource)
-      #     if resource.is_a?(User) && resource.can_publish?
-      #       publisher_url
-      #     else
-      #       super
-      #     end
+      #     stored_location_for(resource) ||
+      #       if resource.is_a?(User) && resource.can_publish?
+      #         publisher_url
+      #       else
+      #         signed_in_root_path(resource)
+      #       end
       #   end
       #
       def after_sign_in_path_for(resource_or_scope)
-        scope = Devise::Mapping.find_scope!(resource_or_scope)
-        home_path = "#{scope}_root_path"
-        respond_to?(home_path, true) ? send(home_path) : root_path
+        stored_location_for(resource_or_scope) || signed_in_root_path(resource_or_scope)
       end
 
       # Method used by sessions controller to sign out a user. You can overwrite
@@ -209,11 +220,16 @@ module Devise
         scope    = Devise::Mapping.find_scope!(resource_or_scope)
         resource = args.last || resource_or_scope
         sign_in(scope, resource, options)
-        redirect_to redirect_location(scope, resource)
+        redirect_to after_sign_in_path_for(resource)
       end
 
       def redirect_location(scope, resource) #:nodoc:
-        stored_location_for(scope) || after_sign_in_path_for(resource)
+        ActiveSupport::Deprecation.warn "redirect_location in Devise is deprecated. Please use after_sign_in_path_for instead.", caller
+        after_sign_in_path_for(resource)
+      end
+
+      def expire_session_data_after_sign_in!
+        session.keys.grep(/^devise\./).each { |k| session.delete(k) }
       end
 
       # Sign out a user and tries to redirect to the url specified by
@@ -224,20 +240,20 @@ module Devise
         redirect_to after_sign_out_path_for(scope)
       end
 
-      # A hook called to expire session data after sign up/in. All keys
-      # stored under "devise." namespace are removed after sign in.
-      def expire_session_data_after_sign_in!
-        session.keys.grep(/^devise\./).each { |k| session.delete(k) }
-      end
-
       # Overwrite Rails' handle unverified request to sign out all scopes,
       # clear run strategies and remove cached variables.
       def handle_unverified_request
         sign_out_all_scopes
         warden.clear_strategies_cache!
-        Devise.mappings.each { |_,m| instance_variable_set("@current_#{m.name}", nil) }
+        expire_devise_cached_variables!
         super # call the default behaviour which resets the session
       end
+
+      private
+
+      def expire_devise_cached_variables!
+        Devise.mappings.each { |_,m| instance_variable_set("@current_#{m.name}", nil) }
+      end
     end
   end
 end