devise 2.1.0 → 2.1.2

data/CHANGELOG.rdoc

@@ -1,15 +1,46 @@
-== trunk (2.1.0.rc2)
+== 2.1.2
+
+* Enhancements
+  * Handle backwards incompatibility between Rails 3.2.6 and Thor 0.15.x
+
+* bug fix
+  * Fix regression on strategy validation on previous release
+
+== 2.1.1 (yanked)
 
 * enhancements
+  * `sign_out_all_scopes` now locks warden and does not allow new logins in the same action
+  * `Devise.omniauth_path_prefix` is available to configure omniauth path prefix
+  * Redirect to sign in page when trying to access password#edit without a token (by @gbataille)
+  * Allow a lambda in authenticate(d) routes helpers to further select the scope
+  * Removed warnings on Rails 3.2.6 (by @nashby)
+
+* bug fix
+  * `update_with_password` now relies on assign_attributes and forwards the :as option (by @wtn)
+  * Do not trigger timeout on sign in related actions
+  * Timeout does not explode when reset_authentication_token! is accidentally defined by Active Model (by @remomueller)
+
+* deprecations
+  * Strategy#validate() no longer validates nil resources
+
+== 2.1.0
+
+* enhancements
+  * Add `check_fields!(model_class)` method on Devise::Models to check if the model includes the fields that Devise uses
+  * Add `skip_reconfirmation!` to skip reconfirmation
   * Devise model generator now works with engines
   * Devise encryptable was moved to its new gem (http://github.com/plataformatec/devise-encryptable)
 
 * deprecations
   * Deprecations warnings added on Devise 2.0 are now removed with their features
-  * use_salt_as_remember_token and apply_schema does not have any effect since 2.0 and are now deprecated
-  * valid_for_authentication? must now return a boolean
+  * All devise modules should now have a `required_fields(klass)` module method to help gathering missing attributes
+  * `use_salt_as_remember_token` and `apply_schema` does not have any effect since 2.0 and are now deprecated
+  * `valid_for_authentication?` must now return a boolean
 
 * bug fix
+  * Ensure after sign in hook is not called without a resource
+  * Fix a term: now on Omniauth related flash messages, we say that we're authenticating from an omniauth provider instead of authorizing
+  * Fixed redirect when authenticated mounted apps (by @hakanensari)
   * Ensure the failure app still respects config.relative_url_root
   * `/users/sign_in` doesn't choke on protected attributes used to select sign in scope (by @Paymium)
   * `failed_attempts` is set to zero after any sign in (including via reset password) (by @rodrigoflores)
@@ -18,20 +49,6 @@
   * Better support for custom strategies on test helpers (by @mattconnolly)
   * Return `head :no_content` in SessionsController now that most JS libraries handle it (by @julianvargasalvarez)
 
-== 2.1.0.rc
-
-* enhancements
-  * Add check_fields! method on Devise::Models to check if the model includes the fields that Devise uses
-  * Add `skip_reconfirmation!` to skip reconfirmation
-
-* bug fix
-  * Ensure after sign in hook is not called without a resource
-  * Fix a term: now on Omniauth related flash messages, we say that we're authenticating from an omniauth provider instead of authorizing
-  * Fixed redirect when authenticated mounted apps (by @hakanensari)
-
-* deprecation
-  * All devise modules should have a required_fields(klass) module method to help gathering missing attributes
-
 == 2.0.4
 
 Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.0

data/Gemfile

@@ -2,7 +2,7 @@ source "http://rubygems.org"
 
 gemspec
 
-gem "rails", "~> 3.2.0"
+gem "rails", "~> 3.2.6"
 gem "omniauth", "~> 1.0.0"
 gem "omniauth-oauth2", "~> 1.0.0"
 gem "rdoc"

data/Gemfile.lock

@@ -1,44 +1,44 @@
 PATH
   remote: .
   specs:
-    devise (2.1.0)
+    devise (2.1.2)
       bcrypt-ruby (~> 3.0)
-      orm_adapter (~> 0.0.7)
+      orm_adapter (~> 0.1)
       railties (~> 3.1)
-      warden (~> 1.1.1)
+      warden (~> 1.2.1)
 
 GEM
   remote: http://rubygems.org/
   specs:
-    actionmailer (3.2.0)
-      actionpack (= 3.2.0)
-      mail (~> 2.4.0)
-    actionpack (3.2.0)
-      activemodel (= 3.2.0)
-      activesupport (= 3.2.0)
+    actionmailer (3.2.6)
+      actionpack (= 3.2.6)
+      mail (~> 2.4.4)
+    actionpack (3.2.6)
+      activemodel (= 3.2.6)
+      activesupport (= 3.2.6)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
-      journey (~> 1.0.0)
+      journey (~> 1.0.1)
       rack (~> 1.4.0)
-      rack-cache (~> 1.1)
+      rack-cache (~> 1.2)
       rack-test (~> 0.6.1)
-      sprockets (~> 2.1.2)
-    activemodel (3.2.0)
-      activesupport (= 3.2.0)
+      sprockets (~> 2.1.3)
+    activemodel (3.2.6)
+      activesupport (= 3.2.6)
       builder (~> 3.0.0)
-    activerecord (3.2.0)
-      activemodel (= 3.2.0)
-      activesupport (= 3.2.0)
-      arel (~> 3.0.0)
+    activerecord (3.2.6)
+      activemodel (= 3.2.6)
+      activesupport (= 3.2.6)
+      arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activeresource (3.2.0)
-      activemodel (= 3.2.0)
-      activesupport (= 3.2.0)
-    activesupport (3.2.0)
+    activeresource (3.2.6)
+      activemodel (= 3.2.6)
+      activesupport (= 3.2.6)
+    activesupport (3.2.6)
       i18n (~> 0.6)
       multi_json (~> 1.0)
     addressable (2.2.6)
-    arel (3.0.0)
+    arel (3.0.2)
     bcrypt-ruby (3.0.1)
     bson (1.5.1)
     bson_ext (1.3.1)
@@ -52,16 +52,16 @@ GEM
     hashie (1.2.0)
     hike (1.2.1)
     i18n (0.6.0)
-    journey (1.0.0)
-    json (1.6.5)
+    journey (1.0.4)
+    json (1.7.3)
     linecache (0.46)
       rbx-require-relative (> 0.0.4)
-    mail (2.4.1)
+    mail (2.4.4)
       i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     metaclass (0.0.1)
-    mime-types (1.17.2)
+    mime-types (1.18)
     mocha (0.10.0)
       metaclass (~> 0.0.1)
     mongo (1.3.1)
@@ -87,10 +87,10 @@ GEM
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
-    orm_adapter (0.0.7)
+    orm_adapter (0.1.0)
     polyglot (0.3.3)
     rack (1.4.1)
-    rack-cache (1.1)
+    rack-cache (1.2)
       rack (>= 0.4)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
@@ -99,21 +99,21 @@ GEM
       rack
     rack-test (0.6.1)
       rack (>= 1.0)
-    rails (3.2.0)
-      actionmailer (= 3.2.0)
-      actionpack (= 3.2.0)
-      activerecord (= 3.2.0)
-      activeresource (= 3.2.0)
-      activesupport (= 3.2.0)
+    rails (3.2.6)
+      actionmailer (= 3.2.6)
+      actionpack (= 3.2.6)
+      activerecord (= 3.2.6)
+      activeresource (= 3.2.6)
+      activesupport (= 3.2.6)
       bundler (~> 1.0)
-      railties (= 3.2.0)
-    railties (3.2.0)
-      actionpack (= 3.2.0)
-      activesupport (= 3.2.0)
+      railties (= 3.2.6)
+    railties (3.2.6)
+      actionpack (= 3.2.6)
+      activesupport (= 3.2.6)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
-      thor (~> 0.14.6)
+      thor (>= 0.14.6, < 2.0)
     rake (0.9.2.2)
     rbx-require-relative (0.0.5)
     rdoc (3.12)
@@ -124,18 +124,18 @@ GEM
     ruby-debug-base (0.10.4)
       linecache (>= 0.3)
     ruby-openid (2.1.8)
-    sprockets (2.1.2)
+    sprockets (2.1.3)
       hike (~> 1.2)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
     sqlite3 (1.3.5)
-    thor (0.14.6)
+    thor (0.15.2)
     tilt (1.3.3)
     treetop (1.4.10)
       polyglot
       polyglot (>= 0.3.1)
-    tzinfo (0.3.31)
-    warden (1.1.1)
+    tzinfo (0.3.33)
+    warden (1.2.1)
       rack (>= 1.0)
     webrat (0.7.2)
       nokogiri (>= 1.2.0)
@@ -158,7 +158,7 @@ DEPENDENCIES
   omniauth-facebook
   omniauth-oauth2 (~> 1.0.0)
   omniauth-openid (~> 1.0.1)
-  rails (~> 3.2.0)
+  rails (~> 3.2.6)
   rdoc
   ruby-debug (>= 0.10.3)
   sqlite3

data/README.md

@@ -1,12 +1,10 @@
 *IMPORTANT:* Devise 2.1 is out. If you are upgrading, please read: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.1
 
-*IMPORTANT:* Devise 2.0 is out. If you are upgrading, please read: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.0
-
 ## Devise
 
 INFO: This README is [also available in a friendly navigable format](http://devise.plataformatec.com.br/).
 
-[![Build Status](https://secure.travis-ci.org/plataformatec/devise.png)](http://travis-ci.org/plataformatec/devise)
+[![Build Status](https://secure.travis-ci.org/plataformatec/devise.png)](http://travis-ci.org/plataformatec/devise) [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/plataformatec/devise)
 
 Devise is a flexible authentication solution for Rails based on Warden. It:
 
@@ -15,11 +13,11 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 * Allows you to have multiple roles (or models/scopes) signed in at the same time;
 * Is based on a modularity concept: use just what you really need.
 
-It's comprised of 12 modules:
+It's composed of 12 modules:
 
 * [Database Authenticatable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/DatabaseAuthenticatable): encrypts and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
 * [Token Authenticatable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/TokenAuthenticatable): signs in a user based on an authentication token (also known as "single access token"). The token can be given both through query string or HTTP Basic Authentication.
-* [Omniauthable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Omniauthable): adds Omniauth (github.com/intridea/omniauth) support;
+* [Omniauthable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Omniauthable): adds Omniauth (https://github.com/intridea/omniauth) support;
 * [Confirmable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Confirmable): sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in.
 * [Recoverable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Recoverable): resets the user password and sends reset instructions.
 * [Registerable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Registerable): handles signing up users through a registration process, also allowing them to edit and destroy their account.
@@ -306,17 +304,7 @@ https://github.com/plataformatec/devise/wiki/I18n
 
 ### Test helpers
 
-Devise includes some tests helpers for functional specs. To use them, you just need to include Devise::TestHelpers in your test class and use the sign_in and sign_out method. Such methods have the same signature as in controllers:
-
-```ruby
-sign_in :user, @user   # sign_in(scope, resource)
-sign_in @user          # sign_in(resource)
-
-sign_out :user         # sign_out(scope)
-sign_out @user         # sign_out(resource)
-```
-
-You can include the Devise Test Helpers in all of your tests by adding the following to the bottom of your test/test_helper.rb file:
+Devise includes some tests helpers for functional specs. In other to use them, you need to include Devise in your functional tests by adding the following to the bottom of your `test/test_helper.rb` file:
 
 ```ruby
 class ActionController::TestCase
@@ -324,7 +312,7 @@ class ActionController::TestCase
 end
 ```
 
-If you're using RSpec and want the helpers automatically included within all `describe` blocks, add a file called spec/support/devise.rb with the following contents:
+If you're using RSpec, you can put the following inside a file named `spec/support/devise.rb`:
 
 ```ruby
 RSpec.configure do |config|
@@ -332,7 +320,24 @@ RSpec.configure do |config|
 end
 ```
 
-Do not use such helpers for integration tests such as Cucumber or Webrat. Instead, fill in the form or explicitly set the user in session. For more tips, check the wiki (https://wiki.github.com/plataformatec/devise).
+Now you are ready to use the `sign_in` and `sign_out` methods. Such methods have the same signature as in controllers:
+
+```ruby
+sign_in :user, @user   # sign_in(scope, resource)
+sign_in @user          # sign_in(resource)
+
+sign_out :user         # sign_out(scope)
+sign_out @user         # sign_out(resource)
+```
+
+There are two things that is important to keep in mind:
+
+1) These helpers are not going to work for integration tests driven by Capybara or Webrat. They are meant to be used with functional tests only. Instead, fill in the form or explicitly set the user in session;
+
+2) If you are testing Devise internal controllers or a controller that inherits from Devise's, you need to tell Devise which mapping should be used before a request. This is necessary because Devise gets this information from router, but since functional tests do not pass through the router, it needs to be told explicitly. For example, if you are testing the user scope, simply do:
+
+    @request.env["devise.mapping"] = Devise.mappings[:user]
+    get :new
 
 ### Omniauth
 

data/Rakefile

@@ -29,6 +29,6 @@ Rake::RDocTask.new(:rdoc) do |rdoc|
   rdoc.rdoc_dir = 'rdoc'
   rdoc.title    = 'Devise'
   rdoc.options << '--line-numbers' << '--inline-source'
-  rdoc.rdoc_files.include('README.rdoc')
+  rdoc.rdoc_files.include('README.md')
   rdoc.rdoc_files.include('lib/**/*.rb')
 end

data/app/controllers/devise/omniauth_callbacks_controller.rb

@@ -1,4 +1,10 @@
 class Devise::OmniauthCallbacksController < DeviseController
+  prepend_before_filter { request.env["devise.skip_timeout"] = true }
+
+  def passthru
+    render :status => 404, :text => "Not found. Authentication passthru."
+  end
+
   def failure
     set_flash_message :alert, :failure, :kind => failed_strategy.name.to_s.humanize, :reason => failure_message
     redirect_to after_omniauth_failure_path_for(resource_name)

data/app/controllers/devise/passwords_controller.rb

@@ -1,5 +1,7 @@
 class Devise::PasswordsController < DeviseController
   prepend_before_filter :require_no_authentication
+  # Render the #edit only if coming from a reset password email link
+  append_before_filter :assert_reset_token_passed, :only => :edit
 
   # GET /resource/password/new
   def new
@@ -44,4 +46,11 @@ class Devise::PasswordsController < DeviseController
       new_session_path(resource_name)
     end
 
+    # Check if a reset_password_token is provided in the request
+    def assert_reset_token_passed
+      if params[:reset_password_token].blank?
+        set_flash_message(:error, :no_token)
+        redirect_to new_session_path(resource_name)
+      end
+    end
 end

data/app/controllers/devise/sessions_controller.rb

@@ -1,6 +1,7 @@
 class Devise::SessionsController < DeviseController
   prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
   prepend_before_filter :allow_params_authentication!, :only => :create
+  prepend_before_filter { request.env["devise.skip_timeout"] = true }
 
   # GET /resource/sign_in
   def new

data/app/controllers/devise_controller.rb

@@ -43,8 +43,11 @@ class DeviseController < Devise.parent_controller.constantize
   end
 
   # Override prefixes to consider the scoped view.
+  # Notice we need to check for the request due to a bug in
+  # Action Controller tests that forces _prefixes to be
+  # loaded before even having a request object.
   def _prefixes #:nodoc:
-    @_prefixes ||= if self.class.scoped_views? && devise_mapping
+    @_prefixes ||= if self.class.scoped_views? && request && devise_mapping
       super.unshift("#{devise_mapping.scoped_path}/#{controller_name}")
     else
       super
@@ -59,11 +62,19 @@ class DeviseController < Devise.parent_controller.constantize
   def assert_is_devise_resource! #:nodoc:
     unknown_action! <<-MESSAGE unless devise_mapping
 Could not find devise mapping for path #{request.fullpath.inspect}.
-Maybe you forgot to wrap your route inside the scope block? For example:
+This may happen for two reasons:
+
+1) You forgot to wrap your route inside the scope block. For example:
+
+  devise_scope :user do
+    match "/some/route" => "some_devise_controller"
+  end
+
+2) You are testing a Devise controller bypassing the router.
+   If so, you can explicitly tell Devise which mapping to use:
+   
+   @request.env["devise.mapping"] = Devise.mappings[:user]
 
-devise_scope :user do
-  match "/some/route" => "some_devise_controller"
-end
 MESSAGE
   end
 

data/app/views/devise/confirmations/new.html.erb

@@ -9,4 +9,4 @@
   <div><%= f.submit "Resend confirmation instructions" %></div>
 <% end %>
 
-<%= render :partial => "devise/shared/links" %>
+<%= render "devise/shared/links" %>

data/app/views/devise/passwords/edit.html.erb

@@ -13,4 +13,4 @@
   <div><%= f.submit "Change my password" %></div>
 <% end %>
 
-<%= render :partial => "devise/shared/links" %>
+<%= render "devise/shared/links" %>

data/app/views/devise/passwords/new.html.erb

@@ -9,4 +9,4 @@
   <div><%= f.submit "Send me reset password instructions" %></div>
 <% end %>
 
-<%= render :partial => "devise/shared/links" %>
+<%= render "devise/shared/links" %>

data/app/views/devise/registrations/edit.html.erb

@@ -20,6 +20,6 @@
 
 <h3>Cancel my account</h3>
 
-<p>Unhappy? <%= link_to "Cancel my account", registration_path(resource_name), :confirm => "Are you sure?", :method => :delete %>.</p>
+<p>Unhappy? <%= link_to "Cancel my account", registration_path(resource_name), :data => { :confirm => "Are you sure?" }, :method => :delete %>.</p>
 
 <%= link_to "Back", :back %>

data/app/views/devise/registrations/new.html.erb

@@ -15,4 +15,4 @@
   <div><%= f.submit "Sign up" %></div>
 <% end %>
 
-<%= render :partial => "devise/shared/links" %>
+<%= render "devise/shared/links" %>