RubyGems - devise - Versions diffs - 2.2.5 → 2.2.6 - Mend

devise 2.2.5 → 2.2.6

Potentially problematic release.

This version of devise might be problematic. Click here for more details.

Files changed (11) hide show

data/CHANGELOG.rdoc +5 -0
data/Gemfile.lock +3 -3
data/gemfiles/Gemfile.rails-3.1.x.lock +3 -3
data/lib/devise/controllers/rememberable.rb +1 -0
data/lib/devise/rails/warden_compat.rb +9 -2
data/lib/devise/version.rb +1 -1
data/test/controllers/helpers_test.rb +1 -1
data/test/integration/authenticatable_test.rb +1 -1
data/test/integration/http_authenticatable_test.rb +1 -1
data/test/integration/rememberable_test.rb +15 -13
metadata +24 -25

data/CHANGELOG.rdoc CHANGED

@@ -1,3 +1,8 @@
+== 2.2.6
+* bug fix
+  * Skip storage for cookies on unverified requests
 == 2.2.5
 * bug fix

data/Gemfile.lock CHANGED

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (2.2.4)
+    devise (2.2.6)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (~> 3.1)
@@ -38,7 +38,7 @@ GEM
       i18n (= 0.6.1)
       multi_json (~> 1.0)
     arel (3.0.2)
-    bcrypt-ruby (3.0.1)
+    bcrypt-ruby (3.1.1)
     builder (3.0.4)
     erubis (2.7.0)
     faraday (0.8.7)
@@ -129,7 +129,7 @@ GEM
       polyglot
       polyglot (>= 0.3.1)
     tzinfo (0.3.37)
-    warden (1.2.1)
+    warden (1.2.3)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)

data/gemfiles/Gemfile.rails-3.1.x.lock CHANGED

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    devise (2.2.4)
+    devise (2.2.6)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (~> 3.1)
@@ -39,7 +39,7 @@ GEM
     activesupport (3.1.12)
       multi_json (~> 1.0)
     arel (2.2.3)
-    bcrypt-ruby (3.0.1)
+    bcrypt-ruby (3.1.1)
     builder (3.0.4)
     columnize (0.3.6)
     erubis (2.7.0)
@@ -139,7 +139,7 @@ GEM
       polyglot
       polyglot (>= 0.3.1)
     tzinfo (0.3.37)
-    warden (1.2.1)
+    warden (1.2.3)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)

data/lib/devise/controllers/rememberable.rb CHANGED

@@ -21,6 +21,7 @@ module Devise
       # Remembers the given resource by setting up a cookie
       def remember_me(resource)
+        return if env["devise.skip_storage"]
         scope = Devise::Mapping.find_scope!(resource)
         resource.remember_me!(resource.extend_remember_period)
         cookies.signed[remember_key(resource, scope)] = remember_cookie_values(resource)

data/lib/devise/rails/warden_compat.rb CHANGED

@@ -3,9 +3,16 @@ module Warden::Mixins::Common
     @request ||= ActionDispatch::Request.new(env)
   end
-  # This is called internally by Warden on logout
+  NULL_STORE =
+    defined?(ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash) ?
+      ActionController::RequestForgeryProtection::ProtectionMethods::NullSession::NullSessionHash : nil
   def reset_session!
-    request.reset_session
+    # Calling reset_session on NULL_STORE causes it fail.
+    # This is a bug that needs to be fixed in Rails.
+    unless NULL_STORE && request.session.is_a?(NULL_STORE)
+      request.reset_session
+    end
   end
   def cookies

data/lib/devise/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "2.2.5".freeze
+  VERSION = "2.2.6".freeze
 end

data/test/controllers/helpers_test.rb CHANGED

@@ -202,7 +202,7 @@ class ControllerAuthenticatableTest < ActionController::TestCase
   test 'sign in and redirect uses the stored location' do
     user = User.new
-    @controller.session[:"user_return_to"] = "/foo.bar"
+    @controller.session[:user_return_to] = "/foo.bar"
     @mock_warden.expects(:user).with(:user).returns(nil)
     @mock_warden.expects(:set_user).with(user, :scope => :user).returns(true)
     @controller.expects(:redirect_to).with("/foo.bar")

data/test/integration/authenticatable_test.rb CHANGED

@@ -433,7 +433,7 @@ end
 class AuthenticationOthersTest < ActionDispatch::IntegrationTest
   test 'handles unverified requests gets rid of caches' do
-    swap UsersController, :allow_forgery_protection => true do
+    swap ApplicationController, :allow_forgery_protection => true do
       post exhibit_user_url(1)
       assert_not warden.authenticated?(:user)

data/test/integration/http_authenticatable_test.rb CHANGED

@@ -2,7 +2,7 @@ require 'test_helper'
 class HttpAuthenticationTest < ActionDispatch::IntegrationTest
   test 'handles unverified requests gets rid of caches but continues signed in' do
-    swap UsersController, :allow_forgery_protection => true do
+    swap ApplicationController, :allow_forgery_protection => true do
       create_user
       post exhibit_user_url(1), {}, "HTTP_AUTHORIZATION" => "Basic #{Base64.encode64("user@test.com:12345678")}"
       assert warden.authenticated?(:user)

data/test/integration/rememberable_test.rb CHANGED

@@ -30,8 +30,8 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     assert_nil request.cookies["remember_user_cookie"]
   end
-  test 'handles unverified requests gets rid of caches' do
-    swap UsersController, :allow_forgery_protection => true do
+  test 'handle unverified requests gets rid of caches' do
+    swap ApplicationController, :allow_forgery_protection => true do
       post exhibit_user_url(1)
       assert_not warden.authenticated?(:user)
@@ -42,9 +42,21 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     end
   end
+  test 'handle unverified requests does not create cookies on sign in' do
+    swap ApplicationController, :allow_forgery_protection => true do
+      get new_user_session_path
+      assert request.session[:_csrf_token]
+      post user_session_path, :authenticity_token => "oops", :user =>
+           { :email => "jose.valim@gmail.com", :password => "123456", :remember_me => "1" }
+      assert_not warden.authenticated?(:user)
+      assert_not request.cookies['remember_user_token']
+    end
+  end
   test 'generate remember token after sign in' do
     sign_in_as_user :remember_me => true
-    assert request.cookies["remember_user_token"]
+    assert request.cookies['remember_user_token']
   end
   test 'generate remember token after sign in setting cookie options' do
@@ -90,16 +102,6 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     assert_redirected_to root_path
   end
-  test 'cookies are destroyed on unverified requests' do
-    swap ApplicationController, :allow_forgery_protection => true do
-      create_user_and_remember
-      get users_path
-      assert warden.authenticated?(:user)
-      post root_path, :authenticity_token => 'INVALID'
-      assert_not warden.authenticated?(:user)
-    end
-  end
   test 'does not extend remember period through sign in' do
     swap Devise, :extend_remember_period => true, :remember_for => 1.year do
       user = create_user

metadata CHANGED

@@ -1,8 +1,8 @@
 --- !ruby/object:Gem::Specification
 name: devise
 version: !ruby/object:Gem::Version
+  version: 2.2.6
   prerelease:
-  version: 2.2.5
 platform: ruby
 authors:
 - José Valim
@@ -10,72 +10,72 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-08-02 00:00:00.000000000 Z
+date: 2013-08-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
-  version_requirements: !ruby/object:Gem::Requirement
+  name: warden
+  requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: 1.2.1
-    none: false
-  name: warden
   type: :runtime
   prerelease: false
-  requirement: !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: 1.2.1
-    none: false
 - !ruby/object:Gem::Dependency
-  version_requirements: !ruby/object:Gem::Requirement
+  name: orm_adapter
+  requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '0.1'
-    none: false
-  name: orm_adapter
   type: :runtime
   prerelease: false
-  requirement: !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '0.1'
-    none: false
 - !ruby/object:Gem::Dependency
-  version_requirements: !ruby/object:Gem::Requirement
+  name: bcrypt-ruby
+  requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '3.0'
-    none: false
-  name: bcrypt-ruby
   type: :runtime
   prerelease: false
-  requirement: !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '3.0'
-    none: false
 - !ruby/object:Gem::Dependency
-  version_requirements: !ruby/object:Gem::Requirement
+  name: railties
+  requirement: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '3.1'
-    none: false
-  name: railties
   type: :runtime
   prerelease: false
-  requirement: !ruby/object:Gem::Requirement
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
         version: '3.1'
-    none: false
 description: Flexible authentication solution for Rails with Warden
 email: contact@plataformatec.com.br
 executables: []
@@ -301,17 +301,17 @@ rdoc_options: []
 require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
-  none: false
 required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
   requirements:
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
-  none: false
 requirements: []
 rubyforge_project: devise
 rubygems_version: 1.8.23
@@ -427,4 +427,3 @@ test_files:
 - test/test_helper.rb
 - test/test_helpers_test.rb
 - test/test_models.rb
-has_rdoc: