devise 2.2.8 → 3.0.0.rc

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 24879e2076bf59ff1858c4127a2160531fc36db0
+  data.tar.gz: a2999767bbfb525a1c54dc89b28123cf0b1754a2
+SHA512:
+  metadata.gz: 67c36076ebacd8fa889c34ad979d64f1559f88fda310c9ed485bc6b8cf9c8028249784042fa1cce4685050f2d8ae00fac648bc93272a9ae0aa2a5b37e589fd23
+  data.tar.gz: 34a6913c9ab6c546e8867d53b5573d606bf895cf194fe107375dc61dd5597635dd434bd92cb0095dfe51fd183b0f2310ee060b7eb6a27bb46bf3612522963f5a

data/.travis.yml

@@ -1,28 +1,13 @@
 language: ruby
 script: "bundle exec rake test"
 rvm:
-  - 1.8.7
-  - 1.9.2
   - 1.9.3
+  - 2.0.0
 env:
   - DEVISE_ORM=mongoid
   - DEVISE_ORM=active_record
-matrix:
-  exclude:
-    - rvm: 1.8.7
-      env: DEVISE_ORM=mongoid
-      gemfile: Gemfile
-    - rvm: 1.8.7
-      env: DEVISE_ORM=mongoid
-      gemfile: gemfiles/Gemfile.rails-3.1.x
-    - rvm: 1.9.2
-      env: DEVISE_ORM=mongoid
-      gemfile: Gemfile
-    - rvm: 1.9.2
-      env: DEVISE_ORM=mongoid
-      gemfile: gemfiles/Gemfile.rails-3.1.x
 gemfile:
-  - gemfiles/Gemfile.rails-3.1.x
+  - gemfiles/Gemfile.rails-3.2.x
   - Gemfile
 services:
   - mongodb

data/CHANGELOG.rdoc

@@ -1,24 +1,8 @@
-== 2.2.8
+== 3.0.0.rc
 
-Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
-
-* bug fix
-  * Avoid e-mail enumeration on sign in when in paranoid mode
-
-== 2.2.7
-
-* bug fix
-  * Do not confirm account after reset password
-
-== 2.2.6
-
-* bug fix
-  * Skip storage for cookies on unverified requests
-
-== 2.2.5
-
-* bug fix
-  * Clean up CSRF token after authentication (by @homakov). Notice this change will clean up the CSRF Token after authentication (sign in, sign up, etc). So if you are using AJAX for such features, you will need to fetch a new CSRF token from the server.
+* enhancements
+  * Rails 4 and Strong Parameters compatibility. (@carlosantoniodasilva, @josevalim, @latortuga, @lucasmazza, @nashby, @rafaelfranca, @spastorino)
+  * Drop support for Rails < 3.2 and Ruby < 1.9.3.
 
 == 2.2.4
 

data/Gemfile

@@ -2,7 +2,7 @@ source "https://rubygems.org"
 
 gemspec
 
-gem "rails", "~> 3.2.6"
+gem "rails", "~> 4.0.0.rc1"
 gem "omniauth", "~> 1.0.0"
 gem "omniauth-oauth2", "~> 1.0.0"
 gem "rdoc"
@@ -24,9 +24,8 @@ platforms :ruby do
   gem "sqlite3"
 end
 
-
-platforms :mri_19 do
+platforms :mri_19, :mri_20 do
   group :mongoid do
-    gem "mongoid", "~> 3.0"
+    gem "mongoid", github: "mongoid/mongoid", branch: "master"
   end
 end

data/Gemfile.lock

@@ -1,53 +1,61 @@
+GIT
+  remote: git://github.com/mongoid/mongoid.git
+  revision: fe7f43430580860db6d1d89cea27eda24ab60ab1
+  branch: master
+  specs:
+    mongoid (4.0.0)
+      activemodel (~> 4.0.0.rc1)
+      moped (~> 1.4.2)
+      origin (~> 1.0)
+      tzinfo (~> 0.3.22)
+
 PATH
   remote: .
   specs:
-    devise (2.2.8)
+    devise (3.0.0.rc)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (~> 3.1)
+      railties (>= 3.2.6, < 5)
       warden (~> 1.2.1)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (3.2.13)
-      actionpack (= 3.2.13)
+    actionmailer (4.0.0.rc1)
+      actionpack (= 4.0.0.rc1)
       mail (~> 2.5.3)
-    actionpack (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
-      builder (~> 3.0.0)
+    actionpack (4.0.0.rc1)
+      activesupport (= 4.0.0.rc1)
+      builder (~> 3.1.0)
       erubis (~> 2.7.0)
-      journey (~> 1.0.4)
-      rack (~> 1.4.5)
-      rack-cache (~> 1.2)
-      rack-test (~> 0.6.1)
-      sprockets (~> 2.2.1)
-    activemodel (3.2.13)
-      activesupport (= 3.2.13)
-      builder (~> 3.0.0)
-    activerecord (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
-      arel (~> 3.0.2)
-      tzinfo (~> 0.3.29)
-    activeresource (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
-    activesupport (3.2.13)
-      i18n (= 0.6.1)
-      multi_json (~> 1.0)
-    arel (3.0.2)
-    bcrypt-ruby (3.1.2)
-    builder (3.0.4)
+      rack (~> 1.5.2)
+      rack-test (~> 0.6.2)
+    activemodel (4.0.0.rc1)
+      activesupport (= 4.0.0.rc1)
+      builder (~> 3.1.0)
+    activerecord (4.0.0.rc1)
+      activemodel (= 4.0.0.rc1)
+      activerecord-deprecated_finders (~> 1.0.2)
+      activesupport (= 4.0.0.rc1)
+      arel (~> 4.0.0)
+    activerecord-deprecated_finders (1.0.2)
+    activesupport (4.0.0.rc1)
+      i18n (~> 0.6, >= 0.6.4)
+      minitest (~> 4.2)
+      multi_json (~> 1.3)
+      thread_safe (~> 0.1)
+      tzinfo (~> 0.3.37)
+    arel (4.0.0)
+    atomic (1.1.8)
+    bcrypt-ruby (3.0.1)
+    builder (3.1.4)
     erubis (2.7.0)
     faraday (0.8.7)
       multipart-post (~> 1.1)
     hashie (1.2.0)
     hike (1.2.2)
     httpauth (0.2.0)
-    i18n (0.6.1)
-    journey (1.0.4)
+    i18n (0.6.4)
     json (1.7.7)
     jwt (0.1.8)
       multi_json (>= 1.5)
@@ -56,14 +64,10 @@ GEM
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     metaclass (0.0.1)
-    mime-types (1.22)
+    mime-types (1.23)
+    minitest (4.7.4)
     mocha (0.13.3)
       metaclass (~> 0.0.1)
-    mongoid (3.1.2)
-      activemodel (~> 3.2)
-      moped (~> 1.4.2)
-      origin (~> 1.0)
-      tzinfo (~> 0.3.22)
     moped (1.4.5)
     multi_json (1.7.2)
     multipart-post (1.2.0)
@@ -85,51 +89,51 @@ GEM
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
-    origin (1.0.11)
+    origin (1.1.0)
     orm_adapter (0.4.0)
     polyglot (0.3.3)
-    rack (1.4.5)
-    rack-cache (1.2)
-      rack (>= 0.4)
+    rack (1.5.2)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
-    rack-ssl (1.3.3)
-      rack
     rack-test (0.6.2)
       rack (>= 1.0)
-    rails (3.2.13)
-      actionmailer (= 3.2.13)
-      actionpack (= 3.2.13)
-      activerecord (= 3.2.13)
-      activeresource (= 3.2.13)
-      activesupport (= 3.2.13)
-      bundler (~> 1.0)
-      railties (= 3.2.13)
-    railties (3.2.13)
-      actionpack (= 3.2.13)
-      activesupport (= 3.2.13)
-      rack-ssl (~> 1.3.2)
+    rails (4.0.0.rc1)
+      actionmailer (= 4.0.0.rc1)
+      actionpack (= 4.0.0.rc1)
+      activerecord (= 4.0.0.rc1)
+      activesupport (= 4.0.0.rc1)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.0.0.rc1)
+      sprockets-rails (~> 2.0.0.rc4)
+    railties (4.0.0.rc1)
+      actionpack (= 4.0.0.rc1)
+      activesupport (= 4.0.0.rc1)
       rake (>= 0.8.7)
-      rdoc (~> 3.4)
-      thor (>= 0.14.6, < 2.0)
+      thor (>= 0.18.1, < 2.0)
     rake (10.0.4)
-    rdoc (3.12.2)
+    rdoc (4.0.1)
       json (~> 1.4)
     ruby-openid (2.2.3)
-    sprockets (2.2.2)
+    sprockets (2.9.3)
       hike (~> 1.2)
       multi_json (~> 1.0)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
+    sprockets-rails (2.0.0.rc4)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (~> 2.8)
     sqlite3 (1.3.7)
     thor (0.18.1)
-    tilt (1.3.7)
+    thread_safe (0.1.0)
+      atomic
+    tilt (1.4.0)
     treetop (1.4.12)
       polyglot
       polyglot (>= 0.3.1)
     tzinfo (0.3.37)
-    warden (1.2.3)
+    warden (1.2.1)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -145,12 +149,12 @@ DEPENDENCIES
   devise!
   jruby-openssl
   mocha (~> 0.13.1)
-  mongoid (~> 3.0)
+  mongoid!
   omniauth (~> 1.0.0)
   omniauth-facebook
   omniauth-oauth2 (~> 1.0.0)
   omniauth-openid (~> 1.0.1)
-  rails (~> 3.2.6)
+  rails (~> 4.0.0.rc1)
   rdoc
   sqlite3
   webrat (= 0.7.3)

data/README.md

@@ -57,7 +57,7 @@ You can view the Devise documentation in RDoc format here:
 
 http://rubydoc.info/github/plataformatec/devise/master/frames
 
-If you need to use Devise with Rails 2.3, you can always run "gem server" from the command line after you install the gem to access the old documentation.
+If you need to use Devise with previous versions of Rails, you can always run "gem server" from the command line after you install the gem to access the old documentation.
 
 ### Example applications
 
@@ -90,7 +90,7 @@ Once you have solidified your understanding of Rails and authentication mechanis
 
 ## Getting started
 
-Devise 2.0 works with Rails 3.1 onwards. You can add it to your Gemfile with:
+Devise 3.0 works with Rails 3.2 onwards. You can add it to your Gemfile with:
 
 ```ruby
 gem 'devise'
@@ -143,7 +143,7 @@ user_session
 After signing in a user, confirming the account or updating the password, Devise will look for a scoped root path to redirect. Example: For a :user resource, it will use `user_root_path` if it exists, otherwise default `root_path` will be used. This means that you need to set the root inside your routes:
 
 ```ruby
-root :to => "home#index"
+root to: "home#index"
 ```
 
 You can also overwrite `after_sign_in_path_for` and `after_sign_out_path_for` to customize your redirect hooks.
@@ -176,34 +176,31 @@ devise :database_authenticatable, :registerable, :confirmable, :recoverable, :st
 
 Besides :stretches, you can define :pepper, :encryptor, :confirm_within, :remember_for, :timeout_in, :unlock_in and other values. For details, see the initializer file that was created when you invoked the "devise:install" generator described above.
 
-### Configuring multiple models
+### Strong Parameters
 
-Devise allows you to set up as many roles as you want. For example, you may have a User model and also want an Admin model with just authentication and timeoutable features. If so, just follow these steps:
+When you customize your own views, you may end up adding new attributes to forms. Rails 4 moved the parameter sanitization from the model to the controller, causing Devise to handle this concern at the controller as well.
 
-```ruby
-# Create a migration with the required fields
-create_table :admins do |t|
-  t.string :email
-  t.string :encrypted_password
-  t.timestamps
-end
+There are just three actions in Devise that allows any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and the permited parameters by default are:
 
-# Inside your Admin model
-devise :database_authenticatable, :timeoutable
+* `sign_in` (`Devise::SessionsController#new`) - Permits only the authentication keys (like `email`)
+* `sign_up` (`Devise::RegistrationsController#create`) - Permits authentication keys plus `password` and `password_confirmation`
+* `account_update` (`Devise::RegistrationsController#update`) - Permits authentication keys plus `password`, `password_confirmation` and `current_password`
 
-# Inside your routes
-devise_for :admins
+In case you want to customize the permitted parameters (the lazy way™) you can do with a simple before filter in your `ApplicationController`:
 
-# Inside your protected controller
-before_filter :authenticate_admin!
+```ruby
+class ApplicationController < ActionController::Base
+  before_filter :configure_permitted_parameters, if: :devise_controller?
 
-# Inside your controllers and views
-admin_signed_in?
-current_admin
-admin_session
+  protected
+
+  def configure_permitted_parameters
+    devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:username, :email) }
+  end
+end
 ```
 
-On the other hand, you can simply run the generator!
+The example above overrides the permitted parameters for the user to be both `:username` and `:email`. The non-lazy way to configure parameters would be by defining the before filter above in a custom controller. We detail how to configure and customize controllers in some sections below.
 
 ### Configuring views
 
@@ -353,15 +350,40 @@ You can read more about Omniauth support in the wiki:
 
 * https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
 
-### Other ORMs
+### Configuring multiple models
 
-Devise supports ActiveRecord (default) and Mongoid. To choose other ORM, you just need to require it in the initializer file.
+Devise allows you to set up as many roles as you want. For example, you may have a User model and also want an Admin model with just authentication and timeoutable features. If so, just follow these steps:
 
-### Migrating from other solutions
+```ruby
+# Create a migration with the required fields
+create_table :admins do |t|
+  t.string :email
+  t.string :encrypted_password
+  t.timestamps
+end
+
+# Inside your Admin model
+devise :database_authenticatable, :timeoutable
+
+# Inside your routes
+devise_for :admins
+
+# Inside your protected controller
+before_filter :authenticate_admin!
 
-Devise implements encryption strategies for Clearance, Authlogic and Restful-Authentication. To make use of these strategies, you need set the desired encryptor in the encryptor initializer config option and add :encryptable to your model. You might also need to rename your encrypted password and salt columns to match Devise's fields (encrypted_password and password_salt).
+# Inside your controllers and views
+admin_signed_in?
+current_admin
+admin_session
+```
+
+On the other hand, you can simply run the generator!
 
-## Troubleshooting
+### Other ORMs
+
+Devise supports ActiveRecord (default) and Mongoid. To choose other ORM, you just need to require it in the initializer file.
+
+## Additional information
 
 ### Heroku
 
@@ -373,8 +395,6 @@ config.assets.initialize_on_precompile = false
 
 Read more about the potential issues at http://guides.rubyonrails.org/asset_pipeline.html
 
-## Additional information
-
 ### Warden
 
 Devise is based on Warden, which is a general Rack authentication framework created by Daniel Neighman. We encourage you to read more about Warden here:

data/app/controllers/devise/confirmations_controller.rb

@@ -1,7 +1,7 @@
 class Devise::ConfirmationsController < DeviseController
   # GET /resource/confirmation/new
   def new
-    build_resource({})
+    self.resource = resource_class.new
   end
 
   # POST /resource/confirmation
@@ -39,5 +39,4 @@ class Devise::ConfirmationsController < DeviseController
     def after_confirmation_path_for(resource_name, resource)
       after_sign_in_path_for(resource)
     end
-
 end

data/app/controllers/devise/passwords_controller.rb

@@ -5,7 +5,7 @@ class Devise::PasswordsController < DeviseController
 
   # GET /resource/password/new
   def new
-    build_resource({})
+    self.resource = resource_class.new
   end
 
   # POST /resource/password

data/app/controllers/devise/registrations_controller.rb

@@ -4,13 +4,13 @@ class Devise::RegistrationsController < DeviseController
 
   # GET /resource/sign_up
   def new
-    resource = build_resource({})
-    respond_with resource
+    build_resource({})
+    respond_with self.resource
   end
 
   # POST /resource
   def create
-    build_resource
+    self.resource = build_resource(sign_up_params)
 
     if resource.save
       if resource.active_for_authentication?
@@ -40,7 +40,7 @@ class Devise::RegistrationsController < DeviseController
     self.resource = resource_class.to_adapter.get!(send(:"current_#{resource_name}").to_key)
     prev_unconfirmed_email = resource.unconfirmed_email if resource.respond_to?(:unconfirmed_email)
 
-    if resource.update_with_password(resource_params)
+    if resource.update_with_password(account_update_params)
       if is_navigational_format?
         flash_key = update_needs_confirmation?(resource, prev_unconfirmed_email) ?
           :update_needs_confirmation : :updated
@@ -83,8 +83,7 @@ class Devise::RegistrationsController < DeviseController
   # Build a devise resource passing in the session. Useful to move
   # temporary session data to the newly created user.
   def build_resource(hash=nil)
-    hash ||= resource_params || {}
-    self.resource = resource_class.new_with_session(hash, session)
+    self.resource = resource_class.new_with_session(hash || {}, session)
   end
 
   # Signs in a user on sign up. You can overwrite this method in your own
@@ -116,4 +115,12 @@ class Devise::RegistrationsController < DeviseController
     send(:"authenticate_#{resource_name}!", :force => true)
     self.resource = send(:"current_#{resource_name}")
   end
+
+  def sign_up_params
+    devise_parameter_sanitizer.for(:sign_up)
+  end
+
+  def account_update_params
+    devise_parameter_sanitizer.for(:account_update)
+  end
 end