devise 3.0.0 → 3.0.1

data/CHANGELOG.rdoc

@@ -1,3 +1,12 @@
+== 3.0.1
+
+* enhancements
+  * Add after_confirmation callback
+
+* bug fix
+  * When using rails 3.2, the generator adds 'attr_accessible' to the model (by @jcoyne)
+  * Clean up CSRF token after authentication (by @homakov). Notice this change will clean up the CSRF Token after authentication (sign in, sign up, etc). So if you are using AJAX for such features, you will need to fetch a new CSRF token from the server.
+
 == 3.0.0
 
 * enhancements

data/Gemfile.lock

@@ -12,7 +12,7 @@ GIT
 PATH
   remote: .
   specs:
-    devise (3.0.0.rc)
+    devise (3.0.0)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)

data/README.md

@@ -12,7 +12,7 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 
 * Is Rack based;
 * Is a complete MVC solution based on Rails engines;
-* Allows you to have multiple roles (or models/scopes) signed in at the same time;
+* Allows you to have multiple models signed in at the same time;
 * Is based on a modularity concept: use just what you really need.
 
 It's composed of 11 modules:
@@ -202,7 +202,7 @@ class ApplicationController < ActionController::Base
 end
 ```
 
-If you have multiple roles, you may want to set up different parameter sanitizer per role. In this case, we recommend inheriting from `Devise::ParameterSanitizer` and add your own logic:
+If you have multiple Devise models, you may want to set up different parameter sanitizer per model. In this case, we recommend inheriting from `Devise::ParameterSanitizer` and add your own logic:
 
 ```ruby
 class User::ParameterSanitizer < Devise::ParameterSanitizer
@@ -240,7 +240,7 @@ Since Devise is an engine, all its views are packaged inside the gem. These view
 rails generate devise:views
 ```
 
-If you have more than one role in your application (such as "User" and "Admin"), you will notice that Devise uses the same views for all roles. Fortunately, Devise offers an easy way to customize views. All you need to do is set "config.scoped_views = true" inside "config/initializers/devise.rb".
+If you have more than one Devise model in your application (such as "User" and "Admin"), you will notice that Devise uses the same views for all models. Fortunately, Devise offers an easy way to customize views. All you need to do is set "config.scoped_views = true" inside "config/initializers/devise.rb".
 
 After doing so, you will be able to have views based on the role like "users/sessions/new" and "admins/sessions/new". If no view is found within the scope, Devise will use the default view at "devise/sessions/new". You can also use the generator to generate scoped views:
 
@@ -384,7 +384,7 @@ You can read more about Omniauth support in the wiki:
 
 ### Configuring multiple models
 
-Devise allows you to set up as many roles as you want. For example, you may have a User model and also want an Admin model with just authentication and timeoutable features. If so, just follow these steps:
+Devise allows you to set up as many Devise models as you want. If you want to have an Admin model with just authentication and timeout features, in addition to the User model above, just run:
 
 ```ruby
 # Create a migration with the required fields
@@ -409,7 +409,9 @@ current_admin
 admin_session
 ```
 
-On the other hand, you can simply run the generator!
+Alternatively, you can simply run the Devise generator.
+
+Keep in mind that those models will have completely different routes. They **do not** and **cannot** share the same controller for sign in, sign out and so on. In case you want to have different roles sharing the same actions, we recommend you to use a role-based approach, by either providing a role column or using [CanCan](https://github.com/ryanb/cancan).
 
 ### Other ORMs
 

data/gemfiles/Gemfile.rails-3.2.x.lock

@@ -1,11 +1,11 @@
 PATH
   remote: ..
   specs:
-    devise (3.0.0.rc)
+    devise (3.0.0)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
-      warden (~> 1.2.1)
+      warden (~> 1.2.3)
 
 GEM
   remote: https://rubygems.org/
@@ -38,7 +38,7 @@ GEM
       i18n (= 0.6.1)
       multi_json (~> 1.0)
     arel (3.0.2)
-    bcrypt-ruby (3.0.1)
+    bcrypt-ruby (3.1.1)
     builder (3.0.4)
     erubis (2.7.0)
     faraday (0.8.7)
@@ -129,7 +129,7 @@ GEM
       polyglot
       polyglot (>= 0.3.1)
     tzinfo (0.3.37)
-    warden (1.2.1)
+    warden (1.2.3)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)

data/lib/devise.rb

@@ -223,6 +223,10 @@ module Devise
   mattr_accessor :omniauth_path_prefix
   @@omniauth_path_prefix = nil
 
+  # Set if we should clean up the CSRF Token on authentication
+  mattr_accessor :clean_up_csrf_token_on_authentication
+  @@clean_up_csrf_token_on_authentication = true
+
   def self.encryptor=(value)
     warn "\n[DEVISE] To select a encryption which isn't bcrypt, you should use devise-encryptable gem.\n"
   end

data/lib/devise/hooks/csrf_cleaner.rb

@@ -0,0 +1,5 @@
+Warden::Manager.after_authentication do |record, warden, options|
+  if Devise.clean_up_csrf_token_on_authentication
+    warden.request.session.try(:delete, :_csrf_token)
+  end
+end

data/lib/devise/models/authenticatable.rb

@@ -1,4 +1,5 @@
 require 'devise/hooks/activatable'
+require 'devise/hooks/csrf_cleaner'
 
 module Devise
   module Models

data/lib/devise/models/confirmable.rb

@@ -66,7 +66,7 @@ module Devise
           self.confirmation_token = nil
           self.confirmed_at = Time.now.utc
 
-          if self.class.reconfirmable && unconfirmed_email.present?
+          saved = if self.class.reconfirmable && unconfirmed_email.present?
             skip_reconfirmation!
             self.email = unconfirmed_email
             self.unconfirmed_email = nil
@@ -76,6 +76,9 @@ module Devise
           else
             save(:validate => false)
           end
+
+          after_confirmation if saved
+          saved
         end
       end
 
@@ -264,6 +267,9 @@ module Devise
           confirmation_required? && !@skip_confirmation_notification && !self.email.blank?
         end
 
+        def after_confirmation
+        end
+
       module ClassMethods
         # Attempt to find a user by its email. If a record is found, send new
         # confirmation instructions to it. If not, try searching for a user by unconfirmed_email

data/lib/devise/models/timeoutable.rb

@@ -37,7 +37,7 @@ module Devise
       private
 
       def remember_exists_and_not_expired?
-        return false unless respond_to?(:remember_created_at)
+        return false unless respond_to?(:remember_created_at) && respond_to?(:remember_expired?)
         remember_created_at && !remember_expired?
       end
 

data/lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.0.0".freeze
+  VERSION = "3.0.1".freeze
 end

data/lib/generators/devise/orm_helpers.rb

@@ -2,7 +2,7 @@ module Devise
   module Generators
     module OrmHelpers
       def model_contents
-<<-CONTENT
+        buffer = <<-CONTENT
   # Include default devise modules. Others available are:
   # :token_authenticatable, :confirmable,
   # :lockable, :timeoutable and :omniauthable
@@ -10,16 +10,36 @@ module Devise
          :recoverable, :rememberable, :trackable, :validatable
 
 CONTENT
+        buffer += <<-CONTENT if needs_attr_accessible?
+  # Setup accessible (or protected) attributes for your model
+  attr_accessible :email, :password, :password_confirmation, :remember_me
+
+CONTENT
+        buffer
+      end
+
+      def needs_attr_accessible?
+        rails_3? && !strong_parameters_enabled?
+      end
+
+      def rails_3?
+        Rails::VERSION::MAJOR == 3
       end
 
+      def strong_parameters_enabled?
+        defined?(ActionController::StrongParameters)
+      end
+
+      private
+
       def model_exists?
         File.exists?(File.join(destination_root, model_path))
       end
-      
+
       def migration_exists?(table_name)
         Dir.glob("#{File.join(destination_root, migration_path)}/[0-9]*_*.rb").grep(/\d+_add_devise_to_#{table_name}.rb$/).first
       end
-      
+
       def migration_path
         @migration_path ||= File.join("db", "migrate")
       end
@@ -29,4 +49,4 @@ CONTENT
       end
     end
   end
-end
+end

data/lib/generators/mongoid/devise_generator.rb

@@ -22,7 +22,7 @@ module Mongoid
   ## Database authenticatable
   field :email,              :type => String, :default => ""
   field :encrypted_password, :type => String, :default => ""
-  
+
   ## Recoverable
   field :reset_password_token,   :type => String
   field :reset_password_sent_at, :type => Time
@@ -54,4 +54,4 @@ RUBY
       end
     end
   end
-end
+end

data/lib/generators/templates/devise.rb

@@ -76,6 +76,12 @@ Devise.setup do |config|
   # passing :skip => :sessions to `devise_for` in your config/routes.rb
   config.skip_session_storage = [:http_auth]
 
+  # By default, Devise cleans up the CSRF token on authentication to
+  # avoid CSRF token fixation attacks. This means that, when using AJAX
+  # requests for sign in and sign up, you need to get a new CSRF token
+  # from the server. You can disable this option at your own risk.
+  # config.clean_up_csrf_token_on_authentication = true
+
   # ==> Configuration for :database_authenticatable
   # For bcrypt, this is the cost for hashing the password and defaults to 10. If
   # using other encryptors, it sets how many times you want the password re-encrypted.

data/test/generators/active_record_generator_test.rb

@@ -62,11 +62,41 @@ if DEVISE_ORM == :active_record
     destination File.expand_path("../../tmp", __FILE__)
     setup :prepare_destination
 
-    test "all files are properly created" do
+    test "all files are properly created in rails 4.0" do
+      ActiveRecord::Generators::DeviseGenerator.any_instance.stubs(:rails_3?).returns(false)
       simulate_inside_engine(RailsEngine::Engine, RailsEngine) do
         run_generator ["monster"]
 
         assert_file "app/models/rails_engine/monster.rb", /devise/
+        assert_file "app/models/rails_engine/monster.rb" do |content|
+          assert_no_match /attr_accessible :email/, content
+        end
+      end
+    end
+
+    test "all files are properly created in rails 3.2 when strong_parameters gem is not installed" do
+      ActiveRecord::Generators::DeviseGenerator.any_instance.stubs(:rails_3?).returns(true)
+      ActiveRecord::Generators::DeviseGenerator.any_instance.stubs(:strong_parameters_enabled?).returns(false)
+      simulate_inside_engine(RailsEngine::Engine, RailsEngine) do
+        run_generator ["monster"]
+
+        assert_file "app/models/rails_engine/monster.rb", /devise/
+        assert_file "app/models/rails_engine/monster.rb" do |content|
+          assert_match /attr_accessible :email/, content
+        end
+      end
+    end
+
+    test "all files are properly created in rails 3.2 when strong_parameters gem is installed" do
+      ActiveRecord::Generators::DeviseGenerator.any_instance.stubs(:rails_3?).returns(true)
+      ActiveRecord::Generators::DeviseGenerator.any_instance.stubs(:strong_parameters_enabled?).returns(true)
+      simulate_inside_engine(RailsEngine::Engine, RailsEngine) do
+        run_generator ["monster"]
+
+        assert_file "app/models/rails_engine/monster.rb", /devise/
+        assert_file "app/models/rails_engine/monster.rb" do |content|
+          assert_no_match /attr_accessible :email/, content
+        end
       end
     end
   end

data/test/integration/authenticatable_test.rb

@@ -327,6 +327,20 @@ class AuthenticationSessionTest < ActionDispatch::IntegrationTest
     assert_redirected_to new_user_session_path
   end
 
+  test 'refreshes _csrf_token' do
+    ApplicationController.allow_forgery_protection = true
+
+    begin
+      get new_user_session_path
+      token = request.session[:_csrf_token]
+
+      sign_in_as_user
+      assert_not_equal request.session[:_csrf_token], token
+    ensure
+      ApplicationController.allow_forgery_protection = false
+    end
+  end
+
   test 'allows session to be set for a given scope' do
     sign_in_as_user
     get '/users'

data/test/models/confirmable_test.rb

@@ -312,6 +312,27 @@ class ConfirmableTest < ActiveSupport::TestCase
     user.ensure_confirmation_token!
     assert_equal user.confirmation_token, old
   end
+
+  test 'should call after_confirmation if confirmed' do
+    user = create_user
+    user.define_singleton_method :after_confirmation do
+      self.username = self.username.to_s + 'updated'
+    end
+    old = user.username
+    assert user.confirm!
+    assert_not_equal user.username, old
+  end
+
+  test 'should not call after_confirmation if not confirmed' do
+    user = create_user
+    assert user.confirm!
+    user.define_singleton_method :after_confirmation do
+      self.username = self.username.to_s + 'updated'
+    end
+    old = user.username
+    assert_not user.confirm!
+    assert_equal user.username, old
+  end
 end
 
 class ReconfirmableTest < ActiveSupport::TestCase

data/test/models/timeoutable_test.rb

@@ -43,4 +43,9 @@ class TimeoutableTest < ActiveSupport::TestCase
   test 'required_fields should contain the fields that Devise uses' do
     assert_same_content Devise::Models::Timeoutable.required_fields(User), []
   end
+
+  test 'should not raise error if remember_created_at is not empty and rememberable is disabled' do
+    user = create_admin(remember_created_at: Time.current)
+    assert user.timedout?(31.minutes.ago)
+  end
 end

metadata

@@ -2,7 +2,7 @@
 name: devise
 version: !ruby/object:Gem::Version
   prerelease: 
-  version: 3.0.0
+  version: 3.0.1
 platform: ruby
 authors:
 - José Valim
@@ -10,7 +10,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-07-14 00:00:00.000000000 Z
+date: 2013-08-02 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   version_requirements: !ruby/object:Gem::Requirement
@@ -132,6 +132,7 @@ files:
 - lib/devise/delegator.rb
 - lib/devise/failure_app.rb
 - lib/devise/hooks/activatable.rb
+- lib/devise/hooks/csrf_cleaner.rb
 - lib/devise/hooks/forgetable.rb
 - lib/devise/hooks/lockable.rb
 - lib/devise/hooks/rememberable.rb