devise 3.1.0.rc2 → 3.1.0
- data/CHANGELOG.md +8 -5
- data/Gemfile.lock +1 -1
- data/README.md +0 -1
- data/app/controllers/devise/confirmations_controller.rb +6 -2
- data/app/controllers/devise/registrations_controller.rb +7 -1
- data/config/locales/en.yml +2 -1
- data/gemfiles/Gemfile.rails-3.2.x.lock +1 -1
- data/lib/devise/hooks/lockable.rb +1 -1
- data/lib/devise/models/rememberable.rb +6 -2
- data/lib/devise/version.rb +1 -1
- data/lib/generators/active_record/devise_generator.rb +2 -5
- data/lib/generators/active_record/templates/migration.rb +0 -1
- data/lib/generators/active_record/templates/migration_existing.rb +0 -1
- data/lib/generators/devise/orm_helpers.rb +1 -2
- data/lib/generators/templates/devise.rb +1 -1
- data/test/integration/confirmable_test.rb +13 -1
- data/test/models/rememberable_test.rb +8 -0
- metadata +5 -5
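--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,11 +1,11 @@
-== 3.1.0
+== 3.1.0
 
 Security announcement: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/
 
 * backwards incompatible changes
 * Do not store confirmation, unlock and reset password tokens directly in the database. This means tokens previously stored in the database are no longer valid. You can reenable this temporarily by setting `config.allow_insecure_tokens_lookup = true` in your configuration file. It is recommended to keep this configuration set to true just temporarily in your production servers only to aid migration
-* The Devise mailer and its views were changed to explicitly receive a token as
-* Sanitization of parameters should be done by calling `
+* The Devise mailer and its views were changed to explicitly receive a token argument as `@token`. You will need to update your mailers and re-copy the views to your application with `rails g devise:views`
+* Sanitization of parameters should be done by calling `devise_parameter_sanitizer.sanitize(:action)` instead of `devise_parameter_sanitizer.for(:action)`
 
 * deprecations
 * Token authentication is deprecated
@@ -15,7 +15,7 @@ Security announcement: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-w
 * Allow easier customization of parameter sanitizer (by @alexpeattie)
 
 * bug fix
-* Do not confirm e-mail after password reset
+* Do not confirm e-mail after password reset (by @moll)
 * Do not sign in after confirmation
 * Do not store confirmation, unlock and reset password tokens directly in the database
 * Do not compare directly against confirmation, unlock and reset password tokens
@@ -42,11 +42,14 @@ Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixat
 * enhancements
 * Rails 4 and Strong Parameters compatibility (by @carlosantoniodasilva, @josevalim, @latortuga, @lucasmazza, @nashby, @rafaelfranca, @spastorino)
 * Drop support for Rails < 3.2 and Ruby < 1.9.3
-* Enable to skip sending reconfirmation email when reconfirmable is on and skip_confirmation_notification
+* Enable to skip sending reconfirmation email when reconfirmable is on and `skip_confirmation_notification!` is invoked (by @tkhr)
 
 * bug fix
 * Errors on unlock are now properly reflected on the first `unlock_keys`
 
+* backwards incompatible changes
+* Changes on session storage will expire all existing sessions on upgrade
+
 == 2.2.4
 
 * enhancements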
data/Gemfile.lock
CHANGED
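--- a/data/README.md
+++ b/data/README.md
@@ -2,7 +2,6 @@
 
 By [Plataformatec](http://plataformatec.com.br/).
 
-[![Gem Version](https://fury-badge.herokuapp.com/rb/devise.png)](http://badge.fury.io/rb/devise)
 [![Build Status](https://api.travis-ci.org/plataformatec/devise.png?branch=master)](http://travis-ci.org/plataformatec/devise)
 [![Code Climate](https://codeclimate.com/github/plataformatec/devise.png)](https://codeclimate.com/github/plataformatec/devise)
 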
@@ -20,8 +20,12 @@ class Devise::ConfirmationsController < DeviseController
|
|
20
20
|
self.resource = resource_class.confirm_by_token(params[:confirmation_token])
|
21
21
|
|
22
22
|
if resource.errors.empty?
|
23
|
-
|
24
|
-
|
23
|
+
if Devise.allow_insecure_sign_in_after_confirmation
|
24
|
+
set_flash_message(:notice, :confirmed_and_signed_in) if is_navigational_format?
|
25
|
+
sign_in(resource_name, resource)
|
26
|
+
else
|
27
|
+
set_flash_message(:notice, :confirmed) if is_navigational_format?
|
28
|
+
end
|
25
29
|
respond_with_navigational(resource){ redirect_to after_confirmation_path_for(resource_name, resource) }
|
26
30
|
else
|
27
31
|
respond_with_navigational(resource.errors, :status => :unprocessable_entity){ render :new }
|
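Review bot: Taking the `allow_insecure_sign_in_after_confirmation` branch turns the confirmation token from the emailed link into a session credential, and nothing in the hunk says why that is gated behind a flag with "insecure" in its name; a comment above the `if` would make the trade-off explicit, e.g. `# Signing in here lets whoever holds the emailed confirmation link become the user; only done when the app opts into the insecure flag.` The `Devise.allow_insecure_sign_in_after_confirmation` accessor is not defined anywhere in this diff, so it presumably already exists on `Devise` from the rc; if it does not, every confirmation raises NoMethodError instead of falling through to the secure branch, which is worth confirming. The `is_navigational_format?` check is now repeated in both arms and could be hoisted into a single `if is_navigational_format?` wrapping the flash selection. The enclosing action starts and ends outside the hunk.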
@@ -40,7 +40,7 @@ class Devise::RegistrationsController < DeviseController
|
|
40
40
|
self.resource = resource_class.to_adapter.get!(send(:"current_#{resource_name}").to_key)
|
41
41
|
prev_unconfirmed_email = resource.unconfirmed_email if resource.respond_to?(:unconfirmed_email)
|
42
42
|
|
43
|
-
if resource
|
43
|
+
if update_resource(resource, account_update_params)
|
44
44
|
if is_navigational_format?
|
45
45
|
flash_key = update_needs_confirmation?(resource, prev_unconfirmed_email) ?
|
46
46
|
:update_needs_confirmation : :updated
|
@@ -80,6 +80,12 @@ class Devise::RegistrationsController < DeviseController
|
|
80
80
|
previous != resource.unconfirmed_email
|
81
81
|
end
|
82
82
|
|
83
|
+
# By default we want to require a password checks on update.
|
84
|
+
# You can overwrite this method in your own RegistrationsController.
|
85
|
+
def update_resource(resource, params)
|
86
|
+
resource.update_with_password(params)
|
87
|
+
end
|
88
|
+
|
83
89
|
# Build a devise resource passing in the session. Useful to move
|
84
90
|
# temporary session data to the newly created user.
|
85
91
|
def build_resource(hash=nil)
|
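Review bot: The new `update_resource` defaults to `update_with_password`, which by its name makes the current password mandatory for every account update, but the added comment does not give the reason and reads awkwardly (`require a password checks`); suggest `# Account updates require the current password by default (update_with_password), so a hijacked session alone cannot change the e-mail or password; override in your own RegistrationsController to relax this.` Whether this definition lands under the `protected` marker is not visible here — if it sits in the public section it becomes a routable action — so that placement is worth confirming. `account_update_params` is also defined outside the hunk. Both the `update` action and the method bodies around the second hunk extend beyond what is shown.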
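--- a/data/config/locales/en.yml
+++ b/data/config/locales/en.yml
@@ -3,7 +3,8 @@
 en:
 devise:
 confirmations:
-confirmed: "Your account was successfully confirmed.
+confirmed: "Your account was successfully confirmed. Please sign in."
+confirmed_and_signed_in: "Your account was successfully confirmed. You are now signed in."
 send_instructions: "You will receive an email with instructions about how to confirm your account in a few minutes."
 send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes."
 failure: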
@@ -2,6 +2,6 @@
|
|
2
2
|
# This is only triggered when the user is explicitly set (with set_user)
|
3
3
|
Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
|
4
4
|
if record.respond_to?(:failed_attempts) && warden.authenticated?(options[:scope])
|
5
|
-
record.update_attribute(:failed_attempts, 0) unless record.failed_attempts.zero?
|
5
|
+
record.update_attribute(:failed_attempts, 0) unless record.failed_attempts.to_i.zero?
|
6
6
|
end
|
7
7
|
end
|
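Review bot: The `.to_i` added to `record.failed_attempts` quietly absorbs a nil column value, and the hunk leaves that unexplained, so the next reader is likely to "simplify" it back; a why-comment would pin it, e.g. `# failed_attempts may be nil on rows that predate a NOT NULL default on the column; treat nil as zero.` The migration template elsewhere in this release adds `:null => false` to the commented `failed_attempts` line, which is consistent with that reading but only helps freshly generated migrations. The `after_set_user` block is complete within the hunk.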
@@ -110,12 +110,16 @@ module Devise
|
|
110
110
|
# Recreate the user based on the stored cookie
|
111
111
|
def serialize_from_cookie(id, remember_token)
|
112
112
|
record = to_adapter.get(id)
|
113
|
-
record if record &&
|
113
|
+
record if record && !record.remember_expired? &&
|
114
|
+
Devise.secure_compare(record.rememberable_value, remember_token)
|
114
115
|
end
|
115
116
|
|
116
117
|
# Generate a token checking if one does not already exist in the database.
|
117
118
|
def remember_token #:nodoc:
|
118
|
-
|
119
|
+
loop do
|
120
|
+
token = Devise.friendly_token
|
121
|
+
break token unless to_adapter.find_first({ :remember_token => token })
|
122
|
+
end
|
119
123
|
end
|
120
124
|
|
121
125
|
Devise::Models.config(self, :remember_for, :extend_remember_period, :rememberable_options)
|
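Review bot: `serialize_from_cookie` now returns nil for three distinct outcomes — no record for `id`, an expired remember period, and a token that fails `Devise.secure_compare` — so a tampered cookie is indistinguishable from an expired one to the caller; that is a reasonable nil-means-reject contract, but it should be stated, e.g. `# nil for unknown id, expired remember period, or token mismatch; the token is compared via secure_compare (presumably constant-time) so a bad cookie leaks no timing signal.` Whether `Devise.secure_compare` tolerates a nil `remember_token` from a malformed cookie is not visible here and worth confirming. The `loop do` in `remember_token` has no iteration bound; with a `friendly_token` collision being negligible that is fine in practice, though `# retries only on a (practically impossible) token collision` would say so. Both methods are complete within the hunk.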
data/lib/devise/version.rb
CHANGED
@@ -50,7 +50,7 @@ module ActiveRecord
|
|
50
50
|
t.datetime :remember_created_at
|
51
51
|
|
52
52
|
## Trackable
|
53
|
-
t.integer :sign_in_count, :default => 0
|
53
|
+
t.integer :sign_in_count, :default => 0, :null => false
|
54
54
|
t.datetime :current_sign_in_at
|
55
55
|
t.datetime :last_sign_in_at
|
56
56
|
t.string :current_sign_in_ip
|
@@ -63,12 +63,9 @@ module ActiveRecord
|
|
63
63
|
# t.string :unconfirmed_email # Only if using reconfirmable
|
64
64
|
|
65
65
|
## Lockable
|
66
|
-
# t.integer :failed_attempts, :default => 0 # Only if lock strategy is :failed_attempts
|
66
|
+
# t.integer :failed_attempts, :default => 0, :null => false # Only if lock strategy is :failed_attempts
|
67
67
|
# t.string :unlock_token # Only if unlock strategy is :email or :both
|
68
68
|
# t.datetime :locked_at
|
69
|
-
|
70
|
-
## Token authenticatable
|
71
|
-
# t.string :authentication_token
|
72
69
|
RUBY
|
73
70
|
end
|
74
71
|
end
|
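Review bot: The generated migration drops the `authentication_token` column (and the templates drop its index) while the changelog in this same release still lists token authentication as deprecated rather than removed, so an app that keeps `:token_authenticatable` enabled and generates a fresh model silently gets no column for it; a one-line note in the commented-out section would avoid that surprise, e.g. `## Token authenticatable (deprecated) -- add t.string :authentication_token yourself if you still use it`. Making `sign_in_count` `:null => false` is the right default and matches the nil-tolerant `.to_i` added to the lockable hook, but only for newly generated migrations; existing apps keep their nullable columns. The heredoc's enclosing method starts outside the hunk.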
@@ -14,6 +14,5 @@ class DeviseCreate<%= table_name.camelize %> < ActiveRecord::Migration
|
|
14
14
|
add_index :<%= table_name %>, :reset_password_token, :unique => true
|
15
15
|
# add_index :<%= table_name %>, :confirmation_token, :unique => true
|
16
16
|
# add_index :<%= table_name %>, :unlock_token, :unique => true
|
17
|
-
# add_index :<%= table_name %>, :authentication_token, :unique => true
|
18
17
|
end
|
19
18
|
end
|
@@ -15,7 +15,6 @@ class AddDeviseTo<%= table_name.camelize %> < ActiveRecord::Migration
|
|
15
15
|
add_index :<%= table_name %>, :reset_password_token, :unique => true
|
16
16
|
# add_index :<%= table_name %>, :confirmation_token, :unique => true
|
17
17
|
# add_index :<%= table_name %>, :unlock_token, :unique => true
|
18
|
-
# add_index :<%= table_name %>, :authentication_token, :unique => true
|
19
18
|
end
|
20
19
|
|
21
20
|
def self.down
|
@@ -4,8 +4,7 @@ module Devise
|
|
4
4
|
def model_contents
|
5
5
|
buffer = <<-CONTENT
|
6
6
|
# Include default devise modules. Others available are:
|
7
|
-
# :
|
8
|
-
# :lockable, :timeoutable and :omniauthable
|
7
|
+
# :confirmable, :lockable, :timeoutable and :omniauthable
|
9
8
|
devise :database_authenticatable, :registerable,
|
10
9
|
:recoverable, :rememberable, :trackable, :validatable
|
11
10
|
|
@@ -98,7 +98,7 @@ Devise.setup do |config|
|
|
98
98
|
config.stretches = Rails.env.test? ? 1 : 10
|
99
99
|
|
100
100
|
# Setup a pepper to generate the encrypted password.
|
101
|
-
# config.pepper = <%= SecureRandom.hex(64)
|
101
|
+
# config.pepper = '<%= SecureRandom.hex(64) %>'
|
102
102
|
|
103
103
|
# ==> Configuration for :confirmable
|
104
104
|
# A period that the user is allowed to access the website even without
|
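Review bot: The generated `# config.pepper = '<%= SecureRandom.hex(64) %>'` is emitted commented out, so the freshly generated pepper only takes effect if the developer uncomments it, and the template says nothing about the cost of changing it later. Since the comment two lines up says the pepper feeds the encrypted password, a caveat next to it would prevent a self-inflicted lockout: `# Changing the pepper after users exist invalidates every stored password; set it once, before the first user signs up.` The surrounding `Devise.setup` block extends outside the hunk.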
@@ -56,12 +56,24 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
|
|
56
56
|
assert_not user.confirmed?
|
57
57
|
visit_user_confirmation_with_token(user.raw_confirmation_token)
|
58
58
|
|
59
|
-
assert_contain 'Your account was successfully confirmed.'
|
59
|
+
assert_contain 'Your account was successfully confirmed. Please sign in.'
|
60
60
|
assert_current_url '/users/sign_in'
|
61
61
|
assert user.reload.confirmed?
|
62
62
|
end
|
63
63
|
end
|
64
64
|
|
65
|
+
test 'user should be signed in after confirmation if allow_insecure_sign_in_after_confirmation is enabled' do
|
66
|
+
swap Devise, :confirm_within => 3.days, :allow_insecure_sign_in_after_confirmation => true do
|
67
|
+
user = create_user(:confirm => false, :confirmation_sent_at => 2.days.ago)
|
68
|
+
assert_not user.confirmed?
|
69
|
+
visit_user_confirmation_with_token(user.raw_confirmation_token)
|
70
|
+
|
71
|
+
assert_contain 'Your account was successfully confirmed. You are now signed in.'
|
72
|
+
assert_current_url root_url
|
73
|
+
assert user.reload.confirmed?
|
74
|
+
end
|
75
|
+
end
|
76
|
+
|
65
77
|
test 'user should be redirected to a custom path after confirmation' do
|
66
78
|
Devise::ConfirmationsController.any_instance.stubs(:after_confirmation_path_for).returns("/?custom=1")
|
67
79
|
|
@@ -22,6 +22,14 @@ class RememberableTest < ActiveSupport::TestCase
|
|
22
22
|
user.forget_me!
|
23
23
|
end
|
24
24
|
|
25
|
+
test 'can generate remember token' do
|
26
|
+
user = create_user
|
27
|
+
user.singleton_class.send(:attr_accessor, :remember_token)
|
28
|
+
User.to_adapter.expects(:find_first).returns(nil)
|
29
|
+
user.remember_me!
|
30
|
+
assert user.remember_token
|
31
|
+
end
|
32
|
+
|
25
33
|
test 'serialize into cookie' do
|
26
34
|
user = create_user
|
27
35
|
user.remember_me!
|
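Review bot: The new `can generate remember token` test stubs `find_first` to return nil once, so only the no-collision path of the `loop do` in `remember_token` is exercised and the retry branch never runs. A second case would cover it: `User.to_adapter.expects(:find_first).twice.returns(user, nil)` followed by `user.remember_me!` and `assert user.remember_token` — mocha's `returns` with two values yields them on successive calls, so the loop must iterate twice to pass. The `attr_accessor :remember_token` added on the singleton class is what makes the loop's result observable on a model without that column, which deserves a one-line comment in the test.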
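--- a/metadata
+++ b/metadata
@@ -1,8 +1,8 @@
 --- !ruby/object:Gem::Specification
 name: devise
 version: !ruby/object:Gem::Version
-version: 3.1.0
-prerelease:
+version: 3.1.0
+prerelease:
 platform: ruby
 authors:
 - José Valim
@@ -10,7 +10,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2013-
+date: 2013-09-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: warden
@@ -337,9 +337,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
 required_rubygems_version: !ruby/object:Gem::Requirement
 none: false
 requirements:
-- - ! '
+- - ! '>='
 - !ruby/object:Gem::Version
-version:
+version: '0'
 requirements: []
 rubyforge_project: devise
 rubygems_version: 1.8.23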