devise 3.2.1 → 3.2.2



@@ -1,3 +1,10 @@
1
+ ### 3.2.2
2
+
3
+ * bug fix
4
+ * Ensure timeoutable works when `sign_out_all_scopes` is false (by @louman)
5
+ * Keep the query string when storing location (by @csexton)
6
+ * Require rails generator base class in devise generators
7
+
1
8
  ### 3.2.1
2
9
 
3
10
  Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
@@ -12,7 +12,7 @@ GIT
12
12
  PATH
13
13
  remote: .
14
14
  specs:
15
- devise (3.2.1)
15
+ devise (3.2.2)
16
16
  bcrypt-ruby (~> 3.0)
17
17
  orm_adapter (~> 0.1)
18
18
  railties (>= 3.2.6, < 5)
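--- a/data/README.md
+++ b/data/README.md
@@ -180,7 +180,7 @@ Besides :stretches, you can define :pepper, :encryptor, :confirm_within, :rememb
 
 When you customize your own views, you may end up adding new attributes to forms. Rails 4 moved the parameter sanitization from the model to the controller, causing Devise to handle this concern at the controller as well.
 
-There are just three actions in Devise that allows any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and the permited parameters by default are:
+There are just three actions in Devise that allows any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and the permitted parameters by default are:
 
 * `sign_in` (`Devise::SessionsController#new`) - Permits only the authentication keys (like `email`)
 * `sign_up` (`Devise::RegistrationsController#create`) - Permits authentication keys plus `password` and `password_confirmation`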
@@ -1,7 +1,7 @@
1
1
  PATH
2
2
  remote: ..
3
3
  specs:
4
- devise (3.2.1)
4
+ devise (3.2.2)
5
5
  bcrypt-ruby (~> 3.0)
6
6
  orm_adapter (~> 0.1)
7
7
  railties (>= 3.2.6, < 5)
@@ -33,7 +33,10 @@ module Devise
33
33
  #
34
34
  def store_location_for(resource_or_scope, location)
35
35
  session_key = stored_location_key_for(resource_or_scope)
36
- session[session_key] = URI.parse(location).path if location
36
+ if location
37
+ uri = URI.parse(location)
38
+ session[session_key] = [uri.path.sub(/\A\/+/, '/'), uri.query].compact.join('?')
39
+ end
37
40
  end
38
41
 
39
42
  private
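Review bot: The slash-collapsing `sub(/\A\/+/, '/')` on new line 38 is a security-relevant step with no comment saying so; a reader will not see that it exists so a location such as `//host/foo.bar` (exercised by the test hunk further down) is stored as `/foo.bar` and cannot be read back as a protocol-relative URL that sends the user to another host. I would add above `if location`: `# Keep only path and query: dropping scheme/host and collapsing leading slashes keeps the stored location on this site.` Note also that when `uri.path` is empty and there is no query, `[uri.path.sub(...), uri.query].compact.join('?')` yields `""`, which is truthy in Ruby, so any caller that tests the stored value with a plain `if` would treat it as present — worth confirming against `stored_location_for`, which is outside this hunk.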
@@ -12,7 +12,7 @@ Warden::Manager.after_set_user do |record, warden, options|
12
12
  proxy = Devise::Hooks::Proxy.new(warden)
13
13
 
14
14
  if record.timedout?(last_request_at) && !env['devise.skip_timeout']
15
- Devise.sign_out_all_scopes ? proxy.sign_out : sign_out(scope)
15
+ Devise.sign_out_all_scopes ? proxy.sign_out : proxy.sign_out(scope)
16
16
 
17
17
  if record.respond_to?(:expire_auth_token_on_timeout) && record.expire_auth_token_on_timeout
18
18
  record.reset_authentication_token!
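Review bot: The fix on line 15 routes the scoped sign-out through `proxy`, but nothing in the hook records why the bare `sign_out(scope)` was wrong, so the same regression is easy to reintroduce. Presumably `sign_out` is not defined in the `after_set_user` block's own scope and only the proxy exposes it; a one-line comment such as `# sign_out is only reachable through the proxy inside this hook` above the ternary would pin that down. The enclosing `Warden::Manager.after_set_user` block starts before the hunk.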
@@ -393,13 +393,13 @@ and you have set #{mapping.fullpath.inspect}. You can work around by passing
393
393
  `skip: :omniauth_callbacks` and manually defining the routes. Here is an example:
394
394
 
395
395
  match "/users/auth/:provider",
396
- :constraints => { :provider => /\Agoogle|facebook\z/ },
396
+ :constraints => { :provider => /\A(google|facebook)\z/ },
397
397
  :to => "devise/omniauth_callbacks#passthru",
398
398
  :as => :omniauth_authorize,
399
399
  :via => [:get, :post]
400
400
 
401
401
  match "/users/auth/:action/callback",
402
- :constraints => { :action => /\Agoogle|facebook\z/ },
402
+ :constraints => { :action => /\A(google|facebook)\z/ },
403
403
  :to => "devise/omniauth_callbacks",
404
404
  :as => :omniauth_callback,
405
405
  :via => [:get, :post]
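Review bot: The corrected example regexes on lines 396 and 402 now anchor the whole alternation, which is the right fix; a minor style point is that a non-capturing group, `/\A(?:google|facebook)\z/`, would make it clear the group exists only for precedence and not to capture the provider name. Judging by the interpolated `#{mapping.fullpath.inspect}` in the hunk header, this text appears to sit inside an error message whose `raise` begins before the hunk, so it is guidance shown to users rather than a live route constraint.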
@@ -1,3 +1,3 @@
1
1
  module Devise
2
- VERSION = "3.2.1".freeze
2
+ VERSION = "3.2.2".freeze
3
3
  end
@@ -1,3 +1,5 @@
1
+ require 'rails/generators/named_base'
2
+
1
3
  module Devise
2
4
  module Generators
3
5
  class DeviseGenerator < Rails::Generators::NamedBase
@@ -1,3 +1,4 @@
1
+ require 'rails/generators/base'
1
2
  require 'securerandom'
2
3
 
3
4
  module Devise
@@ -1,3 +1,5 @@
1
+ require 'rails/generators/base'
2
+
1
3
  module Devise
2
4
  module Generators
3
5
  # Include this module in your generator to generate Devise views.
@@ -1,3 +1,4 @@
1
+ require 'rails/generators/named_base'
1
2
  require 'generators/devise/orm_helpers'
2
3
 
3
4
  module Mongoid
@@ -198,10 +198,16 @@ class ControllerAuthenticatableTest < ActionController::TestCase
198
198
  assert_equal "/foo.bar", @controller.stored_location_for(User.new)
199
199
  end
200
200
 
201
- test 'store location for stores only paths' do
202
- assert_nil @controller.stored_location_for(:user)
201
+ test 'store location for stores paths' do
203
202
  @controller.store_location_for(:user, "//host/foo.bar")
204
203
  assert_equal "/foo.bar", @controller.stored_location_for(:user)
204
+ @controller.store_location_for(:user, "///foo.bar")
205
+ assert_equal "/foo.bar", @controller.stored_location_for(:user)
206
+ end
207
+
208
+ test 'store location for stores query string' do
209
+ @controller.store_location_for(:user, "/foo?bar=baz")
210
+ assert_equal "/foo?bar=baz", @controller.stored_location_for(:user)
205
211
  end
206
212
 
207
213
  test 'after sign in path defaults to root path if none by was specified for the given scope' do
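Review bot: The new query-string test on lines 208-210 only exercises a plain relative path; the combination that matters for the redirect defence, a host-bearing location that also carries a query, is not covered, so a regression in how `uri.query` is appended could slip through. I would add to that test `@controller.store_location_for(:user, "//host/foo?bar=baz")` followed by `assert_equal "/foo?bar=baz", @controller.stored_location_for(:user)`. Dropping the `assert_nil` precondition from old line 202 also means the renamed test no longer checks that nothing was stored beforehand, which is fine if each test starts from a fresh controller — worth confirming from the setup outside the hunk.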
@@ -35,14 +35,19 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
35
35
  assert warden.authenticated?(:user)
36
36
  end
37
37
 
38
- test 'time out user session after default limit time' do
39
- user = sign_in_as_user
40
- get expire_user_path(user)
41
- assert_not_nil last_request_at
38
+ test 'time out user session after default limit time when sign_out_all_scopes is false' do
39
+ swap Devise, sign_out_all_scopes: false do
40
+ sign_in_as_admin
42
41
 
43
- get users_path
44
- assert_redirected_to users_path
45
- assert_not warden.authenticated?(:user)
42
+ user = sign_in_as_user
43
+ get expire_user_path(user)
44
+ assert_not_nil last_request_at
45
+
46
+ get users_path
47
+ assert_redirected_to users_path
48
+ assert_not warden.authenticated?(:user)
49
+ assert warden.authenticated?(:admin)
50
+ end
46
51
  end
47
52
 
48
53
  test 'time out all sessions after default limit time when sign_out_all_scopes is true' do
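Review bot: The reason the test first calls `sign_in_as_admin` on line 40 before signing in the user is only revealed by the final `assert warden.authenticated?(:admin)` on line 49; a short comment at the top of the `swap` block, e.g. `# a second scope must survive when only the timed-out scope is signed out`, would make the intent readable without reaching the end. The replaced test covered the default configuration without `swap`; if the default for `sign_out_all_scopes` is not `false`, that path is now exercised only by the `true` test that follows.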
metadata CHANGED
@@ -1,7 +1,7 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: devise
3
3
  version: !ruby/object:Gem::Version
4
- version: 3.2.1
4
+ version: 3.2.2
5
5
  prerelease:
6
6
  platform: ruby
7
7
  authors:
@@ -10,7 +10,7 @@ authors:
10
10
  autorequire:
11
11
  bindir: bin
12
12
  cert_chain: []
13
- date: 2013-11-13 00:00:00.000000000 Z
13
+ date: 2013-11-25 00:00:00.000000000 Z
14
14
  dependencies:
15
15
  - !ruby/object:Gem::Dependency
16
16
  name: warden