devise 3.5.2 → 3.5.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: b12e8ad372d99f51b3ad7363a604025e4b4351d3
-  data.tar.gz: 2f532aa8b4538594a5dd1429a4613546dbd9f76a
+  metadata.gz: 1258976e4bec4149281c7764cf903ced83632766
+  data.tar.gz: 57096bdcca6de6c67b0fa26aee8251c446571c39
 SHA512:
-  metadata.gz: c695e4e9960fb2acbc37047b3ec769d30d5a0adfd4925dc886ada51a386f7153ddaec12ea0181bb641f4aec815d7d356474fccf6dd8d19739593c880d5f5e544
-  data.tar.gz: eae590deac848317c9db083a373efacd7f95f8ad84c93bee465d7fbe5a8a3c54b8f12f7a34d7cd602f215458bc9817247ff1eff8f6ad3d7bda6653a25a75f73e
+  metadata.gz: e3839e95f5c831805b43974ef72f7e6beca86d37c6c0177dec83ae5e8cc6ebcc5922da78cc505f413157ecdb0ed8b56c3c3499c061743a6ac25708e473ec035c
+  data.tar.gz: 59eb1f8398ddf1f4bd05a493a6ff4e41fb3f3580d0f3b143ffefed385b435fd3f521b1aaaaf0e8eee97838a1bc81d992081597738c743becfc4b651aa051b97f

data/.travis.yml

@@ -38,8 +38,7 @@ script: "bundle exec rake test"
 
 notifications:
   email: false
-  campfire:
+  slack:
     on_success: change
     on_failure: always
-    rooms:
-      - secure: "TRiqvuM4i/QmRDWjUSNitE5/P91BOzDkNl53+bZjjtxcISCswZtmECWBR7n9\n3xwqCOU1o2lfohxZ32OHOj/Nj7o+90zWJfWxcv+if0hIXRiil62M5pg0lZUd\nyJ4M5VQ0lSWo5he1OUrXhSabPJeaK3B8yT/tdh+qO5yzR+vb/jc="
+    secure: Q3M+kmude3FjisibEeeGe0wSMXgvwLH+vL7Zrx9//q4QtkfnrQ/BBMvY9KXxPEsNF+eys4YopYjTkJ8uRmeboUATW/oQ4Jrv3+u3zkIHK2sFn/Q2cQWpK5w+CbgEnHPjKYnUu34b09njXTgDlr/mqtbPqrKeZ1dLlpKXCB/q4GY=

data/CHANGELOG.md

@@ -1,13 +1,29 @@
+### Unreleased
+
+### 3.5.3 - 2015-12-10
+
+* bug fixes
+  * Fix password reset for records where `confirmation_required?` is disabled and
+    `confirmation_sent_at` is nil. (by @andygeers)
+  * Allow resources with no `email` field to be recoverable (and do not clear the
+    reset password token if the model was already persisted). (by @seddy, @stanhu)
+
+* enhancements
+  * Upon setting `Devise.send_password_change_notification = true` a user will receive notification when their password has been changed.
+
 ### 3.5.2 - 2015-08-10
 
 * enhancements
   * Perform case insensitive basic authorization matching
 
-* Big fixes
+* bug fixes
   * Do not use digests for password confirmation token
   * Fix infinite redirect in Rails 4.2 authenticated routes
   * Autoload Devise::Encryptor to avoid errors on thread-safe mode
 
+* deprecations
+  * `config.expire_auth_token_on_timeout` was removed
+
 ### 3.5.1 - 2015-05-24
 
 Note: 3.5.0 has been yanked due to a regression

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,22 @@
+# Contributor Code of Conduct
+
+As contributors and maintainers of this project, and in the interest of fostering an open and welcoming community, we pledge to respect all people who contribute through reporting issues, posting feature requests, updating documentation, submitting pull requests or patches, and other activities.
+
+We are committed to making participation in this project a harassment-free experience for everyone, regardless of level of experience, gender, gender identity and expression, sexual orientation, disability, personal appearance, body size, race, ethnicity, age, religion, or nationality.
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery
+* Personal attacks
+* Trolling or insulting/derogatory comments
+* Public or private harassment
+* Publishing other's private information, such as physical or electronic addresses, without explicit permission
+* Other unethical or unprofessional conduct.
+
+Project maintainers have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct. By adopting this Code of Conduct, project maintainers commit themselves to fairly and consistently applying these principles to every aspect of managing this project. Project maintainers who do not follow or enforce the Code of Conduct may be permanently removed from the project team.
+
+This code of conduct applies both within project spaces and in public spaces when an individual is representing the project or its community.
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by sending an email to [conduct@plataformatec.com.br](conduct@plataformatec.com.br) or contacting one or more of the project maintainers.
+
+This Code of Conduct is adapted from the [Contributor Covenant](http://contributor-covenant.org), version 1.2.0, available at [http://contributor-covenant.org/version/1/2/0/](http://contributor-covenant.org/version/1/2/0/)

data/CONTRIBUTING.md

@@ -8,6 +8,8 @@
 
 4) When reporting an issue, include Rails, Devise and Warden versions. If you are getting exceptions, please include the full backtrace.
 
+5) Notice that all of your interactions in the project are expected to follow our [Code of Conduct](CODE_OF_CONDUCT.md)
+
 That's it! The more information you give, the easier it becomes for us to track it down and fix it.
 Ideally, you should provide an application that reproduces the error or a test case to Devise's suite.
 

data/Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (3.5.2)
+    devise (3.5.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -153,7 +153,7 @@ GEM
     thread_safe (0.3.5)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    warden (1.2.3)
+    warden (1.2.4)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)

data/app/controllers/devise/passwords_controller.rb

@@ -43,6 +43,7 @@ class Devise::PasswordsController < DeviseController
       end
       respond_with resource, location: after_resetting_password_path_for(resource)
     else
+      set_minimum_password_length
       respond_with resource
     end
   end

data/app/mailers/devise/mailer.rb

@@ -16,5 +16,9 @@ if defined?(ActionMailer)
       @token = token
       devise_mail(record, :unlock_instructions, opts)
     end
+
+    def password_change(record, opts={})
+      devise_mail(record, :password_change, opts)
+    end
   end
 end

data/app/views/devise/mailer/password_change.html.erb

@@ -0,0 +1,3 @@
+<p>Hello <%= @resource.email %>!</p>
+
+<p>We're contacting you to notify you that your password has been changed.</p>

data/app/views/devise/shared/_links.html.erb

@@ -20,6 +20,6 @@
 
 <%- if devise_mapping.omniauthable? %>
   <%- resource_class.omniauth_providers.each do |provider| %>
-    <%= link_to "Sign in with #{provider.to_s.titleize}", omniauth_authorize_path(resource_name, provider) %><br />
+    <%= link_to "Sign in with #{OmniAuth::Utils.camelize(provider)}", omniauth_authorize_path(resource_name, provider) %><br />
   <% end -%>
 <% end -%>

data/config/locales/en.yml

@@ -23,6 +23,8 @@ en:
         subject: "Reset password instructions"
       unlock_instructions:
         subject: "Unlock instructions"
+      password_change:
+        subject: "Password Changed"
     omniauth_callbacks:
       failure: "Could not authenticate you from %{kind} because \"%{reason}\"."
       success: "Successfully authenticated from %{kind} account."

data/gemfiles/Gemfile.rails-3.2-stable.lock

@@ -49,7 +49,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (3.4.1)
+    devise (3.5.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -142,7 +142,7 @@ GEM
       polyglot
       polyglot (>= 0.3.1)
     tzinfo (0.3.43)
-    warden (1.2.3)
+    warden (1.2.4)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -167,3 +167,6 @@ DEPENDENCIES
   rdoc
   sqlite3
   webrat (= 0.7.3)
+
+BUNDLED WITH
+   1.10.6

data/gemfiles/Gemfile.rails-4.0-stable.lock

@@ -43,7 +43,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (3.4.1)
+    devise (3.5.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -136,7 +136,7 @@ GEM
     thread_safe (0.3.5)
     tilt (1.4.1)
     tzinfo (0.3.43)
-    warden (1.2.3)
+    warden (1.2.4)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -161,3 +161,6 @@ DEPENDENCIES
   rdoc
   sqlite3
   webrat (= 0.7.3)
+
+BUNDLED WITH
+   1.10.6

data/gemfiles/Gemfile.rails-4.1-stable.lock

@@ -48,7 +48,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (3.4.1)
+    devise (3.5.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -142,7 +142,7 @@ GEM
     tilt (1.4.1)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    warden (1.2.3)
+    warden (1.2.4)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -167,3 +167,6 @@ DEPENDENCIES
   rdoc
   sqlite3
   webrat (= 0.7.3)
+
+BUNDLED WITH
+   1.10.6

data/gemfiles/Gemfile.rails-4.2-stable.lock

@@ -58,7 +58,7 @@ GIT
 PATH
   remote: ..
   specs:
-    devise (3.4.1)
+    devise (3.5.3)
       bcrypt (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -164,7 +164,7 @@ GEM
     tilt (1.4.1)
     tzinfo (1.2.2)
       thread_safe (~> 0.1)
-    warden (1.2.3)
+    warden (1.2.4)
       rack (>= 1.0)
     webrat (0.7.3)
       nokogiri (>= 1.2.0)
@@ -189,3 +189,6 @@ DEPENDENCIES
   rdoc
   sqlite3
   webrat (= 0.7.3)
+
+BUNDLED WITH
+   1.10.6

data/lib/devise.rb

@@ -150,6 +150,10 @@ module Devise
   mattr_accessor :pepper
   @@pepper = nil
 
+  # Used to enable sending notification to user when their password is changed
+  mattr_accessor :send_password_change_notification
+  @@send_password_change_notification = false
+
   # Scoped views. Since it relies on fallbacks to render default views, it's
   # turned off by default.
   mattr_accessor :scoped_views
@@ -325,7 +329,12 @@ module Devise
     mapping
   end
 
-  # Make Devise aware of an 3rd party Devise-module (like invitable). For convenience.
+  # Register available devise modules. For the standard modules that Devise provides, this method is
+  # called from lib/devise/modules.rb. Third-party modules need to be added explicitly using this method.
+  #
+  # Note that adding a module using this method does not cause it to be used in the authentication
+  # process. That requires that the module be listed in the arguments passed to the 'devise' method
+  # in the model class definition.
   #
   # == Options:
   #
@@ -433,8 +442,8 @@ module Devise
     Devise::Controllers::UrlHelpers.generate_helpers!
   end
 
-  # A method used internally to setup warden manager from the Rails initialize
-  # block.
+  # A method used internally to complete the setup of warden manager after routes are loaded.
+  # See lib/devise/rails/routes.rb - ActionDispatch::Routing::RouteSet#finalize_with_devise!
   def self.configure_warden! #:nodoc:
     @@warden_configured ||= begin
       warden_config.failure_app   = Devise::Delegator.new

data/lib/devise/controllers/helpers.rb

@@ -7,7 +7,9 @@ module Devise
       include Devise::Controllers::StoreLocation
 
       included do
-        helper_method :warden, :signed_in?, :devise_controller?
+        if respond_to?(:helper_method)
+          helper_method :warden, :signed_in?, :devise_controller?
+        end
       end
 
       module ClassMethods
@@ -69,7 +71,9 @@ module Devise
               end.compact
             end
 
-            helper_method "current_#{group_name}", "current_#{group_name.to_s.pluralize}", "#{group_name}_signed_in?"
+            if respond_to?(:helper_method)
+              helper_method "current_#{group_name}", "current_#{group_name.to_s.pluralize}", "#{group_name}_signed_in?"
+            end
           METHODS
         end
 
@@ -126,7 +130,9 @@ module Devise
         METHODS
 
         ActiveSupport.on_load(:action_controller) do
-          helper_method "current_#{mapping}", "#{mapping}_signed_in?", "#{mapping}_session"
+          if respond_to?(:helper_method)
+            helper_method "current_#{mapping}", "#{mapping}_signed_in?", "#{mapping}_session"
+          end
         end
       end
 
@@ -190,10 +196,10 @@ module Devise
       # root path. For a user scope, you can define the default url in
       # the following way:
       #
-      #   map.user_root '/users', controller: 'users' # creates user_root_path
+      #   get '/users' => 'users#index', as: :user_root # creates user_root_path
       #
-      #   map.namespace :user do |user|
-      #     user.root controller: 'users' # creates user_root_path
+      #   namespace :user do
+      #     root 'users#index' # creates user_root_path
       #   end
       #
       # If the resource root path is not defined, root_path is used. However,

data/lib/devise/failure_app.rb

@@ -22,9 +22,12 @@ module Devise
       @respond.call(env)
     end
 
+    # Try retrieving the URL options from the parent controller (usually 
+    # ApplicationController). Instance methods are not supported at the moment,
+    # so only the class-level attribute is used.
     def self.default_url_options(*args)
-      if defined?(ApplicationController)
-        ApplicationController.default_url_options(*args)
+      if defined?(Devise.parent_controller.constantize)
+        Devise.parent_controller.constantize.try(:default_url_options) || {}
       else
         {}
       end
@@ -48,7 +51,18 @@ module Devise
     end
 
     def recall
-      env["PATH_INFO"]  = attempted_path
+      config = Rails.application.config
+
+      if config.try(:relative_url_root)
+        base_path = Pathname.new(config.relative_url_root)
+        full_path = Pathname.new(attempted_path)
+
+        env["SCRIPT_NAME"] = config.relative_url_root
+        env["PATH_INFO"] = '/' + full_path.relative_path_from(base_path).to_s
+      else
+        env["PATH_INFO"]  = attempted_path
+      end
+
       flash.now[:alert] = i18n_message(:invalid) if is_flashing_format?
       self.response = recall_app(warden_options[:recall]).call(env)
     end

data/lib/devise/hooks/timeoutable.rb

@@ -7,7 +7,8 @@ Warden::Manager.after_set_user do |record, warden, options|
   scope = options[:scope]
   env   = warden.request.env
 
-  if record && record.respond_to?(:timedout?) && warden.authenticated?(scope) && options[:store] != false
+  if record && record.respond_to?(:timedout?) && warden.authenticated?(scope) &&
+     options[:store] != false && !env['devise.skip_timeoutable']
     last_request_at = warden.session(scope)['last_request_at']
 
     if last_request_at.is_a? Integer

data/lib/devise/models.rb

@@ -12,7 +12,7 @@ module Devise
 
     # Creates configuration values for Devise and for the given module.
     #
-    #   Devise::Models.config(Devise::Authenticatable, :stretches, 10)
+    #   Devise::Models.config(Devise::DatabaseAuthenticatable, :stretches)
     #
     # The line above creates:
     #

data/lib/devise/models/confirmable.rb

@@ -24,7 +24,7 @@ module Devise
     #     By default allow_unconfirmed_access_for is zero, it means users always have to confirm to sign in.
     #   * +reconfirmable+: requires any email changes to be confirmed (exactly the same way as
     #     initial account confirmation) to be applied. Requires additional unconfirmed_email
-    #     db field to be setup (t.reconfirmable in migrations). Until confirmed new email is
+    #     db field to be setup (t.reconfirmable in migrations). Until confirmed, new email is
     #     stored in unconfirmed email column, and copied to email column on successful
     #     confirmation.
     #   * +confirm_within+: the time before a sent confirmation token becomes invalid.
@@ -216,7 +216,7 @@ module Devise
         #   confirmation_period_expired?  # will always return false
         #
         def confirmation_period_expired?
-          self.class.confirm_within && (Time.now > self.confirmation_sent_at + self.class.confirm_within)
+          self.class.confirm_within && self.confirmation_sent_at && (Time.now > self.confirmation_sent_at + self.class.confirm_within)
         end
 
         # Checks whether the record requires any confirmation.

data/lib/devise/models/database_authenticatable.rb

@@ -12,7 +12,7 @@ module Devise
     #
     # == Options
     #
-    # DatabaseAuthenticable adds the following options to devise_for:
+    # DatabaseAuthenticatable adds the following options to devise_for:
     #
     #   * +pepper+: a random string used to provide a more secure hash. Use
     #     `rake secret` to generate new keys.
@@ -27,6 +27,8 @@ module Devise
       extend ActiveSupport::Concern
 
       included do
+        after_update :send_password_change_notification, if: :send_password_change_notification?
+
         attr_reader :password, :current_password
         attr_accessor :password_confirmation
       end
@@ -133,6 +135,10 @@ module Devise
         encrypted_password[0,29] if encrypted_password
       end
 
+      def send_password_change_notification
+        send_devise_notification(:password_change)
+      end
+
     protected
 
       # Digests the password using bcrypt. Custom encryption should override
@@ -144,8 +150,12 @@ module Devise
         Devise::Encryptor.digest(self.class, password)
       end
 
+      def send_password_change_notification?
+        self.class.send_password_change_notification && encrypted_password_changed?
+      end
+
       module ClassMethods
-        Devise::Models.config(self, :pepper, :stretches)
+        Devise::Models.config(self, :pepper, :stretches, :send_password_change_notification)
 
         # We assume this method already gets the sanitized values from the
         # DatabaseAuthenticatable strategy. If you are using this method on