devise 4.5.0 → 4.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA256:
-  metadata.gz: 4dc3a8679abb65b4043adcff5725822be38a9bfd7e686ac8c75b72ea2a705d12
-  data.tar.gz: de207546fe24041c7986acbe23ad9f672ff1086a71ed8e6b749b6c3e648097ab
+SHA1:
+  metadata.gz: f89e0e322bb87fda7dfb21c558c38138065368ba
+  data.tar.gz: 88f2a5d3e8aeddaf2dd1a9dc6f6a366cf4b3a3ef
 SHA512:
-  metadata.gz: fc02654fdc90c761e56a0aac94eebcadf605c92bfaf57821c305dd73f76ac7670a3da408ee757dba5726b25911c391d28df940cd76e098b4b8e370785d9749f5
-  data.tar.gz: 28f0415a206541711baa0b0d23e718e13d12e22f712eae84309ddf2f9b76feace59ffbc6fdacd70f48e4bcb8c574492d076105154a4ab4f47f9be3e33e58d69b
+  metadata.gz: 40734474103c3aabd38dfae149a0f38d690d30ac2aa465510869616338a2968ab9f5a128f3263ca34009fb98b7bbb3b4bcd344119532bb56f459d23b3e6d326c
+  data.tar.gz: 80a1ef0816372c91f91ad27389b1abbe21c80d76ade44f9afce5ef1221b21b195466b1fe74a8a78bc20e70772eeacda06f7b7d06a208355fbf0f858ad3de33e7

data/CHANGELOG.md

@@ -1,5 +1,34 @@
 ### Unreleased
 
+### 4.6.0 - 2019-02-07
+
+* enhancements
+  * Allow to skip email and password change notifications (by @iorme1)
+  * Include the use of `nil` for `allow_unconfirmed_access_for` in the docs (by @joaumg)
+  * Ignore useless files into the `.gem` file (by @huacnlee)
+  * Explain the code that prevents enumeration attacks inside `Devise::Strategies::DatabaseAuthenticatable` (by @tegon)
+  * Refactor the `devise_error_messages!` helper to render a partial (by @prograhamer)
+  * Add an option (`Devise.sign_in_after_change_password`) to not automatically sign in a user after changing a password (by @knjko)
+
+* bug fixes
+  * Fix missing comma in Simple Form generator (by @colinross)
+  * Fix error with migration generator in Rails 6 (by @oystersauce8)
+  * Set `encrypted_password` to `nil` when `password` is set to `nil` (by @sivagollapalli)
+  * Consider whether the request supports flash messages inside `Devise::Controllers::Helpers#is_flashing_format?` (by @colinross)
+  * Fix typo inside `Devise::Generators::ControllersGenerator` (by @kopylovvlad)
+  * Sanitize parameters inside `Devise::Models::Authenticatable#find_or_initialize_with_errors` (by @rlue)
+  * `#after_database_authentication` callback was not called after authentication on password reset (by @kanmaniselvan)
+  * Fix corner case when `#confirmation_period_valid?` was called at the same second as `confirmation_sent_at` was set. Mostly true for date types that only have second precisions. (by @stanhu)
+  * Fix unclosed `li` tag in `error_messages` partial (by @mracos)
+  * Fix Routes issue when devise engine is mounted in another engine on Rails versions lower than 5.1 (by @a-barbieri)
+  * Make `#increment_failed_attempts` concurrency safe (by @tegon)
+  * Apply Test Helper fix to Rails 6.0 as well as 5.x (by @matthewrudy)
+
+
+* deprecations
+  * The second argument of `DatabaseAuthenticatable`'s `#update_with_password` and `#update_without_password` is deprecated and will be removed in the next major version. It was added to support a feature deprecated in Rails 4, so you can safely remove it from your code. (by @ihatov08)
+  * The `DeviseHelper.devise_error_messages!` is deprecated and will be removed in the next major version. Use the `devise/shared/error_messages` partial instead. (by @mracos)
+
 ### 4.5.0 - 2018-08-15
 
 * enhancements
@@ -255,7 +284,7 @@ configured (by @joshpencheon)
     end
     ```
 
-    You can check more examples and explanations on the [README section](/plataformatec/devise#strong-parameters)
+    You can check more examples and explanations on the [README section](README.md#strong-parameters)
     and on the [ParameterSanitizer docs](lib/devise/parameter_sanitizer.rb).
 
 Please check [3-stable](https://github.com/plataformatec/devise/blob/3-stable/CHANGELOG.md)

data/MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright 2009-2017 Plataformatec. http://plataformatec.com.br
+Copyright 2009-2019 Plataformatec. http://plataformatec.com.br
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

data/README.md

@@ -149,6 +149,24 @@ BUNDLE_GEMFILE=gemfiles/Gemfile.rails-4.1-stable bundle install
 BUNDLE_GEMFILE=gemfiles/Gemfile.rails-4.1-stable DEVISE_ORM=mongoid bin/test
 ```
 
+### Running tests
+Devise uses [Mini Test](https://github.com/seattlerb/minitest) as test framework.
+
+* Running all tests:
+```bash
+bin/test
+```
+
+* Running tests for an specific file:
+```bash
+bin/test test/models/trackable_test.rb
+```
+
+* Running a specific test given a regex:
+```bash
+bin/test test/models/trackable_test.rb:16
+```
+
 ## Starting with Rails?
 
 If you are building your first Rails application, we recommend you *do not* use Devise. Devise requires a good understanding of the Rails Framework. In such cases, we advise you to start a simple authentication system from scratch. Today, we have three resources that should help you get started:

data/app/controllers/devise/passwords_controller.rb

@@ -39,6 +39,7 @@ class Devise::PasswordsController < DeviseController
       if Devise.sign_in_after_reset_password
         flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
         set_flash_message!(:notice, flash_message)
+        resource.after_database_authentication
         sign_in(resource_name, resource)
       else
         set_flash_message!(:notice, :updated_not_active)

data/app/controllers/devise/registrations_controller.rb

@@ -50,12 +50,9 @@ class Devise::RegistrationsController < DeviseController
     resource_updated = update_resource(resource, account_update_params)
     yield resource if block_given?
     if resource_updated
-      if is_flashing_format?
-        flash_key = update_needs_confirmation?(resource, prev_unconfirmed_email) ?
-          :update_needs_confirmation : :updated
-        set_flash_message :notice, flash_key
-      end
-      bypass_sign_in resource, scope: resource_name
+      set_flash_message_for_update(resource, prev_unconfirmed_email)
+      bypass_sign_in resource, scope: resource_name if sign_in_after_change_password?
+
       respond_with resource, location: after_update_path_for(resource)
     else
       clean_up_passwords resource
@@ -127,7 +124,7 @@ class Devise::RegistrationsController < DeviseController
   # The default url to be used after updating a resource. You need to overwrite
   # this method in your own RegistrationsController.
   def after_update_path_for(resource)
-    signed_in_root_path(resource)
+    sign_in_after_change_password? ? signed_in_root_path(resource) : new_session_path(resource_name)
   end
 
   # Authenticates the current scope and gets the current resource from the session.
@@ -147,4 +144,25 @@ class Devise::RegistrationsController < DeviseController
   def translation_scope
     'devise.registrations'
   end
+
+  private
+
+  def set_flash_message_for_update(resource, prev_unconfirmed_email)
+    return unless is_flashing_format?
+
+    flash_key = if update_needs_confirmation?(resource, prev_unconfirmed_email)
+                  :update_needs_confirmation
+                elsif sign_in_after_change_password?
+                  :updated
+                else
+                  :updated_but_not_signed_in
+                end
+    set_flash_message :notice, flash_key
+  end
+
+  def sign_in_after_change_password?
+    return true if account_update_params[:password].blank?
+
+    Devise.sign_in_after_change_password
+  end
 end

data/app/helpers/devise_helper.rb

@@ -1,27 +1,18 @@
 # frozen_string_literal: true
 
 module DeviseHelper
-  # A simple way to show error messages for the current devise resource. If you need
-  # to customize this method, you can either overwrite it in your application helpers or
-  # copy the views to your application.
-  #
-  # This method is intended to stay simple and it is unlikely that we are going to change
-  # it to add more behavior or options.
+  # Retain this method for backwards compatibility, deprecated in favour of modifying the
+  # devise/shared/error_messages partial
   def devise_error_messages!
-    return "" if resource.errors.empty?
-
-    messages = resource.errors.full_messages.map { |msg| content_tag(:li, msg) }.join
-    sentence = I18n.t("errors.messages.not_saved",
-                      count: resource.errors.count,
-                      resource: resource.class.model_name.human.downcase)
+    ActiveSupport::Deprecation.warn <<-DEPRECATION.strip_heredoc
+      [Devise] `DeviseHelper.devise_error_messages!`
+      is deprecated and it will be removed in the next major version.
+      To customize the errors styles please run `rails g devise:views` and modify the
+      `devise/shared/error_messages` partial.
+    DEPRECATION
 
-    html = <<-HTML
-    <div id="error_explanation">
-      <h2>#{sentence}</h2>
-      <ul>#{messages}</ul>
-    </div>
-    HTML
+    return "" if resource.errors.empty?
 
-    html.html_safe
+    render "devise/shared/error_messages", resource: resource
   end
 end

data/app/views/devise/confirmations/new.html.erb

@@ -1,7 +1,7 @@
 <h2>Resend confirmation instructions</h2>
 
 <%= form_for(resource, as: resource_name, url: confirmation_path(resource_name), html: { method: :post }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
 
   <div class="field">
     <%= f.label :email %><br />

data/app/views/devise/passwords/edit.html.erb

@@ -1,7 +1,7 @@
 <h2>Change your password</h2>
 
 <%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :put }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
   <%= f.hidden_field :reset_password_token %>
 
   <div class="field">

data/app/views/devise/passwords/new.html.erb

@@ -1,7 +1,7 @@
 <h2>Forgot your password?</h2>
 
 <%= form_for(resource, as: resource_name, url: password_path(resource_name), html: { method: :post }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
 
   <div class="field">
     <%= f.label :email %><br />

data/app/views/devise/registrations/edit.html.erb

@@ -1,7 +1,7 @@
 <h2>Edit <%= resource_name.to_s.humanize %></h2>
 
 <%= form_for(resource, as: resource_name, url: registration_path(resource_name), html: { method: :put }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
 
   <div class="field">
     <%= f.label :email %><br />

data/app/views/devise/registrations/new.html.erb

@@ -1,7 +1,7 @@
 <h2>Sign up</h2>
 
 <%= form_for(resource, as: resource_name, url: registration_path(resource_name)) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
 
   <div class="field">
     <%= f.label :email %><br />

data/app/views/devise/sessions/new.html.erb

@@ -11,12 +11,12 @@
     <%= f.password_field :password, autocomplete: "current-password" %>
   </div>
 
-  <% if devise_mapping.rememberable? -%>
+  <% if devise_mapping.rememberable? %>
     <div class="field">
       <%= f.check_box :remember_me %>
       <%= f.label :remember_me %>
     </div>
-  <% end -%>
+  <% end %>
 
   <div class="actions">
     <%= f.submit "Log in" %>

data/app/views/devise/shared/_error_messages.html.erb

@@ -0,0 +1,15 @@
+<% if resource.errors.any? %>
+  <div id="error_explanation">
+    <h2>
+      <%= I18n.t("errors.messages.not_saved",
+                 count: resource.errors.count,
+                 resource: resource.class.model_name.human.downcase)
+       %>
+    </h2>
+    <ul>
+      <% resource.errors.full_messages.each do |message| %>
+        <li><%= message %></li>
+      <% end %>
+    </ul>
+  </div>
+<% end %>

data/app/views/devise/shared/_links.html.erb

@@ -1,25 +1,25 @@
 <%- if controller_name != 'sessions' %>
   <%= link_to "Log in", new_session_path(resource_name) %><br />
-<% end -%>
+<% end %>
 
 <%- if devise_mapping.registerable? && controller_name != 'registrations' %>
   <%= link_to "Sign up", new_registration_path(resource_name) %><br />
-<% end -%>
+<% end %>
 
 <%- if devise_mapping.recoverable? && controller_name != 'passwords' && controller_name != 'registrations' %>
   <%= link_to "Forgot your password?", new_password_path(resource_name) %><br />
-<% end -%>
+<% end %>
 
 <%- if devise_mapping.confirmable? && controller_name != 'confirmations' %>
   <%= link_to "Didn't receive confirmation instructions?", new_confirmation_path(resource_name) %><br />
-<% end -%>
+<% end %>
 
 <%- if devise_mapping.lockable? && resource_class.unlock_strategy_enabled?(:email) && controller_name != 'unlocks' %>
   <%= link_to "Didn't receive unlock instructions?", new_unlock_path(resource_name) %><br />
-<% end -%>
+<% end %>
 
 <%- if devise_mapping.omniauthable? %>
   <%- resource_class.omniauth_providers.each do |provider| %>
     <%= link_to "Sign in with #{OmniAuth::Utils.camelize(provider)}", omniauth_authorize_path(resource_name, provider) %><br />
-  <% end -%>
-<% end -%>
+  <% end %>
+<% end %>

data/app/views/devise/unlocks/new.html.erb

@@ -1,7 +1,7 @@
 <h2>Resend unlock instructions</h2>
 
 <%= form_for(resource, as: resource_name, url: unlock_path(resource_name), html: { method: :post }) do |f| %>
-  <%= devise_error_messages! %>
+  <%= render "devise/shared/error_messages", resource: resource %>
 
   <div class="field">
     <%= f.label :email %><br />

data/config/locales/en.yml

@@ -44,6 +44,7 @@ en:
       signed_up_but_unconfirmed: "A message with a confirmation link has been sent to your email address. Please follow the link to activate your account."
       update_needs_confirmation: "You updated your account successfully, but we need to verify your new email address. Please check your email and follow the confirm link to confirm your new email address."
       updated: "Your account has been updated successfully."
+      updated_but_not_signed_in: "Your account has been updated successfully, but since your password was changed, you need to sign in again"
     sessions:
       signed_in: "Signed in successfully."
       signed_out: "Signed out successfully."

data/lib/devise.rb

@@ -293,6 +293,10 @@ module Devise
   mattr_accessor :token_generator
   @@token_generator = nil
 
+  # When set to false, changing a password does not automatically sign in a user
+  mattr_accessor :sign_in_after_change_password
+  @@sign_in_after_change_password = true
+
   def self.rails51? # :nodoc:
     Rails.gem_version >= Gem::Version.new("5.1.x")
   end

data/lib/devise/controllers/helpers.rb

@@ -268,7 +268,7 @@ module Devise
       # Check if flash messages should be emitted. Default is to do it on
       # navigational formats
       def is_flashing_format?
-        is_navigational_format?
+        request.respond_to?(:flash) && is_navigational_format?
       end
 
       private

data/lib/devise/failure_app.rb

@@ -144,11 +144,20 @@ module Devise
 
       opts[:format] = request_format unless skip_format?
 
-      opts[:script_name] = relative_url_root if relative_url_root?
-
       router_name = Devise.mappings[scope].router_name || Devise.available_router_name
       context = send(router_name)
 
+      if relative_url_root?
+        opts[:script_name] = relative_url_root
+
+      # We need to add the rootpath to `script_name` manually for applications that use a Rails
+      # version lower than 5.1. Otherwise, it is going to generate a wrong path for Engines
+      # that use Devise. Remove it when the support of Rails 5.0 is droped.
+      elsif root_path_defined?(context) && rails_5_and_down?
+        rootpath = context.routes.url_helpers.root_path
+        opts[:script_name] = rootpath.chomp('/') if rootpath.length > 1
+      end
+
       if context.respond_to?(route)
         context.send(route, opts)
       elsif respond_to?(:root_url)
@@ -242,7 +251,7 @@ module Devise
     # Check if flash messages should be emitted. Default is to do it on
     # navigational formats
     def is_flashing_format?
-      is_navigational_format?
+      request.respond_to?(:flash) && is_navigational_format?
     end
 
     def request_format
@@ -262,5 +271,21 @@ module Devise
     end
 
     ActiveSupport.run_load_hooks(:devise_failure_app, self)
+
+    private
+
+    def root_path_defined?(context)
+      defined?(context.routes) && context.routes.url_helpers.root_path.present?
+    end
+
+    def rails_5_and_down?
+      return false if rails_5_up?
+
+      Rails::VERSION::MAJOR >= 4
+    end
+
+    def rails_5_up?
+      Rails::VERSION::MAJOR >= 5 && Rails::VERSION::MINOR > 0
+    end
   end
 end

data/lib/devise/models/authenticatable.rb

@@ -283,28 +283,20 @@ module Devise
 
         # Find or initialize a record with group of attributes based on a list of required attributes.
         def find_or_initialize_with_errors(required_attributes, attributes, error=:invalid) #:nodoc:
-          attributes = if attributes.respond_to? :permit!
-            attributes.slice(*required_attributes).permit!.to_h.with_indifferent_access
-          else
-            attributes.with_indifferent_access.slice(*required_attributes)
-          end
-          attributes.delete_if { |key, value| value.blank? }
+          attributes.try(:permit!)
+          attributes = attributes.to_h.with_indifferent_access
+                                 .slice(*required_attributes)
+                                 .delete_if { |key, value| value.blank? }
 
           if attributes.size == required_attributes.size
-            record = find_first_by_auth_conditions(attributes)
+            record = find_first_by_auth_conditions(attributes) and return record
           end
 
-          unless record
-            record = new
-
+          new(devise_parameter_filter.filter(attributes)).tap do |record|
             required_attributes.each do |key|
-              value = attributes[key]
-              record.send("#{key}=", value)
-              record.errors.add(key, value.present? ? error : :blank)
+              record.errors.add(key, attributes[key].blank? ? :blank : error)
             end
           end
-
-          record
         end
 
         protected

data/lib/devise/models/confirmable.rb

@@ -211,7 +211,10 @@ module Devise
         #   confirmation_period_valid?   # will always return true
         #
         def confirmation_period_valid?
-          self.class.allow_unconfirmed_access_for.nil? || (confirmation_sent_at && confirmation_sent_at.utc >= self.class.allow_unconfirmed_access_for.ago)
+          return true if self.class.allow_unconfirmed_access_for.nil?
+          return false if self.class.allow_unconfirmed_access_for == 0.days
+
+          confirmation_sent_at && confirmation_sent_at.utc >= self.class.allow_unconfirmed_access_for.ago
         end
 
         # Checks if the user confirmation happens before the token becomes invalid