devise_invitable 1.2.1 → 1.3.0

data/CHANGELOG

@@ -0,0 +1,5 @@
+= 1.3.0
+Now devise 3.1 compatible, @token must be used instead of @resource.invitation_token in mail views
+
+= 1.2.0
+Add invitation_created_at column which is set when invitation is created even when sending is skipped. This new field is used to check invitation period valid

data/README.rdoc

@@ -3,11 +3,9 @@
 
 It adds support to devise[http://github.com/plataformatec/devise] for send invitations by email (it requires to be authenticated) and accept the invitation setting the password.
 
-DeviseInvitable currently only support Rails 3, if you want to use it with Rails 2.3 you must install version {0.2.3}[http://rubygems.org/gems/devise_invitable/versions/0.2.3]
+DeviseInvitable currently supports Rails 3 and 4, if you want to use it with Rails 2.3 you must install version {0.2.3}[http://rubygems.org/gems/devise_invitable/versions/0.2.3]
 
-If you want to use Rails 4 or devise 3, you must use git:
-
-  gem 'devise_invitable', :github => 'scambra/devise_invitable'
+If you want to use devise 3.0.x, you must use 1.2.1, newer versions require devise >= 3.1.0
 
 == Installation
 
@@ -49,7 +47,7 @@ Add t.invitable to your Devise model migration:
   create_table :users do
     ...
       ## Invitable
-      t.string   :invitation_token, :limit => 60
+      t.string   :invitation_token
       t.datetime :invitation_created_at
       t.datetime :invitation_sent_at
       t.datetime :invitation_accepted_at
@@ -62,15 +60,15 @@ Add t.invitable to your Devise model migration:
 
 or for a model that already exists, define a migration to add DeviseInvitable to your model:
 
-  change_table :users do |t|
-      t.string   :invitation_token, :limit => 60
-      t.datetime :invitation_created_at
-      t.datetime :invitation_sent_at
-      t.datetime :invitation_accepted_at
-      t.integer  :invitation_limit
-      t.integer  :invited_by_id
-      t.string   :invited_by_type
-
+  def change
+      add_column :users, :invitation_token, :string
+      add_column :users, :invitation_created_at, :datetime
+      add_column :users, :invitation_sent_at, :datetime 
+      add_column :users, :invitation_accepted_at, :datetime
+      add_column :users, :invitation_limit, :integer
+      add_column :users, :invited_by_id, :integer
+      add_column :users, :invited_by_type, :string
+      add_index :users, :invitation_token, :unique => true
   end
 
   # Allow null encrypted_password
@@ -78,6 +76,16 @@ or for a model that already exists, define a migration to add DeviseInvitable to
   # Allow null password_salt (add it if you are using Devise's encryptable module)
   change_column :users, :password_salt, :string, :null => true
 
+If you previously used devise_invitable with a :limit on :invitation_token, remove it:
+
+  def up
+    change_column :users, :invitation_token, :string, :limit => nil
+  end
+  
+  def down
+    change_column :users, :invitation_token, :string, :limit => 60
+  end
+
 == Mongoid Field Definitions
 If you are using Mongoid, define the following fields and indexes within your invitable model:
 
@@ -164,6 +172,15 @@ be sure that you generate the views and put them into the controller that you ge
 
   rails generate devise_invitable:views users/invitations
 
+== Strong Parameters
+
+When you customize your own views, you may end up adding new attributes to forms. Rails 4 moved the parameter sanitization from the model to the controller, causing DeviseInvitable to handle this concern at the controller as well. Read about it in {devise README}[http://github.com/plataformatec/devise#strong-parameters]
+
+There are just two actions in DeviseInvitable that allows any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and the permited parameters by default are:
+
+* invite (Devise::InvitationsController#create) - Permits only the authentication keys (like email)
+* accept_invitation (Devise::InvitationsController#update) - Permits invitation_token plus password and password_confirmation
+
 == Usage
 
 === Send an invitation

data/app/controllers/devise/invitations_controller.rb

@@ -14,7 +14,7 @@ class Devise::InvitationsController < DeviseController
 
   # POST /resource/invitation
   def create
-    self.resource = resource_class.invite!(invite_params, current_inviter)
+    self.resource = invite_resource
 
     if resource.errors.empty?
       set_flash_message :notice, :send_instructions, :email => self.resource.email if self.resource.invitation_sent_at
@@ -26,6 +26,7 @@ class Devise::InvitationsController < DeviseController
 
   # GET /resource/invitation/accept?invitation_token=abcdef
   def edit
+    resource.invitation_token = params[:invitation_token]
     render :edit
   end
 
@@ -51,6 +52,11 @@ class Devise::InvitationsController < DeviseController
   end
 
   protected
+
+  def invite_resource
+    resource_class.invite!(invite_params, current_inviter)
+  end
+
   def current_inviter
     @current_inviter ||= authenticate_inviter!
   end
@@ -64,18 +70,18 @@ class Devise::InvitationsController < DeviseController
   end
   
   def resource_from_invitation_token
-    unless params[:invitation_token] && self.resource = resource_class.to_adapter.find_first(params.slice(:invitation_token))
+    unless params[:invitation_token] && self.resource = resource_class.find_by_invitation_token(params[:invitation_token], true)
       set_flash_message(:alert, :invitation_token_invalid)
       redirect_to after_sign_out_path_for(resource_name)
     end
   end
 
   def invite_params
-    devise_parameter_sanitizer.for(:invite)
+    devise_parameter_sanitizer.sanitize(:invite)
   end
 
   def update_resource_params
-    devise_parameter_sanitizer.for(:accept_invitation)
+    devise_parameter_sanitizer.sanitize(:accept_invitation)
   end
   
 end

data/app/views/devise/mailer/invitation_instructions.html.erb

@@ -2,7 +2,7 @@
 
 <p>Someone has invited you to <%= root_url %>, you can accept it through the link below.</p>
 
-<p><%= link_to 'Accept invitation', accept_invitation_url(@resource, :invitation_token => @resource.invitation_token) %></p>
+<p><%= link_to 'Accept invitation', accept_invitation_url(@resource, :invitation_token => @token) %></p>
 
 <p>If you don't want to accept the invitation, please ignore this email.<br />
 Your account won't be created until you access the link above and set your password.</p>

data/lib/devise_invitable/mailer.rb

@@ -4,13 +4,9 @@ module DeviseInvitable
   module Mailer
 
     # Deliver an invitation email
-    def invitation_instructions(record, opts={})
-      # optional arguments introduced in Devise 2.2.0, remove check once support for < 2.2.0 is dropped.
-      if Gem::Version.new(Devise::VERSION.dup) < Gem::Version.new('2.2.0')
-        devise_mail(record, :invitation_instructions)
-      else
-        devise_mail(record, :invitation_instructions, opts)
-      end
+    def invitation_instructions(record, token, opts={})
+      @token = token
+      devise_mail(record, :invitation_instructions, opts)
     end
   end
 end

data/lib/devise_invitable/model.rb

@@ -64,14 +64,6 @@ module Devise
         fields
       end
 
-      def invitation_fields
-        fields = [:invitation_created_at, :invitation_sent_at, :invited_by_id, :invited_by_type]
-        if Devise.invited_by_class_name
-          fields -= [:invited_by_type]
-        end
-        fields
-      end
-
       # Accept an invitation by clearing invitation token and and setting invitation_accepted_at
       def accept_invitation
         self.invitation_accepted_at = Time.now.utc
@@ -111,11 +103,6 @@ module Devise
         invitation_accepted? || !invited_to_sign_up?
       end
 
-      def invited?
-        ActiveSupport::Deprecation.warn "invited? is deprecated and will be removed from DeviseInvitable 1.1.0 (use invited_to_sign_up? instead)"
-        invited_to_sign_up?
-      end
-
       # Reset invitation token and send invitation again
       def invite!(invited_by = nil)
         was_invited = invited_to_sign_up?
@@ -126,7 +113,7 @@ module Devise
           def self.confirmation_required?; false; end
         end
 
-        generate_invitation_token if self.invitation_token.nil?
+        generate_invitation_token if self.invitation_token.nil? || (!@skip_invitation && @raw_invitation_token.nil?)
         self.invitation_created_at = Time.now.utc
         self.invitation_sent_at = self.invitation_created_at unless @skip_invitation
         self.invited_by = invited_by if invited_by
@@ -158,13 +145,19 @@ module Devise
         accept_invitation! if invited_to_sign_up?
       end
 
-      def invite_key_valid?
-        return true unless self.class.invite_key.is_a? Hash # FIXME: remove this line when deprecation is removed
-        self.class.invite_key.all? do |key, regexp|
-          regexp.nil? || self.send(key).try(:match, regexp)
+      def clear_errors_on_valid_keys
+        self.class.invite_key.each do |key, regexp|
+          self.errors.delete(key) if regexp.nil? || self.send(key).try(:match, regexp)
         end
       end
 
+      # Deliver the invitation email
+      def deliver_invitation
+        generate_invitation_token! unless @raw_invitation_token
+        self.update_attribute :invitation_sent_at, Time.now.utc unless self.invitation_sent_at
+        send_devise_notification(:invitation_instructions, @raw_invitation_token)
+      end
+
       protected
         # Overriding the method in Devise's :validatable module so password is not required on inviting
         def password_required?
@@ -175,12 +168,6 @@ module Devise
           respond_to?(:confirmation_required?, true) && confirmation_required? && invitation_accepted?
         end
 
-        # Deliver the invitation email
-        def deliver_invitation
-          self.update_attribute :invitation_sent_at, Time.now.utc unless self.invitation_sent_at
-          send_devise_notification(:invitation_instructions)
-        end
-
         # Checks if the invitation for the user is within the limit time.
         # We do this by calculating if the difference between today and the
         # invitation sent date does not exceed the invite for time configured.
@@ -208,18 +195,19 @@ module Devise
         # Generates a new random token for invitation, and stores the time
         # this token is being generated
         def generate_invitation_token
-          self.invitation_token   = self.class.invitation_token
+          raw, enc = Devise.token_generator.generate(self.class, :invitation_token)
+          @raw_invitation_token = raw
+          self.invitation_token = enc
+        end
+
+        def generate_invitation_token!
+          generate_invitation_token && save(:validate => false)
         end
 
       module ClassMethods
         # Return fields to invite
         def invite_key_fields
-          if invite_key.is_a? Hash
-            invite_key.keys
-          else
-            ActiveSupport::Deprecation.warn("invite_key should be a hash like {#{invite_key.inspect} => /.../}")
-            Array(invite_key)
-          end
+          invite_key.keys
         end
 
         # Attempt to find a user by its email. If a record is not found,
@@ -243,22 +231,20 @@ module Devise
           invitable.skip_password = true
           invitable.valid? if self.validate_on_invite
           if invitable.new_record?
-            invitable.errors.clear if !self.validate_on_invite and invitable.invite_key_valid?
+            invitable.clear_errors_on_valid_keys if !self.validate_on_invite
           elsif !invitable.invited_to_sign_up? || !self.resend_invitation
             invite_key_array.each do |key|
               invitable.errors.add(key, :taken)
             end
           end
 
-          if invitable.errors.empty?
-            yield invitable if block_given?
-            mail = invitable.invite!
-          end
+          yield invitable if block_given?
+          mail = invitable.invite! if invitable.errors.empty?
           [invitable, mail]
         end
 
         def invite!(attributes={}, invited_by=nil, &block)
-          invitable, mail = _invite(attributes, invited_by, &block)
+          invitable, mail = _invite(attributes.with_indifferent_access, invited_by, &block)
           invitable
         end
 
@@ -273,8 +259,8 @@ module Devise
         # error in invitation_token attribute.
         # Attributes must contain invitation_token, password and confirmation
         def accept_invitation!(attributes={})
-          invitable = find_or_initialize_with_error_by(:invitation_token, attributes.delete(:invitation_token))
-          invitable.errors.add(:invitation_token, :invalid) if invitable.invitation_token && invitable.persisted? && !invitable.valid_invitation?
+          original_token = attributes.delete(:invitation_token)
+          invitable = find_by_invitation_token(original_token, false)
           if invitable.errors.empty?
             invitable.assign_attributes(attributes)
             invitable.accept_invitation!
@@ -282,6 +268,18 @@ module Devise
           invitable
         end
 
+        def find_by_invitation_token(original_token, only_valid)
+          invitation_token = Devise.token_generator.digest(self, :invitation_token, original_token)
+          
+          invitable = find_or_initialize_with_error_by(:invitation_token, invitation_token)
+          if !invitable.persisted? && Devise.allow_insecure_token_lookup
+            invitable = find_or_initialize_with_error_by(:invitation_token, original_token)
+          end
+          invitable.errors.add(:invitation_token, :invalid) if invitable.invitation_token && invitable.persisted? && !invitable.valid_invitation?
+          invitable.invitation_token = original_token
+          invitable unless only_valid && invitable.errors.present?
+        end
+
         # Generate a token checking if one does not already exist in the database.
         def invitation_token
           generate_token(:invitation_token)

data/lib/devise_invitable/version.rb

@@ -1,3 +1,3 @@
 module DeviseInvitable
-  VERSION = '1.2.1'
+  VERSION = '1.3.0'
 end

data/lib/generators/active_record/templates/migration.rb

@@ -21,7 +21,7 @@ class DeviseInvitableAddTo<%= table_name.camelize %> < ActiveRecord::Migration
   def down
     change_table :<%= table_name %> do |t|
       t.remove_references :invited_by, :polymorphic => true
-      t.remove :invitation_limit, :invitation_sent_at, :invitation_accepted_at, :invitation_token
+      t.remove :invitation_limit, :invitation_sent_at, :invitation_accepted_at, :invitation_token, :invitation_created_at
     end
   end
 end

data/test/integration/invitation_remove_test.rb

@@ -1,29 +1,29 @@
 require 'test_helper'
 require 'integration_tests_helper'
 
-class InvitationTest < ActionDispatch::IntegrationTest
+class InvitationRemoveTest < ActionDispatch::IntegrationTest
 
   test 'invited user can choose to remove his account/invite' do
     user = User.invite!(:email => "valid@email.com")
 
     # remove!
-    visit remove_user_invitation_path(:invitation_token => user.invitation_token)
+    visit remove_user_invitation_path(:invitation_token => Thread.current[:token])
     assert_equal root_path, current_path
     assert page.has_css?('p#notice', :text => 'Your invitation was removed.')
     
     # try to remove again!
-    visit remove_user_invitation_path(:invitation_token => user.invitation_token)
+    visit remove_user_invitation_path(:invitation_token => Thread.current[:token])
     assert_equal root_path, current_path
     assert page.has_css?('p#alert', :text => 'The invitation token provided is not valid!')
   end
 
   test 'accepted user cannot remove his account (by using the original invitation token)' do
     user = User.invite!(:email => "valid@email.com")
-    saved_token = user.invitation_token
+    saved_token = Thread.current[:token]
     user.accept_invitation!
     
     visit remove_user_invitation_path(:invitation_token =>  saved_token)
     assert_equal root_path, current_path
     assert page.has_css?('p#alert', :text => 'The invitation token provided is not valid!')
   end
-end
+end

data/test/integration/invitation_test.rb

@@ -75,7 +75,7 @@ class InvitationTest < ActionDispatch::IntegrationTest
 
   test 'not authenticated user with valid invitation token but invalid password should not be able to set his password' do
     user = User.invite!(:email => "valid@email.com")
-    set_password :invitation_token => user.invitation_token do
+    set_password :invitation_token => Thread.current[:token] do
       fill_in 'Password confirmation', :with => 'other_password'
     end
     assert_equal user_invitation_path, current_path
@@ -85,7 +85,7 @@ class InvitationTest < ActionDispatch::IntegrationTest
 
   test 'not authenticated user with valid data should be able to change his password' do
     user = User.invite!(:email => "valid@email.com")
-    set_password :invitation_token => user.invitation_token
+    set_password :invitation_token => Thread.current[:token]
 
     assert_equal root_path, current_path
     assert page.has_css?('p#notice', :text => 'Your password was set successfully. You are now signed in.')
@@ -94,7 +94,7 @@ class InvitationTest < ActionDispatch::IntegrationTest
 
   test 'after entering invalid data user should still be able to set his password' do
     user = User.invite!(:email => "valid@email.com")
-    set_password :invitation_token => user.invitation_token do
+    set_password :invitation_token => Thread.current[:token] do
       fill_in 'Password confirmation', :with => 'other_password'
     end
     assert_equal user_invitation_path, current_path
@@ -108,7 +108,7 @@ class InvitationTest < ActionDispatch::IntegrationTest
 
   test 'sign in user automatically after setting it\'s password' do
     user = User.invite!(:email => "valid@email.com")
-    set_password :invitation_token => user.invitation_token
+    set_password :invitation_token => Thread.current[:token]
     assert_equal root_path, current_path
   end
 
@@ -119,8 +119,7 @@ class InvitationTest < ActionDispatch::IntegrationTest
     fill_in 'user_email', :with => 'valid@email.com'
     click_button 'Send me reset password instructions'
 
-    user.reload
-    visit edit_user_password_path(:reset_password_token => user.reset_password_token)
+    visit edit_user_password_path(:reset_password_token => Thread.current[:token])
     set_password :visit => false, :button => 'Change my password'
 
     user.reload

data/test/mailers/invitation_mail_test.rb

@@ -53,7 +53,17 @@ class InvitationMailTest < ActionMailer::TestCase
 
   test 'body should have link to confirm the account' do
     host = ActionMailer::Base.default_url_options[:host]
-    invitation_url_regexp = %r{<a href=\"http://#{host}/users/invitation/accept\?invitation_token=#{user.invitation_token}">}
-    assert_match invitation_url_regexp, mail.body.decoded
+    body = mail.body.decoded
+    invitation_url_regexp = %r{<a href=\"http://#{host}/users/invitation/accept\?invitation_token=#{Thread.current[:token]}">}
+    assert_match invitation_url_regexp, body
+  end
+
+  test 'body should have link to confirm the account on resend' do
+    host = ActionMailer::Base.default_url_options[:host]
+    user
+    @user = User.find(user.id).invite!
+    body = mail.body.decoded
+    invitation_url_regexp = %r{<a href=\"http://#{host}/users/invitation/accept\?invitation_token=#{Thread.current[:token]}">}
+    assert_match invitation_url_regexp, body
   end
 end

data/test/models/invitable_test.rb

@@ -11,15 +11,17 @@ class InvitableTest < ActiveSupport::TestCase
     assert_nil new_user.invitation_token
   end
 
-  test 'should not regenerate invitation token each time' do
+  test 'should regenerate invitation token each time' do
     user = new_user
     user.invite!
     token = user.invitation_token
     assert_not_nil user.invitation_token
     assert_not_nil user.invitation_created_at
     3.times do
+      user = User.find(user.id)
       user.invite!
-      assert_equal token, user.invitation_token
+      assert_not_equal token, user.invitation_token
+      token = user.invitation_token
     end
   end
 
@@ -32,22 +34,11 @@ class InvitableTest < ActiveSupport::TestCase
     3.times do
       user.invite!
       assert_not_equal old_invitation_sent_at, user.invitation_sent_at
-      assert_not_equal old_invitation_created_at, user.invitation_sent_at
+      assert_not_equal old_invitation_created_at, user.invitation_created_at
       user.update_attributes(:invitation_sent_at => old_invitation_sent_at, :invitation_created_at => old_invitation_created_at)
     end
   end
 
-  test 'should not regenerate invitation token even after the invitation token is not valid' do
-    User.stubs(:invite_for).returns(1.day)
-    user = new_user
-    user.invite!
-    token = user.invitation_token
-    user.invitation_created_at = 3.days.ago
-    user.save
-    user.invite!
-    assert_equal token, user.invitation_token
-  end
-
   test 'should test invitation sent at with invite_for configuration value' do
     user = User.invite!(:email => "valid@email.com")
 
@@ -99,6 +90,8 @@ class InvitableTest < ActiveSupport::TestCase
     user = User.invite!(:email => "valid@email.com")
     assert user.new_record?
     assert user.errors.present?
+    assert user.errors[:username]
+    assert user.errors[:email].empty?
   end
 
   test 'should return mail object' do
@@ -113,14 +106,14 @@ class InvitableTest < ActiveSupport::TestCase
 
   test 'should set password and password confirmation from params' do
     invited_user = User.invite!(:email => "valid@email.com")
-    user = User.accept_invitation!(:invitation_token => invited_user.invitation_token, :password => '123456789', :password_confirmation => '123456789')
+    user = User.accept_invitation!(:invitation_token => Thread.current[:token], :password => '123456789', :password_confirmation => '123456789')
     assert user.valid_password?('123456789')
   end
 
   test 'should set password and save the record' do
     user = User.invite!(:email => "valid@email.com")
     old_encrypted_password = user.encrypted_password
-    user = User.accept_invitation!(:invitation_token => user.invitation_token, :password => '123456789', :password_confirmation => '123456789')
+    user = User.accept_invitation!(:invitation_token => Thread.current[:token], :password => '123456789', :password_confirmation => '123456789')
     assert_not_equal old_encrypted_password, user.encrypted_password
   end
 
@@ -147,10 +140,14 @@ class InvitableTest < ActiveSupport::TestCase
   test 'should clear invitation token while resetting the password' do
     user = User.invite!(:email => "valid@email.com")
     assert user.invited_to_sign_up?
-    user.send(:generate_reset_password_token!)
+    token, user.reset_password_token = Devise.token_generator.generate(User, :reset_password_token)
+    user.reset_password_sent_at = Time.now.utc
+    user.save
+
     assert_present user.reset_password_token
     assert_present user.invitation_token
-    User.reset_password_by_token(:reset_password_token => user.reset_password_token, :password => '123456789', :password_confirmation => '123456789')
+    User.reset_password_by_token(:reset_password_token => token, :password => '123456789', :password_confirmation => '123456789')
+    assert_nil user.reload.reset_password_token
     assert_nil user.reload.invitation_token
     assert !user.invited_to_sign_up?
   end
@@ -158,10 +155,14 @@ class InvitableTest < ActiveSupport::TestCase
   test 'should not accept invitation on failing to reset the password' do
     user = User.invite!(:email => "valid@email.com")
     assert user.invited_to_sign_up?
-    user.send(:generate_reset_password_token!)
+    token, user.reset_password_token = Devise.token_generator.generate(User, :reset_password_token)
+    user.reset_password_sent_at = Time.now.utc
+    user.save
+
     assert_present user.reset_password_token
     assert_present user.invitation_token
-    User.reset_password_by_token(:reset_password_token => user.reset_password_token, :password => '123456789', :password_confirmation => '12345678')
+    User.reset_password_by_token(:reset_password_token => token, :password => '123456789', :password_confirmation => '12345678')
+    assert_present user.reload.reset_password_token
     assert_present user.reload.invitation_token
     assert user.invited_to_sign_up?
   end
@@ -169,10 +170,13 @@ class InvitableTest < ActiveSupport::TestCase
   test 'should not set invitation_accepted_at if just resetting password' do
     user = User.create!(:email => "valid@email.com", :password => "123456780")
     assert !user.invited_to_sign_up?
-    user.send(:generate_reset_password_token!)
+    token, user.reset_password_token = Devise.token_generator.generate(User, :reset_password_token)
+    user.reset_password_sent_at = Time.now.utc
+    user.save
+
     assert_present user.reset_password_token
     assert_nil user.invitation_token
-    User.reset_password_by_token(:reset_password_token => user.reset_password_token, :password => '123456789', :password_confirmation => '123456789')
+    User.reset_password_by_token(:reset_password_token => token, :password => '123456789', :password_confirmation => '123456789')
     assert_nil user.reload.invitation_token
     assert_nil user.reload.invitation_accepted_at
   end
@@ -241,6 +245,9 @@ class InvitableTest < ActiveSupport::TestCase
     user = User.invite!(:email => "valid@email.com")
     assert_equal user, existing_user
     assert_equal ['has already been taken'], user.errors[:email]
+    same_user = User.invite!("email" => "valid@email.com")
+    assert_equal same_user, existing_user
+    assert_equal ['has already been taken'], same_user.errors[:email]
   end
 
   test 'should return a record with errors if user with pending invitation was found by e-mail' do
@@ -297,7 +304,7 @@ class InvitableTest < ActiveSupport::TestCase
   test 'should find a user to set his password based on invitation_token' do
     user = new_user
     user.invite!
-    invited_user = User.accept_invitation!(:invitation_token => user.invitation_token)
+    invited_user = User.accept_invitation!(:invitation_token => Thread.current[:token])
     assert_equal invited_user, user
   end
 
@@ -318,7 +325,7 @@ class InvitableTest < ActiveSupport::TestCase
     invited_user = User.invite!(:email => "valid@email.com")
     invited_user.invitation_created_at = 2.days.ago
     invited_user.save(:validate => false)
-    user = User.accept_invitation!(:invitation_token => invited_user.invitation_token)
+    user = User.accept_invitation!(:invitation_token => Thread.current[:token])
     assert_equal user, invited_user
     assert_equal ["is invalid"], user.errors[:invitation_token]
   end
@@ -336,7 +343,7 @@ class InvitableTest < ActiveSupport::TestCase
     user.invite!
 
     invited_user = User.accept_invitation!(
-      :invitation_token => user.invitation_token,
+      :invitation_token => Thread.current[:token],
       :password => 'new_password',
       :password_confirmation => 'new_password'
     )
@@ -350,16 +357,34 @@ class InvitableTest < ActiveSupport::TestCase
     user.invite!
 
     invited_user = User.accept_invitation!(
-      :invitation_token => user.invitation_token,
+      :invitation_token => Thread.current[:token],
       :password => 'new_password',
       :password_confirmation => 'new_password',
       :username => 'a'*50
     )
     assert invited_user.errors[:username].present?
 
+    user.reload
     assert !user.valid_password?('new_password')
   end
 
+  test 'should set other attributes on accepting invitation' do
+    user = new_user(:password => nil, :password_confirmation => nil)
+    user.invite!
+
+    invited_user = User.accept_invitation!(
+      :invitation_token => Thread.current[:token],
+      :password => 'new_password',
+      :password_confirmation => 'new_password',
+      :username => 'a'
+    )
+    assert invited_user.errors[:username].blank?
+
+    user.reload
+    assert_equal 'a', user.username
+    assert user.valid_password?('new_password')
+  end
+
   test 'should not confirm user on invite' do
     user = new_user
 

data/test/rails_app/app/models/user.rb

@@ -34,7 +34,7 @@ class User < PARENT_MODEL_CLASS
 
   devise :database_authenticatable, :registerable, :validatable, :confirmable, :invitable, :recoverable
 
-  attr_accessor :callback_works, :bio
+  attr_accessor :callback_works, :bio, :token
   validates :username, :length => { :maximum => 20 }
   
   attr_accessor :testing_accepting_or_not_invited
@@ -48,4 +48,9 @@ class User < PARENT_MODEL_CLASS
   after_invitation_accepted do |object|
     object.callback_works = true
   end
+
+  def send_devise_notification(method, raw, *args)
+    Thread.current[:token] = raw
+    super
+  end
 end

data/test/rails_app/config/initializers/devise.rb

@@ -1,9 +1,15 @@
 # Use this hook to configure devise mailer, warden hooks and so forth.
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
+  # The secret key used by Devise. Devise uses this key to generate
+  # random tokens. Changing this key will render invalid all existing
+  # confirmation, reset password and unlock tokens in the database.
+  config.secret_key = 'e5151770530bba4c845256482be72bf598f723bebc057f4b8c15a7e63d7ffb61e7b8a0615e92a78127498ac509c43589b39bd13df397a4a2a7b3796c836e6ef8'
+
   # ==> Mailer Configuration
   # Configure the e-mail address which will be shown in Devise::Mailer,
-  # note that it will be overwritten if you use your own mailer class with default "from" parameter.
+  # note that it will be overwritten if you use your own mailer class
+  # with default "from" parameter.
   config.mailer_sender = "please-change-me-at-config-initializers-devise@example.com"
 
   # Configure the class responsible to send e-mails.

metadata

@@ -1,13 +1,13 @@
 --- !ruby/object:Gem::Specification 
 name: devise_invitable
 version: !ruby/object:Gem::Version 
-  hash: 29
+  hash: 27
   prerelease: 
   segments: 
   - 1
-  - 2
-  - 1
-  version: 1.2.1
+  - 3
+  - 0
+  version: 1.3.0
 platform: ruby
 authors: 
 - Sergio Cambra
@@ -15,7 +15,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2013-08-22 00:00:00 Z
+date: 2013-10-03 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: bundler
@@ -61,14 +61,14 @@ dependencies:
   requirement: &id003 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
-    - - ~>
+    - - ">="
       - !ruby/object:Gem::Version 
-        hash: 7
+        hash: 3
         segments: 
         - 3
+        - 1
         - 0
-        - 0
-        version: 3.0.0
+        version: 3.1.0
   type: :runtime
   version_requirements: *id003
 description: It adds support for send invitations by email (it requires to be authenticated) and accept the invitation by setting a password.
@@ -108,6 +108,7 @@ files:
 - lib/generators/mongoid/devise_invitable_generator.rb
 - LICENSE
 - README.rdoc
+- CHANGELOG
 - test/functional/controller_helpers_test.rb
 - test/functional/registrations_controller_test.rb
 - test/generators/views_generator_test.rb
@@ -160,8 +161,8 @@ files:
 - test/routes_test.rb
 - test/test_helper.rb
 homepage: https://github.com/scambra/devise_invitable
-licenses: []
-
+licenses: 
+- MIT
 post_install_message: 
 rdoc_options: 
 - --main
@@ -194,7 +195,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: 
-rubygems_version: 1.8.23
+rubygems_version: 1.8.24
 signing_key: 
 specification_version: 3
 summary: An invitation strategy for Devise
@@ -250,4 +251,3 @@ test_files:
 - test/rails_app/script/rails
 - test/routes_test.rb
 - test/test_helper.rb
-has_rdoc: