devise_security_extension 0.6.0 → 0.6.1

data/Gemfile

@@ -2,7 +2,7 @@ source "http://rubygems.org"
 # Add dependencies required to use your gem here.
 # Example:
 gem "rails", ">= 3.1.1"
-gem "devise"
+gem "devise", ">= 2.0.0"
 
 # Add dependencies to develop your gem here.
 # Include everything needed to run rake, tests, features, etc.

data/Gemfile.lock

@@ -1,43 +1,49 @@
 GEM
   remote: http://rubygems.org/
   specs:
-    actionmailer (3.1.3)
-      actionpack (= 3.1.3)
-      mail (~> 2.3.0)
-    actionpack (3.1.3)
-      activemodel (= 3.1.3)
-      activesupport (= 3.1.3)
+    actionmailer (3.2.1)
+      actionpack (= 3.2.1)
+      mail (~> 2.4.0)
+    actionpack (3.2.1)
+      activemodel (= 3.2.1)
+      activesupport (= 3.2.1)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
-      i18n (~> 0.6)
-      rack (~> 1.3.5)
+      journey (~> 1.0.1)
+      rack (~> 1.4.0)
       rack-cache (~> 1.1)
-      rack-mount (~> 0.8.2)
       rack-test (~> 0.6.1)
-      sprockets (~> 2.0.3)
-    activemodel (3.1.3)
-      activesupport (= 3.1.3)
+      sprockets (~> 2.1.2)
+    activemodel (3.2.1)
+      activesupport (= 3.2.1)
       builder (~> 3.0.0)
-      i18n (~> 0.6)
-    activerecord (3.1.3)
-      activemodel (= 3.1.3)
-      activesupport (= 3.1.3)
-      arel (~> 2.2.1)
+    activerecord (3.2.1)
+      activemodel (= 3.2.1)
+      activesupport (= 3.2.1)
+      arel (~> 3.0.0)
       tzinfo (~> 0.3.29)
-    activeresource (3.1.3)
-      activemodel (= 3.1.3)
-      activesupport (= 3.1.3)
-    activesupport (3.1.3)
+    activeresource (3.2.1)
+      activemodel (= 3.2.1)
+      activesupport (= 3.2.1)
+    activesupport (3.2.1)
+      i18n (~> 0.6)
       multi_json (~> 1.0)
-    arel (2.2.1)
+    arel (3.0.0)
     bcrypt-ruby (3.0.1)
     builder (3.0.0)
-    devise (1.5.1)
+    devise (2.0.0)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.0.3)
+      railties (~> 3.1)
       warden (~> 1.1)
-    easy_captcha (0.4.5)
+    diff-lcs (1.1.3)
+    easy_captcha (0.4.7)
+      bundler (~> 1.0.0)
       rails (>= 3.0.0)
+      rmagick (>= 2.13.1)
+      rspec-rails (~> 2.8.1)
+      simplecov (>= 0.3.8)
+      yard (>= 0.7.0)
     erubis (2.7.0)
     git (1.2.5)
     hike (1.2.1)
@@ -46,45 +52,62 @@ GEM
       bundler (~> 1.0.0)
       git (>= 1.2.5)
       rake
-    json (1.6.1)
-    mail (2.3.0)
+    journey (1.0.1)
+    json (1.6.5)
+    mail (2.4.1)
       i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     mime-types (1.17.2)
-    multi_json (1.0.3)
-    orm_adapter (0.0.5)
+    multi_json (1.0.4)
+    orm_adapter (0.0.6)
     polyglot (0.3.3)
-    rack (1.3.5)
+    rack (1.4.1)
     rack-cache (1.1)
       rack (>= 0.4)
-    rack-mount (0.8.3)
-      rack (>= 1.0.0)
     rack-ssl (1.3.2)
       rack
     rack-test (0.6.1)
       rack (>= 1.0)
-    rails (3.1.3)
-      actionmailer (= 3.1.3)
-      actionpack (= 3.1.3)
-      activerecord (= 3.1.3)
-      activeresource (= 3.1.3)
-      activesupport (= 3.1.3)
+    rails (3.2.1)
+      actionmailer (= 3.2.1)
+      actionpack (= 3.2.1)
+      activerecord (= 3.2.1)
+      activeresource (= 3.2.1)
+      activesupport (= 3.2.1)
       bundler (~> 1.0)
-      railties (= 3.1.3)
+      railties (= 3.2.1)
     rails_email_validator (0.1.4)
       activemodel (>= 3.0.0)
-    railties (3.1.3)
-      actionpack (= 3.1.3)
-      activesupport (= 3.1.3)
+    railties (3.2.1)
+      actionpack (= 3.2.1)
+      activesupport (= 3.2.1)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
       thor (~> 0.14.6)
     rake (0.9.2.2)
-    rdoc (3.11)
+    rdoc (3.12)
       json (~> 1.4)
-    sprockets (2.0.3)
+    rmagick (2.13.1)
+    rspec (2.8.0)
+      rspec-core (~> 2.8.0)
+      rspec-expectations (~> 2.8.0)
+      rspec-mocks (~> 2.8.0)
+    rspec-core (2.8.0)
+    rspec-expectations (2.8.0)
+      diff-lcs (~> 1.1.2)
+    rspec-mocks (2.8.0)
+    rspec-rails (2.8.1)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      railties (>= 3.0)
+      rspec (~> 2.8.0)
+    simplecov (0.5.4)
+      multi_json (~> 1.0.3)
+      simplecov-html (~> 0.5.3)
+    simplecov-html (0.5.3)
+    sprockets (2.1.2)
       hike (~> 1.2)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
@@ -96,13 +119,14 @@ GEM
     tzinfo (0.3.31)
     warden (1.1.0)
       rack (>= 1.0)
+    yard (0.7.5)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
   bundler (~> 1.0.0)
-  devise
+  devise (>= 2.0.0)
   easy_captcha
   jeweler (~> 1.5.2)
   rails (>= 3.1.1)

data/README.rdoc

@@ -76,39 +76,41 @@ That's it!
 === Password expirable
 
   create_table :the_resources do |t|
-    t.password_expirable
+    # other devise fields
+
+    t.datetime :password_changed_at
   end
+  add_index :the_resources, :password_changed_at
 
 === Password archivable
 
   create_table :old_passwords do |t|
-    t.password_archivable
+    t.string :encrypted_password, :null => false
+    t.string :password_salt
+    t.string :password_archivable_type, :null => false
+    t.integer :password_archivable_id, :null => false
+    t.datetime :created_at
   end
   add_index :old_passwords, [:password_archivable_type, :password_archivable_id], :name => :index_password_archivable
 
 === Session limitable
 
   create_table :the_resources do |t|
-    t.session_limitable
+    # other devise fields
+
+    t.string :unique_session_id, :limit => 20
   end
 
 === Expirable
-Devise 2.0 style migrations on new resource:
 
   create_table :the_resources do |t|
-    ...
-    t.datetime :last_activity_at
-    t.datetime :expired_at
-    ...
-  end
+    # other devise fields
 
-Add module to existing resource with
-  
-  change_table :the_resources do |t|
     t.datetime :last_activity_at
     t.datetime :expired_at
   end
-
+  add_index :the_resources, :last_activity_at
+  add_index :the_resources, :expired_at
 
 == Requirements
 
@@ -133,6 +135,7 @@ Add module to existing resource with
 * Team Phatworx (http://github.com/phatworx)
 * Marco Scholl (http://github.com/traxanos)
 * Alexander Dreher (http://github.com/alexdreher)
+* Christoph Chilian (http://github.com/cc-web)
 
 == Contributing to devise_security_extension
  
@@ -146,4 +149,4 @@ Add module to existing resource with
 
 == Copyright
 
-Copyright (c) 2011 Marco Scholl. See LICENSE.txt for further details.
+Copyright (c) 2011-2012 Marco Scholl. See LICENSE.txt for further details.

data/VERSION

@@ -1 +1 @@
-0.6.0
+0.6.1

data/app/controllers/devise/password_expired_controller.rb

@@ -1,11 +1,11 @@
-class Devise::PasswordExpiredController < ApplicationController
+class Devise::PasswordExpiredController < DeviseController
   skip_before_filter :handle_password_change
   prepend_before_filter :authenticate_scope!, :only => [:show, :update]
-  include Devise::Controllers::InternalHelpers
+  include Devise::Controllers::Helpers
 
   def show
     if not resource.nil? and resource.need_change_password?
-      render_with_scope :show
+      render 'devise/password_expired/show'
     else
       redirect_to :root
     end
@@ -19,7 +19,7 @@ class Devise::PasswordExpiredController < ApplicationController
       redirect_to stored_location_for(scope) || :root
     else
       clean_up_passwords(resource)
-      render_with_scope :show
+      render 'devise/password_expired/show'
     end
   end
 

data/devise_security_extension.gemspec

@@ -5,11 +5,11 @@
 
 Gem::Specification.new do |s|
   s.name = "devise_security_extension"
-  s.version = "0.6.0"
+  s.version = "0.6.1"
 
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["Marco Scholl", "Alexander Dreher"]
-  s.date = "2011-12-28"
+  s.date = "2012-06-06"
   s.description = "An enterprise security extension for devise, trying to meet industrial standard security demands for web applications."
   s.email = "team@phatworx.de"
   s.extra_rdoc_files = [
@@ -42,7 +42,11 @@ Gem::Specification.new do |s|
     "lib/devise_security_extension/models/session_limitable.rb",
     "lib/devise_security_extension/orm/active_record.rb",
     "lib/devise_security_extension/patches.rb",
-    "lib/devise_security_extension/patches/controller_captcha.rb",
+    "lib/devise_security_extension/patches/confirmations_controller_captcha.rb",
+    "lib/devise_security_extension/patches/passwords_controller_captcha.rb",
+    "lib/devise_security_extension/patches/registrations_controller_captcha.rb",
+    "lib/devise_security_extension/patches/sessions_controller_captcha.rb",
+    "lib/devise_security_extension/patches/unlocks_controller_captcha.rb",
     "lib/devise_security_extension/rails.rb",
     "lib/devise_security_extension/routes.rb",
     "lib/devise_security_extension/schema.rb",
@@ -53,7 +57,7 @@ Gem::Specification.new do |s|
   s.homepage = "http://github.com/phatworx/devise_security_extension"
   s.licenses = ["MIT"]
   s.require_paths = ["lib"]
-  s.rubygems_version = "1.8.10"
+  s.rubygems_version = "1.8.21"
   s.summary = "Security extension for devise"
   s.test_files = [
     "test/helper.rb",
@@ -65,14 +69,14 @@ Gem::Specification.new do |s|
 
     if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
       s.add_runtime_dependency(%q<rails>, [">= 3.1.1"])
-      s.add_runtime_dependency(%q<devise>, [">= 0"])
+      s.add_runtime_dependency(%q<devise>, [">= 2.0.0"])
       s.add_development_dependency(%q<rails_email_validator>, [">= 0"])
       s.add_development_dependency(%q<easy_captcha>, [">= 0"])
       s.add_development_dependency(%q<bundler>, ["~> 1.0.0"])
       s.add_development_dependency(%q<jeweler>, ["~> 1.5.2"])
     else
       s.add_dependency(%q<rails>, [">= 3.1.1"])
-      s.add_dependency(%q<devise>, [">= 0"])
+      s.add_dependency(%q<devise>, [">= 2.0.0"])
       s.add_dependency(%q<rails_email_validator>, [">= 0"])
       s.add_dependency(%q<easy_captcha>, [">= 0"])
       s.add_dependency(%q<bundler>, ["~> 1.0.0"])
@@ -80,7 +84,7 @@ Gem::Specification.new do |s|
     end
   else
     s.add_dependency(%q<rails>, [">= 3.1.1"])
-    s.add_dependency(%q<devise>, [">= 0"])
+    s.add_dependency(%q<devise>, [">= 2.0.0"])
     s.add_dependency(%q<rails_email_validator>, [">= 0"])
     s.add_dependency(%q<easy_captcha>, [">= 0"])
     s.add_dependency(%q<bundler>, ["~> 1.0.0"])

data/lib/devise_security_extension.rb

@@ -5,7 +5,7 @@ require 'active_support/ordered_hash'
 require 'active_support/concern'
 require 'devise'
 
-module Devise # :nodoc:  
+module Devise
 
   # Should the password expire (e.g 3.months)
   mattr_accessor :expire_password_after
@@ -43,6 +43,10 @@ module Devise # :nodoc:
   # captcha integration for unlock form
   mattr_accessor :captcha_for_unlock
   @@captcha_for_unlock = false
+  
+  # captcha integration for confirmation form
+  mattr_accessor :captcha_for_confirmation
+  @@captcha_for_confirmation = false
 
   # Time period for account expiry from last_activity_at
   mattr_accessor :expire_after

data/lib/devise_security_extension/controllers/helpers.rb

@@ -1,6 +1,6 @@
 module DeviseSecurityExtension
-  module Controllers # :nodoc:
-    module Helpers # :nodoc:
+  module Controllers
+    module Helpers
       extend ActiveSupport::Concern
 
       included do
@@ -10,22 +10,18 @@ module DeviseSecurityExtension
       module ClassMethods
         # helper for captcha
         def init_recover_password_captcha
-          p "init"
-          p self.inspect
-          
           include RecoverPasswordCaptcha
         end        
       end
 
       module RecoverPasswordCaptcha
         def new
-          p "Check here captcha"
           super
         end
       end
 
       # controller instance methods
-      module InstanceMethods
+
         private
 
         # lookup if an password change needed
@@ -60,7 +56,7 @@ module DeviseSecurityExtension
           false
         end
 
-      end
+
     end
   end
 

data/lib/devise_security_extension/models/expirable.rb

@@ -18,51 +18,48 @@ module Devise
     module Expirable
       extend ActiveSupport::Concern
 
-      module InstanceMethods
-        # Updates +last_activity_at+, called from a Warden::Manager.after_set_user hook.
-        def update_last_activitiy!
-          self.last_activity_at = Time.now.utc
-          save(:validate => false)
-        end
-
-        # Tells if the account has expired
-        #
-        # @return [bool]
-        def expired?
-          # expired_at set (manually, via cron, etc.)
-          return self.expired_at < Time.now.utc unless self.expired_at.nil?
-          # if it is not set, check the last activity against configured expire_after time range
-          return self.last_activity_at < self.class.expire_after.ago unless self.last_activity_at.nil?
-          # if last_activity_at is nil as well, the user has to be 'fresh' and is therefore not expired
-          false
-        end
+      # Updates +last_activity_at+, called from a Warden::Manager.after_set_user hook.
+      def update_last_activitiy!
+        self.last_activity_at = Time.now.utc
+        save(:validate => false)
+      end
 
-        # Expire an account. This is for cron jobs and manually expiring of accounts.
-        #
-        # @example 
-        #   User.expire!
-        #   User.expire! 1.week.from_now
-        # @note +expired_at+ can be in the future as well
-        def expire!(at = Time.now.utc)
-          self.expired_at = at
-          save(:validate => false)
-        end
+      # Tells if the account has expired
+      #
+      # @return [bool]
+      def expired?
+        # expired_at set (manually, via cron, etc.)
+        return self.expired_at < Time.now.utc unless self.expired_at.nil?
+        # if it is not set, check the last activity against configured expire_after time range
+        return self.last_activity_at < self.class.expire_after.ago unless self.last_activity_at.nil?
+        # if last_activity_at is nil as well, the user has to be 'fresh' and is therefore not expired
+        false
+      end
 
-        # Overwrites active_for_authentication? from Devise::Models::Activatable
-        # for verifying whether a user is active to sign in or not. If the account
-        # is expired, it should never be allowed.
-        #
-        # @return [bool]
-        def active_for_authentication?
-          super && !self.expired?
-        end
+      # Expire an account. This is for cron jobs and manually expiring of accounts.
+      #
+      # @example 
+      #   User.expire!
+      #   User.expire! 1.week.from_now
+      # @note +expired_at+ can be in the future as well
+      def expire!(at = Time.now.utc)
+        self.expired_at = at
+        save(:validate => false)
+      end
 
-        # The message sym, if {#active_for_authentication?} returns +false+. E.g. needed 
-        # for i18n.
-        def inactive_message
-          !self.expired? ? super : :expired
-        end
+      # Overwrites active_for_authentication? from Devise::Models::Activatable
+      # for verifying whether a user is active to sign in or not. If the account
+      # is expired, it should never be allowed.
+      #
+      # @return [bool]
+      def active_for_authentication?
+        super && !self.expired?
+      end
 
+      # The message sym, if {#active_for_authentication?} returns +false+. E.g. needed 
+      # for i18n.
+      def inactive_message
+        !self.expired? ? super : :expired
       end
 
       module ClassMethods

data/lib/devise_security_extension/models/old_password.rb

@@ -1,3 +1,5 @@
 class OldPassword < ActiveRecord::Base
   belongs_to :password_archivable, :polymorphic => true
-end
+
+  attr_accessible :encrypted_password
+end

data/lib/devise_security_extension/models/password_archivable.rb

@@ -1,68 +1,61 @@
-module Devise # :nodoc:
-  module Models # :nodoc:
+module Devise
+  module Models
 
     # PasswordArchivable
     module PasswordArchivable
+      extend  ActiveSupport::Concern
 
-      def self.included(base) # :nodoc:
-        base.extend ClassMethods
-
-        base.class_eval do
-          include InstanceMethods
-          has_many :old_passwords, :as => :password_archivable, :dependent => :destroy
-          before_update :archive_password
-          validate :validate_password_archive
-        end
+      included do
+        has_many :old_passwords, :as => :password_archivable, :dependent => :destroy
+        before_update :archive_password
+        validate :validate_password_archive
       end
 
-      module InstanceMethods # :nodoc:
-
-        def validate_password_archive
-          self.errors.add(:password, :taken_in_past) if encrypted_password_changed? and password_archive_included?
-        end
+      def validate_password_archive
+        self.errors.add(:password, :taken_in_past) if encrypted_password_changed? and password_archive_included?
+      end
 
-        # validate is the password used in the past
-        def password_archive_included?
-          unless self.class.deny_old_passwords.is_a? Fixnum
-            if self.class.deny_old_passwords.is_a? TrueClass and self.class.password_archiving_count > 0
-              self.class.deny_old_passwords = self.class.password_archiving_count
-            else
-              self.class.deny_old_passwords = 0
-            end
+      # validate is the password used in the past
+      def password_archive_included?
+        unless self.class.deny_old_passwords.is_a? Fixnum
+          if self.class.deny_old_passwords.is_a? TrueClass and self.class.password_archiving_count > 0
+            self.class.deny_old_passwords = self.class.password_archiving_count
+          else
+            self.class.deny_old_passwords = 0
           end
+        end
 
-          if self.class.deny_old_passwords > 0 and not self.password.nil?
-            self.old_passwords.order('created_at DESC').limit(self.class.deny_old_passwords).limit(self.class.deny_old_passwords).each do |old_password|
-              dummy                    = self.class.new
-              dummy.encrypted_password = old_password.encrypted_password
-              dummy.password_salt      = old_password.password_salt if dummy.respond_to?(:password_salt)
-              return true if dummy.valid_password?(self.password)
-            end
+        if self.class.deny_old_passwords > 0 and not self.password.nil?
+          self.old_passwords.reverse_order(:id).limit(self.class.deny_old_passwords).each do |old_password|
+            dummy                    = self.class.new
+            dummy.encrypted_password = old_password.encrypted_password
+            dummy.password_salt      = old_password.password_salt if dummy.respond_to?(:password_salt)
+            return true if dummy.valid_password?(self.password)
           end
-
-          false
         end
 
-        private
+        false
+      end
+
+      private
 
-        # archive the last password before save and delete all to old passwords from archive
-        def archive_password
-          if self.encrypted_password_changed?
-            if self.class.password_archiving_count.to_i > 0
-              if self.respond_to?(:password_salt_change) and not self.password_salt_change.nil?
-                self.old_passwords.create! :encrypted_password => self.encrypted_password_change.first, :password_salt => self.password_salt_change.first
-              else
-                self.old_passwords.create! :encrypted_password => self.encrypted_password_change.first
-              end
-              self.old_passwords.order('created_at DESC').offset(self.class.password_archiving_count).destroy_all
+      # archive the last password before save and delete all to old passwords from archive
+      def archive_password
+        if self.encrypted_password_changed?
+          if self.class.password_archiving_count.to_i > 0
+            if self.respond_to?(:password_salt_change) and not self.password_salt_change.nil?
+              self.old_passwords.create! :encrypted_password => self.encrypted_password_change.first, :password_salt => self.password_salt_change.first
             else
-              self.old_passwords.destroy_all
+              self.old_passwords.create! :encrypted_password => self.encrypted_password_change.first
             end
+            self.old_passwords.reverse_order(:id).offset(self.class.password_archiving_count).destroy_all
+          else
+            self.old_passwords.destroy_all
           end
         end
       end
 
-      module ClassMethods #:nodoc:
+      module ClassMethods
         ::Devise::Models.config(self, :password_archiving_count, :deny_old_passwords)
       end
     end

data/lib/devise_security_extension/models/password_expirable.rb

@@ -1,63 +1,57 @@
 require 'devise_security_extension/hooks/password_expirable'
 
-module Devise # :nodoc:
-  module Models # :nodoc:
+module Devise
+  module Models
 
     # PasswordExpirable takes care of change password after
     module PasswordExpirable
+      extend ActiveSupport::Concern
 
-      def self.included(base) # :nodoc:
-        base.extend ClassMethods
+      included do
+        before_save :update_password_changed
+      end
 
-        base.class_eval do
-          before_save :update_password_changed
-          include InstanceMethods
+      # is an password change required?
+      def need_change_password?
+        if self.class.expire_password_after.is_a? Fixnum or self.class.expire_password_after.is_a? Float
+          self.password_changed_at.nil? or self.password_changed_at < self.class.expire_password_after.ago
+        else
+          false
         end
       end
 
-      module InstanceMethods # :nodoc:
-
-        # is an password change required?
-        def need_change_password?
-          if self.class.expire_password_after.is_a? Fixnum
-            self.password_changed_at.nil? or self.password_changed_at < self.class.expire_password_after.ago
-          else
-            false
-          end
+      # set a fake datetime so a password change is needed and save the record
+      def need_change_password!
+        if self.class.expire_password_after.is_a? Fixnum or self.class.expire_password_after.is_a? Float
+          need_change_password
+          self.save(:validate => false)
         end
+      end
 
-        # set a fake datetime so a password change is needed and save the record
-        def need_change_password!
-          if self.class.expire_password_after.is_a? Fixnum
-            need_change_password
-            self.save(:validate => false)
-          end
+      # set a fake datetime so a password change is needed
+      def need_change_password
+        if self.class.expire_password_after.is_a? Fixnum or self.class.expire_password_after.is_a? Float
+          self.password_changed_at = self.class.expire_password_after.ago
         end
 
-        # set a fake datetime so a password change is needed
-        def need_change_password
-          if self.class.expire_password_after.is_a? Fixnum
-            self.password_changed_at = self.class.expire_password_after.ago
-          end
-
-          # is date not set it will set default to need set new password next login
-          need_change_password if self.password_changed_at.nil?
+        # is date not set it will set default to need set new password next login
+        need_change_password if self.password_changed_at.nil?
 
-          self.password_changed_at
-        end
+        self.password_changed_at
+      end
 
-        private
+      private
 
         # is password changed then update password_cahanged_at
         def update_password_changed
           self.password_changed_at = Time.now if (self.new_record? or self.encrypted_password_changed?) and not self.password_changed_at_changed?
         end
-      end
 
-      module ClassMethods #:nodoc:
+      module ClassMethods
         ::Devise::Models.config(self, :expire_password_after)
       end
     end
+
   end
 
 end

data/lib/devise_security_extension/models/secure_validatable.rb

@@ -11,6 +11,7 @@ module Devise
     #   * +password_regex+: need strong password. Defaults to /(?=.*\d)(?=.*[a-z])(?=.*[A-Z])/
     #
     module SecureValidatable
+
       def self.included(base)
         base.extend ClassMethods
         assert_secure_validations_api!(base)
@@ -22,6 +23,7 @@ module Devise
 
           # validates email
           validates :email, :presence => true, :if => :email_required?
+          validates :email, :uniqueness => true, :allow_blank => true, :if => :email_changed? # check uniq for email ever
           validates :email, :email => email_validation if email_validation # use rails_email_validator or similar
           
           # validates password
@@ -32,7 +34,7 @@ module Devise
         end
       end
 
-      def self.assert_secure_validations_api!(base) #:nodoc:
+      def self.assert_secure_validations_api!(base)
         raise "Could not use SecureValidatable on #{base}" unless base.respond_to?(:validates)
       end
 

data/lib/devise_security_extension/models/session_limitable.rb

@@ -1,7 +1,7 @@
 require 'devise_security_extension/hooks/session_limitable'
 
-module Devise # :nodoc:
-  module Models # :nodoc:
+module Devise
+  module Models
     # SessionLimited ensures, that there is only one session usable per account at once.
     # If someone logs in, and some other is logging in with the same credentials,
     # the session from the first one is invalidated and not usable anymore.

data/lib/devise_security_extension/patches.rb

@@ -1,13 +1,18 @@
 module DeviseSecurityExtension
   module Patches
-    autoload :ControllerCaptcha, 'devise_security_extension/patches/controller_captcha'
+    autoload :UnlocksControllerCaptcha, 'devise_security_extension/patches/unlocks_controller_captcha'
+    autoload :PasswordsControllerCaptcha, 'devise_security_extension/patches/passwords_controller_captcha'
+    autoload :SessionsControllerCaptcha, 'devise_security_extension/patches/sessions_controller_captcha'
+    autoload :RegistrationsControllerCaptcha, 'devise_security_extension/patches/registrations_controller_captcha'
+    autoload :ConfirmationsControllerCaptcha, 'devise_security_extension/patches/confirmations_controller_captcha'
     
     class << self
       def apply
-        Devise::PasswordsController.send(:include, Patches::ControllerCaptcha) if Devise.captcha_for_recover
-        Devise::UnlocksController.send(:include, Patches::ControllerCaptcha) if Devise.captcha_for_unlock
-        Devise::RegistrationsController.send(:include, Patches::ControllerCaptcha) if Devise.captcha_for_sign_up
-        Devise::SessionsController.send(:include, Patches::ControllerCaptcha) if Devise.captcha_for_sign_in
+        Devise::PasswordsController.send(:include, Patches::PasswordsControllerCaptcha) if Devise.captcha_for_recover
+        Devise::UnlocksController.send(:include, Patches::UnlocksControllerCaptcha) if Devise.captcha_for_unlock
+        Devise::RegistrationsController.send(:include, Patches::RegistrationsControllerCaptcha) if Devise.captcha_for_sign_up
+        Devise::SessionsController.send(:include, Patches::SessionsControllerCaptcha) if Devise.captcha_for_sign_in
+        Devise::ConfirmationsController.send(:include, Patches::ConfirmationsControllerCaptcha) if Devise.captcha_for_confirmation
       end
     end
   end

data/lib/devise_security_extension/patches/confirmations_controller_captcha.rb

@@ -0,0 +1,21 @@
+module DeviseSecurityExtension::Patches
+  module ConfirmationsControllerCaptcha
+    extend ActiveSupport::Concern
+    included do
+      define_method :create do
+        if valid_captcha? params[:captcha]
+          self.resource = resource_class.send_confirmation_instructions(params[resource_name])
+
+          if successfully_sent?(resource)
+            respond_with({}, :location => after_resending_confirmation_instructions_path_for(resource_name))
+          else
+            respond_with(resource)
+          end
+        else
+          flash[:alert] = t('devise.invalid_captcha') if is_navigational_format?
+          respond_with({}, :location => new_confirmation_path(resource_name))
+        end
+      end
+    end
+  end
+end

data/lib/devise_security_extension/patches/passwords_controller_captcha.rb

@@ -0,0 +1,20 @@
+module DeviseSecurityExtension::Patches
+  module PasswordsControllerCaptcha
+    extend ActiveSupport::Concern
+    included do
+      define_method :create do
+        if valid_captcha? params[:captcha]
+          self.resource = resource_class.send_reset_password_instructions(params[resource_name])
+          if successfully_sent?(resource)
+            respond_with({}, :location => new_session_path(resource_name))
+          else
+            respond_with(resource)
+          end
+        else
+          flash[:alert] = t('devise.invalid_captcha') if is_navigational_format?
+          respond_with({}, :location => new_password_path(resource_name))
+        end
+      end
+    end
+  end
+end

data/lib/devise_security_extension/patches/registrations_controller_captcha.rb

@@ -0,0 +1,33 @@
+module DeviseSecurityExtension::Patches
+  module RegistrationsControllerCaptcha
+    extend ActiveSupport::Concern
+    included do
+      define_method :create do
+        build_resource
+
+        if valid_captcha? params[:captcha]
+
+          if resource.save
+            if resource.active_for_authentication?
+              set_flash_message :notice, :signed_up if is_navigational_format?
+              sign_in(resource_name, resource)
+              respond_with resource, :location => after_sign_up_path_for(resource)
+            else
+              set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_navigational_format?
+              expire_session_data_after_sign_in!
+              respond_with resource, :location => after_inactive_sign_up_path_for(resource)
+            end
+          else
+            clean_up_passwords resource
+            respond_with resource
+          end
+
+        else
+          resource.errors.add :base, t('devise.invalid_captcha')
+          clean_up_passwords resource
+          respond_with resource
+        end
+      end
+    end
+  end
+end

data/lib/devise_security_extension/patches/sessions_controller_captcha.rb

@@ -0,0 +1,23 @@
+module DeviseSecurityExtension::Patches
+  module SessionsControllerCaptcha
+    extend ActiveSupport::Concern
+    included do
+      define_method :create do
+        if valid_captcha? params[:captcha]
+          resource = warden.authenticate!(auth_options)
+          set_flash_message(:notice, :signed_in) if is_navigational_format?
+          sign_in(resource_name, resource)
+          respond_with resource, :location => after_sign_in_path_for(resource)
+        else
+          flash[:alert] = t('devise.invalid_captcha') if is_navigational_format?
+          respond_with({}, :location => new_session_path(resource_name))
+        end
+      end
+    
+      # for bad protected use in controller
+      define_method :auth_options do
+        { :scope => resource_name, :recall => "#{controller_path}#new" }
+      end
+    end
+  end
+end

data/lib/devise_security_extension/patches/unlocks_controller_captcha.rb

@@ -0,0 +1,20 @@
+module DeviseSecurityExtension::Patches
+  module UnlocksControllerCaptcha
+    extend ActiveSupport::Concern
+    included do
+      define_method :create do
+        if valid_captcha? params[:captcha]
+          self.resource = resource_class.send_unlock_instructions(params[resource_name])
+          if successfully_sent?(resource)
+            respond_with({}, :location => new_session_path(resource_name))
+          else
+            respond_with(resource)
+          end
+        else
+          flash[:alert] = t('devise.invalid_captcha') if is_navigational_format?
+          respond_with({}, :location => new_unlock_path(resource_name))
+        end
+      end
+    end
+  end
+end

data/lib/devise_security_extension/rails.rb

@@ -1,5 +1,5 @@
 module DeviseSecurityExtension
-  class Engine < ::Rails::Engine # :nodoc:
+  class Engine < ::Rails::Engine
     ActiveSupport.on_load(:action_controller) do
       include DeviseSecurityExtension::Controllers::Helpers
     end

data/lib/devise_security_extension/routes.rb

@@ -1,5 +1,5 @@
-module ActionDispatch::Routing # :nodoc:
-  class Mapper # :nodoc:
+module ActionDispatch::Routing
+  class Mapper
 
     protected
 

data/lib/generators/devise_security_extension/install_generator.rb

@@ -1,5 +1,5 @@
 module DeviseSecurityExtension
-  module Generators # :nodoc:
+  module Generators
     # Install Generator
     class InstallGenerator < Rails::Generators::Base
       source_root File.expand_path("../../templates", __FILE__)
@@ -27,9 +27,10 @@ module DeviseSecurityExtension
         "  # config.captcha_for_sign_in = true\n\n" +
         "  # captcha integration for unlock form\n" +
         "  # config.captcha_for_unlock = true\n\n" +
-        "  # ==> Configuration for :expirable\n" +
+        "  # captcha integration for confirmation form\n" +
+        "  # config.captcha_for_confirmation = true\n\n" +
         "  # Time period for account expiry from last_activity_at\n" +
-        "  config.expire_after = 90.days\n" +
+        "  # config.expire_after = 90.days\n\n" +
         "", :before => /end[ |\n|]+\Z/
       end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: devise_security_extension
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.6.1
   prerelease: 
 platform: ruby
 authors:
@@ -10,11 +10,11 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2011-12-28 00:00:00.000000000 Z
+date: 2012-06-06 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
-  requirement: &21216320 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -22,21 +22,31 @@ dependencies:
         version: 3.1.1
   type: :runtime
   prerelease: false
-  version_requirements: *21216320
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 3.1.1
 - !ruby/object:Gem::Dependency
   name: devise
-  requirement: &21234920 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
       - !ruby/object:Gem::Version
-        version: '0'
+        version: 2.0.0
   type: :runtime
   prerelease: false
-  version_requirements: *21234920
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: 2.0.0
 - !ruby/object:Gem::Dependency
   name: rails_email_validator
-  requirement: &21250840 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -44,10 +54,15 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *21250840
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: easy_captcha
-  requirement: &21246220 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ! '>='
@@ -55,10 +70,15 @@ dependencies:
         version: '0'
   type: :development
   prerelease: false
-  version_requirements: *21246220
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
-  requirement: &21243800 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -66,10 +86,15 @@ dependencies:
         version: 1.0.0
   type: :development
   prerelease: false
-  version_requirements: *21243800
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.0.0
 - !ruby/object:Gem::Dependency
   name: jeweler
-  requirement: &21268580 !ruby/object:Gem::Requirement
+  requirement: !ruby/object:Gem::Requirement
     none: false
     requirements:
     - - ~>
@@ -77,7 +102,12 @@ dependencies:
         version: 1.5.2
   type: :development
   prerelease: false
-  version_requirements: *21268580
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: 1.5.2
 description: An enterprise security extension for devise, trying to meet industrial
   standard security demands for web applications.
 email: team@phatworx.de
@@ -112,7 +142,11 @@ files:
 - lib/devise_security_extension/models/session_limitable.rb
 - lib/devise_security_extension/orm/active_record.rb
 - lib/devise_security_extension/patches.rb
-- lib/devise_security_extension/patches/controller_captcha.rb
+- lib/devise_security_extension/patches/confirmations_controller_captcha.rb
+- lib/devise_security_extension/patches/passwords_controller_captcha.rb
+- lib/devise_security_extension/patches/registrations_controller_captcha.rb
+- lib/devise_security_extension/patches/sessions_controller_captcha.rb
+- lib/devise_security_extension/patches/unlocks_controller_captcha.rb
 - lib/devise_security_extension/rails.rb
 - lib/devise_security_extension/routes.rb
 - lib/devise_security_extension/schema.rb
@@ -134,7 +168,7 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
       segments:
       - 0
-      hash: -3314141216685045721
+      hash: -3249260859492066288
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements:
@@ -143,7 +177,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 1.8.10
+rubygems_version: 1.8.21
 signing_key: 
 specification_version: 3
 summary: Security extension for devise

data/lib/devise_security_extension/patches/controller_captcha.rb

@@ -1,21 +0,0 @@
-module DeviseSecurityExtension::Patches
-  # patch passwords controller for captcha
-  module ControllerCaptcha
-    extend ActiveSupport::Concern
-    included do
-    # here the patch
-
-      alias_method :create_without_captcha_check, :create
-      define_method :create do
-        if valid_captcha? params[:captcha]
-          create_without_captcha_check
-        else
-          build_resource
-          clean_up_passwords(resource)
-          flash[:alert] = I18n.translate('devise.invalid_captcha')
-          render_with_scope :new
-        end
-      end
-    end
-  end
-end