Release v1.4.8.

Typo

.travis.yml

@@ -5,4 +5,8 @@ rvm:
   - ree
   - rbx
   - rbx-2.0
-  - jruby
+  - jruby
+notifications:
+  recipients:
+    - jose.valim@plataformatec.com.br
+    - carlos@plataformatec.com.br

CHANGELOG.rdoc

@@ -1,3 +1,32 @@
+== 1.4.8
+
+* enhancements
+  * Add docs for assets pipeline and Heroku
+
+* bug fix
+  * confirmation_url was not being set under some circumstances
+
+== 1.4.7
+
+* bug fix
+  * Fix backward incompatible change from 1.4.6 for those using custom controllers
+
+== 1.4.6
+
+* enhancements
+  * Allow devise_for :skip => :all
+  * Allow options to be passed to authenticate_user!
+  * Allow --skip-routes to devise generator
+  * Add allow_params_authentication! to make it explicit when params authentication is allowed in a controller
+
+== 1.4.5
+
+* bug fix
+  * Failure app tries the root path if a session one does not exist
+  * No need to finalize Devise helpers all the time (by github.com/bradleypriest)
+  * Reset password shows proper message if user is not active
+  * `clean_up_passwords` sets the accessors to nil to skip validations
+
 == 1.4.4
 
 * bug fix

Gemfile

@@ -2,7 +2,7 @@ source "http://rubygems.org"
 
 gemspec
 
-gem "rails", "~> 3.1.0.rc8"
+gem "rails", "~> 3.1.0"
 gem "oa-oauth", '~> 0.2.0', :require => "omniauth/oauth"
 gem "oa-openid", '~> 0.2.0', :require => "omniauth/openid"
 
@@ -14,7 +14,9 @@ group :test do
 end
 
 platforms :jruby do
+  gem 'activerecord-jdbc-adapter', :git => 'https://github.com/nicksieger/activerecord-jdbc-adapter.git'
   gem 'activerecord-jdbcsqlite3-adapter'
+  gem 'jruby-openssl'
 end
 
 platforms :mri_18 do

app/controllers/devise/passwords_controller.rb

@@ -32,7 +32,8 @@ class Devise::PasswordsController < ApplicationController
     self.resource = resource_class.reset_password_by_token(params[resource_name])
 
     if resource.errors.empty?
-      set_flash_message(:notice, :updated) if is_navigational_format?
+      flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
+      set_flash_message(:notice, flash_message) if is_navigational_format?
       sign_in(resource_name, resource)
       respond_with resource, :location => redirect_location(resource_name, resource)
     else

app/controllers/devise/registrations_controller.rb

@@ -114,7 +114,7 @@ class Devise::RegistrationsController < ApplicationController
 
     # Authenticates the current scope and gets the current resource from the session.
     def authenticate_scope!
-      send(:"authenticate_#{resource_name}!", true)
+      send(:"authenticate_#{resource_name}!", :force => true)
       self.resource = send(:"current_#{resource_name}")
     end
 end

app/controllers/devise/sessions_controller.rb

@@ -1,5 +1,6 @@
 class Devise::SessionsController < ApplicationController
   prepend_before_filter :require_no_authentication, :only => [ :new, :create ]
+  prepend_before_filter :allow_params_authentication!, :only => :create
   include Devise::Controllers::InternalHelpers
 
   # GET /resource/sign_in

config/locales/en.yml

@@ -27,6 +27,7 @@ en:
     passwords:
       send_instructions: 'You will receive an email with instructions about how to reset your password in a few minutes.'
       updated: 'Your password was changed successfully. You are now signed in.'
+      updated_not_active: 'Your password was changed successfully.'
       send_paranoid_instructions: "If your e-mail exists on our database, you will receive a password recovery link on your e-mail"
     confirmations:
       send_instructions: 'You will receive an email with instructions about how to confirm your account in a few minutes.'

lib/devise.rb

@@ -382,13 +382,10 @@ module Devise
 
   # Include helpers in the given scope to AC and AV.
   def self.include_helpers(scope)
+    Rails.application.routes.url_helpers.send :include, scope::UrlHelpers
+
     ActiveSupport.on_load(:action_controller) do
       include scope::Helpers if defined?(scope::Helpers)
-      include scope::UrlHelpers
-    end
-
-    ActiveSupport.on_load(:action_view) do
-      include scope::UrlHelpers
     end
   end
 
@@ -397,7 +394,7 @@ module Devise
     Rails::VERSION::STRING[0,3] != "3.0"
   end
 
-  # Renegeres url helpers considering Devise.mapping
+  # Regenerates url helpers considering Devise.mapping
   def self.regenerate_helpers!
     Devise::Controllers::UrlHelpers.remove_helpers!
     Devise::Controllers::UrlHelpers.generate_helpers!

lib/devise/controllers/helpers.rb

@@ -36,8 +36,14 @@ module Devise
         mapping = mapping.name
 
         class_eval <<-METHODS, __FILE__, __LINE__ + 1
-          def authenticate_#{mapping}!(force = false)
-            warden.authenticate!(:scope => :#{mapping}) if !devise_controller? || force
+          def authenticate_#{mapping}!(opts={})
+            if !opts.is_a?(Hash)
+              opts = { :force => opts }
+              ActiveSupport::Deprecation.warn "Passing a boolean to authenticate_#{mapping}! " \
+                "is deprecated, please use :force => \#{opts[:force]} instead", caller
+            end
+            opts[:scope] = :#{mapping}
+            warden.authenticate!(opts) if !devise_controller? || opts.delete(:force)
           end
 
           def #{mapping}_signed_in?
@@ -72,6 +78,11 @@ module Devise
         false
       end
 
+      # Tell warden that params authentication is allowed for that specific page.
+      def allow_params_authentication!
+        request.env["devise.allow_params_authentication"] = true
+      end
+
       # Return true if the given scope is signed in session. If no scope given, return
       # true if any scope is signed in. Does not run authentication hooks.
       def signed_in?(scope=nil)

lib/devise/controllers/url_helpers.rb

@@ -24,25 +24,31 @@ module Devise
         end
       end
 
-      def self.generate_helpers!
-        mappings = Devise.mappings.values.map(&:used_helpers).flatten.uniq
-        routes = Devise::URL_HELPERS.slice(*mappings)
+      def self.generate_helpers!(routes=nil)
+        routes ||= begin
+          mappings = Devise.mappings.values.map(&:used_helpers).flatten.uniq
+          Devise::URL_HELPERS.slice(*mappings)
+        end
 
         routes.each do |module_name, actions|
           [:path, :url].each do |path_or_url|
             actions.each do |action|
               action = action ? "#{action}_" : ""
+              method = "#{action}#{module_name}_#{path_or_url}"
 
               class_eval <<-URL_HELPERS, __FILE__, __LINE__ + 1
-                def #{action}#{module_name}_#{path_or_url}(resource_or_scope, *args)
+                def #{method}(resource_or_scope, *args)
                   scope = Devise::Mapping.find_scope!(resource_or_scope)
                   send("#{action}\#{scope}_#{module_name}_#{path_or_url}", *args)
                 end
+                protected :#{method}
               URL_HELPERS
             end
           end
         end
       end
+
+      generate_helpers!(Devise::URL_HELPERS)
     end
   end
 end

lib/devise/failure_app.rb

@@ -65,10 +65,14 @@ module Devise
     end
 
     def redirect_url
-      if skip_format?
-        send(:"new_#{scope}_session_path")
+      opts  = {}
+      route = :"new_#{scope}_session_path"
+      opts[:format] = request_format unless skip_format?
+
+      if respond_to?(route)
+        send(route, opts)
       else
-        send(:"new_#{scope}_session_path", :format => request_format)
+        root_path(opts)
       end
     end
 

lib/devise/mapping.rb

@@ -78,6 +78,8 @@ module Devise
 
       if options.has_key?(:only)
         @used_routes = self.routes & Array(options[:only]).map(&singularizer)
+      elsif options[:skip] == :all
+        @used_routes = []
       else
         @used_routes = self.routes - Array(options[:skip]).map(&singularizer)
       end

lib/devise/models/database_authenticatable.rb

@@ -45,7 +45,7 @@ module Devise
 
       # Set password and password confirmation to nil
       def clean_up_passwords
-        self.password = self.password_confirmation = ""
+        self.password = self.password_confirmation = nil
       end
 
       # Update record attributes when :current_password matches, otherwise returns

lib/devise/models/trackable.rb

@@ -5,7 +5,7 @@ module Devise
     # Track information about your user sign in. It tracks the following columns:
     #
     # * sign_in_count      - Increased every time a sign in is made (by form, openid, oauth)
-    # * current_sign_in_at - A tiemstamp updated when the user signs in
+    # * current_sign_in_at - A timestamp updated when the user signs in
     # * last_sign_in_at    - Holds the timestamp of the previous sign in
     # * current_sign_in_ip - The remote ip updated when the user sign in
     # * last_sign_in_ip    - Holds the remote ip of the previous sign in

lib/devise/omniauth/url_helpers.rb

@@ -3,9 +3,10 @@ module Devise
     module UrlHelpers
       def self.define_helpers(mapping)
         return unless mapping.omniauthable?
+        method = "#{mapping.name}_omniauth_authorize_path"
 
         class_eval <<-URL_HELPERS, __FILE__, __LINE__ + 1
-          def #{mapping.name}_omniauth_authorize_path(provider, params = {})
+          def #{method}(provider, params = {})
             if Devise.omniauth_configs[provider.to_sym]
               script_name = request.env["SCRIPT_NAME"]
 
@@ -16,9 +17,12 @@ module Devise
               raise ArgumentError, "Could not find omniauth provider \#{provider.inspect}"
             end
           end
+          protected :#{method}
         URL_HELPERS
       end
 
+      protected
+
       def omniauth_authorize_path(resource_or_scope, *args)
         scope = Devise::Mapping.find_scope!(resource_or_scope)
         send("#{scope}_omniauth_authorize_path", *args)

lib/devise/rails/routes.rb

@@ -4,8 +4,12 @@ module ActionDispatch::Routing
     # need devise_for mappings already declared to create filters and helpers.
     def finalize_with_devise!
       finalize_without_devise!
-      Devise.configure_warden!
-      Devise.regenerate_helpers!
+
+      @devise_finalized ||= begin
+        Devise.configure_warden!
+        Devise.regenerate_helpers!
+        true
+      end
     end
     alias_method_chain :finalize!, :devise
   end
@@ -169,6 +173,7 @@ module ActionDispatch::Routing
     #     end
     #
     def devise_for(*resources)
+      @devise_finalized = false
       options = resources.extract_options!
 
       options[:as]          ||= @scope[:as]     if @scope[:as].present?
@@ -177,7 +182,6 @@ module ActionDispatch::Routing
       options[:path_names]    = (@scope[:path_names] || {}).merge(options[:path_names] || {})
       options[:constraints]   = (@scope[:constraints] || {}).merge(options[:constraints] || {})
       options[:defaults]      = (@scope[:defaults] || {}).merge(options[:defaults] || {})
-
       @scope[:options]        = (@scope[:options] || {}).merge({:format => false}) if options[:format] == false
 
       resources.map!(&:to_sym)

lib/devise/strategies/authenticatable.rb

@@ -85,17 +85,17 @@ module Devise
 
       # By default, a request is valid  if the controller is allowed and the VERB is POST.
       def valid_request?
-        valid_controller? && valid_verb?
-      end
-
-      # Check if the controller is the one registered for authentication.
-      def valid_controller?
-        mapping.controllers[:sessions] == params[:controller]
-      end
-
-      # Check if it was a POST request.
-      def valid_verb?
-        request.post?
+        if env["devise.allow_params_authentication"]
+          true
+        elsif request.post? && mapping.controllers[:sessions] == params[:controller]
+          ActiveSupport::Deprecation.warn "It seems that you are using a custom SessionsController. " \
+            "In order for it to work from Devise 1.4.6 forward, you need to add the following:" \
+            "\n\n  prepend_before_filter :allow_params_authentication!, :only => :create\n\n" \
+            "This will ensure your controller can authenticate from params for the create action.", caller
+          true
+        else
+          false
+        end
       end
 
       # If the request is valid, finally check if params_auth_hash returns a hash.

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.4.4".freeze
+  VERSION = "1.4.8".freeze
 end

lib/generators/devise/devise_generator.rb

@@ -9,9 +9,12 @@ module Devise
 
       hook_for :orm
 
+      class_option :routes, :desc => "Generate routes", :type => :boolean, :default => true
+
       def add_devise_routes
         devise_route  = "devise_for :#{plural_name}"
-        devise_route += %Q(, :class_name => "#{class_name}") if class_name.include?("::")
+        devise_route << %Q(, :class_name => "#{class_name}") if class_name.include?("::")
+        devise_route << %Q(, :skip => :all) unless options.routes?
         route devise_route
       end
     end

lib/generators/templates/README

@@ -22,4 +22,11 @@ Some setup you must do manually if you haven't yet:
        <p class="notice"><%= notice %></p>
        <p class="alert"><%= alert %></p>
 
+  4. If you are deploying Rails 3.1 on Heroku, you may want to set:
+
+       config.assets.initialize_on_precompile = false
+
+     On config/application.rb forcing your application to not access the DB
+     or load models when precompiling your assets.
+
 ===============================================================================

lib/generators/templates/devise.rb

@@ -72,12 +72,11 @@ Devise.setup do |config|
   # config.pepper = <%= SecureRandom.hex(64).inspect %>
 
   # ==> Configuration for :confirmable
-  # The time you want to give your user to confirm his account. During this time
-  # he will be able to access your application without confirming. Default is 0.days
-  # When confirm_within is zero, the user won't be able to sign in without confirming.
-  # You can use this to let your user access some features of your application
-  # without confirming the account, but blocking it after a certain period
-  # (ie 2 days).
+  # A period that the user is allowed to access the website even without
+  # confirming his account. For instance, if set to 2.days, the user will be
+  # able to access the website for two days without confirming his account,
+  # access will be blocked just in the third day. Default is 0.days, meaning
+  # the user cannot access the website without confirming his account.
   # config.confirm_within = 2.days
 
   # Defines which key will be used when confirming an account

test/controllers/helpers_test.rb

@@ -45,6 +45,11 @@ class ControllerAuthenticatableTest < ActionController::TestCase
     @controller.authenticate_user!
   end
 
+  test 'proxy authenticate_user! options to authenticate with user scope' do
+    @mock_warden.expects(:authenticate!).with(:scope => :user, :recall => "foo")
+    @controller.authenticate_user!(:recall => "foo")
+  end
+
   test 'proxy authenticate_admin! to authenticate with admin scope' do
     @mock_warden.expects(:authenticate!).with(:scope => :admin)
     @controller.authenticate_admin!

test/controllers/internal_helpers_test.rb

@@ -35,7 +35,7 @@ class HelpersTest < ActionController::TestCase
   end
 
   test 'resources methods are not controller actions' do
-    assert @controller.class.action_methods.empty?
+    assert @controller.class.action_methods.empty?, "Expected empty, got #{@controller.class.action_methods.inspect}"
   end
 
   test 'require no authentication tests current mapping' do

test/failure_app_test.rb

@@ -2,6 +2,10 @@ require 'test_helper'
 require 'ostruct'
 
 class FailureTest < ActiveSupport::TestCase
+  class RootFailureApp < Devise::FailureApp
+    undef_method :new_user_session_path
+  end
+
   def self.context(name, &block)
     instance_eval(&block)
   end
@@ -18,32 +22,31 @@ class FailureTest < ActiveSupport::TestCase
       'warden' => OpenStruct.new(:message => nil)
     }.merge!(env_params)
 
-    @response = Devise::FailureApp.call(env).to_a
+    @response = (env.delete(:app) || Devise::FailureApp).call(env).to_a
     @request  = ActionDispatch::Request.new(env)
   end
 
   context 'When redirecting' do
-    test 'return 302 status' do
-      call_failure
-      assert_equal 302, @response.first
-    end
-
-    test 'return 302 status for wildcard requests' do
-      call_failure 'action_dispatch.request.formats' => nil, 'HTTP_ACCEPT' => '*/*'
-      assert_equal 302, @response.first
-    end
-
     test 'return to the default redirect location' do
       call_failure
+      assert_equal 302, @response.first
       assert_equal 'You need to sign in or sign up before continuing.', @request.flash[:alert]
       assert_equal 'http://test.host/users/sign_in', @response.second['Location']
     end
 
     test 'return to the default redirect location for wildcard requests' do
       call_failure 'action_dispatch.request.formats' => nil, 'HTTP_ACCEPT' => '*/*'
+      assert_equal 302, @response.first
       assert_equal 'http://test.host/users/sign_in', @response.second['Location']
     end
 
+    test 'return to the root path if no session path is available' do
+      call_failure :app => RootFailureApp
+      assert_equal 302, @response.first
+      assert_equal 'You need to sign in or sign up before continuing.', @request.flash[:alert]
+      assert_equal 'http://test.host/', @response.second['Location']
+    end
+
     test 'uses the proxy failure message as symbol' do
       call_failure('warden' => OpenStruct.new(:message => :test))
       assert_equal 'test', @request.flash[:alert]
@@ -74,7 +77,7 @@ class FailureTest < ActiveSupport::TestCase
         assert_equal 302, @response.first
       end
     end
-    
+
     test 'redirects the correct format if it is a non-html format request' do
       swap Devise, :navigational_formats => [:js] do
         call_failure('formats' => :js)
@@ -178,7 +181,7 @@ class FailureTest < ActiveSupport::TestCase
       assert @response.third.body.include?('<h2>Sign in</h2>')
       assert @response.third.body.include?('Invalid email or password.')
     end
-    
+
     test 'calls the original controller if not confirmed email' do
       env = {
         "warden.options" => { :recall => "devise/sessions#new", :attempted_path => "/users/sign_in", :message => :unconfirmed },
@@ -187,9 +190,9 @@ class FailureTest < ActiveSupport::TestCase
       }
       call_failure(env)
       assert @response.third.body.include?('<h2>Sign in</h2>')
-      assert @response.third.body.include?('You have to confirm your account before continuing.')     
+      assert @response.third.body.include?('You have to confirm your account before continuing.')
     end
-    
+
     test 'calls the original controller if inactive account' do
       env = {
         "warden.options" => { :recall => "devise/sessions#new", :attempted_path => "/users/sign_in", :message => :inactive },
@@ -198,7 +201,7 @@ class FailureTest < ActiveSupport::TestCase
       }
       call_failure(env)
       assert @response.third.body.include?('<h2>Sign in</h2>')
-      assert @response.third.body.include?('Your account was not activated yet.')     
+      assert @response.third.body.include?('Your account was not activated yet.')
     end
   end
 end

test/generators/devise_generator_test.rb

@@ -22,6 +22,12 @@ class DeviseGeneratorTest < Rails::Generators::TestCase
     assert_file "config/routes.rb", match
   end
 
+  test "route generation with skip routes" do
+    run_generator %w(monster name:string --skip-routes)
+    match = /devise_for :monsters, :skip => :all/
+    assert_file "config/routes.rb", match
+  end
+
   def copy_routes
     routes = File.expand_path("../../rails_app/config/routes.rb", __FILE__)
     destination = File.join(destination_root, "config")

test/integration/authenticatable_test.rb

@@ -401,14 +401,14 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
 
   test 'sign in stub in xml format' do
     get new_user_session_path(:format => 'xml')
-    assert_equal "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>\n  <email></email>\n  <password></password>\n</user>\n", response.body
+    assert_equal "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>\n  <email></email>\n  <password nil=\"true\"></password>\n</user>\n", response.body
   end
 
   test 'sign in stub in json format' do
     get new_user_session_path(:format => 'json')
     assert_match '{"user":{', response.body
     assert_match '"email":""', response.body
-    assert_match '"password":""', response.body
+    assert_match '"password":null', response.body
   end
 
   test 'sign in stub in json with non attribute key' do
@@ -416,7 +416,7 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
       get new_user_session_path(:format => 'json')
       assert_match '{"user":{', response.body
       assert_match '"other_key":null', response.body
-      assert_match '"password":""', response.body
+      assert_match '"password":null', response.body
     end
   end
 

test/integration/recoverable_test.rb

@@ -147,7 +147,7 @@ class PasswordTest < ActionController::IntegrationTest
     reset_password :reset_password_token => user.reload.reset_password_token
 
     assert_current_url '/'
-    assert_contain 'Your password was changed successfully.'
+    assert_contain 'Your password was changed successfully. You are now signed in.'
     assert user.reload.valid_password?('987654321')
   end
 
@@ -179,6 +179,8 @@ class PasswordTest < ActionController::IntegrationTest
     request_forgot_password
     reset_password :reset_password_token => user.reload.reset_password_token
 
+    assert_contain 'Your password was changed successfully.'
+    assert_not_contain 'You are now signed in.'
     assert_equal new_user_session_path, @request.path
     assert !warden.authenticated?(:user)
   end

test/mapping_test.rb

@@ -31,6 +31,10 @@ class MappingTest < ActiveSupport::TestCase
     assert_equal "admin_area", Devise.mappings[:admin].path
   end
 
+  test 'allows to skip all routes' do
+    assert_equal [], Devise.mappings[:skip_admin].used_routes
+  end
+
   test 'sign_out_via defaults to :get' do
     assert_equal :get, Devise.mappings[:user].sign_out_via
   end

test/omniauth/url_helpers_test.rb

@@ -28,31 +28,31 @@ class OmniAuthRoutesTest < ActionController::TestCase
   end
 
   test 'should generate authorization path' do
-    assert_match "/users/auth/facebook", @controller.omniauth_authorize_path(:user, :facebook)
+    assert_match "/users/auth/facebook", @controller.send(:omniauth_authorize_path, :user, :facebook)
 
     assert_raise ArgumentError do
-      @controller.omniauth_authorize_path(:user, :github)
+      @controller.send :omniauth_authorize_path, :user, :github
     end
   end
 
   test 'should generate authorization path for named open_id omniauth' do
-    assert_match "/users/auth/google", @controller.omniauth_authorize_path(:user, :google)
+    assert_match "/users/auth/google", @controller.send(:omniauth_authorize_path, :user, :google)
   end
 
   test 'should generate authorization path with params' do
     assert_match "/users/auth/open_id?openid_url=http%3A%2F%2Fyahoo.com",
-                  @controller.omniauth_authorize_path(:user, :open_id, :openid_url => "http://yahoo.com")
+                  @controller.send(:omniauth_authorize_path, :user, :open_id, :openid_url => "http://yahoo.com")
   end
 
   test 'should not add a "?" if no param was sent' do
     assert_equal "/users/auth/open_id",
-                  @controller.omniauth_authorize_path(:user, :open_id)
+                  @controller.send(:omniauth_authorize_path, :user, :open_id)
   end
 
   test 'should set script name in the path if present' do
     @request.env['SCRIPT_NAME'] = '/q'
 
     assert_equal "/q/users/auth/facebook",
-                 @controller.omniauth_authorize_path(:user, :facebook)
+                 @controller.send(:omniauth_authorize_path, :user, :facebook)
   end
 end

test/rails_app/config/boot.rb

@@ -2,12 +2,7 @@ unless defined?(DEVISE_ORM)
   DEVISE_ORM = (ENV["DEVISE_ORM"] || :active_record).to_sym
 end
 
-begin
-  require File.expand_path("../../../../.bundle/environment", __FILE__)
-rescue LoadError
-  require 'rubygems'
-  require 'bundler'
-  Bundler.setup :default, :test, DEVISE_ORM
-end
+require 'rubygems'
+require 'bundler/setup'
 
-$:.unshift File.expand_path('../../../../lib', __FILE__)
+$:.unshift File.expand_path('../../../../lib', __FILE__)

test/rails_app/config/routes.rb

@@ -50,6 +50,8 @@ Rails.application.routes.draw do
   constraints(:host => /192\.168\.1\.\d\d\d/) do
     devise_for :homebase_admin, :class_name => "Admin", :path => "homebase"
   end
+
+  devise_for :skip_admin, :class_name => "Admin", :skip => :all
   
   # Routes for format=false testing
   devise_for :htmlonly_admin, :class_name => "Admin", :skip => [:confirmations, :unlocks], :path => "htmlonly_admin", :format => false, :skip_helpers => [:confirmations, :unlocks]