Release 2.0.6

Yes we still support Ruby 1.8 😢

Conflicts:
	Gemfile.lock

CHANGELOG.rdoc

@@ -1,6 +1,27 @@
-== 2.0.2
+== 2.0.6
 
-Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.0
+* bug fix
+  * Do not confirm account after reset password
+
+== 2.0.5
+
+* bug fix
+  * Require string conversion for all values
+
+== 2.0.4
+
+* bug fix
+  * Fix a regression that caused Warden to be initialized too late
+
+== 2.0.3 (yanked)
+
+* bug fix
+  * Ensure warning is not shown by mistake on apps with mounted engines
+  * Fixes related to remember_token and rememberable_options
+  * Ensure serializable_hash does not depend on accessible attributes
+  * Ensure that timeout callback does not run on sign out action
+
+== 2.0.2
 
 * enhancements
   * Add devise_i18n_options to customize I18n message
@@ -106,7 +127,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
   * Fix backward incompatible change from 1.4.6 for those using custom controllers
 
-== 1.4.6
+== 1.4.6 (yanked)
 
 * enhancements
   * Allow devise_for :skip => :all

Gemfile.lock

@@ -1,11 +1,11 @@
 PATH
   remote: .
   specs:
-    devise (2.0.1)
+    devise (2.0.6)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.0.3)
       railties (~> 3.1)
-      warden (~> 1.1)
+      warden (~> 1.1.1)
 
 GEM
   remote: http://rubygems.org/
@@ -39,7 +39,7 @@ GEM
       multi_json (~> 1.0)
     addressable (2.2.6)
     arel (3.0.0)
-    bcrypt-ruby (3.0.1)
+    bcrypt-ruby (3.1.1)
     bson (1.5.1)
     bson_ext (1.3.1)
     builder (3.0.0)
@@ -87,7 +87,7 @@ GEM
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
-    orm_adapter (0.0.6)
+    orm_adapter (0.0.7)
     polyglot (0.3.3)
     rack (1.4.1)
     rack-cache (1.1)
@@ -137,7 +137,7 @@ GEM
       polyglot
       polyglot (>= 0.3.1)
     tzinfo (0.3.31)
-    warden (1.1.0)
+    warden (1.1.1)
       rack (>= 1.0)
     webrat (0.7.2)
       nokogiri (>= 1.2.0)

app/controllers/devise/sessions_controller.rb

@@ -19,10 +19,9 @@ class Devise::SessionsController < DeviseController
 
   # DELETE /resource/sign_out
   def destroy
-    signed_in = signed_in?(resource_name)
     redirect_path = after_sign_out_path_for(resource_name)
-    Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)
-    set_flash_message :notice, :signed_out if signed_in
+    signed_out = (Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name))
+    set_flash_message :notice, :signed_out if signed_out
 
     # We actually need to hardcode this as Rails default responder doesn't
     # support returning empty response on GET request

devise.gemspec

@@ -18,7 +18,7 @@ Gem::Specification.new do |s|
   s.test_files    = `git ls-files -- test/*`.split("\n")
   s.require_paths = ["lib"]
 
-  s.add_dependency("warden", "~> 1.1")
+  s.add_dependency("warden", "~> 1.1.1")
   s.add_dependency("orm_adapter", "~> 0.0.3")
   s.add_dependency("bcrypt-ruby", "~> 3.0")
   s.add_dependency("railties", "~> 3.1")

gemfiles/Gemfile.rails-3.1.x.lock

@@ -0,0 +1,169 @@
+PATH
+  remote: ..
+  specs:
+    devise (2.0.6)
+      bcrypt-ruby (~> 3.0)
+      orm_adapter (~> 0.0.3)
+      railties (~> 3.1)
+      warden (~> 1.1.1)
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    actionmailer (3.1.3)
+      actionpack (= 3.1.3)
+      mail (~> 2.3.0)
+    actionpack (3.1.3)
+      activemodel (= 3.1.3)
+      activesupport (= 3.1.3)
+      builder (~> 3.0.0)
+      erubis (~> 2.7.0)
+      i18n (~> 0.6)
+      rack (~> 1.3.5)
+      rack-cache (~> 1.1)
+      rack-mount (~> 0.8.2)
+      rack-test (~> 0.6.1)
+      sprockets (~> 2.0.3)
+    activemodel (3.1.3)
+      activesupport (= 3.1.3)
+      builder (~> 3.0.0)
+      i18n (~> 0.6)
+    activerecord (3.1.3)
+      activemodel (= 3.1.3)
+      activesupport (= 3.1.3)
+      arel (~> 2.2.1)
+      tzinfo (~> 0.3.29)
+    activeresource (3.1.3)
+      activemodel (= 3.1.3)
+      activesupport (= 3.1.3)
+    activesupport (3.1.3)
+      multi_json (~> 1.0)
+    addressable (2.2.7)
+    arel (2.2.1)
+    bcrypt-ruby (3.1.1)
+    bson (1.5.2)
+    bson_ext (1.3.1)
+    builder (3.0.0)
+    columnize (0.3.6)
+    erubis (2.7.0)
+    faraday (0.7.6)
+      addressable (~> 2.2)
+      multipart-post (~> 1.1)
+      rack (~> 1.1)
+    hashie (1.2.0)
+    hike (1.2.1)
+    i18n (0.6.0)
+    json (1.6.5)
+    linecache (0.46)
+      rbx-require-relative (> 0.0.4)
+    mail (2.3.0)
+      i18n (>= 0.4.0)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
+    metaclass (0.0.1)
+    mime-types (1.17.2)
+    mocha (0.10.4)
+      metaclass (~> 0.0.1)
+    mongo (1.3.1)
+      bson (>= 1.3.1)
+    mongoid (2.4.4)
+      activemodel (~> 3.1)
+      mongo (~> 1.3)
+      tzinfo (~> 0.3.22)
+    multi_json (1.0.4)
+    multipart-post (1.1.5)
+    nokogiri (1.5.0)
+    oauth2 (0.5.2)
+      faraday (~> 0.7)
+      multi_json (~> 1.0)
+    omniauth (1.0.2)
+      hashie (~> 1.2)
+      rack
+    omniauth-facebook (1.2.0)
+      omniauth-oauth2 (~> 1.0.0)
+    omniauth-oauth2 (1.0.0)
+      oauth2 (~> 0.5.0)
+      omniauth (~> 1.0)
+    omniauth-openid (1.0.1)
+      omniauth (~> 1.0)
+      rack-openid (~> 1.3.1)
+    orm_adapter (0.0.7)
+    polyglot (0.3.3)
+    rack (1.3.6)
+    rack-cache (1.1)
+      rack (>= 0.4)
+    rack-mount (0.8.3)
+      rack (>= 1.0.0)
+    rack-openid (1.3.1)
+      rack (>= 1.1.0)
+      ruby-openid (>= 2.1.8)
+    rack-ssl (1.3.2)
+      rack
+    rack-test (0.6.1)
+      rack (>= 1.0)
+    rails (3.1.3)
+      actionmailer (= 3.1.3)
+      actionpack (= 3.1.3)
+      activerecord (= 3.1.3)
+      activeresource (= 3.1.3)
+      activesupport (= 3.1.3)
+      bundler (~> 1.0)
+      railties (= 3.1.3)
+    railties (3.1.3)
+      actionpack (= 3.1.3)
+      activesupport (= 3.1.3)
+      rack-ssl (~> 1.3.2)
+      rake (>= 0.8.7)
+      rdoc (~> 3.4)
+      thor (~> 0.14.6)
+    rake (0.9.2.2)
+    rbx-require-relative (0.0.5)
+    rdoc (3.12)
+      json (~> 1.4)
+    ruby-debug (0.10.4)
+      columnize (>= 0.1)
+      ruby-debug-base (~> 0.10.4.0)
+    ruby-debug-base (0.10.4)
+      linecache (>= 0.3)
+    ruby-openid (2.1.8)
+    sprockets (2.0.3)
+      hike (~> 1.2)
+      rack (~> 1.0)
+      tilt (~> 1.1, != 1.3.0)
+    sqlite3 (1.3.5)
+    sqlite3-ruby (1.3.3)
+      sqlite3 (>= 1.3.3)
+    thor (0.14.6)
+    tilt (1.3.3)
+    treetop (1.4.10)
+      polyglot
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.31)
+    warden (1.1.1)
+      rack (>= 1.0)
+    webrat (0.7.2)
+      nokogiri (>= 1.2.0)
+      rack (>= 1.0)
+      rack-test (>= 0.5.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activerecord-jdbc-adapter
+  activerecord-jdbcsqlite3-adapter
+  bson_ext (~> 1.3.0)
+  devise!
+  jruby-openssl
+  mocha
+  mongo (~> 1.3.0)
+  mongoid (~> 2.0)
+  omniauth (~> 1.0.0)
+  omniauth-facebook
+  omniauth-oauth2 (~> 1.0.0)
+  omniauth-openid (~> 1.0.1)
+  rails (~> 3.1.0)
+  rdoc
+  ruby-debug (>= 0.10.3)
+  sqlite3-ruby
+  webrat (= 0.7.2)

lib/devise.rb

@@ -10,7 +10,6 @@ module Devise
   autoload :FailureApp,  'devise/failure_app'
   autoload :OmniAuth,    'devise/omniauth'
   autoload :ParamFilter, 'devise/param_filter'
-  autoload :PathChecker, 'devise/path_checker'
   autoload :Schema,      'devise/schema'
   autoload :TestHelpers, 'devise/test_helpers'
 
@@ -63,8 +62,8 @@ module Devise
   }
 
   # Custom domain for cookies. Not set by default
-  mattr_accessor :cookie_options
-  @@cookie_options = {}
+  mattr_accessor :rememberable_options
+  @@rememberable_options = {}
 
   # The number of times to encrypt password.
   mattr_accessor :stretches
@@ -244,6 +243,11 @@ module Devise
     Devise.allow_unconfirmed_access_for = value
   end
 
+  def self.cookie_options=(value)
+    warn "\n[DEVISE] Devise.cookie_options= is deprecated. Please set Devise.rememberable_options= instead.\n"
+    Devise.rememberable_options = value
+  end
+
   def self.stateless_token=(value)
     warn "\n[DEVISE] Devise.stateless_token= is deprecated. Please append :token_auth to Devise.skip_session_storage " \
       "instead, for example: Devise.skip_session_storage << :token_auth\n"

lib/devise/controllers/helpers.rb

@@ -126,7 +126,8 @@ module Devise
       end
 
       # Sign out a given user or scope. This helper is useful for signing out a user
-      # after deleting accounts.
+      # after deleting accounts. Returns true if there was a logout and false if there is no user logged in
+      # on the referred scope
       #
       # Examples:
       #
@@ -136,19 +137,26 @@ module Devise
       def sign_out(resource_or_scope=nil)
         return sign_out_all_scopes unless resource_or_scope
         scope = Devise::Mapping.find_scope!(resource_or_scope)
-        warden.user(scope) # Without loading user here, before_logout hook is not called
+        user = warden.user(:scope => scope, :run_callbacks => false) # If there is no user
+
         warden.raw_session.inspect # Without this inspect here. The session does not clear.
         warden.logout(scope)
         instance_variable_set(:"@current_#{scope}", nil)
+
+        !!user
       end
 
       # Sign out all active users or scopes. This helper is useful for signing out all roles
-      # in one click. This signs out ALL scopes in warden.
+      # in one click. This signs out ALL scopes in warden. Returns true if there was at least one logout
+      # and false if there was no user logged in on all scopes.
       def sign_out_all_scopes
-        Devise.mappings.keys.each { |s| warden.user(s) }
+        users = Devise.mappings.keys.map { |s| warden.user(:scope => s, :run_callbacks => false) }
+
         warden.raw_session.inspect
         warden.logout
         expire_devise_cached_variables!
+        
+        users.any?
       end
 
       # Returns and delete the url stored in the session for the given scope. Useful

lib/devise/controllers/rememberable.rb

@@ -36,7 +36,7 @@ module Devise
       protected
 
       def forget_cookie_values(resource)
-        Devise::Controllers::Rememberable.cookie_values.merge!(resource.cookie_options)
+        Devise::Controllers::Rememberable.cookie_values.merge!(resource.rememberable_options)
       end
 
       def remember_cookie_values(resource)

lib/devise/hooks/timeoutable.rb

@@ -10,11 +10,8 @@ Warden::Manager.after_set_user do |record, warden, options|
     last_request_at = warden.session(scope)['last_request_at']
 
     if record.timedout?(last_request_at)
-      path_checker = Devise::PathChecker.new(warden.env, scope)
-      unless path_checker.signing_out?
-        warden.logout(scope)
-        throw :warden, :scope => scope, :message => :timeout
-      end
+      warden.logout(scope)
+      throw :warden, :scope => scope, :message => :timeout
     end
 
     unless warden.request.env['devise.skip_trackable']

lib/devise/models/authenticatable.rb

@@ -1,5 +1,4 @@
 require 'devise/hooks/activatable'
-require 'devise/models/serializable'
 
 module Devise
   module Models
@@ -52,7 +51,10 @@ module Devise
     module Authenticatable
       extend ActiveSupport::Concern
 
-      include Devise::Models::Serializable
+      BLACKLIST_FOR_SERIALIZATION = [:encrypted_password, :reset_password_token, :reset_password_sent_at,
+        :remember_created_at, :sign_in_count, :current_sign_in_at, :last_sign_in_at, :current_sign_in_ip,
+        :last_sign_in_ip, :password_salt, :confirmation_token, :confirmed_at, :confirmation_sent_at,
+        :unconfirmed_email, :failed_attempts, :unlock_token, :locked_at, :authentication_token]
 
       included do
         class_attribute :devise_modules, :instance_writer => false
@@ -99,6 +101,31 @@ module Devise
         (self.class.strip_whitespace_keys || []).each { |k| self[k].try(:strip!) }
       end
 
+      array = %w(serializable_hash)
+      # to_xml does not call serializable_hash on 3.1
+      array << "to_xml" if Rails::VERSION::STRING[0,3] == "3.1"
+
+      array.each do |method|
+        class_eval <<-RUBY, __FILE__, __LINE__
+          # Redefine to_xml and serializable_hash in models for more secure defaults.
+          # By default, it removes from the serializable model all attributes that
+          # are *not* accessible. You can remove this default by using :force_except
+          # and passing a new list of attributes you want to exempt. All attributes
+          # given to :except will simply add names to exempt to Devise internal list.
+          def #{method}(options=nil)
+            options ||= {}
+            options[:except] = Array(options[:except])
+
+            if options[:force_except]
+              options[:except].concat Array(options[:force_except])
+            else
+              options[:except].concat BLACKLIST_FOR_SERIALIZATION
+            end
+            super(options)
+          end
+        RUBY
+      end
+
       module ClassMethods
         Devise::Models.config(self, :authentication_keys, :request_keys, :strip_whitespace_keys,
           :case_insensitive_keys, :http_authenticatable, :params_authenticatable, :skip_session_storage)
@@ -127,17 +154,20 @@ module Devise
         # namedscope to filter records while authenticating.
         # Example:
         #
-        #   def self.find_for_authentication(conditions={})
-        #     conditions[:active] = true
-        #     super
+        #   def self.find_for_authentication(tainted_conditions)
+        #     find_first_by_auth_conditions(tainted_conditions, :active => true)
         #   end
         #
-        def find_for_authentication(conditions)
-          find_first_by_auth_conditions(conditions)
+        # Finally, notice that Devise also queries for users in other scenarios
+        # besides authentication, for example when retrieving an user to send
+        # an e-mail for password reset. In such cases, find_for_authentication
+        # is not called.
+        def find_for_authentication(tainted_conditions)
+          find_first_by_auth_conditions(tainted_conditions)
         end
 
-        def find_first_by_auth_conditions(conditions)
-          to_adapter.find_first devise_param_filter.filter(conditions)
+        def find_first_by_auth_conditions(tainted_conditions, opts={})
+          to_adapter.find_first(devise_param_filter.filter(tainted_conditions).merge(opts))
         end
 
         # Find an initialize a record setting an error if it can't be found.
@@ -183,4 +213,4 @@ module Devise
       end
     end
   end
-end
+end

lib/devise/models/confirmable.rb

@@ -165,11 +165,6 @@ module Devise
           generate_confirmation_token && save(:validate => false)
         end
 
-        def after_password_reset
-          super
-          confirm! unless confirmed?
-        end
-
         def postpone_email_change_until_confirmation
           @reconfirmation_required = true
           self.unconfirmed_email = self.email

lib/devise/models/rememberable.rb

@@ -44,6 +44,7 @@ module Devise
       # Generate a new remember token and save the record without validations
       # unless remember_across_browsers is true and the user already has a valid token.
       def remember_me!(extend_period=false)
+        self.remember_token = self.class.remember_token if generate_remember_token?
         self.remember_created_at = Time.now.utc if generate_remember_timestamp?(extend_period)
         save(:validate => false)
       end
@@ -51,11 +52,10 @@ module Devise
       # If the record is persisted, remove the remember token (but only if
       # it exists), and save the record without validations.
       def forget_me!
-        if persisted?
-          self.remember_token = nil if respond_to?(:remember_token=)
-          self.remember_created_at = nil
-          save(:validate => false)
-        end
+        return unless persisted?
+        self.remember_token = nil if respond_to?(:remember_token=)
+        self.remember_created_at = nil
+        save(:validate => false)
       end
 
       # Remember token should be expired if expiration time not overpass now.
@@ -69,21 +69,28 @@ module Devise
       end
 
       def rememberable_value
-        if salt = authenticatable_salt
+        if respond_to?(:remember_token)
+          remember_token
+        elsif salt = authenticatable_salt
           salt
         else
           raise "authenticable_salt returned nil for the #{self.class.name} model. " \
             "In order to use rememberable, you must ensure a password is always set " \
-            "or implement rememberable_value in your model with your own logic."
+            "or have a remember_token column in your model or implement your own " \
+            "rememberable_value in the model with custom logic."
         end
       end
 
-      def cookie_options
-        self.class.cookie_options
+      def rememberable_options
+        self.class.rememberable_options
       end
 
     protected
 
+      def generate_remember_token?
+        respond_to?(:remember_token) && remember_expired?
+      end
+
       # Generate a timestamp if extend_remember_period is true, if no remember_token
       # exists, or if an existing remember token has expired.
       def generate_remember_timestamp?(extend_period) #:nodoc:
@@ -107,7 +114,7 @@ module Devise
           generate_token(:remember_token)
         end
 
-        Devise::Models.config(self, :remember_for, :extend_remember_period, :cookie_options)
+        Devise::Models.config(self, :remember_for, :extend_remember_period, :rememberable_options)
       end
     end
   end

lib/devise/models/serializable.rb

@@ -1,46 +0,0 @@
-module Devise
-  module Models
-    # This module redefine to_xml and serializable_hash in models for more
-    # secure defaults. By default, it removes from the serializable model
-    # all attributes that are *not* accessible. You can remove this default
-    # by using :force_except and passing a new list of attributes you want
-    # to exempt. All attributes given to :except will simply add names to
-    # exempt to Devise internal list.
-    module Serializable
-      extend ActiveSupport::Concern
-
-      array = %w(serializable_hash)
-      # to_xml does not call serializable_hash on 3.1
-      array << "to_xml" if Rails::VERSION::STRING[0,3] == "3.1"
-
-      array.each do |method|
-        class_eval <<-RUBY, __FILE__, __LINE__
-          def #{method}(options=nil)
-            options ||= {}
-            if options.key?(:force_except)
-              options[:except] = options.delete(:force_except)
-              super(options)
-            elsif self.class.blacklist_keys?
-              except = Array(options[:except])
-              super(options.merge(:except => except + self.class.blacklist_keys))
-            else
-              super
-            end
-          end
-        RUBY
-      end
-
-      module ClassMethods
-        # Return true if we can retrieve blacklist keys from the record.
-        def blacklist_keys?
-          @has_except_keys ||= respond_to?(:accessible_attributes) && !accessible_attributes.to_a.empty?
-        end
-
-        # Returns keys that should be removed when serializing the record.
-        def blacklist_keys
-          @blacklist_keys ||= to_adapter.column_names.map(&:to_s) - accessible_attributes.to_a.map(&:to_s)
-        end
-      end
-    end
-  end
-end

lib/devise/param_filter.rb

@@ -33,9 +33,8 @@ module Devise
 
     private
 
-    # Determine which values should be transformed to string or passed as-is to the query builder underneath
     def param_requires_string_conversion?(value)
-      [Fixnum, TrueClass, FalseClass, Regexp].none? {|clz| value.is_a? clz }
+      true
     end
   end
 end

lib/devise/path_checker.rb

@@ -1,23 +0,0 @@
-module Devise
-  class PathChecker
-    include Rails.application.routes.url_helpers
-
-    def self.default_url_options(*args)
-      if defined?(ApplicationController)
-        ApplicationController.default_url_options(*args)
-      else
-        {}
-      end
-    end
-
-    def initialize(env, scope)
-      @current_path = "/#{env["SCRIPT_NAME"]}/#{env["PATH_INFO"]}".squeeze("/")
-      @scope = scope
-    end
-
-    def signing_out?
-      route = "destroy_#{@scope}_session_path"
-      respond_to?(route) && @current_path == send(route)
-    end
-  end
-end

lib/devise/rails/routes.rb

@@ -5,10 +5,10 @@ module ActionDispatch::Routing
     # Ensure Devise modules are included only after loading routes, because we
     # need devise_for mappings already declared to create filters and helpers.
     def finalize_with_devise!
-      finalize_without_devise!
+      result = finalize_without_devise!
 
       @devise_finalized ||= begin
-        if Devise.router_name.nil? && self != Rails.application.try(:routes)
+        if Devise.router_name.nil? && defined?(@devise_finalized) && self != Rails.application.try(:routes)
           warn "[DEVISE] We have detected that you are using devise_for inside engine routes. " \
             "In this case, you probably want to set Devise.router_name = MOUNT_POINT, where "   \
             "MOUNT_POINT is a symbol representing where this engine will be mounted at. For "   \
@@ -20,6 +20,8 @@ module ActionDispatch::Routing
         Devise.regenerate_helpers!
         true
       end
+
+      result
     end
     alias_method_chain :finalize!, :devise
   end

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "2.0.2".freeze
+  VERSION = "2.0.6".freeze
 end

test/controllers/helpers_test.rb

@@ -141,7 +141,7 @@ class ControllerAuthenticatableTest < ActionController::TestCase
 
   test 'sign out clears up any signed in user by scope' do
     user = User.new
-    @mock_warden.expects(:user).with(:user).returns(user)
+    @mock_warden.expects(:user).with(:scope => :user, :run_callbacks => false).returns(user)
     @mock_warden.expects(:logout).with(:user).returns(true)
     @controller.instance_variable_set(:@current_user, user)
     @controller.sign_out(:user)
@@ -149,13 +149,13 @@ class ControllerAuthenticatableTest < ActionController::TestCase
   end
   
   test 'sign out proxy to logout on warden' do
-    @mock_warden.expects(:user).with(:user).returns(true)
+    @mock_warden.expects(:user).with(:scope => :user, :run_callbacks => false).returns(true)
     @mock_warden.expects(:logout).with(:user).returns(true)
     @controller.sign_out(:user)
   end
 
   test 'sign out accepts a resource as argument' do
-    @mock_warden.expects(:user).with(:user).returns(true)
+    @mock_warden.expects(:user).with(:scope => :user, :run_callbacks => false).returns(true)
     @mock_warden.expects(:logout).with(:user).returns(true)
     @controller.sign_out(User.new)
   end
@@ -230,7 +230,7 @@ class ControllerAuthenticatableTest < ActionController::TestCase
 
   test 'sign out and redirect uses the configured after sign out path when signing out only the current scope' do
     swap Devise, :sign_out_all_scopes => false do
-      @mock_warden.expects(:user).with(:admin).returns(true)
+      @mock_warden.expects(:user).with(:scope => :admin, :run_callbacks => false).returns(true)
       @mock_warden.expects(:logout).with(:admin).returns(true)
       @controller.expects(:redirect_to).with(admin_root_path)
       @controller.instance_eval "def after_sign_out_path_for(resource); admin_root_path; end"

test/integration/recoverable_test.rb

@@ -195,15 +195,6 @@ class PasswordTest < ActionController::IntegrationTest
     assert !warden.authenticated?(:user)
   end
 
-  test 'sign in user automatically and confirm after changing its password if it\'s not confirmed' do
-    user = create_user(:confirm => false)
-    request_forgot_password
-    reset_password :reset_password_token => user.reload.reset_password_token
-
-    assert warden.authenticated?(:user)
-    assert user.reload.confirmed?
-  end
-
   test 'reset password request with valid E-Mail in XML format should return valid response' do
     create_user
     post user_password_path(:format => 'xml'), :user => {:email => "user@test.com"}

test/integration/rememberable_test.rb

@@ -51,7 +51,7 @@ class RememberMeTest < ActionController::IntegrationTest
     # We test this by asserting the cookie is not sent after the redirect
     # since we changed the domain. This is the only difference with the
     # previous test.
-    swap Devise, :cookie_options => { :domain => "omg.somewhere.com" } do
+    swap Devise, :rememberable_options => { :domain => "omg.somewhere.com" } do
       user = sign_in_as_user :remember_me => true
       assert_nil request.cookies["remember_user_token"]
     end

test/integration/timeoutable_test.rb

@@ -50,10 +50,12 @@ class SessionTimeoutTest < ActionController::IntegrationTest
     get expire_user_path(user)
 
     get destroy_user_session_path
+
     assert_response :redirect
     assert_redirected_to root_path
 
     follow_redirect!
+
     assert_contain 'Signed out successfully'
   end
 

test/models/authenticatable_test.rb

@@ -0,0 +1,9 @@
+require 'test_helper'
+
+class AuthenticatableTest < ActiveSupport::TestCase
+  test 'find_first_by_auth_conditions allows custom filtering parameters' do
+    user = User.create!(:email => "example@example.com", :password => "123456")
+    assert_equal User.find_first_by_auth_conditions({ :email => "example@example.com" }), user
+    assert_equal User.find_first_by_auth_conditions({ :email => "example@example.com" }, :id => user.id + 1), nil
+  end
+end

test/models/database_authenticatable_test.rb

@@ -23,15 +23,9 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
   end
 
   test "param filter should not convert booleans and integer to strings" do
-    conditions = { 'login' => 'foo@bar.com', "bool1" => true, "bool2" => false, "fixnum" => 123, "will_be_converted" => (1..10) }
+    conditions = { "login" => "foo@bar.com", "bool1" => true, "bool2" => false, "fixnum" => 123, "will_be_converted" => (1..10) }
     conditions = Devise::ParamFilter.new([], []).filter(conditions)
-    assert_equal( { 'login' => 'foo@bar.com', "bool1" => true, "bool2" => false, "fixnum" => 123, "will_be_converted" => "1..10" }, conditions)
-  end
-
-  test "param filter should not convert regular expressions to strings" do
-    conditions = { "regexp" => /expression/ }
-    conditions = Devise::ParamFilter.new([], []).filter(conditions)
-    assert_equal( { "regexp" => /expression/ }, conditions)
+    assert_equal( { "login" => "foo@bar.com", "bool1" => "true", "bool2" => "false", "fixnum" => "123", "will_be_converted" => "1..10" }, conditions)
   end
 
   test 'should respond to password and password confirmation' do

test/models/serializable_test.rb

@@ -6,8 +6,8 @@ class SerializableTest < ActiveSupport::TestCase
   end
 
   test 'should not include unsafe keys on XML' do
-    assert_match /email/, @user.to_xml 
-    assert_no_match /confirmation-token/, @user.to_xml 
+    assert_match /email/, @user.to_xml
+    assert_no_match /confirmation-token/, @user.to_xml
   end
 
   test 'should not include unsafe keys on XML even if a new except is provided' do
@@ -21,18 +21,28 @@ class SerializableTest < ActiveSupport::TestCase
   end
 
   test 'should not include unsafe keys on JSON' do
-    assert_match /"email":/, @user.to_json 
-    assert_no_match /"confirmation_token":/, @user.to_json 
+    assert_equal %w(created_at email facebook_token id updated_at username), from_json().keys.sort
   end
 
   test 'should not include unsafe keys on JSON even if a new except is provided' do
-    assert_no_match /"email":/, @user.to_json(:except => :email)
-    assert_no_match /"confirmation_token":/, @user.to_json(:except => :email)
+    assert_no_key "email", from_json(:except => :email)
+    assert_no_key "confirmation_token", from_json(:except => :email)
   end
 
   test 'should include unsafe keys on JSON if a force_except is provided' do
-    assert_no_match /"email":/, @user.to_json(:force_except => :email)
-    assert_match /"confirmation_token":/, @user.to_json(:force_except => :email)
+    assert_no_key "email", from_json(:force_except => :email)
+    assert_key "confirmation_token", from_json(:force_except => :email)
   end
 
+  def assert_key(key, subject)
+    assert subject.key?(key), "Expected #{subject.inspect} to have key #{key.inspect}"
+  end
+
+  def assert_no_key(key, subject)
+    assert !subject.key?(key), "Expected #{subject.inspect} to not have key #{key.inspect}"
+  end
+
+  def from_json(options=nil)
+    ActiveSupport::JSON.decode(@user.to_json(options))["user"]
+  end
 end

test/path_checker_test.rb

@@ -1,21 +0,0 @@
-require 'test_helper'
-
-class PathCheckerTest < ActiveSupport::TestCase
-  test 'check if sign out path matches' do
-    path_checker = Devise::PathChecker.new({"PATH_INFO" => "/users/sign_out"}, :user)
-    assert path_checker.signing_out?
-
-    path_checker = Devise::PathChecker.new({"PATH_INFO" => "/users/sign_in"}, :user)
-    assert_not path_checker.signing_out?
-  end
-
-  test 'considers script name' do
-    path_checker = Devise::PathChecker.new({"SCRIPT_NAME" => "/users", "PATH_INFO" => "/sign_out"}, :user)
-    assert path_checker.signing_out?
-  end
-
-  test 'ignores invalid routes' do
-    path_checker = Devise::PathChecker.new({"PATH_INFO" => "/users/sign_in"}, :omg)
-    assert_not path_checker.signing_out?
-  end
-end

test/rails_app/app/controllers/application_controller.rb

@@ -3,6 +3,6 @@
 
 class ApplicationController < ActionController::Base
   protect_from_forgery
-  before_filter :current_user
+  before_filter :current_user, :unless => :devise_controller?
   before_filter :authenticate_user!, :if => :devise_controller?
 end