Release 3.0.0.rc with Rails 4 support

Support Rails 4

Keep compatibility with Rails 3.2. Drop support to Ruby 1.8.

.travis.yml

@@ -1,28 +1,13 @@
 language: ruby
 script: "bundle exec rake test"
 rvm:
-  - 1.8.7
-  - 1.9.2
   - 1.9.3
+  - 2.0.0
 env:
   - DEVISE_ORM=mongoid
   - DEVISE_ORM=active_record
-matrix:
-  exclude:
-    - rvm: 1.8.7
-      env: DEVISE_ORM=mongoid
-      gemfile: Gemfile
-    - rvm: 1.8.7
-      env: DEVISE_ORM=mongoid
-      gemfile: gemfiles/Gemfile.rails-3.1.x
-    - rvm: 1.9.2
-      env: DEVISE_ORM=mongoid
-      gemfile: Gemfile
-    - rvm: 1.9.2
-      env: DEVISE_ORM=mongoid
-      gemfile: gemfiles/Gemfile.rails-3.1.x
 gemfile:
-  - gemfiles/Gemfile.rails-3.1.x
+  - gemfiles/Gemfile.rails-3.2.x
   - Gemfile
 services:
   - mongodb

CHANGELOG.rdoc

@@ -1,3 +1,9 @@
+== 3.0.0.rc
+
+* enhancements
+  * Rails 4 and Strong Parameters compatibility. (@carlosantoniodasilva, @josevalim, @latortuga, @lucasmazza, @nashby, @rafaelfranca, @spastorino)
+  * Drop support for Rails < 3.2 and Ruby < 1.9.3.
+
 == 2.2.4
 
 * enhancements

Gemfile

@@ -2,7 +2,7 @@ source "https://rubygems.org"
 
 gemspec
 
-gem "rails", "~> 3.2.6"
+gem "rails", "~> 4.0.0.rc1"
 gem "omniauth", "~> 1.0.0"
 gem "omniauth-oauth2", "~> 1.0.0"
 gem "rdoc"
@@ -24,9 +24,8 @@ platforms :ruby do
   gem "sqlite3"
 end
 
-
-platforms :mri_19 do
+platforms :mri_19, :mri_20 do
   group :mongoid do
-    gem "mongoid", "~> 3.0"
+    gem "mongoid", github: "mongoid/mongoid", branch: "master"
   end
 end

Gemfile.lock

@@ -1,53 +1,61 @@
+GIT
+  remote: git://github.com/mongoid/mongoid.git
+  revision: fe7f43430580860db6d1d89cea27eda24ab60ab1
+  branch: master
+  specs:
+    mongoid (4.0.0)
+      activemodel (~> 4.0.0.rc1)
+      moped (~> 1.4.2)
+      origin (~> 1.0)
+      tzinfo (~> 0.3.22)
+
 PATH
   remote: .
   specs:
-    devise (2.2.4)
+    devise (3.0.0.rc)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (~> 3.1)
+      railties (>= 3.2.6, < 5)
       warden (~> 1.2.1)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (3.2.13)
-      actionpack (= 3.2.13)
+    actionmailer (4.0.0.rc1)
+      actionpack (= 4.0.0.rc1)
       mail (~> 2.5.3)
-    actionpack (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
-      builder (~> 3.0.0)
+    actionpack (4.0.0.rc1)
+      activesupport (= 4.0.0.rc1)
+      builder (~> 3.1.0)
       erubis (~> 2.7.0)
-      journey (~> 1.0.4)
-      rack (~> 1.4.5)
-      rack-cache (~> 1.2)
-      rack-test (~> 0.6.1)
-      sprockets (~> 2.2.1)
-    activemodel (3.2.13)
-      activesupport (= 3.2.13)
-      builder (~> 3.0.0)
-    activerecord (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
-      arel (~> 3.0.2)
-      tzinfo (~> 0.3.29)
-    activeresource (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
-    activesupport (3.2.13)
-      i18n (= 0.6.1)
-      multi_json (~> 1.0)
-    arel (3.0.2)
+      rack (~> 1.5.2)
+      rack-test (~> 0.6.2)
+    activemodel (4.0.0.rc1)
+      activesupport (= 4.0.0.rc1)
+      builder (~> 3.1.0)
+    activerecord (4.0.0.rc1)
+      activemodel (= 4.0.0.rc1)
+      activerecord-deprecated_finders (~> 1.0.2)
+      activesupport (= 4.0.0.rc1)
+      arel (~> 4.0.0)
+    activerecord-deprecated_finders (1.0.2)
+    activesupport (4.0.0.rc1)
+      i18n (~> 0.6, >= 0.6.4)
+      minitest (~> 4.2)
+      multi_json (~> 1.3)
+      thread_safe (~> 0.1)
+      tzinfo (~> 0.3.37)
+    arel (4.0.0)
+    atomic (1.1.8)
     bcrypt-ruby (3.0.1)
-    builder (3.0.4)
+    builder (3.1.4)
     erubis (2.7.0)
     faraday (0.8.7)
       multipart-post (~> 1.1)
     hashie (1.2.0)
     hike (1.2.2)
     httpauth (0.2.0)
-    i18n (0.6.1)
-    journey (1.0.4)
+    i18n (0.6.4)
     json (1.7.7)
     jwt (0.1.8)
       multi_json (>= 1.5)
@@ -56,14 +64,10 @@ GEM
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
     metaclass (0.0.1)
-    mime-types (1.22)
+    mime-types (1.23)
+    minitest (4.7.4)
     mocha (0.13.3)
       metaclass (~> 0.0.1)
-    mongoid (3.1.2)
-      activemodel (~> 3.2)
-      moped (~> 1.4.2)
-      origin (~> 1.0)
-      tzinfo (~> 0.3.22)
     moped (1.4.5)
     multi_json (1.7.2)
     multipart-post (1.2.0)
@@ -85,46 +89,46 @@ GEM
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
-    origin (1.0.11)
+    origin (1.1.0)
     orm_adapter (0.4.0)
     polyglot (0.3.3)
-    rack (1.4.5)
-    rack-cache (1.2)
-      rack (>= 0.4)
+    rack (1.5.2)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
-    rack-ssl (1.3.3)
-      rack
     rack-test (0.6.2)
       rack (>= 1.0)
-    rails (3.2.13)
-      actionmailer (= 3.2.13)
-      actionpack (= 3.2.13)
-      activerecord (= 3.2.13)
-      activeresource (= 3.2.13)
-      activesupport (= 3.2.13)
-      bundler (~> 1.0)
-      railties (= 3.2.13)
-    railties (3.2.13)
-      actionpack (= 3.2.13)
-      activesupport (= 3.2.13)
-      rack-ssl (~> 1.3.2)
+    rails (4.0.0.rc1)
+      actionmailer (= 4.0.0.rc1)
+      actionpack (= 4.0.0.rc1)
+      activerecord (= 4.0.0.rc1)
+      activesupport (= 4.0.0.rc1)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.0.0.rc1)
+      sprockets-rails (~> 2.0.0.rc4)
+    railties (4.0.0.rc1)
+      actionpack (= 4.0.0.rc1)
+      activesupport (= 4.0.0.rc1)
       rake (>= 0.8.7)
-      rdoc (~> 3.4)
-      thor (>= 0.14.6, < 2.0)
+      thor (>= 0.18.1, < 2.0)
     rake (10.0.4)
-    rdoc (3.12.2)
+    rdoc (4.0.1)
       json (~> 1.4)
     ruby-openid (2.2.3)
-    sprockets (2.2.2)
+    sprockets (2.9.3)
       hike (~> 1.2)
       multi_json (~> 1.0)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
+    sprockets-rails (2.0.0.rc4)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (~> 2.8)
     sqlite3 (1.3.7)
     thor (0.18.1)
-    tilt (1.3.7)
+    thread_safe (0.1.0)
+      atomic
+    tilt (1.4.0)
     treetop (1.4.12)
       polyglot
       polyglot (>= 0.3.1)
@@ -145,12 +149,12 @@ DEPENDENCIES
   devise!
   jruby-openssl
   mocha (~> 0.13.1)
-  mongoid (~> 3.0)
+  mongoid!
   omniauth (~> 1.0.0)
   omniauth-facebook
   omniauth-oauth2 (~> 1.0.0)
   omniauth-openid (~> 1.0.1)
-  rails (~> 3.2.6)
+  rails (~> 4.0.0.rc1)
   rdoc
   sqlite3
   webrat (= 0.7.3)

README.md

@@ -57,7 +57,7 @@ You can view the Devise documentation in RDoc format here:
 
 http://rubydoc.info/github/plataformatec/devise/master/frames
 
-If you need to use Devise with Rails 2.3, you can always run "gem server" from the command line after you install the gem to access the old documentation.
+If you need to use Devise with previous versions of Rails, you can always run "gem server" from the command line after you install the gem to access the old documentation.
 
 ### Example applications
 
@@ -90,7 +90,7 @@ Once you have solidified your understanding of Rails and authentication mechanis
 
 ## Getting started
 
-Devise 2.0 works with Rails 3.1 onwards. You can add it to your Gemfile with:
+Devise 3.0 works with Rails 3.2 onwards. You can add it to your Gemfile with:
 
 ```ruby
 gem 'devise'
@@ -143,7 +143,7 @@ user_session
 After signing in a user, confirming the account or updating the password, Devise will look for a scoped root path to redirect. Example: For a :user resource, it will use `user_root_path` if it exists, otherwise default `root_path` will be used. This means that you need to set the root inside your routes:
 
 ```ruby
-root :to => "home#index"
+root to: "home#index"
 ```
 
 You can also overwrite `after_sign_in_path_for` and `after_sign_out_path_for` to customize your redirect hooks.
@@ -176,34 +176,31 @@ devise :database_authenticatable, :registerable, :confirmable, :recoverable, :st
 
 Besides :stretches, you can define :pepper, :encryptor, :confirm_within, :remember_for, :timeout_in, :unlock_in and other values. For details, see the initializer file that was created when you invoked the "devise:install" generator described above.
 
-### Configuring multiple models
+### Strong Parameters
 
-Devise allows you to set up as many roles as you want. For example, you may have a User model and also want an Admin model with just authentication and timeoutable features. If so, just follow these steps:
+When you customize your own views, you may end up adding new attributes to forms. Rails 4 moved the parameter sanitization from the model to the controller, causing Devise to handle this concern at the controller as well.
+
+There are just three actions in Devise that allows any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and the permited parameters by default are:
+
+* `sign_in` (`Devise::SessionsController#new`) - Permits only the authentication keys (like `email`)
+* `sign_up` (`Devise::RegistrationsController#create`) - Permits authentication keys plus `password` and `password_confirmation`
+* `account_update` (`Devise::RegistrationsController#update`) - Permits authentication keys plus `password`, `password_confirmation` and `current_password`
+
+In case you want to customize the permitted parameters (the lazy way™) you can do with a simple before filter in your `ApplicationController`:
 
 ```ruby
-# Create a migration with the required fields
-create_table :admins do |t|
-  t.string :email
-  t.string :encrypted_password
-  t.timestamps
+class ApplicationController < ActionController::Base
+  before_filter :configure_permitted_parameters, if: :devise_controller?
+
+  protected
+
+  def configure_permitted_parameters
+    devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:username, :email) }
+  end
 end
-
-# Inside your Admin model
-devise :database_authenticatable, :timeoutable
-
-# Inside your routes
-devise_for :admins
-
-# Inside your protected controller
-before_filter :authenticate_admin!
-
-# Inside your controllers and views
-admin_signed_in?
-current_admin
-admin_session
 ```
 
-On the other hand, you can simply run the generator!
+The example above overrides the permitted parameters for the user to be both `:username` and `:email`. The non-lazy way to configure parameters would be by defining the before filter above in a custom controller. We detail how to configure and customize controllers in some sections below.
 
 ### Configuring views
 
@@ -353,15 +350,40 @@ You can read more about Omniauth support in the wiki:
 
 * https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
 
+### Configuring multiple models
+
+Devise allows you to set up as many roles as you want. For example, you may have a User model and also want an Admin model with just authentication and timeoutable features. If so, just follow these steps:
+
+```ruby
+# Create a migration with the required fields
+create_table :admins do |t|
+  t.string :email
+  t.string :encrypted_password
+  t.timestamps
+end
+
+# Inside your Admin model
+devise :database_authenticatable, :timeoutable
+
+# Inside your routes
+devise_for :admins
+
+# Inside your protected controller
+before_filter :authenticate_admin!
+
+# Inside your controllers and views
+admin_signed_in?
+current_admin
+admin_session
+```
+
+On the other hand, you can simply run the generator!
+
 ### Other ORMs
 
 Devise supports ActiveRecord (default) and Mongoid. To choose other ORM, you just need to require it in the initializer file.
 
-### Migrating from other solutions
-
-Devise implements encryption strategies for Clearance, Authlogic and Restful-Authentication. To make use of these strategies, you need set the desired encryptor in the encryptor initializer config option and add :encryptable to your model. You might also need to rename your encrypted password and salt columns to match Devise's fields (encrypted_password and password_salt).
-
-## Troubleshooting
+## Additional information
 
 ### Heroku
 
@@ -373,8 +395,6 @@ config.assets.initialize_on_precompile = false
 
 Read more about the potential issues at http://guides.rubyonrails.org/asset_pipeline.html
 
-## Additional information
-
 ### Warden
 
 Devise is based on Warden, which is a general Rack authentication framework created by Daniel Neighman. We encourage you to read more about Warden here:

app/controllers/devise/confirmations_controller.rb

@@ -1,7 +1,7 @@
 class Devise::ConfirmationsController < DeviseController
   # GET /resource/confirmation/new
   def new
-    build_resource({})
+    self.resource = resource_class.new
   end
 
   # POST /resource/confirmation
@@ -39,5 +39,4 @@ class Devise::ConfirmationsController < DeviseController
     def after_confirmation_path_for(resource_name, resource)
       after_sign_in_path_for(resource)
     end
-
 end

app/controllers/devise/passwords_controller.rb

@@ -5,7 +5,7 @@ class Devise::PasswordsController < DeviseController
 
   # GET /resource/password/new
   def new
-    build_resource({})
+    self.resource = resource_class.new
   end
 
   # POST /resource/password

app/controllers/devise/registrations_controller.rb

@@ -4,13 +4,13 @@ class Devise::RegistrationsController < DeviseController
 
   # GET /resource/sign_up
   def new
-    resource = build_resource({})
-    respond_with resource
+    build_resource({})
+    respond_with self.resource
   end
 
   # POST /resource
   def create
-    build_resource
+    self.resource = build_resource(sign_up_params)
 
     if resource.save
       if resource.active_for_authentication?
@@ -40,7 +40,7 @@ class Devise::RegistrationsController < DeviseController
     self.resource = resource_class.to_adapter.get!(send(:"current_#{resource_name}").to_key)
     prev_unconfirmed_email = resource.unconfirmed_email if resource.respond_to?(:unconfirmed_email)
 
-    if resource.update_with_password(resource_params)
+    if resource.update_with_password(account_update_params)
       if is_navigational_format?
         flash_key = update_needs_confirmation?(resource, prev_unconfirmed_email) ?
           :update_needs_confirmation : :updated
@@ -83,8 +83,7 @@ class Devise::RegistrationsController < DeviseController
   # Build a devise resource passing in the session. Useful to move
   # temporary session data to the newly created user.
   def build_resource(hash=nil)
-    hash ||= resource_params || {}
-    self.resource = resource_class.new_with_session(hash, session)
+    self.resource = resource_class.new_with_session(hash || {}, session)
   end
 
   # Signs in a user on sign up. You can overwrite this method in your own
@@ -116,4 +115,12 @@ class Devise::RegistrationsController < DeviseController
     send(:"authenticate_#{resource_name}!", :force => true)
     self.resource = send(:"current_#{resource_name}")
   end
+
+  def sign_up_params
+    devise_parameter_sanitizer.for(:sign_up)
+  end
+
+  def account_update_params
+    devise_parameter_sanitizer.for(:account_update)
+  end
 end

app/controllers/devise/sessions_controller.rb

@@ -5,7 +5,7 @@ class Devise::SessionsController < DeviseController
 
   # GET /resource/sign_in
   def new
-    self.resource = build_resource(nil, :unsafe => true)
+    self.resource = resource_class.new(sign_in_params)
     clean_up_passwords(resource)
     respond_with(resource, serialize_options(resource))
   end
@@ -34,6 +34,10 @@ class Devise::SessionsController < DeviseController
 
   protected
 
+  def sign_in_params
+    devise_parameter_sanitizer.for(:sign_in)
+  end
+
   def serialize_options(resource)
     methods = resource_class.authentication_keys.dup
     methods = methods.keys if methods.is_a?(Hash)

app/controllers/devise/unlocks_controller.rb

@@ -3,7 +3,7 @@ class Devise::UnlocksController < DeviseController
 
   # GET /resource/unlock/new
   def new
-    build_resource({})
+    self.resource = resource_class.new
   end
 
   # POST /resource/unlock

app/controllers/devise_controller.rb

@@ -28,10 +28,6 @@ class DeviseController < Devise.parent_controller.constantize
     devise_mapping.to
   end
 
-  def resource_params
-    params[resource_name]
-  end
-
   # Returns a signed in resource from session (if one exists)
   def signed_in_resource
     warden.authenticate(:scope => resource_name)
@@ -93,23 +89,6 @@ MESSAGE
     instance_variable_set(:"@#{resource_name}", new_resource)
   end
 
-  # Build a devise resource.
-  # Assignment bypasses attribute protection when :unsafe option is passed
-  def build_resource(hash = nil, options = {})
-    hash ||= resource_params || {}
-
-    if options[:unsafe]
-      self.resource = resource_class.new.tap do |resource|
-        hash.each do |key, value|
-          setter = :"#{key}="
-          resource.send(setter, value) if resource.respond_to?(setter)
-        end
-      end
-    else
-      self.resource = resource_class.new(hash)
-    end
-  end
-
   # Helper for use in before_filters where no authentication is required.
   #
   # Example:
@@ -186,4 +165,8 @@ MESSAGE
       format.any(*navigational_formats, &block)
     end
   end
+
+  def resource_params
+    params.fetch(resource_name, {})
+  end
 end

devise.gemspec

@@ -22,5 +22,5 @@ Gem::Specification.new do |s|
   s.add_dependency("warden", "~> 1.2.1")
   s.add_dependency("orm_adapter", "~> 0.1")
   s.add_dependency("bcrypt-ruby", "~> 3.0")
-  s.add_dependency("railties", "~> 3.1")
+  s.add_dependency("railties", ">= 3.2.6", "< 5")
 end

gemfiles/Gemfile.rails-3.2.x

@@ -1,8 +1,8 @@
 source "https://rubygems.org"
 
-gem "devise", :path => ".."
+gemspec :path => '..'
 
-gem "rails", "~> 3.1.0"
+gem "rails", "~> 3.2.6"
 gem "omniauth", "~> 1.0.0"
 gem "omniauth-oauth2", "~> 1.0.0"
 gem "rdoc"
@@ -12,10 +12,6 @@ group :test do
   gem "omniauth-openid", "~> 1.0.1"
   gem "webrat", "0.7.3", :require => false
   gem "mocha", "~> 0.13.1", :require => false
-
-  platforms :mri_18 do
-    gem "ruby-debug", ">= 0.10.3"
-  end
 end
 
 platforms :jruby do
@@ -28,7 +24,7 @@ platforms :ruby do
   gem "sqlite3"
 end
 
-platforms :mri_19 do
+platforms :mri_19, :mri_20 do
   group :mongoid do
     gem "mongoid", "~> 3.0"
   end

gemfiles/Gemfile.rails-3.2.x.lock

@@ -1,60 +1,57 @@
 PATH
   remote: ..
   specs:
-    devise (2.2.4)
+    devise (3.0.0.rc)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (~> 3.1)
+      railties (>= 3.2.6, < 5)
       warden (~> 1.2.1)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    actionmailer (3.1.12)
-      actionpack (= 3.1.12)
-      mail (~> 2.4.4)
-    actionpack (3.1.12)
-      activemodel (= 3.1.12)
-      activesupport (= 3.1.12)
+    actionmailer (3.2.13)
+      actionpack (= 3.2.13)
+      mail (~> 2.5.3)
+    actionpack (3.2.13)
+      activemodel (= 3.2.13)
+      activesupport (= 3.2.13)
       builder (~> 3.0.0)
       erubis (~> 2.7.0)
-      i18n (~> 0.6)
-      rack (~> 1.3.6)
+      journey (~> 1.0.4)
+      rack (~> 1.4.5)
       rack-cache (~> 1.2)
-      rack-mount (~> 0.8.2)
       rack-test (~> 0.6.1)
-      sprockets (~> 2.0.4)
-    activemodel (3.1.12)
-      activesupport (= 3.1.12)
+      sprockets (~> 2.2.1)
+    activemodel (3.2.13)
+      activesupport (= 3.2.13)
       builder (~> 3.0.0)
-      i18n (~> 0.6)
-    activerecord (3.1.12)
-      activemodel (= 3.1.12)
-      activesupport (= 3.1.12)
-      arel (~> 2.2.3)
+    activerecord (3.2.13)
+      activemodel (= 3.2.13)
+      activesupport (= 3.2.13)
+      arel (~> 3.0.2)
       tzinfo (~> 0.3.29)
-    activeresource (3.1.12)
-      activemodel (= 3.1.12)
-      activesupport (= 3.1.12)
-    activesupport (3.1.12)
+    activeresource (3.2.13)
+      activemodel (= 3.2.13)
+      activesupport (= 3.2.13)
+    activesupport (3.2.13)
+      i18n (= 0.6.1)
       multi_json (~> 1.0)
-    arel (2.2.3)
+    arel (3.0.2)
     bcrypt-ruby (3.0.1)
     builder (3.0.4)
-    columnize (0.3.6)
     erubis (2.7.0)
     faraday (0.8.7)
       multipart-post (~> 1.1)
     hashie (1.2.0)
     hike (1.2.2)
     httpauth (0.2.0)
-    i18n (0.6.4)
+    i18n (0.6.1)
+    journey (1.0.4)
     json (1.7.7)
     jwt (0.1.8)
       multi_json (>= 1.5)
-    linecache (0.46)
-      rbx-require-relative (> 0.0.4)
-    mail (2.4.4)
+    mail (2.5.3)
       i18n (>= 0.4.0)
       mime-types (~> 1.16)
       treetop (~> 1.4.8)
@@ -62,9 +59,9 @@ GEM
     mime-types (1.23)
     mocha (0.13.3)
       metaclass (~> 0.0.1)
-    mongoid (3.0.23)
-      activemodel (~> 3.1)
-      moped (~> 1.2)
+    mongoid (3.1.3)
+      activemodel (~> 3.2)
+      moped (~> 1.4.2)
       origin (~> 1.0)
       tzinfo (~> 0.3.22)
     moped (1.4.5)
@@ -91,11 +88,9 @@ GEM
     origin (1.1.0)
     orm_adapter (0.4.0)
     polyglot (0.3.3)
-    rack (1.3.10)
+    rack (1.4.5)
     rack-cache (1.2)
       rack (>= 0.4)
-    rack-mount (0.8.3)
-      rack (>= 1.0.0)
     rack-openid (1.3.1)
       rack (>= 1.1.0)
       ruby-openid (>= 2.1.8)
@@ -103,37 +98,32 @@ GEM
       rack
     rack-test (0.6.2)
       rack (>= 1.0)
-    rails (3.1.12)
-      actionmailer (= 3.1.12)
-      actionpack (= 3.1.12)
-      activerecord (= 3.1.12)
-      activeresource (= 3.1.12)
-      activesupport (= 3.1.12)
+    rails (3.2.13)
+      actionmailer (= 3.2.13)
+      actionpack (= 3.2.13)
+      activerecord (= 3.2.13)
+      activeresource (= 3.2.13)
+      activesupport (= 3.2.13)
       bundler (~> 1.0)
-      railties (= 3.1.12)
-    railties (3.1.12)
-      actionpack (= 3.1.12)
-      activesupport (= 3.1.12)
+      railties (= 3.2.13)
+    railties (3.2.13)
+      actionpack (= 3.2.13)
+      activesupport (= 3.2.13)
       rack-ssl (~> 1.3.2)
       rake (>= 0.8.7)
       rdoc (~> 3.4)
-      thor (~> 0.14.6)
+      thor (>= 0.14.6, < 2.0)
     rake (10.0.4)
-    rbx-require-relative (0.0.9)
     rdoc (3.12.2)
       json (~> 1.4)
-    ruby-debug (0.10.4)
-      columnize (>= 0.1)
-      ruby-debug-base (~> 0.10.4.0)
-    ruby-debug-base (0.10.4)
-      linecache (>= 0.3)
     ruby-openid (2.2.3)
-    sprockets (2.0.4)
+    sprockets (2.2.2)
       hike (~> 1.2)
+      multi_json (~> 1.0)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
     sqlite3 (1.3.7)
-    thor (0.14.6)
+    thor (0.18.1)
     tilt (1.4.0)
     treetop (1.4.12)
       polyglot
@@ -160,8 +150,7 @@ DEPENDENCIES
   omniauth-facebook
   omniauth-oauth2 (~> 1.0.0)
   omniauth-openid (~> 1.0.1)
-  rails (~> 3.1.0)
+  rails (~> 3.2.6)
   rdoc
-  ruby-debug (>= 0.10.3)
   sqlite3
   webrat (= 0.7.3)

lib/devise.rb

@@ -6,12 +6,14 @@ require 'set'
 require 'securerandom'
 
 module Devise
-  autoload :Delegator,     'devise/delegator'
-  autoload :FailureApp,    'devise/failure_app'
-  autoload :OmniAuth,      'devise/omniauth'
-  autoload :ParamFilter,   'devise/param_filter'
-  autoload :TestHelpers,   'devise/test_helpers'
-  autoload :TimeInflector, 'devise/time_inflector'
+  autoload :Delegator,          'devise/delegator'
+  autoload :FailureApp,         'devise/failure_app'
+  autoload :OmniAuth,           'devise/omniauth'
+  autoload :ParamFilter,        'devise/param_filter'
+  autoload :BaseSanitizer,      'devise/parameter_sanitizer'
+  autoload :ParameterSanitizer, 'devise/parameter_sanitizer'
+  autoload :TestHelpers,        'devise/test_helpers'
+  autoload :TimeInflector,      'devise/time_inflector'
 
   module Controllers
     autoload :Helpers, 'devise/controllers/helpers'

lib/devise/controllers/helpers.rb

@@ -80,6 +80,17 @@ module Devise
         is_a?(DeviseController)
       end
 
+      # Setup a param sanitizer to filter parameters using strong_parameters. See
+      # lib/devise/parameter_sanitizer.rb for more info. Override this
+      # method in your application controller to use your own parameter sanitizer.
+      def devise_parameter_sanitizer
+        @devise_parameter_sanitizer ||= if defined?(ActionController::StrongParameters)
+          Devise::ParameterSanitizer.new(resource_class, resource_name, params)
+        else
+          Devise::BaseSanitizer.new(resource_class, resource_name, params)
+        end
+      end
+
       # Tell warden that params authentication is allowed for that specific page.
       def allow_params_authentication!
         request.env["devise.allow_params_authentication"] = true

lib/devise/parameter_sanitizer.rb

@@ -0,0 +1,59 @@
+module Devise
+  class BaseSanitizer
+    attr_reader :params, :resource_name, :resource_class
+
+    def initialize(resource_class, resource_name, params)
+      @resource_class = resource_class
+      @resource_name  = resource_name
+      @params         = params
+      @blocks         = Hash.new
+    end
+
+    def for(kind, &block)
+      if block_given?
+        @blocks[kind] = block
+      else
+        block = @blocks[kind]
+        block ? block.call(default_params) : fallback_for(kind)
+      end
+    end
+
+    private
+
+    def fallback_for(kind)
+      default_params
+    end
+
+    def default_params
+      params.fetch(resource_name, {})
+    end
+  end
+
+  class ParameterSanitizer < BaseSanitizer
+    private
+
+    def fallback_for(kind)
+      if respond_to?(kind, true)
+        send(kind)
+      else
+        raise NotImplementedError, "Devise Parameter Sanitizer doesn't know how to sanitize parameters for #{kind}"
+      end
+    end
+
+    def sign_in
+      default_params.permit(auth_keys)
+    end
+
+    def sign_up
+      default_params.permit(auth_keys + [:password, :password_confirmation])
+    end
+
+    def account_update
+      default_params.permit(auth_keys + [:password, :password_confirmation, :current_password])
+    end
+
+    def auth_keys
+      resource_class.authentication_keys
+    end
+  end
+end

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "2.2.4".freeze
+  VERSION = "3.0.0.rc".freeze
 end

lib/generators/active_record/devise_generator.rb

@@ -22,10 +22,7 @@ module ActiveRecord
       end
 
       def inject_devise_content
-        content = model_contents + <<CONTENT
-  # Setup accessible (or protected) attributes for your model
-  attr_accessible :email, :password, :password_confirmation, :remember_me
-CONTENT
+        content = model_contents
 
         class_path = if namespaced?
           class_name.to_s.split("::")

test/controllers/internal_helpers_test.rb

@@ -34,10 +34,20 @@ class HelpersTest < ActionController::TestCase
   end
 
   test 'get resource params from request params using resource name as key' do
-    user_params = {'name' => 'Shirley Templar'}
-    @controller.stubs(:params).returns(HashWithIndifferentAccess.new({'user' => user_params}))
+    user_params = {'email' => 'shirley@templar.com'}
 
-    assert_equal user_params, @controller.resource_params
+    params = if Devise.rails4?
+      # Stub controller name so strong parameters can filter properly.
+      # DeviseController does not allow any parameters by default.
+      @controller.stubs(:controller_name).returns(:sessions_controller)
+
+      ActionController::Parameters.new({'user' => user_params})
+    else
+      HashWithIndifferentAccess.new({'user' => user_params})
+    end
+    @controller.stubs(:params).returns(params)
+
+    assert_equal user_params, @controller.send(:resource_params)
   end
 
   test 'resources methods are not controller actions' do

test/generators/active_record_generator_test.rb

@@ -10,13 +10,11 @@ if DEVISE_ORM == :active_record
 
     test "all files are properly created with rails31 migration syntax" do
       run_generator %w(monster)
-      assert_file "app/models/monster.rb", /devise/, /attr_accessible (:[a-z_]+(, )?)+/
       assert_migration "db/migrate/devise_create_monsters.rb", /def change/
     end
 
     test "all files for namespaced model are properly created" do
       run_generator %w(admin/monster)
-      assert_file "app/models/admin/monster.rb", /devise/, /attr_accessible (:[a-z_]+(, )?)+/
       assert_migration "db/migrate/devise_create_admin_monsters.rb", /def change/
     end
 
@@ -68,7 +66,7 @@ if DEVISE_ORM == :active_record
       simulate_inside_engine(RailsEngine::Engine, RailsEngine) do
         run_generator ["monster"]
 
-        assert_file "app/models/rails_engine/monster.rb", /devise/,/attr_accessible (:[a-z_]+(, )?)+/
+        assert_file "app/models/rails_engine/monster.rb", /devise/
       end
     end
   end

test/integration/authenticatable_test.rb

@@ -191,7 +191,7 @@ class AuthenticationRoutesRestrictions < ActionDispatch::IntegrationTest
     get dashboard_path
 
     assert_response :success
-    assert_template 'home/admin'
+    assert_template 'home/admin_dashboard'
     assert_contain 'Admin dashboard'
   end
 
@@ -203,7 +203,7 @@ class AuthenticationRoutesRestrictions < ActionDispatch::IntegrationTest
     get dashboard_path
 
     assert_response :success
-    assert_template 'home/user'
+    assert_template 'home/user_dashboard'
     assert_contain 'User dashboard'
   end
 

test/integration/recoverable_test.rb

@@ -153,7 +153,8 @@ class PasswordTest < ActionDispatch::IntegrationTest
     assert_response :success
     assert_current_url '/users/password'
     assert_have_selector '#error_explanation'
-    assert_contain 'Password doesn\'t match confirmation'
+    assert_contain Devise.rails4? ?
+      "Password confirmation doesn't match Password" : "Password doesn't match confirmation"
     assert_not user.reload.valid_password?('987654321')
   end
 

test/integration/registerable_test.rb

@@ -17,7 +17,7 @@ class RegistrationTest < ActionDispatch::IntegrationTest
     assert warden.authenticated?(:admin)
     assert_current_url "/admin_area/home"
 
-    admin = Admin.last :order => "id"
+    admin = Admin.order(:id).last
     assert_equal admin.email, 'new_user@test.com'
   end
 
@@ -56,7 +56,7 @@ class RegistrationTest < ActionDispatch::IntegrationTest
 
     assert_not warden.authenticated?(:user)
 
-    user = User.last :order => "id"
+    user = User.order(:id).last
     assert_equal user.email, 'new_user@test.com'
     assert_not user.confirmed?
   end
@@ -100,7 +100,8 @@ class RegistrationTest < ActionDispatch::IntegrationTest
     assert_template 'registrations/new'
     assert_have_selector '#error_explanation'
     assert_contain "Email is invalid"
-    assert_contain "Password doesn't match confirmation"
+    assert_contain Devise.rails4? ?
+      "Password confirmation doesn't match Password" : "Password doesn't match confirmation"
     assert_contain "2 errors prohibited"
     assert_nil User.first
 
@@ -206,7 +207,8 @@ class RegistrationTest < ActionDispatch::IntegrationTest
     fill_in 'current password', :with => '12345678'
     click_button 'Update'
 
-    assert_contain "Password doesn't match confirmation"
+    assert_contain Devise.rails4? ?
+      "Password confirmation doesn't match Password" : "Password doesn't match confirmation"
     assert_not User.first.valid_password?('pas123')
   end
 
@@ -251,7 +253,7 @@ class RegistrationTest < ActionDispatch::IntegrationTest
     assert_response :success
     assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<admin>)
 
-    admin = Admin.last :order => "id"
+    admin = Admin.order(:id).last
     assert_equal admin.email, 'new_user@test.com'
   end
 
@@ -260,7 +262,7 @@ class RegistrationTest < ActionDispatch::IntegrationTest
     assert_response :success
     assert response.body.include? %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>)
 
-    user = User.last :order => "id"
+    user = User.order(:id).last
     assert_equal user.email, 'new_user@test.com'
   end
 

test/models/database_authenticatable_test.rb

@@ -123,13 +123,6 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert user.reload.valid_password?('pass4321')
   end
 
-  test 'should update password with valid current password and :as option' do
-    user = create_user
-    assert user.update_with_password(:current_password => '12345678',
-      :password => 'pass4321', :password_confirmation => 'pass4321', :as => :admin)
-    assert user.reload.valid_password?('pass4321')
-  end
-
   test 'should add an error to current password when it is invalid' do
     user = create_user
     assert_not user.update_with_password(:current_password => 'other',
@@ -182,12 +175,6 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert_equal 'new@example.com', user.email
   end
 
-  test 'should update the user without password with :as option' do
-    user = create_user
-    user.update_without_password(:email => 'new@example.com', :as => :admin)
-    assert_equal 'new@example.com', user.email
-  end
-
   test 'should not update password without password' do
     user = create_user
     user.update_without_password(:password => 'pass4321', :password_confirmation => 'pass4321')

test/models/validatable_test.rb

@@ -56,7 +56,12 @@ class ValidatableTest < ActiveSupport::TestCase
   test 'should require confirmation to be set when creating a new record' do
     user = new_user(:password => 'new_password', :password_confirmation => 'blabla')
     assert user.invalid?
-    assert_equal 'doesn\'t match confirmation', user.errors[:password].join
+
+    if Devise.rails4?
+      assert_equal 'doesn\'t match Password', user.errors[:password_confirmation].join
+    else
+      assert_equal 'doesn\'t match confirmation', user.errors[:password].join
+    end
   end
 
   test 'should require password when updating/resetting password' do
@@ -73,7 +78,12 @@ class ValidatableTest < ActiveSupport::TestCase
     user = create_user
     user.password_confirmation = 'another_password'
     assert user.invalid?
-    assert_equal 'doesn\'t match confirmation', user.errors[:password].join
+
+    if Devise.rails4?
+      assert_equal 'doesn\'t match Password', user.errors[:password_confirmation].join
+    else
+      assert_equal 'doesn\'t match confirmation', user.errors[:password].join
+    end
   end
 
   test 'should require a password with minimum of 6 characters' do

test/omniauth/url_helpers_test.rb

@@ -1,6 +1,9 @@
 require 'test_helper'
 
 class OmniAuthRoutesTest < ActionController::TestCase
+  ExpectedUrlGeneratiorError = Devise.rails4? ?
+    ActionController::UrlGenerationError : ActionController::RoutingError
+
   tests ApplicationController
 
   def assert_path(action, provider, with_param=true)
@@ -30,7 +33,7 @@ class OmniAuthRoutesTest < ActionController::TestCase
   test 'should generate authorization path' do
     assert_match "/users/auth/facebook", @controller.omniauth_authorize_path(:user, :facebook)
 
-    assert_raise ActionController::RoutingError do
+    assert_raise ExpectedUrlGeneratiorError do
       @controller.omniauth_authorize_path(:user, :github)
     end
   end

test/orm/active_record.rb

@@ -1,5 +1,6 @@
 ActiveRecord::Migration.verbose = false
 ActiveRecord::Base.logger = Logger.new(nil)
+ActiveRecord::Base.include_root_in_json = true
 
 ActiveRecord::Migrator.migrate(File.expand_path("../../rails_app/db/migrate/", __FILE__))
 

test/parameter_sanitizer_test.rb

@@ -0,0 +1,51 @@
+require 'test_helper'
+require 'devise/parameter_sanitizer'
+
+class BaseSanitizerTest < ActiveSupport::TestCase
+  def sanitizer
+    Devise::BaseSanitizer.new(User, :user, { user: { "email" => "jose" } })
+  end
+
+  test 'returns chosen params' do
+    assert_equal({ "email" => "jose" }, sanitizer.for(:sign_in))
+  end
+end
+
+if defined?(ActionController::StrongParameters)
+  require 'active_model/forbidden_attributes_protection'
+
+  class ParameterSanitizerTest < ActiveSupport::TestCase
+    def sanitizer(params)
+      params = ActionController::Parameters.new(params)
+      Devise::ParameterSanitizer.new(User, :user, params)
+    end
+
+    test 'filters some parameters on sign in by default' do
+      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
+      assert_equal({ "email" => "jose" }, sanitizer.for(:sign_in))
+    end
+
+    test 'filters some parameters on sign up by default' do
+      sanitizer = sanitizer(user: { "email" => "jose", "role" => "invalid" })
+      assert_equal({ "email" => "jose" }, sanitizer.for(:sign_up))
+    end
+
+    test 'filters some parameters on account update by default' do
+      sanitizer = sanitizer(user: { "email" => "jose", "role" => "invalid" })
+      assert_equal({ "email" => "jose" }, sanitizer.for(:account_update))
+    end
+
+    test 'allows custom hooks' do
+      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
+      sanitizer.for(:sign_in) { |user| user.permit(:email, :password) }
+      assert_equal({ "email" => "jose", "password" => "invalid" }, sanitizer.for(:sign_in))
+    end
+
+    test 'raises on unknown hooks' do
+      sanitizer = sanitizer(user: { "email" => "jose", "password" => "invalid" })
+      assert_raise NotImplementedError do
+        sanitizer.for(:unknown)
+      end
+    end
+  end
+end

test/rails_app/Rakefile

@@ -3,8 +3,4 @@
 
 require File.expand_path('../config/application', __FILE__)
 
-require 'rake'
-require 'rake/testtask'
-require 'rake/rdoctask'
-
 Rails.application.load_tasks

test/rails_app/app/mongoid/shim.rb

@@ -7,9 +7,8 @@ module Shim
   end
 
   module ClassMethods
-    def last(options = {})
-      options.delete(:order) if options[:order] == "id"
-      where(options).last
+    def order(attribute)
+      asc(attribute)
     end
 
     def find_by_email(email)

test/rails_app/bin/bundle

@@ -0,0 +1,3 @@
+#!/usr/bin/env ruby
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../Gemfile', __FILE__)
+load Gem.bin_path('bundler', 'bundle')

test/rails_app/bin/rails

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+APP_PATH = File.expand_path('../../config/application',  __FILE__)
+require_relative '../config/boot'
+require 'rails/commands'

test/rails_app/bin/rake

@@ -0,0 +1,4 @@
+#!/usr/bin/env ruby
+require_relative '../config/boot'
+require 'rake'
+Rake.application.run

test/rails_app/config/application.rb

@@ -2,7 +2,6 @@ require File.expand_path('../boot', __FILE__)
 
 require "action_controller/railtie"
 require "action_mailer/railtie"
-require "active_resource/railtie"
 require "rails/test_unit/railtie"
 
 Bundler.require :default, DEVISE_ORM
@@ -17,7 +16,7 @@ require "devise"
 module RailsApp
   class Application < Rails::Application
     # Add additional load paths for your own custom dirs
-    config.autoload_paths.reject!{ |p| p =~ /\/app\/(\w+)$/ && !%w(controllers helpers views).include?($1) }
+    config.autoload_paths.reject!{ |p| p =~ /\/app\/(\w+)$/ && !%w(controllers helpers mailers views).include?($1) }
     config.autoload_paths += [ "#{config.root}/app/#{DEVISE_ORM}" ]
 
     # Configure generators values. Many other options are available, be sure to check the documentation.

test/rails_app/config/boot.rb

@@ -2,7 +2,7 @@ unless defined?(DEVISE_ORM)
   DEVISE_ORM = (ENV["DEVISE_ORM"] || :active_record).to_sym
 end
 
-require 'rubygems'
-require 'bundler/setup'
+# Set up gems listed in the Gemfile.
+ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../../../Gemfile', __FILE__)
 
-$:.unshift File.expand_path('../../../../lib', __FILE__)
+require 'bundler/setup' if File.exists?(ENV['BUNDLE_GEMFILE'])

test/rails_app/config/environment.rb

@@ -1,5 +1,5 @@
-# Load the rails application
+# Load the rails application.
 require File.expand_path('../application', __FILE__)
 
-# Initialize the rails application
+# Initialize the rails application.
 RailsApp::Application.initialize!

test/rails_app/config/environments/development.rb

@@ -1,18 +1,34 @@
 RailsApp::Application.configure do
-  # Settings specified here will take precedence over those in config/environment.rb
+  # Settings specified here will take precedence over those in config/application.rb.
 
   # In the development environment your application's code is reloaded on
-  # every request.  This slows down response time but is perfect for development
-  # since you don't have to restart the webserver when you make code changes.
+  # every request. This slows down response time but is perfect for development
+  # since you don't have to restart the web server when you make code changes.
   config.cache_classes = false
 
-  # Log error messages when you accidentally call methods on nil.
-  config.whiny_nils = true
+  # Do not eager load code on boot.
+  config.eager_load = false
 
-  # Show full error reports and disable caching
+  # Show full error reports and disable caching.
   config.consider_all_requests_local       = true
   config.action_controller.perform_caching = false
 
-  # Don't care if the mailer can't send
+  # Don't care if the mailer can't send.
   config.action_mailer.raise_delivery_errors = false
+
+  # Print deprecation notices to the Rails logger.
+  config.active_support.deprecation = :log
+
+  # Only use best-standards-support built into browsers.
+  config.action_dispatch.best_standards_support = :builtin
+
+  # Log the query plan for queries taking more than this (works
+  # with SQLite, MySQL, and PostgreSQL).
+  config.active_record.auto_explain_threshold_in_seconds = 0.5
+
+  # Raise an error on page load if there are pending migrations
+  config.active_record.migration_error = :page_load
+
+  # Debug mode disables concatenation and preprocessing of assets.
+  config.assets.debug = true
 end

test/rails_app/config/environments/production.rb

@@ -1,33 +1,84 @@
 RailsApp::Application.configure do
-  # Settings specified here will take precedence over those in config/environment.rb
+  # Settings specified here will take precedence over those in config/application.rb.
 
-  # The production environment is meant for finished, "live" apps.
-  # Code is not reloaded between requests
+  # Code is not reloaded between requests.
   config.cache_classes = true
 
-  # Full error reports are disabled and caching is turned on
+  # Eager load code on boot. This eager loads most of Rails and
+  # your application in memory, allowing both thread web servers
+  # and those relying on copy on write to perform better.
+  # Rake tasks automatically ignore this option for performance.
+  config.eager_load = true
+
+  # Full error reports are disabled and caching is turned on.
   config.consider_all_requests_local       = false
   config.action_controller.perform_caching = true
 
-  # See everything in the log (default is :info)
-  # config.log_level = :debug
+  # Enable Rack::Cache to put a simple HTTP cache in front of your application
+  # Add `rack-cache` to your Gemfile before enabling this.
+  # For large-scale production use, consider using a caching reverse proxy like nginx, varnish or squid.
+  # config.action_dispatch.rack_cache = true
 
-  # Use a different logger for distributed setups
-  # config.logger = SyslogLogger.new
-
-  # Use a different cache store in production
-  # config.cache_store = :mem_cache_store
-
-  # Disable Rails's static asset server
-  # In production, Apache or nginx will already do this
+  # Disable Rails's static asset server (Apache or nginx will already do this).
   config.serve_static_assets = false
 
-  # Enable serving of images, stylesheets, and javascripts from an asset server
+  # Compress JavaScripts and CSS.
+  config.assets.js_compressor  = :uglifier
+  # config.assets.css_compressor = :sass
+
+  # Whether to fallback to assets pipeline if a precompiled asset is missed.
+  config.assets.compile = false
+
+  # Generate digests for assets URLs.
+  config.assets.digest = true
+
+  # Version of your assets, change this if you want to expire all your assets.
+  config.assets.version = '1.0'
+
+  # Specifies the header that your server uses for sending files.
+  # config.action_dispatch.x_sendfile_header = "X-Sendfile" # for apache
+  # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for nginx
+
+  # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies.
+  # config.force_ssl = true
+
+  # Set to :debug to see everything in the log.
+  config.log_level = :info
+
+  # Prepend all log lines with the following tags.
+  # config.log_tags = [ :subdomain, :uuid ]
+
+  # Use a different logger for distributed setups.
+  # config.logger = ActiveSupport::TaggedLogging.new(SyslogLogger.new)
+
+  # Use a different cache store in production.
+  # config.cache_store = :mem_cache_store
+
+  # Enable serving of images, stylesheets, and JavaScripts from an asset server.
   # config.action_controller.asset_host = "http://assets.example.com"
 
-  # Disable delivery errors, bad email addresses will be ignored
+  # Precompile additional assets.
+  # application.js, application.css, and all non-JS/CSS in app/assets folder are already added.
+  # config.assets.precompile += %w( search.js )
+
+  # Ignore bad email addresses and do not raise email delivery errors.
+  # Set this to true and configure the email server for immediate delivery to raise delivery errors.
   # config.action_mailer.raise_delivery_errors = false
 
-  # Enable threaded mode
-  # config.threadsafe!
+  # Enable locale fallbacks for I18n (makes lookups for any locale fall back to
+  # the I18n.default_locale when a translation can not be found).
+  config.i18n.fallbacks = true
+
+  # Send deprecation notices to registered listeners.
+  config.active_support.deprecation = :notify
+
+  # Log the query plan for queries taking more than this (works
+  # with SQLite, MySQL, and PostgreSQL).
+  # config.active_record.auto_explain_threshold_in_seconds = 0.5
+
+  # Disable automatic flushing of the log to improve performance.
+  # config.autoflush_log = false
+
+  # Use default logging formatter so that PID and timestamp are not suppressed.
+  config.log_formatter = ::Logger::Formatter.new
 end

test/rails_app/config/environments/test.rb

@@ -1,33 +1,36 @@
 RailsApp::Application.configure do
-  # Settings specified here will take precedence over those in config/environment.rb
+  # Settings specified here will take precedence over those in config/application.rb.
 
   # The test environment is used exclusively to run your application's
-  # test suite.  You never need to work with it otherwise.  Remember that
+  # test suite. You never need to work with it otherwise. Remember that
   # your test database is "scratch space" for the test suite and is wiped
-  # and recreated between test runs.  Don't rely on the data there!
+  # and recreated between test runs. Don't rely on the data there!
   config.cache_classes = true
 
-  # Log error messages when you accidentally call methods on nil.
-  config.whiny_nils = true
+  # Do not eager load code on boot. This avoids loading your whole application
+  # just for the purpose of running a single test. If you are using a tool that
+  # preloads Rails for running tests, you may have to set it to true.
+  config.eager_load = false
 
-  # Show full error reports and disable caching
+  # Configure static asset server for tests with Cache-Control for performance.
+  config.serve_static_assets = true
+  config.static_cache_control = "public, max-age=3600"
+
+  # Show full error reports and disable caching.
   config.consider_all_requests_local       = true
   config.action_controller.perform_caching = false
 
-  # Disable request forgery protection in test environment
-  config.action_controller.allow_forgery_protection    = false
+  # Raise exceptions instead of rendering exception templates.
+  config.action_dispatch.show_exceptions = false
+
+  # Disable request forgery protection in test environment.
+  config.action_controller.allow_forgery_protection = false
 
   # Tell Action Mailer not to deliver emails to the real world.
   # The :test delivery method accumulates sent emails in the
   # ActionMailer::Base.deliveries array.
   config.action_mailer.delivery_method = :test
 
-  # Use SQL instead of Active Record's schema dumper when creating the test database.
-  # This is necessary if your schema can't be completely dumped by the schema dumper,
-  # like if you have constraints or database-specific column types
-  # config.active_record.schema_format = :sql
-
-  config.action_dispatch.show_exceptions = false
-
+  # Print deprecation notices to the stderr.
   config.active_support.deprecation = :stderr
 end

test/rails_app/config/initializers/secret_token.rb

@@ -1,2 +1,8 @@
-Rails.application.config.secret_token = 'ea942c41850d502f2c8283e26bdc57829f471bb18224ddff0a192c4f32cdf6cb5aa0d82b3a7a7adbeb640c4b06f3aa1cd5f098162d8240f669b39d6b49680571'
-Rails.application.config.session_store :cookie_store, :key => "_my_app"
+config = Rails.application.config
+
+if Devise.rails4?
+  config.secret_key_base = 'd588e99efff13a86461fd6ab82327823ad2f8feb5dc217ce652cdd9f0dfc5eb4b5a62a92d24d2574d7d51dfb1ea8dd453ea54e00cf672159a13104a135422a10'
+else
+  config.secret_token = 'ea942c41850d502f2c8283e26bdc57829f471bb18224ddff0a192c4f32cdf6cb5aa0d82b3a7a7adbeb640c4b06f3aa1cd5f098162d8240f669b39d6b49680571'
+  config.session_store :cookie_store, :key => "_my_app"
+end

test/rails_app/config/initializers/session_store.rb

@@ -0,0 +1 @@
+RailsApp::Application.config.session_store :cookie_store, key: '_rails_app_session'

test/rails_app/config/routes.rb

@@ -96,5 +96,5 @@ Rails.application.routes.draw do
   get "/unauthenticated", :to => "home#unauthenticated"
   get "/custom_strategy/new"
 
-  root :to => "home#index"
+  root :to => "home#index", :via => [:get, :post]
 end

test/rails_app/lib/shared_user.rb

@@ -7,7 +7,6 @@ module SharedUser
            :trackable, :validatable, :omniauthable
 
     attr_accessor :other_key
-    attr_accessible :username, :email, :password, :password_confirmation, :remember_me, :confirmation_sent_at
 
     # They need to be included after Devise is called.
     extend ExtendMethods

test/rails_app/script/rails

@@ -1,10 +0,0 @@
-#!/usr/bin/env ruby
-# This command will automatically be run when you run "rails" with Rails 3 gems installed from the root of your application.
-
-ENV_PATH  = File.expand_path('../../config/environment',  __FILE__)
-BOOT_PATH = File.expand_path('../../config/boot',  __FILE__)
-APP_PATH  = File.expand_path('../../config/application',  __FILE__)
-ROOT_PATH = File.expand_path('../..',  __FILE__)
-
-require BOOT_PATH
-require 'rails/commands'

test/routes_test.rb

@@ -1,5 +1,7 @@
 require 'test_helper'
 
+ExpectedRoutingError = Devise.rails4? ? MiniTest::Assertion : ActionController::RoutingError
+
 class DefaultRoutingTest < ActionController::TestCase
   test 'map new user session' do
     assert_recognizes({:controller => 'devise/sessions', :action => 'new'}, {:path => 'users/sign_in', :method => :get})
@@ -101,7 +103,7 @@ class DefaultRoutingTest < ActionController::TestCase
     assert_recognizes({:controller => 'users/omniauth_callbacks', :action => 'google'}, {:path => 'users/auth/google/callback', :method => :post})
     assert_named_route "/users/auth/google/callback", :user_omniauth_callback_path, :google
 
-    assert_raise ActionController::RoutingError do
+    assert_raise ExpectedRoutingError do
       assert_recognizes({:controller => 'ysers/omniauth_callbacks', :action => 'twitter'}, {:path => 'users/auth/twitter/callback', :method => :get})
     end
   end
@@ -123,7 +125,7 @@ class CustomizedRoutingTest < ActionController::TestCase
   end
 
   test 'does not map admin password' do
-    assert_raise ActionController::RoutingError do
+    assert_raise ExpectedRoutingError do
       assert_recognizes({:controller => 'devise/passwords', :action => 'new'}, 'admin_area/password/new')
     end
   end
@@ -133,7 +135,7 @@ class CustomizedRoutingTest < ActionController::TestCase
   end
 
   test 'does only map reader password' do
-    assert_raise ActionController::RoutingError do
+    assert_raise ExpectedRoutingError do
       assert_recognizes({:controller => 'devise/sessions', :action => 'new'}, 'reader/sessions/new')
     end
     assert_recognizes({:controller => 'devise/passwords', :action => 'new'}, 'reader/password/new')
@@ -161,14 +163,14 @@ class CustomizedRoutingTest < ActionController::TestCase
 
   test 'map deletes with :sign_out_via option' do
     assert_recognizes({:controller => 'devise/sessions', :action => 'destroy'}, {:path => '/sign_out_via/deletes/sign_out', :method => :delete})
-    assert_raise ActionController::RoutingError do
+    assert_raise ExpectedRoutingError do
       assert_recognizes({:controller => 'devise/sessions', :action => 'destroy'}, {:path => '/sign_out_via/deletes/sign_out', :method => :get})
     end
   end
 
   test 'map posts with :sign_out_via option' do
     assert_recognizes({:controller => 'devise/sessions', :action => 'destroy'}, {:path => '/sign_out_via/posts/sign_out', :method => :post})
-    assert_raise ActionController::RoutingError do
+    assert_raise ExpectedRoutingError do
       assert_recognizes({:controller => 'devise/sessions', :action => 'destroy'}, {:path => '/sign_out_via/posts/sign_out', :method => :get})
     end
   end
@@ -176,56 +178,56 @@ class CustomizedRoutingTest < ActionController::TestCase
   test 'map delete_or_posts with :sign_out_via option' do
     assert_recognizes({:controller => 'devise/sessions', :action => 'destroy'}, {:path => '/sign_out_via/delete_or_posts/sign_out', :method => :post})
     assert_recognizes({:controller => 'devise/sessions', :action => 'destroy'}, {:path => '/sign_out_via/delete_or_posts/sign_out', :method => :delete})
-    assert_raise ActionController::RoutingError do
+    assert_raise ExpectedRoutingError do
       assert_recognizes({:controller => 'devise/sessions', :action => 'destroy'}, {:path => '/sign_out_via/delete_or_posts/sign_out', :method => :get})
     end
   end
-  
+
   test 'map with constraints defined in hash' do
     assert_recognizes({:controller => 'devise/registrations', :action => 'new'}, {:path => 'http://192.168.1.100/headquarters/sign_up', :method => :get})
-    assert_raise ActionController::RoutingError do
+    assert_raise ExpectedRoutingError do
       assert_recognizes({:controller => 'devise/registrations', :action => 'new'}, {:path => 'http://10.0.0.100/headquarters/sign_up', :method => :get})
     end
   end
-  
+
   test 'map with constraints defined in block' do
     assert_recognizes({:controller => 'devise/registrations', :action => 'new'}, {:path => 'http://192.168.1.100/homebase/sign_up', :method => :get})
-    assert_raise ActionController::RoutingError do
+    assert_raise ExpectedRoutingError do
       assert_recognizes({:controller => 'devise/registrations', :action => 'new'}, {:path => 'http://10.0.0.100//homebase/sign_up', :method => :get})
     end
   end
-  
+
   test 'map with format false for sessions' do
     assert_recognizes({:controller => 'devise/sessions', :action => 'new'}, {:path => '/htmlonly_admin/sign_in', :method => :get})
-    assert_raise ActionController::RoutingError do
+    assert_raise ExpectedRoutingError do
       assert_recognizes({:controller => 'devise/sessions', :action => 'new'}, {:path => '/htmlonly_admin/sign_in.xml', :method => :get})
     end
   end
-  
+
   test 'map with format false for passwords' do
     assert_recognizes({:controller => 'devise/passwords', :action => 'create'}, {:path => '/htmlonly_admin/password', :method => :post})
-    assert_raise ActionController::RoutingError do
+    assert_raise ExpectedRoutingError do
       assert_recognizes({:controller => 'devise/passwords', :action => 'create'}, {:path => '/htmlonly_admin/password.xml', :method => :post})
     end
   end
-  
+
   test 'map with format false for registrations' do
     assert_recognizes({:controller => 'devise/registrations', :action => 'new'}, {:path => '/htmlonly_admin/sign_up', :method => :get})
-    assert_raise ActionController::RoutingError do
+    assert_raise ExpectedRoutingError do
       assert_recognizes({:controller => 'devise/registrations', :action => 'new'}, {:path => '/htmlonly_admin/sign_up.xml', :method => :get})
     end
   end
-  
+
   test 'map with format false for confirmations' do
     assert_recognizes({:controller => 'devise/confirmations', :action => 'show'}, {:path => '/htmlonly_users/confirmation', :method => :get})
-    assert_raise ActionController::RoutingError do
+    assert_raise ExpectedRoutingError do
       assert_recognizes({:controller => 'devise/confirmations', :action => 'show'}, {:path => '/htmlonly_users/confirmation.xml', :method => :get})
     end
   end
-  
+
   test 'map with format false for unlocks' do
     assert_recognizes({:controller => 'devise/unlocks', :action => 'show'}, {:path => '/htmlonly_users/unlock', :method => :get})
-    assert_raise ActionController::RoutingError do
+    assert_raise ExpectedRoutingError do
       assert_recognizes({:controller => 'devise/unlocks', :action => 'show'}, {:path => '/htmlonly_users/unlock.xml', :method => :get})
     end
   end

test/test_helper.rb

@@ -4,6 +4,13 @@ DEVISE_ORM = (ENV["DEVISE_ORM"] || :active_record).to_sym
 $:.unshift File.dirname(__FILE__)
 puts "\n==> Devise.orm = #{DEVISE_ORM.inspect}"
 
+module Devise
+  # Detection for minor differences between Rails 3.2 and 4 in tests.
+  def self.rails4?
+    Rails.version.start_with? '4'
+  end
+end
+
 require "rails_app/config/environment"
 require "rails/test_help"
 require "orm/#{DEVISE_ORM}"

test/test_models.rb

@@ -15,7 +15,6 @@ end
 class UserWithVirtualAttributes < User
   devise :case_insensitive_keys => [ :email, :email_confirmation ]
   validates :email, :presence => true, :confirmation => {:on => :create}
-  attr_accessible :email, :email_confirmation
 end
 
 class Several < Admin