Release v3.2.2

Fix spelling in README [ci skip]

CHANGELOG.md

@@ -1,3 +1,10 @@
+### 3.2.2
+
+* bug fix
+  * Ensure timeoutable works when `sign_out_all_scopes` is false (by @louman)
+  * Keep the query string when storing location (by @csexton)
+  * Require rails generator base class in devise generators
+
 ### 3.2.1
 
 Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode

Gemfile.lock

@@ -12,7 +12,7 @@ GIT
 PATH
   remote: .
   specs:
-    devise (3.2.1)
+    devise (3.2.2)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)

README.md

@@ -180,7 +180,7 @@ Besides :stretches, you can define :pepper, :encryptor, :confirm_within, :rememb
 
 When you customize your own views, you may end up adding new attributes to forms. Rails 4 moved the parameter sanitization from the model to the controller, causing Devise to handle this concern at the controller as well.
 
-There are just three actions in Devise that allows any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and the permited parameters by default are:
+There are just three actions in Devise that allows any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and the permitted parameters by default are:
 
 * `sign_in` (`Devise::SessionsController#new`) - Permits only the authentication keys (like `email`)
 * `sign_up` (`Devise::RegistrationsController#create`) - Permits authentication keys plus `password` and `password_confirmation`

gemfiles/Gemfile.rails-3.2.x.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    devise (3.2.1)
+    devise (3.2.2)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)

lib/devise/controllers/store_location.rb

@@ -33,7 +33,10 @@ module Devise
       #
       def store_location_for(resource_or_scope, location)
         session_key = stored_location_key_for(resource_or_scope)
-        session[session_key] = URI.parse(location).path if location
+        if location
+          uri = URI.parse(location)
+          session[session_key] = [uri.path.sub(/\A\/+/, '/'), uri.query].compact.join('?')
+        end
       end
 
       private

lib/devise/hooks/timeoutable.rb

@@ -12,7 +12,7 @@ Warden::Manager.after_set_user do |record, warden, options|
     proxy = Devise::Hooks::Proxy.new(warden)
 
     if record.timedout?(last_request_at) && !env['devise.skip_timeout']
-      Devise.sign_out_all_scopes ? proxy.sign_out : sign_out(scope)
+      Devise.sign_out_all_scopes ? proxy.sign_out : proxy.sign_out(scope)
 
       if record.respond_to?(:expire_auth_token_on_timeout) && record.expire_auth_token_on_timeout
         record.reset_authentication_token!

lib/devise/rails/routes.rb

@@ -393,13 +393,13 @@ and you have set #{mapping.fullpath.inspect}. You can work around by passing
 `skip: :omniauth_callbacks` and manually defining the routes. Here is an example:
 
     match "/users/auth/:provider",
-      :constraints => { :provider => /\Agoogle|facebook\z/ },
+      :constraints => { :provider => /\A(google|facebook)\z/ },
       :to => "devise/omniauth_callbacks#passthru",
       :as => :omniauth_authorize,
       :via => [:get, :post]
 
     match "/users/auth/:action/callback",
-      :constraints => { :action => /\Agoogle|facebook\z/ },
+      :constraints => { :action => /\A(google|facebook)\z/ },
       :to => "devise/omniauth_callbacks",
       :as => :omniauth_callback,
       :via => [:get, :post]

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.2.1".freeze
+  VERSION = "3.2.2".freeze
 end

lib/generators/devise/devise_generator.rb

@@ -1,3 +1,5 @@
+require 'rails/generators/named_base'
+
 module Devise
   module Generators
     class DeviseGenerator < Rails::Generators::NamedBase

lib/generators/devise/install_generator.rb

@@ -1,3 +1,4 @@
+require 'rails/generators/base'
 require 'securerandom'
 
 module Devise

lib/generators/devise/views_generator.rb

@@ -1,3 +1,5 @@
+require 'rails/generators/base'
+
 module Devise
   module Generators
     # Include this module in your generator to generate Devise views.

lib/generators/mongoid/devise_generator.rb

@@ -1,3 +1,4 @@
+require 'rails/generators/named_base'
 require 'generators/devise/orm_helpers'
 
 module Mongoid

test/controllers/helpers_test.rb

@@ -198,10 +198,16 @@ class ControllerAuthenticatableTest < ActionController::TestCase
     assert_equal "/foo.bar", @controller.stored_location_for(User.new)
   end
 
-  test 'store location for stores only paths' do
-    assert_nil @controller.stored_location_for(:user)
+  test 'store location for stores paths' do
     @controller.store_location_for(:user, "//host/foo.bar")
     assert_equal "/foo.bar", @controller.stored_location_for(:user)
+    @controller.store_location_for(:user, "///foo.bar")
+    assert_equal "/foo.bar", @controller.stored_location_for(:user)
+  end
+
+  test 'store location for stores query string' do
+    @controller.store_location_for(:user, "/foo?bar=baz")
+    assert_equal "/foo?bar=baz", @controller.stored_location_for(:user)
   end
 
   test 'after sign in path defaults to root path if none by was specified for the given scope' do

test/integration/timeoutable_test.rb

@@ -35,14 +35,19 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert warden.authenticated?(:user)
   end
 
-  test 'time out user session after default limit time' do
-    user = sign_in_as_user
-    get expire_user_path(user)
-    assert_not_nil last_request_at
+  test 'time out user session after default limit time when sign_out_all_scopes is false' do
+    swap Devise, sign_out_all_scopes: false do
+      sign_in_as_admin
 
-    get users_path
-    assert_redirected_to users_path
-    assert_not warden.authenticated?(:user)
+      user = sign_in_as_user
+      get expire_user_path(user)
+      assert_not_nil last_request_at
+
+      get users_path
+      assert_redirected_to users_path
+      assert_not warden.authenticated?(:user)
+      assert warden.authenticated?(:admin)
+    end
   end
 
   test 'time out all sessions after default limit time when sign_out_all_scopes is true' do