Compare commits

7 Commits

Author SHA1 Message Date
José Valim
0a0681c663 Release v3.1.2 2013-11-13 14:08:08 +01:00
José Valim
96c456a72f Add Rails 4 related todo 2013-10-31 14:39:52 +01:00
José Valim
6a7011e84b Merge pull request #2717 from memberful/2716-splat-sanitize-params
Splat the arguments to strong_parameters#permit, fixes #2716
2013-10-31 06:38:30 -07:00
Matt Button
ceda14210d Splat the arguments to strong_parameters#permit, fixes #2716
There is a discrepancy between rails' strong_parameter implementation,
and the strong_parameter gem's[0]. While this is obviously a problem
with the other gem, it doesn't hurt to explicitly splat the parameters.

[0]: https://github.com/rails/strong_parameters/pull/170
2013-10-31 13:02:50 +00:00
José Valim
0efcba3627 Release v3.1.1 2013-10-01 17:11:42 +02:00
José Valim
07e77eb4b3 Make it clear a restart is required when setting the secret key 2013-10-01 17:10:42 +02:00
Greg Gates
e3d0a2ba45 Tweaks confirmation flow for signed_in users
For #2627

When allow_unconfirmed_access_for > 0, users may
be already signed in at the time they confirm
their account. Consequently, the default
confirmation should be compatible with this
possibility. Additionally, they should not be
redirected to the sign in form after confirmation
in this case. So I've changed
ConfirmationsController#after_confirmation_path_for
to send the user to the root path when signed in,
or the sign in form otherwise.

Conflicts:
	app/controllers/devise/confirmations_controller.rb
	config/locales/en.yml
2013-10-01 17:00:27 +02:00
11 changed files with 59 additions and 15 deletions

@@ -1,3 +1,16 @@
== 3.1.2
Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
* bug fix
* Avoid e-mail enumeration on sign in when in paranoid mode
== 3.1.1
* bug fix
* Improve default message which asked users to sign in even when they were already signed (by @gregates)
* Improve error message for when the `config.secret_key` is missing
== 3.1.0
Security announcement: http://blog.plataformatec.com.br/2013/08/devise-3-1-now-with-more-secure-defaults/
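
Review bot: The 3.1.2 entry lists only the paranoid-mode enumeration fix, but the commit list for this comparison also contains "Splat the arguments to strong_parameters#permit, fixes #2716", merged on 2013-10-31, after the 3.1.1 release. Add a bug fix line for it under 3.1.2 so users of the strong_parameters gem can tell which release carries the change.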

@@ -12,7 +12,7 @@ GIT
PATH
remote: .
specs:
devise (3.1.0)
devise (3.1.2)
bcrypt-ruby (~> 3.0)
orm_adapter (~> 0.1)
railties (>= 3.2.6, < 5)
@@ -48,7 +48,7 @@ GEM
tzinfo (~> 0.3.37)
arel (4.0.0)
atomic (1.1.12)
bcrypt-ruby (3.1.1)
bcrypt-ruby (3.1.2)
builder (3.1.4)
erubis (2.7.0)
faraday (0.8.8)

@@ -43,6 +43,8 @@ class Devise::ConfirmationsController < DeviseController
def after_confirmation_path_for(resource_name, resource)
if Devise.allow_insecure_sign_in_after_confirmation
after_sign_in_path_for(resource)
elsif signed_in?
signed_in_root_path(resource)
else
new_session_path(resource_name)
end
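
Review bot: `signed_in?` in the new `elsif` branch is called without a scope, and Devise's helper checks every scope when no argument is given, so a session under a different scope would also take this branch and be sent to `signed_in_root_path(resource)`. The method already receives `resource_name`; `elsif signed_in?(resource_name)` would limit the redirect to a session of the resource being confirmed.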

@@ -3,7 +3,7 @@
en:
devise:
confirmations:
confirmed: "Your account was successfully confirmed. Please sign in."
confirmed: "Your account was successfully confirmed."
confirmed_and_signed_in: "Your account was successfully confirmed. You are now signed in."
send_instructions: "You will receive an email with instructions about how to confirm your account in a few minutes."
send_paranoid_instructions: "If your email address exists in our database, you will receive an email with instructions about how to confirm your account in a few minutes."

@@ -1,7 +1,7 @@
PATH
remote: ..
specs:
devise (3.1.0)
devise (3.1.2)
bcrypt-ruby (~> 3.0)
orm_adapter (~> 0.1)
railties (>= 3.2.6, < 5)
@@ -39,8 +39,8 @@ GEM
i18n (~> 0.6, >= 0.6.4)
multi_json (~> 1.0)
arel (3.0.2)
atomic (1.1.13)
bcrypt-ruby (3.1.1)
atomic (1.1.14)
bcrypt-ruby (3.1.2)
builder (3.0.4)
erubis (2.7.0)
faraday (0.8.8)
@@ -125,7 +125,7 @@ GEM
tilt (~> 1.1, != 1.3.0)
sqlite3 (1.3.7)
thor (0.18.1)
thread_safe (0.1.2)
thread_safe (0.1.3)
atomic
tilt (1.4.1)
treetop (1.4.14)

@@ -47,19 +47,25 @@ module Devise
end
def sign_in
default_params.permit self.for(:sign_in)
permit self.for(:sign_in)
end
def sign_up
default_params.permit self.for(:sign_up)
permit self.for(:sign_up)
end
def account_update
default_params.permit self.for(:account_update)
permit self.for(:account_update)
end
private
# TODO: We do need to flatten so it works with strong_parameters
# gem. We should drop it once we move to Rails 4 only support.
def permit(keys)
default_params.permit(*Array(keys))
end
# Change for(kind) to return the values in the @permitted
# hash, allowing the developer to customize at runtime.
def default_for(kind)
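
Review bot: The TODO above the private `permit` says "flatten", but `default_params.permit(*Array(keys))` splats and does not flatten, so a nested array inside `keys` would still reach `permit` as an array. Reword the comment to say the keys are splatted for the strong_parameters gem. `Array(keys)` also turns a Hash into key/value pairs, so it is worth stating in the comment that `self.for(kind)` is expected to return an array.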

@@ -442,6 +442,7 @@ Devise.secret_key was not set. Please add the following to your Devise initializ
config.secret_key = '#{SecureRandom.hex(64)}'
Please ensure you restarted your application after installing Devise or setting the key.
ERROR
end

@@ -5,13 +5,16 @@ module Devise
# Default strategy for signing in a user, based on his email and password in the database.
class DatabaseAuthenticatable < Authenticatable
def authenticate!
resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
return fail(:not_found_in_database) unless resource
resource = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)
encrypted = false
if validate(resource){ resource.valid_password?(password) }
if validate(resource){ encrypted = true; resource.valid_password?(password) }
resource.after_database_authentication
success!(resource)
end
mapping.to.new.password = password if !encrypted && Devise.paranoid
fail(:not_found_in_database) unless resource
end
end
end
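
Review bot: `mapping.to.new.password = password if !encrypted && Devise.paranoid` relies on the side effect of the password setter and carries no comment, so its purpose (doing the hashing work when the `validate` block never ran, for the paranoid-mode e-mail enumeration fix named in the changelog) is easy to lose in a later cleanup. Add a comment saying so, and consider renaming `encrypted`, which reads as a property of the password rather than "the password check ran". None of the test hunks in this comparison exercise the new line; a test for the not-found case in paranoid mode would pin the behaviour.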

@@ -1,3 +1,3 @@
module Devise
VERSION = "3.1.0".freeze
VERSION = "3.1.2".freeze
end

@@ -56,7 +56,7 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
assert_not user.confirmed?
visit_user_confirmation_with_token(user.raw_confirmation_token)
assert_contain 'Your account was successfully confirmed. Please sign in.'
assert_contain 'Your account was successfully confirmed.'
assert_current_url '/users/sign_in'
assert user.reload.confirmed?
end
@@ -135,6 +135,16 @@ class ConfirmationTest < ActionDispatch::IntegrationTest
end
end
test 'unconfirmed but signed in user should be redirected to their root path' do
swap Devise, :allow_unconfirmed_access_for => 1.day do
user = sign_in_as_user(:confirm => false)
visit_user_confirmation_with_token(user.raw_confirmation_token)
assert_contain 'Your account was successfully confirmed.'
assert_current_url '/'
end
end
test 'error message is configurable by resource name' do
store_translations :en, :devise => {
:failure => { :user => { :unconfirmed => "Not confirmed user" } }
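
Review bot: The new test 'unconfirmed but signed in user should be redirected to their root path' checks the flash message and the URL but never asserts that the user ended up confirmed, while the existing test in the hunk above ends with `assert user.reload.confirmed?`. Add the same assertion after `assert_current_url '/'` so the redirect cannot pass on an unconfirmed record.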

@@ -68,5 +68,14 @@ if defined?(ActionController::StrongParameters)
sanitizer.sanitize(:unknown)
end
end
test 'passes parameters to filter as arguments to sanitizer' do
params = {user: stub}
sanitizer = Devise::ParameterSanitizer.new(User, :user, params)
params[:user].expects(:permit).with(kind_of(Symbol), kind_of(Symbol), kind_of(Symbol))
sanitizer.sanitize(:sign_in)
end
end
end
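
Review bot: The expectation `with(kind_of(Symbol), kind_of(Symbol), kind_of(Symbol))` pins the number of sign-in keys at three without checking which keys are passed, so it fails if the defaults change and passes for any three symbols. Assert on the concrete keys returned for `:sign_in`, and add the same check for `:sign_up` and `:account_update`, which go through the same private `permit`.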