Release 2.0.6

Yes we still support Ruby 1.8 😢

Conflicts:
	Gemfile.lock

CHANGELOG.rdoc

@@ -1,4 +1,19 @@
-== 2.0.3
+== 2.0.6
+
+* bug fix
+  * Do not confirm account after reset password
+
+== 2.0.5
+
+* bug fix
+  * Require string conversion for all values
+
+== 2.0.4
+
+* bug fix
+  * Fix a regression that caused Warden to be initialized too late
+
+== 2.0.3 (yanked)
 
 * bug fix
   * Ensure warning is not shown by mistake on apps with mounted engines
@@ -8,8 +23,6 @@
 
 == 2.0.2
 
-Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.0
-
 * enhancements
   * Add devise_i18n_options to customize I18n message
 
@@ -114,7 +127,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 * bug fix
   * Fix backward incompatible change from 1.4.6 for those using custom controllers
 
-== 1.4.6
+== 1.4.6 (yanked)
 
 * enhancements
   * Allow devise_for :skip => :all

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (2.0.2)
+    devise (2.0.6)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.0.3)
       railties (~> 3.1)
@@ -39,7 +39,7 @@ GEM
       multi_json (~> 1.0)
     addressable (2.2.6)
     arel (3.0.0)
-    bcrypt-ruby (3.0.1)
+    bcrypt-ruby (3.1.1)
     bson (1.5.1)
     bson_ext (1.3.1)
     builder (3.0.0)
@@ -87,7 +87,7 @@ GEM
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
-    orm_adapter (0.0.6)
+    orm_adapter (0.0.7)
     polyglot (0.3.3)
     rack (1.4.1)
     rack-cache (1.1)

gemfiles/Gemfile.rails-3.1.x.lock

@@ -1,7 +1,7 @@
 PATH
   remote: ..
   specs:
-    devise (2.0.2)
+    devise (2.0.6)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.0.3)
       railties (~> 3.1)
@@ -40,7 +40,7 @@ GEM
       multi_json (~> 1.0)
     addressable (2.2.7)
     arel (2.2.1)
-    bcrypt-ruby (3.0.1)
+    bcrypt-ruby (3.1.1)
     bson (1.5.2)
     bson_ext (1.3.1)
     builder (3.0.0)
@@ -87,7 +87,7 @@ GEM
     omniauth-openid (1.0.1)
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
-    orm_adapter (0.0.6)
+    orm_adapter (0.0.7)
     polyglot (0.3.3)
     rack (1.3.6)
     rack-cache (1.1)

lib/devise/models/authenticatable.rb

@@ -154,17 +154,20 @@ module Devise
         # namedscope to filter records while authenticating.
         # Example:
         #
-        #   def self.find_for_authentication(conditions={})
+        #   def self.find_for_authentication(tainted_conditions)
-        #     conditions[:active] = true
+        #     find_first_by_auth_conditions(tainted_conditions, :active => true)
-        #     super
         #   end
         #
-        def find_for_authentication(conditions)
+        # Finally, notice that Devise also queries for users in other scenarios
-          find_first_by_auth_conditions(conditions)
+        # besides authentication, for example when retrieving an user to send
+        # an e-mail for password reset. In such cases, find_for_authentication
+        # is not called.
+        def find_for_authentication(tainted_conditions)
+          find_first_by_auth_conditions(tainted_conditions)
         end
 
-        def find_first_by_auth_conditions(conditions)
+        def find_first_by_auth_conditions(tainted_conditions, opts={})
-          to_adapter.find_first devise_param_filter.filter(conditions)
+          to_adapter.find_first(devise_param_filter.filter(tainted_conditions).merge(opts))
         end
 
         # Find an initialize a record setting an error if it can't be found.
@@ -210,4 +213,4 @@ module Devise
       end
     end
   end
-end
+end

lib/devise/models/confirmable.rb

@@ -165,11 +165,6 @@ module Devise
           generate_confirmation_token && save(:validate => false)
         end
 
-        def after_password_reset
-          super
-          confirm! unless confirmed?
-        end
-
         def postpone_email_change_until_confirmation
           @reconfirmation_required = true
           self.unconfirmed_email = self.email

lib/devise/param_filter.rb

@@ -33,9 +33,8 @@ module Devise
 
     private
 
-    # Determine which values should be transformed to string or passed as-is to the query builder underneath
     def param_requires_string_conversion?(value)
-      [Fixnum, TrueClass, FalseClass, Regexp].none? {|clz| value.is_a? clz }
+      true
     end
   end
 end

lib/devise/rails.rb

@@ -87,8 +87,6 @@ module Devise
       end
 
       config.after_initialize do
-        Devise.configure_warden!
-
         example = <<-YAML
 en:
   devise:

lib/devise/rails/routes.rb

@@ -7,11 +7,8 @@ module ActionDispatch::Routing
     def finalize_with_devise!
       result = finalize_without_devise!
 
-      # If @devise_finalized was defined, it means devise_for was invoked
+      @devise_finalized ||= begin
-      # in this router, so we proceed to generate devise helpers unless
+        if Devise.router_name.nil? && defined?(@devise_finalized) && self != Rails.application.try(:routes)
-      # they were already defined (which then @devise_finalizd would be true).
-      if defined?(@devise_finalized) && !@devise_finalized
-        if Devise.router_name.nil? && self != Rails.application.try(:routes)
           warn "[DEVISE] We have detected that you are using devise_for inside engine routes. " \
             "In this case, you probably want to set Devise.router_name = MOUNT_POINT, where "   \
             "MOUNT_POINT is a symbol representing where this engine will be mounted at. For "   \
@@ -19,8 +16,9 @@ module ActionDispatch::Routing
             " to :main_app as well in case you want to keep the current behavior."
         end
 
+        Devise.configure_warden!
         Devise.regenerate_helpers!
-        @devise_finalized = true
+        true
       end
 
       result

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "2.0.3".freeze
+  VERSION = "2.0.6".freeze
 end

test/integration/recoverable_test.rb

@@ -195,15 +195,6 @@ class PasswordTest < ActionController::IntegrationTest
     assert !warden.authenticated?(:user)
   end
 
-  test 'sign in user automatically and confirm after changing its password if it\'s not confirmed' do
-    user = create_user(:confirm => false)
-    request_forgot_password
-    reset_password :reset_password_token => user.reload.reset_password_token
-
-    assert warden.authenticated?(:user)
-    assert user.reload.confirmed?
-  end
-
   test 'reset password request with valid E-Mail in XML format should return valid response' do
     create_user
     post user_password_path(:format => 'xml'), :user => {:email => "user@test.com"}

test/models/authenticatable_test.rb

@@ -0,0 +1,9 @@
+require 'test_helper'
+
+class AuthenticatableTest < ActiveSupport::TestCase
+  test 'find_first_by_auth_conditions allows custom filtering parameters' do
+    user = User.create!(:email => "example@example.com", :password => "123456")
+    assert_equal User.find_first_by_auth_conditions({ :email => "example@example.com" }), user
+    assert_equal User.find_first_by_auth_conditions({ :email => "example@example.com" }, :id => user.id + 1), nil
+  end
+end

test/models/database_authenticatable_test.rb

@@ -23,15 +23,9 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
   end
 
   test "param filter should not convert booleans and integer to strings" do
-    conditions = { 'login' => 'foo@bar.com', "bool1" => true, "bool2" => false, "fixnum" => 123, "will_be_converted" => (1..10) }
+    conditions = { "login" => "foo@bar.com", "bool1" => true, "bool2" => false, "fixnum" => 123, "will_be_converted" => (1..10) }
     conditions = Devise::ParamFilter.new([], []).filter(conditions)
-    assert_equal( { 'login' => 'foo@bar.com', "bool1" => true, "bool2" => false, "fixnum" => 123, "will_be_converted" => "1..10" }, conditions)
+    assert_equal( { "login" => "foo@bar.com", "bool1" => "true", "bool2" => "false", "fixnum" => "123", "will_be_converted" => "1..10" }, conditions)
-  end
-
-  test "param filter should not convert regular expressions to strings" do
-    conditions = { "regexp" => /expression/ }
-    conditions = Devise::ParamFilter.new([], []).filter(conditions)
-    assert_equal( { "regexp" => /expression/ }, conditions)
   end
 
   test 'should respond to password and password confirmation' do