Release 1.4.2.

CHANGELOG.rdoc

@@ -1,3 +1,9 @@
+== 1.4.2
+
+* bug fix
+  * Improve Rails 3.1 compatibility
+  * Provide a more robust behavior to serializers and add :force_except option
+
 == 1.4.1
 
 * enhancements

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    devise (1.4.0)
+    devise (1.4.1)
       bcrypt-ruby (~> 2.1.2)
       orm_adapter (~> 0.0.3)
       warden (~> 1.0.3)
@@ -91,7 +91,7 @@ GEM
     oauth2 (0.1.1)
       faraday (~> 0.5.0)
       multi_json (~> 0.0.4)
-    orm_adapter (0.0.4)
+    orm_adapter (0.0.5)
     polyglot (0.3.1)
     rack (1.2.2)
     rack-mount (0.6.14)

lib/devise/models/authenticatable.rb

@@ -1,4 +1,5 @@
 require 'devise/hooks/activatable'
+require 'devise/models/serializable'
 
 module Devise
   module Models
@@ -46,6 +47,8 @@ module Devise
     module Authenticatable
       extend ActiveSupport::Concern
 
+      include Devise::Models::Serializable
+
       included do
         class_attribute :devise_modules, :instance_writer => false
         self.devise_modules ||= []
@@ -76,20 +79,6 @@ module Devise
       def authenticatable_salt
       end
 
-      # TODO: to_xml does not call serializable_hash. Hopefully someone will fix this in AR.
-      %w(to_xml serializable_hash).each do |method|
-        class_eval <<-RUBY, __FILE__, __LINE__
-          def #{method}(options={})
-            if self.class.respond_to?(:accessible_attributes)
-              options = { :only => self.class.accessible_attributes.to_a }.merge(options || {})
-              super(options)
-            else
-              super
-            end
-          end
-        RUBY
-      end
-
       module ClassMethods
         Devise::Models.config(self, :authentication_keys, :request_keys, :strip_whitespace_keys, :case_insensitive_keys, :http_authenticatable, :params_authenticatable)
 

lib/devise/models/serializable.rb

@@ -0,0 +1,43 @@
+module Devise
+  module Models
+    # This module redefine to_xml and serializable_hash in models for more
+    # secure defaults. By default, it removes from the serializable model
+    # all attributes that are *not* accessible. You can remove this default
+    # by using :force_except and passing a new list of attributes you want
+    # to exempt. All attributes given to :except will simply add names to
+    # exempt to Devise internal list.
+    module Serializable
+      extend ActiveSupport::Concern
+
+      # TODO: to_xml does not call serializable_hash. Hopefully someone will fix this in AR.
+      %w(to_xml serializable_hash).each do |method|
+        class_eval <<-RUBY, __FILE__, __LINE__
+          def #{method}(options=nil)
+            options ||= {}
+            if options.key?(:force_except)
+              options[:except] = options.delete(:force_except)
+              super(options)
+            elsif self.class.blacklist_keys?
+              except = Array(options[:except])
+              super(options.merge(:except => except + self.class.blacklist_keys))
+            else
+              super
+            end
+          end
+        RUBY
+      end
+
+      module ClassMethods
+        # Return true if we can retrieve blacklist keys from the record.
+        def blacklist_keys?
+          @has_except_keys ||= respond_to?(:accessible_attributes) && !accessible_attributes.to_a.empty?
+        end
+
+        # Returns keys that should be removed when serializing the record.
+        def blacklist_keys
+          @blacklist_keys ||= to_adapter.column_names.map(&:to_s) - accessible_attributes.to_a.map(&:to_s)
+        end
+      end
+    end
+  end
+end

lib/devise/strategies/rememberable.rb

@@ -9,14 +9,15 @@ module Devise
     class Rememberable < Authenticatable
       # A valid strategy for rememberable needs a remember token in the cookies.
       def valid?
-        cookies.key?(remember_key)
+        @remember_cookie = nil
+        remember_cookie.present?
       end
 
       # To authenticate a user we deserialize the cookie and attempt finding
       # the record in the database. If the attempt fails, we pass to another
       # strategy handle the authentication.
       def authenticate!
-        resource = mapping.to.serialize_from_cookie(*cookies.signed[remember_key])
+        resource = mapping.to.serialize_from_cookie(*remember_cookie)
 
         if validate(resource)
           success!(resource)
@@ -40,6 +41,11 @@ module Devise
       def remember_key
         "remember_#{scope}_token"
       end
+
+      def remember_cookie
+        @remember_cookie ||= cookies.signed[remember_key]
+      end
+
     end
   end
 end

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "1.4.1".freeze
+  VERSION = "1.4.2".freeze
 end

lib/generators/devise/views_generator.rb

@@ -52,7 +52,7 @@ module Devise
 
     class SimpleFormForGenerator < Rails::Generators::Base #:nodoc:
       include ViewPathTemplates
-      source_root File.expand_path("../simple_form_for", __FILE__)
+      source_root File.expand_path("../../templates/simple_form_for", __FILE__)
       desc "Copies simple form enabled views to your application."
     end
 

lib/generators/templates/simple_form_for/confirmations/new.html.erb

@@ -4,7 +4,7 @@
   <%= f.error_notification %>
 
   <div class="inputs">
-    <%= f.input :email %>
+    <%= f.input :email, :required => true %>
   </div>
 
   <div class="actions">

lib/generators/templates/simple_form_for/passwords/edit.html.erb

@@ -7,7 +7,7 @@
   <%= f.full_error :reset_password_token %>
 
   <div class="inputs">
-    <%= f.input :password, :label => "New password" %>
+    <%= f.input :password, :label => "New password", :required => true %>
     <%= f.input :password_confirmation, :label => "Confirm your new password", :required => true %>
   </div>
 

lib/generators/templates/simple_form_for/passwords/new.html.erb

@@ -4,7 +4,7 @@
   <%= f.error_notification %>
 
   <div class="inputs">
-    <%= f.input :email %>
+    <%= f.input :email, :required => true %>
   </div>
 
   <div class="actions">

lib/generators/templates/simple_form_for/unlocks/new.html.erb

@@ -4,7 +4,7 @@
   <%= f.error_notification %>
 
   <div class="inputs">
-    <%= f.input :email %>
+    <%= f.input :email, :required => true %>
   </div>
 
   <div class="actions">

test/models/serializable_test.rb

@@ -0,0 +1,38 @@
+require 'test_helper'
+
+class SerializableTest < ActiveSupport::TestCase
+  setup do
+    @user = create_user
+  end
+
+  test 'should not include unsafe keys on XML' do
+    assert_match /email/, @user.to_xml 
+    assert_no_match /confirmation-token/, @user.to_xml 
+  end
+
+  test 'should not include unsafe keys on XML even if a new except is provided' do
+    assert_no_match /email/, @user.to_xml(:except => :email)
+    assert_no_match /confirmation-token/, @user.to_xml(:except => :email)
+  end
+
+  test 'should include unsafe keys on XML if a force_except is provided' do
+    assert_no_match /email/, @user.to_xml(:force_except => :email)
+    assert_match /confirmation-token/, @user.to_xml(:force_except => :email)
+  end
+
+  test 'should not include unsafe keys on JSON' do
+    assert_match /"email":/, @user.to_json 
+    assert_no_match /"confirmation_token":/, @user.to_json 
+  end
+
+  test 'should not include unsafe keys on JSON even if a new except is provided' do
+    assert_no_match /"email":/, @user.to_json(:except => :email)
+    assert_no_match /"confirmation_token":/, @user.to_json(:except => :email)
+  end
+
+  test 'should include unsafe keys on JSON if a force_except is provided' do
+    assert_no_match /"email":/, @user.to_json(:force_except => :email)
+    assert_match /"confirmation_token":/, @user.to_json(:force_except => :email)
+  end
+
+end