Release v3.2.3

Update password_length docs in config template

.gitignore

@@ -8,3 +8,4 @@ rdoc/*
 pkg
 log
 test/tmp/*
+gemfiles/*.lock

.travis.yml

@@ -1,14 +1,22 @@
 language: ruby
 script: "bundle exec rake test"
+before_install:
+  - gem install bundler -v '>= 1.5.1'
 rvm:
   - 1.9.3
   - 2.0.0
+  - 2.1.0
 env:
   - DEVISE_ORM=mongoid
   - DEVISE_ORM=active_record
 gemfile:
-  - gemfiles/Gemfile.rails-3.2.x
+  - gemfiles/Gemfile.rails-head
+  - gemfiles/Gemfile.rails-4.0-stable
+  - gemfiles/Gemfile.rails-3.2-stable
   - Gemfile
+matrix:
+  allow_failures:
+    - gemfile: gemfiles/Gemfile.rails-head
 services:
   - mongodb
 notifications:

CHANGELOG.md

@@ -1,3 +1,21 @@
+### Unreleased
+
+### 3.2.3
+
+* enhancements
+  * Devise will use the `secret_key_base` on Rails 4+ applications as its `secret_key`.
+    You can change this and use your own secret by changing the `devise.rb` initializer.
+
+* bug fix
+  * Migrations will be properly generated when using rails 4.1.0.
+
+### 3.2.2
+
+* bug fix
+  * Ensure timeoutable works when `sign_out_all_scopes` is false (by @louman)
+  * Keep the query string when storing location (by @csexton)
+  * Require rails generator base class in devise generators
+
 ### 3.2.1
 
 Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumeration-in-devise-in-paranoid-mode
@@ -16,7 +34,7 @@ Security announcement: http://blog.plataformatec.com.br/2013/11/e-mail-enumerati
   * Previously deprecated token authenticatable and insecure lookups have been removed
   * Add a class method so you can encrypt passwords from fixtures (by @tenderlove)
   * Send custom message when user enters invalid password and it has only one attempt
-  to enter correct password before his account will be locked (by @Lightpower)
+  to enter correct password before their account will be locked (by @Lightpower)
   * Prevent mutation of values assigned to case and whitespace santitized members (by @iamvery)
   * Separate redirects and flash messages in `navigational_formats` and `flashing_formats` (by @ssendev)
 
@@ -84,9 +102,6 @@ Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixat
 * bug fix
   * Errors on unlock are now properly reflected on the first `unlock_keys`
 
-* backwards incompatible changes
-  * Changes on session storage will expire all existing sessions on upgrade. For those storing the session in the DB, they can be upgraded according to this gist: https://gist.github.com/moll/6417606
-
 ### 2.2.4
 
 * enhancements
@@ -103,6 +118,9 @@ Security announcement: http://blog.plataformatec.com.br/2013/08/csrf-token-fixat
   * Fix inheriting mailer templates from `Devise::Mailer`
   * Fix a bug when procs are used as default mailer in Devise (by @tomasv)
 
+* backwards incompatible changes
+  * Changes on session storage will expire all existing sessions on upgrade. For those storing the session in the DB, they can be upgraded according to this gist: https://gist.github.com/moll/6417606
+
 ### 2.2.3
 
 Security announcement: http://blog.plataformatec.com.br/2013/01/security-announcement-devise-v2-2-3-v2-1-3-v2-0-5-and-v1-5-3-released/
@@ -383,7 +401,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 ### 1.4.0
 
 * enhancements
-  * Added authenticated and unauthenticated to the router to route the used based on his status (by @sj26)
+  * Added authenticated and unauthenticated to the router to route the used based on their status (by @sj26)
   * Improve e-mail regexp (by @rodrigoflores)
   * Add strip_whitespace_keys and default to e-mail (by @swrobel)
   * Do not run format and uniqueness validations on e-mail if it hasn't changed (by @Thibaut)
@@ -392,7 +410,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 
 * bug fix
   * password_required? should not affect length validation
-  * User cannot access sign up and similar pages if he is already signed in through a cookie or token
+  * User cannot access sign up and similar pages if they are already signed in through a cookie or token
   * Do not convert booleans to strings on finders (by @xavier)
   * Run validations even if current_password fails (by @crx)
   * Devise now honors routes constraints (by @macmartine)
@@ -500,10 +518,10 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
   * Ensure the friendly token does not include "_" or "-" since some e-mails may not autolink it properly (by @rymai)
   * Extracted encryptors into :encryptable for better bcrypt support
   * :rememberable is now able to use salt as token if no remember_token is provided
-  * Store the salt in session and expire the session if the user changes his password
+  * Store the salt in session and expire the session if the user changes their password
   * Allow :stateless_token to be set to true avoiding users to be stored in session through token authentication
   * cookie_options uses session_options values by default
-  * Sign up now check if the user is active or not and redirect him accordingly setting the inactive_signed_up message
+  * Sign up now checks if the user is active or not and redirect them accordingly, setting the inactive_signed_up message
   * Use ActiveModel#to_key instead of #id
   * sign_out_all_scopes now destroys the whole session
   * Added case_insensitive_keys that automatically downcases the given keys, by default downcases only e-mail (by @adahl)
@@ -946,7 +964,7 @@ Notes: https://github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.
 
 * deprecations
   * Renamed confirm_in to confirm_within
-  * Do not send confirmation messages when user changes his e-mail
+  * Do not send confirmation messages when user changes their e-mail
   * Renamed authenticable to authenticatable and added deprecation warnings
 
 ### 0.2.3

CONTRIBUTING.md

@@ -1,8 +1,8 @@
 ### Please read before contributing
 
-1) Do not post questions in the issues tracker. If you have any questions about Devise, search the [Wiki](https://github.com/plataformatec/devise/wiki) or use the [Mailing List](https://groups.google.com/group/plataformatec-devise) or [Stack Overflow](http://stackoverflow.com/questions/tagged/devise). 
+1) Do not post questions in the issues tracker. If you have any questions about Devise, search the [Wiki](https://github.com/plataformatec/devise/wiki) or use the [Mailing List](https://groups.google.com/group/plataformatec-devise) or [Stack Overflow](http://stackoverflow.com/questions/tagged/devise).
 
-2) If you find a security bug, **DO NOT** submit an issue here. Please send an e-mail to [developers@plataformatec.com.br](mailto:developers@plataformatec.com.br) instead.
+2) If you find a security bug, **DO NOT** submit an issue here. Please send an e-mail to [opensource@plataformatec.com.br](mailto:opensource@plataformatec.com.br) instead.
 
 3) Do a small search on the issues tracker before submitting your issue to see if it was already reported / fixed.
 

Gemfile

@@ -24,8 +24,6 @@ platforms :ruby do
   gem "sqlite3"
 end
 
-platforms :mri_19, :mri_20 do
-  group :mongoid do
-    gem "mongoid", github: "mongoid/mongoid", branch: "master"
-  end
+group :mongoid do
+  gem "mongoid", github: "mongoid/mongoid", branch: "master"
 end

Gemfile.lock

@@ -12,7 +12,7 @@ GIT
 PATH
   remote: .
   specs:
-    devise (3.2.1)
+    devise (3.2.3)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
       railties (>= 3.2.6, < 5)
@@ -90,7 +90,7 @@ GEM
       omniauth (~> 1.0)
       rack-openid (~> 1.3.1)
     origin (1.1.0)
-    orm_adapter (0.4.0)
+    orm_adapter (0.5.0)
     polyglot (0.3.3)
     rack (1.5.2)
     rack-openid (1.3.1)

MIT-LICENSE

@@ -1,4 +1,4 @@
-Copyright 2009-2013 Plataformatec. http://plataformatec.com.br
+Copyright 2009-2014 Plataformatec. http://plataformatec.com.br
 
 Permission is hereby granted, free of charge, to any person obtaining
 a copy of this software and associated documentation files (the

README.md

@@ -17,7 +17,7 @@ Devise is a flexible authentication solution for Rails based on Warden. It:
 It's composed of 10 modules:
 
 * [Database Authenticatable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/DatabaseAuthenticatable): encrypts and stores a password in the database to validate the authenticity of a user while signing in. The authentication can be done both through POST requests or HTTP Basic Authentication.
-* [Omniauthable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Omniauthable): adds Omniauth (https://github.com/intridea/omniauth) support;
+* [Omniauthable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Omniauthable): adds Omniauth (https://github.com/intridea/omniauth) support.
 * [Confirmable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Confirmable): sends emails with confirmation instructions and verifies whether an account is already confirmed during sign in.
 * [Recoverable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Recoverable): resets the user password and sends reset instructions.
 * [Registerable](http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Registerable): handles signing up users through a registration process, also allowing them to edit and destroy their account.
@@ -43,7 +43,7 @@ If you discover a problem with Devise, we would like to know about it. However,
 
 https://github.com/plataformatec/devise/wiki/Bug-reports
 
-If you found a security bug, do *NOT* use the GitHub issue tracker. Send an email to the maintainers listed at the bottom of the README.
+If you found a security bug, do *NOT* use the GitHub issue tracker. Send an email to opensource@plataformatec.com.br.
 
 ### Mailing list
 
@@ -110,9 +110,15 @@ The generator will install an initializer which describes ALL Devise's configura
 rails generate devise MODEL
 ```
 
-Replace MODEL by the class name used for the applications users, it's frequently `User` but could also be `Admin`. This will create a model (if one does not exist) and configure it with default Devise modules. Next, you'll usually run `rake db:migrate` as the generator will have created a migration file (if your ORM supports them). This generator also configures your config/routes.rb file to point to the Devise controller.
+Replace MODEL by the class name used for the applications users, it's frequently `User` but could also be `Admin`. This will create a model (if one does not exist) and configure it with default Devise modules. Next, you'll usually run `rake db:migrate` as the generator will have created a migration file (if your ORM supports them). This generator also configures your `config/routes.rb` file to point to the Devise controller.
 
-Note that you should re-start your app here if you've already started it. Otherwise you'll run into strange errors like users being unable to login and the route helpers being undefined.
+Next, you need to set up the default url options for the Devise mailer in each environment. Here is a possible configuration for `config/environments/development.rb`:
+
+```ruby
+config.action_mailer.default_url_options = { host: 'localhost:3000' }
+```
+
+You should restart your application after changing Devise's configuration options. Otherwise you'll run into strange errors like users being unable to login and route helpers being undefined.
 
 ### Controller filters and helpers
 
@@ -140,21 +146,15 @@ You can access the session for this scope:
 user_session
 ```
 
-After signing in a user, confirming the account or updating the password, Devise will look for a scoped root path to redirect. Example: For a :user resource, it will use `user_root_path` if it exists, otherwise default `root_path` will be used. This means that you need to set the root inside your routes:
+After signing in a user, confirming the account or updating the password, Devise will look for a scoped root path to redirect. For instance, for a `:user` resource, the `user_root_path` will be used if it exists, otherwise the default `root_path` will be used. This means that you need to set the root inside your routes:
 
 ```ruby
 root to: "home#index"
 ```
 
-You can also overwrite `after_sign_in_path_for` and `after_sign_out_path_for` to customize your redirect hooks.
+You can also override `after_sign_in_path_for` and `after_sign_out_path_for` to customize your redirect hooks.
 
-Finally, you need to set up default url options for the mailer in each environment. Here is the configuration for "config/environments/development.rb":
-
-```ruby
-config.action_mailer.default_url_options = { :host => 'localhost:3000' }
-```
-
-Notice that if your devise model is not called "user" but "member", then the helpers you should use are:
+Notice that if your Devise model is called `Member` instead of `User`, for example, then the helpers available are:
 
 ```ruby
 before_filter :authenticate_member!
@@ -168,19 +168,19 @@ member_session
 
 ### Configuring Models
 
-The devise method in your models also accepts some options to configure its modules. For example, you can choose the cost of the encryption algorithm with:
+The Devise method in your models also accepts some options to configure its modules. For example, you can choose the cost of the encryption algorithm with:
 
 ```ruby
-devise :database_authenticatable, :registerable, :confirmable, :recoverable, :stretches => 20
+devise :database_authenticatable, :registerable, :confirmable, :recoverable, stretches: 20
 ```
 
-Besides :stretches, you can define :pepper, :encryptor, :confirm_within, :remember_for, :timeout_in, :unlock_in and other values. For details, see the initializer file that was created when you invoked the "devise:install" generator described above.
+Besides `:stretches`, you can define `:pepper`, `:encryptor`, `:confirm_within`, `:remember_for`, `:timeout_in`, `:unlock_in` among other options. For more details, see the initializer file that was created when you invoked the "devise:install" generator described above.
 
 ### Strong Parameters
 
 When you customize your own views, you may end up adding new attributes to forms. Rails 4 moved the parameter sanitization from the model to the controller, causing Devise to handle this concern at the controller as well.
 
-There are just three actions in Devise that allows any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and the permited parameters by default are:
+There are just three actions in Devise that allows any set of parameters to be passed down to the model, therefore requiring sanitization. Their names and the permitted parameters by default are:
 
 * `sign_in` (`Devise::SessionsController#new`) - Permits only the authentication keys (like `email`)
 * `sign_up` (`Devise::RegistrationsController#create`) - Permits authentication keys plus `password` and `password_confirmation`
@@ -200,7 +200,9 @@ class ApplicationController < ActionController::Base
 end
 ```
 
-To completely change Devise defaults or invoke custom behaviour, you can also pass a block:
+The above works for any additional fields where the parameters are simple scalar types. If you have nested attributes (say you're using `accepts_nested_parameters_for`), then you will need to tell devise about those nestings and types. Devise allows you to completely change Devise defaults or invoke custom behaviour by passing a block:
+
+To permit simple scalar values for username and email, use this
 
 ```ruby
 def configure_permitted_parameters
@@ -208,6 +210,17 @@ def configure_permitted_parameters
 end
 ```
 
+If you have some checkboxes that express the roles a user may take on registration, the browser will send those selected checkboxes as an array. An array is not one of Strong Parameters permitted scalars, so we need to configure Devise thusly:
+
+```ruby
+def configure_permitted_parameters
+  devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(roles: [], :email, :password, :password_confirmation) }
+end
+```
+For the list of permitted scalars, and how to declare permitted keys in nested hashes and arrays, see
+
+https://github.com/rails/strong_parameters#nested-parameters
+
 If you have multiple Devise models, you may want to set up different parameter sanitizer per model. In this case, we recommend inheriting from `Devise::ParameterSanitizer` and add your own logic:
 
 ```ruby
@@ -246,9 +259,9 @@ Since Devise is an engine, all its views are packaged inside the gem. These view
 rails generate devise:views
 ```
 
-If you have more than one Devise model in your application (such as "User" and "Admin"), you will notice that Devise uses the same views for all models. Fortunately, Devise offers an easy way to customize views. All you need to do is set "config.scoped_views = true" inside "config/initializers/devise.rb".
+If you have more than one Devise model in your application (such as `User` and `Admin`), you will notice that Devise uses the same views for all models. Fortunately, Devise offers an easy way to customize views. All you need to do is set `config.scoped_views = true` inside the `config/initializers/devise.rb` file.
 
-After doing so, you will be able to have views based on the role like "users/sessions/new" and "admins/sessions/new". If no view is found within the scope, Devise will use the default view at "devise/sessions/new". You can also use the generator to generate scoped views:
+After doing so, you will be able to have views based on the role like `users/sessions/new` and `admins/sessions/new`. If no view is found within the scope, Devise will use the default view at `devise/sessions/new`. You can also use the generator to generate scoped views:
 
 ```console
 rails generate devise:views users
@@ -270,19 +283,45 @@ If the customization at the views level is not enough, you can customize each co
 2. Tell the router to use this controller:
 
     ```ruby
-    devise_for :admins, :controllers => { :sessions => "admins/sessions" }
+    devise_for :admins, controllers: { sessions: "admins/sessions" }
     ```
 
-3. And since we changed the controller, it won't use the `"devise/sessions"` views, so remember to copy `"devise/sessions"` to `"admin/sessions"`.
+3. Copy the views from `devise/sessions` to `admins/sessions`. Since the controller was changed, it won't use the default views located in `devise/sessions`.
 
-    Remember that Devise uses flash messages to let users know if sign in was successful or failed. Devise expects your application to call `"flash[:notice]"` and `"flash[:alert]"` as appropriate. Do not print the entire flash hash, print specific keys or at least remove the `:timedout` key from the hash as Devise adds this key in some circumstances, this key is not meant for display.
+4. Finally, change or extend the desired controller actions.
+
+    You can completely override a controller action:
+
+    ```ruby
+    class Admins::SessionsController < Devise::SessionsController
+      def create
+        # custom sign-in code
+      end
+    end
+    ```
+
+    Or you can simply add new behaviour to it:
+
+    ```ruby
+    class Admins::SessionsController < Devise::SessionsController
+      def create
+        super do |resource|
+          BackgroundWorker.trigger(resource)
+        end
+      end
+    end
+    ```
+
+    This is useful for triggering background jobs or logging events during certain actions.
+
+Remember that Devise uses flash messages to let users know if sign in was successful or failed. Devise expects your application to call `flash[:notice]` and `flash[:alert]` as appropriate. Do not print the entire flash hash, print only specific keys. In some circumstances, Devise adds a `:timedout` key to the flash hash, which is not meant for display. Remove this key from the hash if you intend to print the entire hash.
 
 ### Configuring routes
 
 Devise also ships with default routes. If you need to customize them, you should probably be able to do it through the devise_for method. It accepts several options like :class_name, :path_prefix and so on, including the possibility to change path names for I18n:
 
 ```ruby
-devise_for :users, :path => "auth", :path_names => { :sign_in => 'login', :sign_out => 'logout', :password => 'secret', :confirmation => 'verification', :unlock => 'unblock', :registration => 'register', :sign_up => 'cmon_let_me_in' }
+devise_for :users, path: "auth", path_names: { sign_in: 'login', sign_out: 'logout', password: 'secret', confirmation: 'verification', unlock: 'unblock', registration: 'register', sign_up: 'cmon_let_me_in' }
 ```
 
 Be sure to check `devise_for` documentation for details.
@@ -291,11 +330,11 @@ If you have the need for more deep customization, for instance to also allow "/s
 
 ```ruby
 devise_scope :user do
-  get "sign_in", :to => "devise/sessions#new"
+  get "sign_in", to: "devise/sessions#new"
 end
 ```
 
-This way you tell devise to use the scope :user when "/sign_in" is accessed. Notice `devise_scope` is also aliased as `as` in your router.
+This way you tell Devise to use the scope `:user` when "/sign_in" is accessed. Notice `devise_scope` is also aliased as `as` in your router.
 
 ### I18n
 
@@ -339,7 +378,7 @@ https://github.com/plataformatec/devise/wiki/I18n
 
 ### Test helpers
 
-Devise includes some tests helpers for functional specs. In order to use them, you need to include Devise in your functional tests by adding the following to the bottom of your `test/test_helper.rb` file:
+Devise includes some test helpers for functional specs. In order to use them, you need to include Devise in your functional tests by adding the following to the bottom of your `test/test_helper.rb` file:
 
 ```ruby
 class ActionController::TestCase
@@ -351,7 +390,7 @@ If you're using RSpec, you can put the following inside a file named `spec/suppo
 
 ```ruby
 RSpec.configure do |config|
-  config.include Devise::TestHelpers, :type => :controller
+  config.include Devise::TestHelpers, type: :controller
 end
 ```
 
@@ -381,7 +420,7 @@ There are two things that is important to keep in mind:
 Devise comes with Omniauth support out of the box to authenticate with other providers. To use it, just specify your omniauth configuration in `config/initializers/devise.rb`:
 
 ```ruby
-config.omniauth :github, 'APP_ID', 'APP_SECRET', :scope => 'user,public_repo'
+config.omniauth :github, 'APP_ID', 'APP_SECRET', scope: 'user,public_repo'
 ```
 
 You can read more about Omniauth support in the wiki:
@@ -427,7 +466,7 @@ Devise supports ActiveRecord (default) and Mongoid. To choose other ORM, you jus
 
 ### Heroku
 
-Using devise on Heroku with Ruby on Rails 3.1 requires setting:
+Using Devise on Heroku with Ruby on Rails 3.1 requires setting:
 
 ```ruby
 config.assets.initialize_on_precompile = false
@@ -449,6 +488,6 @@ https://github.com/plataformatec/devise/graphs/contributors
 
 ## License
 
-MIT License. Copyright 2009-2013 Plataformatec. http://plataformatec.com.br
+MIT License. Copyright 2009-2014 Plataformatec. http://plataformatec.com.br
 
 You are not granted rights or licenses to the trademarks of the Plataformatec, including without limitation the Devise name or logo.

config/locales/en.yml

@@ -28,7 +28,7 @@ en:
       success: "Successfully authenticated from %{kind} account."
     passwords:
       no_token: "You can't access this page without coming from a password reset email. If you do come from a password reset email, please make sure you used the full URL provided."
-      send_instructions: "You will receive an email with instructions about how to reset your password in a few minutes."
+      send_instructions: "You will receive an email with instructions on how to reset your password in a few minutes."
       send_paranoid_instructions: "If your email address exists in our database, you will receive a password recovery link at your email address in a few minutes."
       updated: "Your password was changed successfully. You are now signed in."
       updated_not_active: "Your password was changed successfully."

devise.gemspec

@@ -9,7 +9,7 @@ Gem::Specification.new do |s|
   s.licenses    = ["MIT"]
   s.summary     = "Flexible authentication solution for Rails with Warden"
   s.email       = "contact@plataformatec.com.br"
-  s.homepage    = "http://github.com/plataformatec/devise"
+  s.homepage    = "https://github.com/plataformatec/devise"
   s.description = "Flexible authentication solution for Rails with Warden"
   s.authors     = ['José Valim', 'Carlos Antônio']
 

gemfiles/Gemfile.rails-3.2-stable

@@ -2,7 +2,7 @@ source "https://rubygems.org"
 
 gemspec :path => '..'
 
-gem "rails", "~> 3.2.6"
+gem "rails", github: 'rails/rails', branch: '3-2-stable'
 gem "omniauth", "~> 1.0.0"
 gem "omniauth-oauth2", "~> 1.0.0"
 gem "rdoc"
@@ -24,8 +24,6 @@ platforms :ruby do
   gem "sqlite3"
 end
 
-platforms :mri_19, :mri_20 do
-  group :mongoid do
-    gem "mongoid", "~> 3.0"
-  end
+group :mongoid do
+  gem "mongoid", "~> 3.0"
 end

gemfiles/Gemfile.rails-3.2.x.lock

@@ -1,159 +0,0 @@
-PATH
-  remote: ..
-  specs:
-    devise (3.2.1)
-      bcrypt-ruby (~> 3.0)
-      orm_adapter (~> 0.1)
-      railties (>= 3.2.6, < 5)
-      thread_safe (~> 0.1)
-      warden (~> 1.2.3)
-
-GEM
-  remote: https://rubygems.org/
-  specs:
-    actionmailer (3.2.14)
-      actionpack (= 3.2.14)
-      mail (~> 2.5.4)
-    actionpack (3.2.14)
-      activemodel (= 3.2.14)
-      activesupport (= 3.2.14)
-      builder (~> 3.0.0)
-      erubis (~> 2.7.0)
-      journey (~> 1.0.4)
-      rack (~> 1.4.5)
-      rack-cache (~> 1.2)
-      rack-test (~> 0.6.1)
-      sprockets (~> 2.2.1)
-    activemodel (3.2.14)
-      activesupport (= 3.2.14)
-      builder (~> 3.0.0)
-    activerecord (3.2.14)
-      activemodel (= 3.2.14)
-      activesupport (= 3.2.14)
-      arel (~> 3.0.2)
-      tzinfo (~> 0.3.29)
-    activeresource (3.2.14)
-      activemodel (= 3.2.14)
-      activesupport (= 3.2.14)
-    activesupport (3.2.14)
-      i18n (~> 0.6, >= 0.6.4)
-      multi_json (~> 1.0)
-    arel (3.0.2)
-    atomic (1.1.14)
-    bcrypt-ruby (3.1.2)
-    builder (3.0.4)
-    erubis (2.7.0)
-    faraday (0.8.8)
-      multipart-post (~> 1.2.0)
-    hashie (1.2.0)
-    hike (1.2.3)
-    httpauth (0.2.0)
-    i18n (0.6.5)
-    journey (1.0.4)
-    json (1.8.0)
-    jwt (0.1.8)
-      multi_json (>= 1.5)
-    mail (2.5.4)
-      mime-types (~> 1.16)
-      treetop (~> 1.4.8)
-    metaclass (0.0.1)
-    mime-types (1.23)
-    mocha (0.13.3)
-      metaclass (~> 0.0.1)
-    mongoid (3.1.4)
-      activemodel (~> 3.2)
-      moped (~> 1.4)
-      origin (~> 1.0)
-      tzinfo (~> 0.3.22)
-    moped (1.5.1)
-    multi_json (1.7.9)
-    multipart-post (1.2.0)
-    nokogiri (1.5.9)
-    oauth2 (0.8.1)
-      faraday (~> 0.8)
-      httpauth (~> 0.1)
-      jwt (~> 0.1.4)
-      multi_json (~> 1.0)
-      rack (~> 1.2)
-    omniauth (1.0.3)
-      hashie (~> 1.2)
-      rack
-    omniauth-facebook (1.4.0)
-      omniauth-oauth2 (~> 1.0.2)
-    omniauth-oauth2 (1.0.3)
-      oauth2 (~> 0.8.0)
-      omniauth (~> 1.0)
-    omniauth-openid (1.0.1)
-      omniauth (~> 1.0)
-      rack-openid (~> 1.3.1)
-    origin (1.1.0)
-    orm_adapter (0.4.0)
-    polyglot (0.3.3)
-    rack (1.4.5)
-    rack-cache (1.2)
-      rack (>= 0.4)
-    rack-openid (1.3.1)
-      rack (>= 1.1.0)
-      ruby-openid (>= 2.1.8)
-    rack-ssl (1.3.3)
-      rack
-    rack-test (0.6.2)
-      rack (>= 1.0)
-    rails (3.2.14)
-      actionmailer (= 3.2.14)
-      actionpack (= 3.2.14)
-      activerecord (= 3.2.14)
-      activeresource (= 3.2.14)
-      activesupport (= 3.2.14)
-      bundler (~> 1.0)
-      railties (= 3.2.14)
-    railties (3.2.14)
-      actionpack (= 3.2.14)
-      activesupport (= 3.2.14)
-      rack-ssl (~> 1.3.2)
-      rake (>= 0.8.7)
-      rdoc (~> 3.4)
-      thor (>= 0.14.6, < 2.0)
-    rake (10.1.0)
-    rdoc (3.12.2)
-      json (~> 1.4)
-    ruby-openid (2.2.3)
-    sprockets (2.2.2)
-      hike (~> 1.2)
-      multi_json (~> 1.0)
-      rack (~> 1.0)
-      tilt (~> 1.1, != 1.3.0)
-    sqlite3 (1.3.7)
-    thor (0.18.1)
-    thread_safe (0.1.3)
-      atomic
-    tilt (1.4.1)
-    treetop (1.4.14)
-      polyglot
-      polyglot (>= 0.3.1)
-    tzinfo (0.3.37)
-    warden (1.2.3)
-      rack (>= 1.0)
-    webrat (0.7.3)
-      nokogiri (>= 1.2.0)
-      rack (>= 1.0)
-      rack-test (>= 0.5.3)
-
-PLATFORMS
-  ruby
-
-DEPENDENCIES
-  activerecord-jdbc-adapter
-  activerecord-jdbcsqlite3-adapter
-  devise!
-  jruby-openssl
-  mocha (~> 0.13.1)
-  mongoid (~> 3.0)
-  omniauth (~> 1.0.0)
-  omniauth-facebook
-  omniauth-oauth2 (~> 1.0.0)
-  omniauth-openid (~> 1.0.1)
-  rails (~> 3.2.6)
-  rdoc
-  sqlite3
-  webrat (= 0.7.3)

gemfiles/Gemfile.rails-4.0-stable

@@ -0,0 +1,29 @@
+source "https://rubygems.org"
+
+gemspec :path => '..'
+
+gem "rails", github: 'rails/rails', branch: '4-0-stable'
+gem "omniauth", "~> 1.0.0"
+gem "omniauth-oauth2", "~> 1.0.0"
+gem "rdoc"
+
+group :test do
+  gem "omniauth-facebook"
+  gem "omniauth-openid", "~> 1.0.1"
+  gem "webrat", "0.7.3", :require => false
+  gem "mocha", "~> 0.13.1", :require => false
+end
+
+platforms :jruby do
+  gem "activerecord-jdbc-adapter"
+  gem "activerecord-jdbcsqlite3-adapter"
+  gem "jruby-openssl"
+end
+
+platforms :ruby do
+  gem "sqlite3"
+end
+
+group :mongoid do
+  gem "mongoid", github: "mongoid/mongoid", branch: "master"
+end

gemfiles/Gemfile.rails-head

@@ -0,0 +1,29 @@
+source "https://rubygems.org"
+
+gemspec :path => '..'
+
+gem "rails", github: 'rails/rails'
+gem "omniauth", "~> 1.0.0"
+gem "omniauth-oauth2", "~> 1.0.0"
+gem "rdoc"
+
+group :test do
+  gem "omniauth-facebook"
+  gem "omniauth-openid", "~> 1.0.1"
+  gem "webrat", "0.7.3", :require => false
+  gem "mocha", "~> 0.14", :require => false
+end
+
+platforms :jruby do
+  gem "activerecord-jdbc-adapter"
+  gem "activerecord-jdbcsqlite3-adapter"
+  gem "jruby-openssl"
+end
+
+platforms :ruby do
+  gem "sqlite3"
+end
+
+group :mongoid do
+  gem "mongoid", github: "mongoid/mongoid", branch: "master"
+end

lib/devise.rb

@@ -236,12 +236,12 @@ module Devise
   @@parent_mailer = "ActionMailer::Base"
 
   # The router Devise should use to generate routes. Defaults
-  # to :main_app. Should be overriden by engines in order
+  # to :main_app. Should be overridden by engines in order
   # to provide custom routes.
   mattr_accessor :router_name
   @@router_name = nil
 
-  # Set the omniauth path prefix so it can be overriden when
+  # Set the omniauth path prefix so it can be overridden when
   # Devise is used in a mountable engine
   mattr_accessor :omniauth_path_prefix
   @@omniauth_path_prefix = nil
@@ -274,7 +274,7 @@ module Devise
   mattr_accessor :paranoid
   @@paranoid = false
 
-  # When true, warn user if he just used next-to-last attempt of authentication
+  # When true, warn user if they just used next-to-last attempt of authentication
   mattr_accessor :last_attempt_warning
   @@last_attempt_warning = false
 

lib/devise/controllers/helpers.rb

@@ -98,7 +98,7 @@ module Devise
         request.env["devise.allow_params_authentication"] = true
       end
 
-      # The scope root url to be used when he's signed in. By default, it first
+      # The scope root url to be used when they're signed in. By default, it first
       # tries to find a resource_root_path, otherwise it uses the root_path.
       def signed_in_root_path(resource_or_scope)
         scope = Devise::Mapping.find_scope!(resource_or_scope)

lib/devise/controllers/scoped_views.rb

@@ -14,4 +14,4 @@ module Devise
       end
     end
   end
-end
+end

lib/devise/controllers/sign_in_out.rb

@@ -100,4 +100,4 @@ module Devise
       end
     end
   end
-end
+end

lib/devise/controllers/store_location.rb

@@ -33,7 +33,10 @@ module Devise
       #
       def store_location_for(resource_or_scope, location)
         session_key = stored_location_key_for(resource_or_scope)
-        session[session_key] = URI.parse(location).path if location
+        if location
+          uri = URI.parse(location)
+          session[session_key] = [uri.path.sub(/\A\/+/, '/'), uri.query].compact.join('?')
+        end
       end
 
       private

lib/devise/hooks/activatable.rb

@@ -1,6 +1,6 @@
-# Deny user access whenever his account is not active yet. All strategies that inherits from
+# Deny user access whenever their account is not active yet. All strategies that inherits from
 # Devise::Strategies::Authenticatable and uses the validate already check if the user is active_for_authentication?
-# before actively signing him in. However, we need this as hook to validate the user activity
+# before actively signing them in. However, we need this as hook to validate the user activity
 # in each request and in case the user is using other strategies beside Devise ones.
 Warden::Manager.after_set_user do |record, warden, options|
   if record && record.respond_to?(:active_for_authentication?) && !record.active_for_authentication?
@@ -8,4 +8,4 @@ Warden::Manager.after_set_user do |record, warden, options|
     warden.logout(scope)
     throw :warden, :scope => scope, :message => record.inactive_message
   end
-end
+end

lib/devise/hooks/proxy.rb

@@ -18,4 +18,4 @@ module Devise
       end
     end
   end
-end
+end

lib/devise/hooks/rememberable.rb

@@ -4,4 +4,4 @@ Warden::Manager.after_set_user :except => :fetch do |record, warden, options|
      record.remember_me && warden.authenticated?(scope)
     Devise::Hooks::Proxy.new(warden).remember_me(record)
   end
-end
+end

lib/devise/hooks/timeoutable.rb

@@ -12,7 +12,7 @@ Warden::Manager.after_set_user do |record, warden, options|
     proxy = Devise::Hooks::Proxy.new(warden)
 
     if record.timedout?(last_request_at) && !env['devise.skip_timeout']
-      Devise.sign_out_all_scopes ? proxy.sign_out : sign_out(scope)
+      Devise.sign_out_all_scopes ? proxy.sign_out : proxy.sign_out(scope)
 
       if record.respond_to?(:expire_auth_token_on_timeout) && record.expire_auth_token_on_timeout
         record.reset_authentication_token!

lib/devise/models/authenticatable.rb

@@ -56,7 +56,7 @@ module Devise
       BLACKLIST_FOR_SERIALIZATION = [:encrypted_password, :reset_password_token, :reset_password_sent_at,
         :remember_created_at, :sign_in_count, :current_sign_in_at, :last_sign_in_at, :current_sign_in_ip,
         :last_sign_in_ip, :password_salt, :confirmation_token, :confirmed_at, :confirmation_sent_at,
-        :remember_token, :unconfirmed_email, :failed_attempts, :unlock_token, :locked_at, :authentication_token]
+        :remember_token, :unconfirmed_email, :failed_attempts, :unlock_token, :locked_at]
 
       included do
         class_attribute :devise_modules, :instance_writer => false
@@ -127,7 +127,7 @@ module Devise
       end
 
       # This is an internal method called every time Devise needs
-      # to send a notification/mail. This can be overriden if you
+      # to send a notification/mail. This can be overridden if you
       # need to customize the e-mail delivery logic. For instance,
       # if you are using a queue to deliver e-mails (delayed job,
       # sidekiq, resque, etc), you must add the delivery to the queue

lib/devise/models/confirmable.rb

@@ -9,7 +9,7 @@ module Devise
     #
     # Confirmable adds the following options to +devise+:
     #
-    #   * +allow_unconfirmed_access_for+: the time you want to allow the user to access his account
+    #   * +allow_unconfirmed_access_for+: the time you want to allow the user to access their account
     #     before confirming it. After this period, the user access is denied. You can
     #     use this to let your user access some features of your application without
     #     confirming the account, but blocking it after a certain period (ie 7 days).
@@ -152,7 +152,7 @@ module Devise
       protected
 
         # A callback method used to deliver confirmation
-        # instructions on creation. This can be overriden
+        # instructions on creation. This can be overridden
         # in models to map to a nice sign up e-mail.
         def send_on_create_confirmation_instructions
           send_confirmation_instructions

lib/devise/models/lockable.rb

@@ -34,10 +34,13 @@ module Devise
       end
 
       # Lock a user setting its locked_at to actual time.
-      def lock_access!
+      # * +opts+: Hash options if you don't want to send email
+      #   when you lock access, you could pass the next hash
+      #   `{ :send_instructions => false } as option`.
+      def lock_access!(opts = { })
         self.locked_at = Time.now.utc
 
-        if unlock_strategy_enabled?(:email)
+        if unlock_strategy_enabled?(:email) && opts.fetch(:send_instructions, true)
           send_unlock_instructions
         else
           save(:validate => false)
@@ -124,11 +127,11 @@ module Devise
       protected
 
         def attempts_exceeded?
-          self.failed_attempts > self.class.maximum_attempts
+          self.failed_attempts >= self.class.maximum_attempts
         end
 
         def last_attempt?
-          self.failed_attempts == self.class.maximum_attempts
+          self.failed_attempts == self.class.maximum_attempts - 1
         end
 
         # Tells if the lock is expired if :time unlock strategy is active

lib/devise/models/rememberable.rb

@@ -17,7 +17,7 @@ module Devise
     #
     #   * +remember_for+: the time you want the user will be remembered without
     #     asking for credentials. After this time the user will be blocked and
-    #     will have to enter his credentials again. This configuration is also
+    #     will have to enter their credentials again. This configuration is also
     #     used to calculate the expires time for the cookie created to remember
     #     the user. By default remember_for is 2.weeks.
     #

lib/devise/models/timeoutable.rb

@@ -2,9 +2,9 @@ require 'devise/hooks/timeoutable'
 
 module Devise
   module Models
-    # Timeoutable takes care of verifyng whether a user session has already
+    # Timeoutable takes care of verifying whether a user session has already
     # expired or not. When a session expires after the configured time, the user
-    # will be asked for credentials again, it means, he/she will be redirected
+    # will be asked for credentials again, it means, they will be redirected
     # to the sign in page.
     #
     # == Options

lib/devise/modules.rb

@@ -25,4 +25,4 @@ Devise.with_options :model => true do |d|
 
   # Stats for last, so we make sure the user is really signed in
   d.add_module :trackable
-end
+end

lib/devise/orm/active_record.rb

@@ -1,3 +1,3 @@
 require 'orm_adapter/adapters/active_record'
 
-ActiveRecord::Base.extend Devise::Models
+ActiveRecord::Base.extend Devise::Models

lib/devise/orm/mongoid.rb

@@ -1,3 +1,3 @@
 require 'orm_adapter/adapters/mongoid'
 
-Mongoid::Document::ClassMethods.send :include, Devise::Models
+Mongoid::Document::ClassMethods.send :include, Devise::Models

lib/devise/rails.rb

@@ -29,7 +29,13 @@ module Devise
       end
     end
 
-    initializer "devise.secret_key" do
+    config.after_initialize do |app|
+      if app.respond_to?(:secrets)
+        Devise.secret_key ||= app.secrets.secret_key_base
+      elsif app.config.respond_to?(:secret_key_base)
+        Devise.secret_key ||= app.config.secret_key_base
+      end
+
       Devise.token_generator ||=
         if secret_key = Devise.secret_key
           Devise::TokenGenerator.new(

lib/devise/rails/routes.rb

@@ -102,8 +102,11 @@ module ActionDispatch::Routing
     #  * :path_names => configure different path names to overwrite defaults :sign_in, :sign_out, :sign_up,
     #    :password, :confirmation, :unlock.
     #
-    #      devise_for :users, :path_names => { :sign_in => 'login', :sign_out => 'logout',
-    #        :password => 'secret', :confirmation => 'verification', registration: 'register }
+    #      devise_for :users, path_names: {
+    #        sign_in: 'login', sign_out: 'logout',
+    #        password: 'secret', confirmation: 'verification',
+    #        registration: 'register', edit: 'edit/profile'
+    #      }
     #
     #  * :controllers => the controller which should be used. All routes by default points to Devise controllers.
     #    However, if you want them to point to custom controller, you should do:
@@ -229,6 +232,14 @@ module ActionDispatch::Routing
           raise_no_devise_method_error!(mapping.class_name)
         end
 
+        if options[:controllers] && options[:controllers][:omniauth_callbacks]
+          unless mapping.omniauthable?
+            msg =  "Mapping omniauth_callbacks on a resource that is not omniauthable\n"
+            msg << "Please add `devise :omniauthable` to the `#{mapping.class_name}` model"
+            raise msg
+          end
+        end
+
         routes  = mapping.used_routes
 
         devise_scope mapping.name do
@@ -370,6 +381,7 @@ module ActionDispatch::Routing
       def devise_registration(mapping, controllers) #:nodoc:
         path_names = {
           :new => mapping.path_names[:sign_up],
+          :edit => mapping.path_names[:edit],
           :cancel => mapping.path_names[:cancel]
         }
 
@@ -393,13 +405,13 @@ and you have set #{mapping.fullpath.inspect}. You can work around by passing
 `skip: :omniauth_callbacks` and manually defining the routes. Here is an example:
 
     match "/users/auth/:provider",
-      :constraints => { :provider => /\Agoogle|facebook\z/ },
+      :constraints => { :provider => /google|facebook/ },
       :to => "devise/omniauth_callbacks#passthru",
       :as => :omniauth_authorize,
       :via => [:get, :post]
 
     match "/users/auth/:action/callback",
-      :constraints => { :action => /\Agoogle|facebook\z/ },
+      :constraints => { :action => /google|facebook/ },
       :to => "devise/omniauth_callbacks",
       :as => :omniauth_callback,
       :via => [:get, :post]

lib/devise/strategies/authenticatable.rb

@@ -49,7 +49,7 @@ module Devise
         valid_params? && Devise::TRUE_VALUES.include?(params_auth_hash[:remember_me])
       end
 
-      # Check if this is strategy is valid for http authentication by:
+      # Check if this is a valid strategy for http authentication by:
       #
       #   * Validating if the model allows params authentication;
       #   * If any of the authorization headers were sent;
@@ -59,7 +59,7 @@ module Devise
         http_authenticatable? && request.authorization && with_authentication_hash(:http_auth, http_auth_hash)
       end
 
-      # Check if this is strategy is valid for params authentication by:
+      # Check if this is a valid strategy for params authentication by:
       #
       #   * Validating if the model allows params authentication;
       #   * If the request hits the sessions controller through POST;
@@ -102,9 +102,9 @@ module Devise
         params_auth_hash.is_a?(Hash)
       end
 
-      # Check if password is present and is not equal to "X" (default value for token).
+      # Check if password is present.
       def valid_password?
-        password.present? && password != "X"
+        password.present?
       end
 
       # Helper to decode credentials from HTTP.

lib/devise/strategies/base.rb

@@ -17,4 +17,4 @@ module Devise
       end
     end
   end
-end
+end

lib/devise/strategies/database_authenticatable.rb

@@ -2,7 +2,7 @@ require 'devise/strategies/authenticatable'
 
 module Devise
   module Strategies
-    # Default strategy for signing in a user, based on his email and password in the database.
+    # Default strategy for signing in a user, based on their email and password in the database.
     class DatabaseAuthenticatable < Authenticatable
       def authenticate!
         resource  = valid_password? && mapping.to.find_for_database_authentication(authentication_hash)

lib/devise/time_inflector.rb

@@ -11,4 +11,4 @@ module Devise
 
     @instance = new
   end
-end
+end

lib/devise/version.rb

@@ -1,3 +1,3 @@
 module Devise
-  VERSION = "3.2.1".freeze
+  VERSION = "3.2.3".freeze
 end

lib/generators/active_record/devise_generator.rb

@@ -11,9 +11,9 @@ module ActiveRecord
 
       def copy_devise_migration
         if (behavior == :invoke && model_exists?) || (behavior == :revoke && migration_exists?(table_name))
-          migration_template "migration_existing.rb", "db/migrate/add_devise_to_#{table_name}"
+          migration_template "migration_existing.rb", "db/migrate/add_devise_to_#{table_name}.rb"
         else
-          migration_template "migration.rb", "db/migrate/devise_create_#{table_name}"
+          migration_template "migration.rb", "db/migrate/devise_create_#{table_name}.rb"
         end
       end
 

lib/generators/devise/devise_generator.rb

@@ -1,3 +1,5 @@
+require 'rails/generators/named_base'
+
 module Devise
   module Generators
     class DeviseGenerator < Rails::Generators::NamedBase

lib/generators/devise/install_generator.rb

@@ -1,3 +1,4 @@
+require 'rails/generators/base'
 require 'securerandom'
 
 module Devise
@@ -19,6 +20,10 @@ module Devise
       def show_readme
         readme "README" if behavior == :invoke
       end
+
+      def rails_4?
+        Rails::VERSION::MAJOR == 4
+      end
     end
   end
 end

lib/generators/devise/views_generator.rb

@@ -1,3 +1,5 @@
+require 'rails/generators/base'
+
 module Devise
   module Generators
     # Include this module in your generator to generate Devise views.

lib/generators/mongoid/devise_generator.rb

@@ -1,3 +1,4 @@
+require 'rails/generators/named_base'
 require 'generators/devise/orm_helpers'
 
 module Mongoid

lib/generators/templates/README

@@ -2,8 +2,8 @@
 
 Some setup you must do manually if you haven't yet:
 
-  1. Ensure you have defined default url options in your environments files. Here 
-     is an example of default_url_options appropriate for a development environment 
+  1. Ensure you have defined default url options in your environments files. Here
+     is an example of default_url_options appropriate for a development environment
      in config/environments/development.rb:
 
        config.action_mailer.default_url_options = { :host => 'localhost:3000' }

lib/generators/templates/devise.rb

@@ -4,7 +4,11 @@ Devise.setup do |config|
   # The secret key used by Devise. Devise uses this key to generate
   # random tokens. Changing this key will render invalid all existing
   # confirmation, reset password and unlock tokens in the database.
+<% if  rails_4? -%>
+  # config.secret_key = '<%= SecureRandom.hex(64) %>'
+<% else -%>
   config.secret_key = '<%= SecureRandom.hex(64) %>'
+<% end -%>
 
   # ==> Mailer Configuration
   # Configure the e-mail address which will be shown in Devise::Mailer,
@@ -99,10 +103,10 @@ Devise.setup do |config|
 
   # ==> Configuration for :confirmable
   # A period that the user is allowed to access the website even without
-  # confirming his account. For instance, if set to 2.days, the user will be
-  # able to access the website for two days without confirming his account,
+  # confirming their account. For instance, if set to 2.days, the user will be
+  # able to access the website for two days without confirming their account,
   # access will be blocked just in the third day. Default is 0.days, meaning
-  # the user cannot access the website without confirming his account.
+  # the user cannot access the website without confirming their account.
   # config.allow_unconfirmed_access_for = 2.days
 
   # A period that the user is allowed to confirm their account before their
@@ -134,7 +138,7 @@ Devise.setup do |config|
   # config.rememberable_options = {}
 
   # ==> Configuration for :validatable
-  # Range for password length. Default is 8..128.
+  # Range for password length.
   config.password_length = 8..128
 
   # Email regex used to validate email formats. It simply asserts that

test/controllers/helpers_test.rb

@@ -198,10 +198,16 @@ class ControllerAuthenticatableTest < ActionController::TestCase
     assert_equal "/foo.bar", @controller.stored_location_for(User.new)
   end
 
-  test 'store location for stores only paths' do
-    assert_nil @controller.stored_location_for(:user)
+  test 'store location for stores paths' do
     @controller.store_location_for(:user, "//host/foo.bar")
     assert_equal "/foo.bar", @controller.stored_location_for(:user)
+    @controller.store_location_for(:user, "///foo.bar")
+    assert_equal "/foo.bar", @controller.stored_location_for(:user)
+  end
+
+  test 'store location for stores query string' do
+    @controller.store_location_for(:user, "/foo?bar=baz")
+    assert_equal "/foo?bar=baz", @controller.stored_location_for(:user)
   end
 
   test 'after sign in path defaults to root path if none by was specified for the given scope' do

test/controllers/internal_helpers_test.rb

@@ -113,8 +113,11 @@ class HelpersTest < ActionController::TestCase
 
   test 'navigational_formats not returning a wild card' do
     MyController.send(:public, :navigational_formats)
-    Devise.navigational_formats = [:"*/*", :html]
-    assert_not @controller.navigational_formats.include?(:"*/*")
+
+    swap Devise, :navigational_formats => ['*/*', :html] do
+      assert_not @controller.navigational_formats.include?("*/*")
+    end
+
     MyController.send(:protected, :navigational_formats)
   end
 end

test/controllers/sessions_controller_test.rb

@@ -5,17 +5,21 @@ class SessionsControllerTest < ActionController::TestCase
   include Devise::TestHelpers
 
   test "#create doesn't raise unpermitted params when sign in fails" do
-    ActiveSupport::Notifications.subscribe /unpermitted_parameters/ do |name, start, finish, id, payload|
-      flunk "Unpermitted params: #{payload}"
+    begin
+      subscriber = ActiveSupport::Notifications.subscribe /unpermitted_parameters/ do |name, start, finish, id, payload|
+        flunk "Unpermitted params: #{payload}"
+      end
+      request.env["devise.mapping"] = Devise.mappings[:user]
+      request.session["user_return_to"] = 'foo.bar'
+      create_user
+      post :create, :user => {
+        :email => "wrong@email.com",
+        :password => "wrongpassword"
+      }
+      assert_equal 200, @response.status
+    ensure
+      ActiveSupport::Notifications.unsubscribe(subscriber)
     end
-    request.env["devise.mapping"] = Devise.mappings[:user]
-    request.session["user_return_to"] = 'foo.bar'
-    create_user
-    post :create, :user => {
-      :email => "wrong@email.com",
-      :password => "wrongpassword"
-    }
-    assert_equal 200, @response.status
   end
 
   test "#create works even with scoped views" do

test/generators/mongoid_generator_test.rb

@@ -7,12 +7,12 @@ if DEVISE_ORM == :mongoid
     tests Mongoid::Generators::DeviseGenerator
     destination File.expand_path("../../tmp", __FILE__)
     setup :prepare_destination
-  
+
     test "all files are properly created" do
       run_generator %w(monster)
       assert_file "app/models/monster.rb", /devise/
     end
-  
+
     test "all files are properly deleted" do
       run_generator %w(monster)
       run_generator %w(monster), :behavior => :revoke

test/integration/recoverable_test.rb

@@ -39,7 +39,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
     end
 
     assert_current_url '/users/sign_in'
-    assert_contain 'You will receive an email with instructions about how to reset your password in a few minutes.'
+    assert_contain 'You will receive an email with instructions on how to reset your password in a few minutes.'
   end
 
   test 'reset password with email should send an email from a custom mailer' do
@@ -78,7 +78,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
     end
 
     assert_current_url '/users/sign_in'
-    assert_contain 'You will receive an email with instructions about how to reset your password in a few minutes.'
+    assert_contain 'You will receive an email with instructions on how to reset your password in a few minutes.'
   end
 
   test 'reset password with email with extra whitespace should fail when email is NOT the list of strip whitespace keys' do
@@ -111,7 +111,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
     request_forgot_password
 
     assert_current_url '/users/sign_in'
-    assert_contain 'You will receive an email with instructions about how to reset your password in a few minutes.'
+    assert_contain 'You will receive an email with instructions on how to reset your password in a few minutes.'
   end
 
   test 'not authenticated user with invalid email should receive an error message' do
@@ -139,7 +139,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
     assert_redirected_to "/users/sign_in"
   end
 
-  test 'not authenticated user with invalid reset password token should not be able to change his password' do
+  test 'not authenticated user with invalid reset password token should not be able to change their password' do
     user = create_user
     reset_password :reset_password_token => 'invalid_reset_password'
 
@@ -150,7 +150,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
     assert_not user.reload.valid_password?('987654321')
   end
 
-  test 'not authenticated user with valid reset password token but invalid password should not be able to change his password' do
+  test 'not authenticated user with valid reset password token but invalid password should not be able to change their password' do
     user = create_user
     request_forgot_password
     reset_password do
@@ -165,7 +165,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
     assert_not user.reload.valid_password?('987654321')
   end
 
-  test 'not authenticated user with valid data should be able to change his password' do
+  test 'not authenticated user with valid data should be able to change their password' do
     user = create_user
     request_forgot_password
     reset_password
@@ -175,7 +175,7 @@ class PasswordTest < ActionDispatch::IntegrationTest
     assert user.reload.valid_password?('987654321')
   end
 
-  test 'after entering invalid data user should still be able to change his password' do
+  test 'after entering invalid data user should still be able to change their password' do
     user = create_user
     request_forgot_password
 

test/integration/registerable_test.rb

@@ -140,7 +140,7 @@ class RegistrationTest < ActionDispatch::IntegrationTest
     assert_redirected_to root_path
   end
 
-  test 'a signed in user should be able to edit his account' do
+  test 'a signed in user should be able to edit their account' do
     sign_in_as_user
     get edit_user_registration_path
 
@@ -154,7 +154,7 @@ class RegistrationTest < ActionDispatch::IntegrationTest
     assert_equal "user.new@example.com", User.first.email
   end
 
-  test 'a signed in user should still be able to use the website after changing his password' do
+  test 'a signed in user should still be able to use the website after changing their password' do
     sign_in_as_user
     get edit_user_registration_path
 
@@ -168,7 +168,7 @@ class RegistrationTest < ActionDispatch::IntegrationTest
     assert warden.authenticated?(:user)
   end
 
-  test 'a signed in user should not change his current user with invalid password' do
+  test 'a signed in user should not change their current user with invalid password' do
     sign_in_as_user
     get edit_user_registration_path
 
@@ -183,7 +183,7 @@ class RegistrationTest < ActionDispatch::IntegrationTest
     assert_equal "user@test.com", User.first.email
   end
 
-  test 'a signed in user should be able to edit his password' do
+  test 'a signed in user should be able to edit their password' do
     sign_in_as_user
     get edit_user_registration_path
 
@@ -198,7 +198,7 @@ class RegistrationTest < ActionDispatch::IntegrationTest
     assert User.first.valid_password?('pass1234')
   end
 
-  test 'a signed in user should not be able to edit his password with invalid confirmation' do
+  test 'a signed in user should not be able to edit their password with invalid confirmation' do
     sign_in_as_user
     get edit_user_registration_path
 
@@ -212,7 +212,7 @@ class RegistrationTest < ActionDispatch::IntegrationTest
     assert_not User.first.valid_password?('pas123')
   end
 
-  test 'a signed in user should be able to cancel his account' do
+  test 'a signed in user should be able to cancel their account' do
     sign_in_as_user
     get edit_user_registration_path
 
@@ -286,7 +286,7 @@ class RegistrationTest < ActionDispatch::IntegrationTest
     assert_equal user.reload.email, 'user@test.com'
   end
 
-  test 'a user cancel his account in XML format should return valid response' do
+  test 'a user cancel their account in XML format should return valid response' do
     sign_in_as_user
     delete user_registration_path(:format => 'xml')
     assert_response :success
@@ -295,7 +295,7 @@ class RegistrationTest < ActionDispatch::IntegrationTest
 end
 
 class ReconfirmableRegistrationTest < ActionDispatch::IntegrationTest
-  test 'a signed in admin should see a more appropriate flash message when editing his account if reconfirmable is enabled' do
+  test 'a signed in admin should see a more appropriate flash message when editing their account if reconfirmable is enabled' do
     sign_in_as_admin
     get edit_admin_registration_path
 
@@ -326,7 +326,7 @@ class ReconfirmableRegistrationTest < ActionDispatch::IntegrationTest
     assert Admin.first.valid_password?('pas123')
   end
 
-  test 'a signed in admin should not see a reconfirmation message if he did not change his email, despite having an unconfirmed email' do
+  test 'a signed in admin should not see a reconfirmation message if they did not change their email, despite having an unconfirmed email' do
     sign_in_as_admin
 
     get edit_admin_registration_path

test/integration/rememberable_test.rb

@@ -25,7 +25,7 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     Time.parse(expires).utc
   end
 
-  test 'do not remember the user if he has not checked remember me option' do
+  test 'do not remember the user if they have not checked remember me option' do
     sign_in_as_user
     assert_nil request.cookies["remember_user_cookie"]
   end
@@ -95,7 +95,7 @@ class RememberMeTest < ActionDispatch::IntegrationTest
     assert_match /remember_user_token[^\n]*HttpOnly/, response.headers["Set-Cookie"], "Expected Set-Cookie header in response to set HttpOnly flag on remember_user_token cookie."
   end
 
-  test 'remember the user before sign up and redirect him to his home' do
+  test 'remember the user before sign up and redirect them to their home' do
     create_user_and_remember
     get new_user_registration_path
     assert warden.authenticated?(:user)

test/integration/timeoutable_test.rb

@@ -35,14 +35,19 @@ class SessionTimeoutTest < ActionDispatch::IntegrationTest
     assert warden.authenticated?(:user)
   end
 
-  test 'time out user session after default limit time' do
-    user = sign_in_as_user
-    get expire_user_path(user)
-    assert_not_nil last_request_at
+  test 'time out user session after default limit time when sign_out_all_scopes is false' do
+    swap Devise, sign_out_all_scopes: false do
+      sign_in_as_admin
 
-    get users_path
-    assert_redirected_to users_path
-    assert_not warden.authenticated?(:user)
+      user = sign_in_as_user
+      get expire_user_path(user)
+      assert_not_nil last_request_at
+
+      get users_path
+      assert_redirected_to users_path
+      assert_not warden.authenticated?(:user)
+      assert warden.authenticated?(:admin)
+    end
   end
 
   test 'time out all sessions after default limit time when sign_out_all_scopes is true' do

test/integration/trackable_test.rb

@@ -63,7 +63,7 @@ class TrackableHooksTest < ActionDispatch::IntegrationTest
   end
 
   test "does not update anything if user has signed out along the way" do
-    swap Devise, :allow_unconfirmed_access_for => 0 do
+    swap Devise, :allow_unconfirmed_access_for => 0.days do
       user = create_user(:confirm => false)
       sign_in_as_user
 

test/mapping_test.rb

@@ -110,12 +110,12 @@ class MappingTest < ActiveSupport::TestCase
     assert mapping.lockable?
     assert_not mapping.omniauthable?
   end
-  
+
   test 'find mapping by path' do
     assert_raise RuntimeError do
       Devise::Mapping.find_by_path!('/accounts/facebook/callback')
     end
-    
+
     assert_nothing_raised do
       Devise::Mapping.find_by_path!('/:locale/accounts/login')
     end
@@ -123,5 +123,5 @@ class MappingTest < ActiveSupport::TestCase
     assert_nothing_raised do
       Devise::Mapping.find_by_path!('/accounts/facebook/callback', :path)
     end
-  end  
+  end
 end

test/models/confirmable_test.rb

@@ -155,7 +155,7 @@ class ConfirmableTest < ActiveSupport::TestCase
     assert_not_nil user.reload.confirmation_token
   end
 
-  test 'should not resend email instructions if the user change his email' do
+  test 'should not resend email instructions if the user change their email' do
     user = create_user
     user.email = 'new_test@example.com'
     assert_email_not_sent do

test/models/database_authenticatable_test.rb

@@ -231,7 +231,7 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
     assert !user.valid?
   end
 
-  test 'required_fiels should be encryptable_password and the email field by default' do
+  test 'required_fields should be encryptable_password and the email field by default' do
     assert_same_content Devise::Models::DatabaseAuthenticatable.required_fields(User), [
       :email,
       :encrypted_password

test/models/lockable_test.rb

@@ -9,7 +9,7 @@ class LockableTest < ActiveSupport::TestCase
     user = create_user
     user.confirm!
     swap Devise, :maximum_attempts => 2 do
-      3.times { user.valid_for_authentication?{ false } }
+      2.times { user.valid_for_authentication?{ false } }
       assert user.reload.access_locked?
     end
   end
@@ -19,12 +19,12 @@ class LockableTest < ActiveSupport::TestCase
     user.confirm!
 
     swap Devise, :maximum_attempts => 2 do
-      3.times { user.valid_for_authentication?{ false } }
+      2.times { user.valid_for_authentication?{ false } }
       assert user.reload.access_locked?
     end
 
     user.valid_for_authentication?{ true }
-    assert_equal 4, user.reload.failed_attempts
+    assert_equal 3, user.reload.failed_attempts
   end
 
   test "should not touch failed_attempts if lock_strategy is none" do
@@ -130,6 +130,24 @@ class LockableTest < ActiveSupport::TestCase
     end
   end
 
+  test "doesn't send email when you pass option send_instructions to false" do
+    swap Devise, :unlock_strategy => :email do
+      user = create_user
+      assert_email_not_sent do
+        user.lock_access! send_instructions: false
+      end
+    end
+  end
+
+  test "sends email when you pass options other than send_instructions" do
+    swap Devise, :unlock_strategy => :email do
+      user = create_user
+      assert_email_sent do
+        user.lock_access! foo: :bar, bar: :foo
+      end
+    end
+  end
+
   test "should not send email with unlock instructions when :email is not an unlock strategy" do
     swap Devise, :unlock_strategy => :time do
       user = create_user
@@ -284,13 +302,13 @@ class LockableTest < ActiveSupport::TestCase
     swap Devise, :last_attempt_warning => :true do
       swap Devise, :lock_strategy => :failed_attempts do
         user = create_user
-        user.failed_attempts = Devise.maximum_attempts - 1
+        user.failed_attempts = Devise.maximum_attempts - 2
         assert_equal :invalid, user.unauthenticated_message
 
-        user.failed_attempts = Devise.maximum_attempts
+        user.failed_attempts = Devise.maximum_attempts - 1
         assert_equal :last_attempt, user.unauthenticated_message
 
-        user.failed_attempts = Devise.maximum_attempts + 1
+        user.failed_attempts = Devise.maximum_attempts
         assert_equal :locked, user.unauthenticated_message
       end
     end

test/models/recoverable_test.rb

@@ -101,14 +101,14 @@ class RecoverableTest < ActiveSupport::TestCase
     assert_not_equal token, user.reload.reset_password_token
   end
 
-  test 'should send email instructions to the user reset his password' do
+  test 'should send email instructions to the user reset their password' do
     user = create_user
     assert_email_sent do
       User.send_reset_password_instructions(:email => user.email)
     end
   end
 
-  test 'should find a user to reset his password based on the raw token' do
+  test 'should find a user to reset their password based on the raw token' do
     user = create_user
     raw  = user.send_reset_password_instructions
 
@@ -180,5 +180,5 @@ class RecoverableTest < ActiveSupport::TestCase
       :reset_password_sent_at,
       :reset_password_token
     ]
-  end  
+  end
 end

test/omniauth/config_test.rb

@@ -54,4 +54,4 @@ class OmniAuthConfigTest < ActiveSupport::TestCase
     config_class = config.strategy_class
     assert_equal MyStrategy, config_class
   end
-end
+end

test/orm/mongoid.rb

@@ -1,7 +1,7 @@
 require 'mongoid/version'
 
 Mongoid.configure do |config|
-  config.connect_to("devise-test-suite")
+  config.load!('test/support/mongoid.yml')
   config.use_utc = true
   config.include_root_in_json = true
 end

test/rails_app/app/active_record/shim.rb

@@ -1,2 +1,2 @@
 module Shim
-end
+end

test/rails_app/app/controllers/admins/sessions_controller.rb

@@ -3,4 +3,4 @@ class Admins::SessionsController < Devise::SessionsController
     flash[:special] = "Welcome to #{controller_path.inspect} controller!"
     super
   end
-end
+end

test/rails_app/app/controllers/publisher/registrations_controller.rb

@@ -1,2 +1,2 @@
 class Publisher::RegistrationsController < ApplicationController
-end
+end

test/rails_app/app/controllers/publisher/sessions_controller.rb

@@ -1,2 +1,2 @@
 class Publisher::SessionsController < ApplicationController
-end
+end

test/rails_app/app/controllers/users/omniauth_callbacks_controller.rb

@@ -11,4 +11,4 @@ class Users::OmniauthCallbacksController < Devise::OmniauthCallbacksController
     sign_in user
     render :text => ""
   end
-end
+end

test/rails_app/app/views/admins/sessions/new.html.erb

@@ -1,2 +1,2 @@
 Welcome to "sessions/new" view!
-<%= render :file => "devise/sessions/new" %>
+<%= render :file => "devise/sessions/new" %>

test/rails_app/app/views/home/admin_dashboard.html.erb

@@ -1 +1 @@
-Admin dashboard
+Admin dashboard

test/rails_app/app/views/home/index.html.erb

@@ -1 +1 @@
-Home!
+Home!

test/rails_app/app/views/home/join.html.erb

@@ -1 +1 @@
-Join
+Join

test/rails_app/app/views/home/user_dashboard.html.erb

@@ -1 +1 @@
-User dashboard
+User dashboard

test/rails_app/config/initializers/devise.rb

@@ -66,8 +66,8 @@ Devise.setup do |config|
   config.stretches = Rails.env.test? ? 1 : 10
 
   # ==> Configuration for :confirmable
-  # The time you want to give your user to confirm his account. During this time
-  # he will be able to access your application without confirming. Default is nil.
+  # The time you want to give your user to confirm their account. During this time
+  # they will be able to access your application without confirming. Default is nil.
   # When allow_unconfirmed_access_for is zero, the user won't be able to sign in without confirming.
   # You can use this to let your user access some features of your application
   # without confirming the account, but blocking it after a certain period

test/rails_app/config/routes.rb

@@ -86,7 +86,8 @@ Rails.application.routes.draw do
         :sign_in => "login", :sign_out => "logout",
         :password => "secret", :confirmation => "verification",
         :unlock => "unblock", :sign_up => "register",
-        :registration => "management", :cancel => "giveup"
+        :registration => "management",
+        :cancel => "giveup", :edit => "edit/profile"
       }, :failure_app => lambda { |env| [404, {"Content-Type" => "text/plain"}, ["Oops, not found"]] }, :module => :devise
   end
 

test/routes_test.rb

@@ -157,6 +157,10 @@ class CustomizedRoutingTest < ActionController::TestCase
     assert_recognizes({:controller => 'devise/registrations', :action => 'new', :locale => 'en'}, '/en/accounts/management/register')
   end
 
+  test 'map account with custom path name for edit registration' do
+    assert_recognizes({:controller => 'devise/registrations', :action => 'edit', :locale => 'en'}, '/en/accounts/management/edit/profile')
+  end
+
   test 'map account with custom path name for cancel registration' do
     assert_recognizes({:controller => 'devise/registrations', :action => 'cancel', :locale => 'en'}, '/en/accounts/management/giveup')
   end
@@ -235,6 +239,14 @@ class CustomizedRoutingTest < ActionController::TestCase
   test 'map with format false is not permanent' do
     assert_equal "/set.xml", @routes.url_helpers.set_path(:xml)
   end
+
+  test 'checks if mapping has proper configuration for omniauth callback' do
+    assert_raise ArgumentError do
+      @routes.dup.eval_block do
+        devise_for :admin, controllers: {omniauth_callbacks: "users/omniauth_callbacks"}
+      end
+    end
+  end
 end
 
 class ScopedRoutingTest < ActionController::TestCase

test/support/action_controller/record_identifier.rb

@@ -0,0 +1,10 @@
+# Since webrat uses ActionController::RecordIdentifier class that was moved to
+# ActionView namespace in Rails 4.1+
+
+unless defined?(ActionController::RecordIdentifier)
+  require 'action_view/record_identifier'
+
+  module ActionController
+    RecordIdentifier = ActionView::RecordIdentifier
+  end
+end

test/support/mongoid.yml

@@ -0,0 +1,6 @@
+test:
+  sessions:
+    default:
+      database: devise-test-suite
+      hosts:
+        - localhost:<%= ENV['MONGODB_PORT'] || '27017' %>

test/test_helpers_test.rb

@@ -17,7 +17,7 @@ class TestHelpersTest < ActionController::TestCase
   end
 
   test "redirects if attempting to access a page with an unconfirmed account" do
-    swap Devise, :allow_unconfirmed_access_for => 0 do
+    swap Devise, :allow_unconfirmed_access_for => 0.days do
       user = create_user
       assert !user.active_for_authentication?
 
@@ -28,7 +28,7 @@ class TestHelpersTest < ActionController::TestCase
   end
 
   test "returns nil if accessing current_user with an unconfirmed account" do
-    swap Devise, :allow_unconfirmed_access_for => 0 do
+    swap Devise, :allow_unconfirmed_access_for => 0.days do
       user = create_user
       assert !user.active_for_authentication?