Skip to content

Latest commit

 

History

History
786 lines (575 loc) · 25.5 KB

CHANGELOG.rdoc

File metadata and controls

786 lines (575 loc) · 25.5 KB

2.0.0.rc2

Notes: github.com/plataformatec/devise/wiki/How-To:-Upgrade-to-Devise-2.0

  • bug fix

    • Fix incorrect message for locked account (by @jigyasa)

    • Regenerate confirmation token on reconfirmation (by @nashby)

    • Allow alternate ORMs to run compatibility setup code before Authenticatable is included (by @jm81)

    • Do not run validations unless on reconfirmable branch

  • enhancements

    • Inherit from the same Devise parent controller (by @sj26)

    • Allow parent_controller to be customizable via Devise.parent_controller, useful for engines

    • Allow router_name to be customizable via Devise.router_name, useful for engines

  • deprecation

    • Move devise/shared/_links.erb to devise/_links.erb

    • Devise only supports Rails 3.1 forward

2.0.0.rc

  • enhancements

    • Add support for e-mail reconfirmation on change (by @Mandaryn and @heimidal)

    • Redirect users to sign in page after unlock (by @nashby)

  • deprecation

    • Devise.apply_schema is deprecated

    • Devise migration helpers are deprecated

    • Usage of Devise.remember_across_browsers was deprecated

    • Usage of Devise.confirm_within was deprecated in favor Devise.allow_unconfirmed_access_for

    • Usage of rememberable with remember_token was removed

    • Usage of recoverable without reset_password_sent_at was removed

    • Usage of Devise.case_insensitive_keys equals to false was removed

    • Usage of Devise.stateless_token= is deprecated in favor of appending :token_auth to Devise.skip_session_storage

1.5.3

  • bug fix

    • Ensure delegator converts scope to symbol (by @dmitriy-kiriyenko)

    • Ensure passing :format => false to devise_for is not permanent

    • Ensure path checker does not check invalid routes

1.5.2

  • enhancements

    • Add support for Rails 3.1 new mass assignment conventions (by @kirs)

    • Add timeout_in method to Timeoutable, it can be overridden in a model (by @lest)

  • bug fix

    • OmniAuth error message now shows the proper option (:strategy_class instead of :klass)

1.5.1

  • bug fix

    • Devise should not attempt to load OmniAuth strategies. Strategies should be loaded before hand by the developer or explicitly given to Devise.

1.5.0

  • enhancements

    • Timeoutable also skips tracking if skip_trackable is given

    • devise_for now accepts :failure_app as an option

    • Models can select the proper mailer via devise_mailer method (by @locomotivecms)

    • Migration generator now uses the change method (by @nashby)

    • Support to markerb templates on the mailer generator (by @sbounmy)

    • Support for Omniauth 1.0 (older versions are no longer supported) (by @TamiasSibiricus)

  • bug fix

    • Allow idempotent API requests

    • Fix bug where logs did not show 401 as status code

    • Change paranoid settings to behave as success instead of as failure

    • Fix bug where activation messages were shown first than the credentials error message

    • Instance variables are expired after sign out

  • deprecation

    • redirect_location is deprecated, please use after_sign_in_path_for

    • after_sign_in_path_for now redirects to session if any value is stored in it

1.4.9

  • bug fix

    • url helpers were not being set under some circumstances

1.4.8

  • enhancements

    • Add docs for assets pipeline and Heroku

  • bug fix

    • confirmation_url was not being set under some circumstances

1.4.7

  • bug fix

    • Fix backward incompatible change from 1.4.6 for those using custom controllers

1.4.6

  • enhancements

    • Allow devise_for :skip => :all

    • Allow options to be passed to authenticate_user!

    • Allow –skip-routes to devise generator

    • Add allow_params_authentication! to make it explicit when params authentication is allowed in a controller

1.4.5

  • bug fix

    • Failure app tries the root path if a session one does not exist

    • No need to finalize Devise helpers all the time (by @bradleypriest)

    • Reset password shows proper message if user is not active

    • ‘clean_up_passwords` sets the accessors to nil to skip validations

1.4.4

  • bug fix

    • Do not always skip helpers, instead provide :skip_helpers as option to trigger it manually

1.4.3

  • enhancements

    • Improve Rails 3.1 compatibility

    • Use serialize_into_session and serialize_from_session in Warden serialize to improve extensibility

  • bug fix

    • Generator properly generates a change_table migration if a model already exists

    • Properly deprecate setup_mail

    • Fix encoding issues with email regexp

    • Only generate helpers for the used mappings

    • Wrap :action constraints in the proper hash

  • deprecations

1.4.2

  • bug fix

    • Provide a more robust behavior to serializers and add :force_except option

1.4.1

  • enhancements

    • Add :defaults and :format support on router

    • Add simple form generators

    • Better localization for devise_error_messages! (by @zedtux)

  • bug fix

    • Ensure to_xml is properly white listened

    • Ensure handle_unverified_request clean up any cached signed-in user

1.4.0

  • enhancements

    • Added authenticated and unauthenticated to the router to route the used based on his status (by @sj26)

    • Improve e-mail regexp (by @rodrigoflores)

    • Add strip_whitespace_keys and default to e-mail (by @swrobel)

    • Do not run format and uniqueness validations on e-mail if it hasn’t changed (by @Thibaut)

    • Added update_without_password to update models but not allowing the password to change (by @fschwahn)

    • Added config.paranoid, check the generator for more information (by @rodrigoflores)

  • bug fix

    • password_required? should not affect length validation

    • User cannot access sign up and similar pages if he is already signed in through a cookie or token

    • Do not convert booleans to strings on finders (by @xavier)

    • Run validations even if current_password fails (by @crx)

    • Devise now honors routes constraints (by @macmartine)

    • Do not return the user resource when requesting instructions (by @rodrigoflores)

1.3.4

  • bug fix

    • Do not add formats if html or “/

1.3.3

  • bug fix

    • Explicitly mark the token as expired if so

1.3.2

  • bug fix

    • Fix another regression related to reset_password_sent_at (by @alexdreher)

1.3.1

  • enhancements

    • Improve failure_app responses (by @indirect)

    • sessions/new and registrations/new also respond to xml and json now

  • bug fix

    • Fix a regression that occurred if reset_password_sent_at is not present (by @stevehodgkiss)

1.3.0

  • enhancements

    • All controllers can now handle different mime types than html using Responders (by @sikachu)

    • Added reset_password_within as configuration option to send the token for recovery (by @jdguyot)

    • Bump password length to 128 characters (by @k33l0r)

    • Add :only as option to devise_for (by @timoschilling)

    • Allow to override path after sending password instructions (by @irohiroki)

    • require_no_authentication has its own flash message (by @jackdempsey)

  • bug fix

    • Fix a bug where configuration options were being included too late

    • Ensure Devise::TestHelpers can be used to tests Devise internal controllers (by @jwilger)

    • valid_password? should not choke on empty passwords (by @mikel)

    • Calling devise more than once does not include previously added modules anymore

    • downcase_keys before validation

  • backward incompatible changes

    • authentication_keys are no longer considered when creating the e-mail validations, the previous behavior was buggy. You must double check if you were relying on such behavior.

1.2.1

  • enhancements

    • Improve update path messages

1.2.0

  • bug fix

    • Properly ignore path prefix on omniauthable

    • Faster uniqueness queries

    • Rename active? to active_for_authentication? to avoid conflicts

1.2.rc2

  • enhancements

    • Make friendly_token 20 chars long

    • Use secure_compare

  • bug fix

    • Fix an issue causing infinite redirects in production

    • rails g destroy works properly with devise generators (by @andmej)

    • before_failure callbacks should work on test helpers (by @twinge)

    • rememberable cookie now is httponly by default (by @JamesFerguson)

    • Add missing confirmation_keys (by @JohnPlummer)

    • Ensure after_* hooks are called on RegistrationsController

    • When using database_authenticatable Devise will now only create an email field when appropriate (if using default authentication_keys or custom authentication_keys with email included)

    • Ensure stateless token does not trigger timeout (by @pixelauthority)

    • Implement handle_unverified_request for Rails 3.0.4 compatibility and improve FailureApp reliance on symbols

    • Consider namespaces while generating routes

    • Custom failure apps no longer ignored in test mode (by @jaghion)

    • Do not depend on ActiveModel::Dirty

    • Manual sign_in now triggers remember token

    • Be sure to halt strategies on failures

    • Consider SCRIPT_NAME on Omniauth paths

    • Reset failed attempts when lock is expired

    • Ensure there is no Mongoid injection

  • deprecations

    • Deprecated anybody_signed_in? in favor of signed_in? (by @gavinhughes)

    • Removed –haml and –slim view templates

    • Devise::OmniAuth helpers were deprecated and removed in favor of Omniauth.config.test_mode

1.2.rc

  • deprecations

    • cookie_domain is deprecated in favor of cookie_options

    • after_update_path_for can no longer be defined in ApplicationController

  • enhancements

    • Added OmniAuth support

    • Added ORM adapter to abstract ORM iteraction

    • sign_out_via is available in the router to configure the method used for sign out (by @martinrehfeld)

    • Improved Ajax requests handling in failure app (by @spastorino)

    • Added request_keys to easily use request specific values (like subdomain) in authentication

    • Increased the size of friendly_token to 60 characters (reduces the chances of a successful brute attack)

    • Ensure the friendly token does not include “_” or “-” since some e-mails may not autolink it properly (by @rymai)

    • Extracted encryptors into :encryptable for better bcrypt support

    • :rememberable is now able to use salt as token if no remember_token is provided

    • Store the salt in session and expire the session if the user changes his password

    • Allow :stateless_token to be set to true avoiding users to be stored in session through token authentication

    • cookie_options uses session_options values by default

    • Sign up now check if the user is active or not and redirect him accordingly setting the inactive_signed_up message

    • Use ActiveModel#to_key instead of #id

    • sign_out_all_scopes now destroys the whole session

    • Added case_insensitive_keys that automatically downcases the given keys, by default downcases only e-mail (by @adahl)

  • default behavior changes

    • sign_out_all_scopes defaults to true as security measure

    • http authenticatable is disabled by default

    • Devise does not intercept 401 returned from applications

  • bugfix

    • after_sign_in_path_for always receives a resource

    • Do not execute Warden::Callbacks on Devise::TestHelpers (by @sgronblo)

    • Allow password recovery and account unlocking to change used keys (by @RStankov)

    • FailureApp now properly handles nil request.format

    • Fix a bug causing FailureApp to return with HTTP Auth Headers for IE7

    • Ensure namespaces has proper scoped views

    • Ensure Devise does not set empty flash messages (by @sxross)

1.1.6

  • Use a more secure e-mail regexp

  • Implement Rails 3.0.4 handle unverified request

  • Use secure_compare to compare passwords

1.1.5

  • bugfix

    • Ensure to convert keys on indifferent hash

  • defaults

    • Set config.http_authenticatable to false to avoid confusion

1.1.4

  • bugfix

    • Avoid session fixation attacks

1.1.3

  • bugfix

    • Add reply-to to e-mail headers by default

    • Updated the views generator to respect the rails :template_engine option (by @fredwu)

    • Check the type of HTTP Authentication before using Basic headers

    • Avoid invalid_salt errors by checking salt presence (by @thibaudgg)

    • Forget user deletes the right cookie before logout, not remembering the user anymore (by @emtrane)

    • Fix for failed first-ever logins on PostgreSQL where column default is nil (by @bensie)

    • :default options is now honored in migrations

1.1.2

  • bugfix

    • Compatibility with latest Rails routes schema

1.1.1

  • bugfix

    • Fix a small bug where generated locale file was empty on devise:install

1.1.0

  • enhancements

    • Rememberable module allows user to be remembered across browsers and is enabled by default (by @trevorturk)

    • Rememberable module allows you to activate the period the remember me token is extended (by @trevorturk)

    • devise_for can now be used together with scope method in routes but with a few limitations (check the documentation)

    • Support ‘as` or `devise_scope` in the router to specify controller access scope

    • HTTP Basic Auth can now be disabled/enabled for xhr(ajax) requests using http_authenticatable_on_xhr option (by @pellja)

  • bug fix

    • Fix a bug in Devise::TestHelpers where current_user was returning a Response object for non active accounts

    • Devise should respect script_name and path_info contracts

    • Fix a bug when accessing a path with (.:format) (by @klacointe)

    • Do not add unlock routes unless unlock strategy is email or both

    • Email should be case insensitive

    • Store classes as string in session, to avoid serialization and stale data issues

  • deprecations

    • use_default_scope is deprecated and has no effect. Use :as or :devise_scope in the router instead

1.1.rc2

  • enhancements

    • Allow to set cookie domain for the remember token. (by @mantas)

    • Added navigational formats to specify when it should return a 302 and when a 401.

    • Added authenticate(scope) support in routes (by @wildchild)

    • Added after_update_path_for to registrations controller (by @thedelchop)

    • Allow the mailer object to be replaced through config.mailer = “MyOwnMailer”

  • bug fix

    • Fix a bug where session was timing out on sign out

  • deprecations

    • bcrypt is now the default encryptor

    • devise.mailer.confirmations_instructions now should be devise.mailer.confirmations_instructions.subject

    • devise.mailer.user.confirmations_instructions now should be devise.mailer.confirmations_instructions.user_subject

    • Generators now use Rails 3 syntax (devise:install) instead of devise_install

1.1.rc1

  • enhancements

    • Rails 3 compatibility

    • All controllers and views are namespaced, for example: Devise::SessionsController and “devise/sessions”

    • Devise.orm is deprecated. This reduces the required API to hook your ORM with devise

    • Use metal for failure app

    • HTML e-mails now have proper formatting

    • Allow to give :skip and :controllers in routes

    • Move trackable logic to the model

    • E-mails now use any template available in the filesystem. Easy to create multipart e-mails

    • E-mails asks headers_for in the model to set the proper headers

    • Allow to specify haml in devise_views

    • Compatibility with Mongoid

    • Make config.devise available on config/application.rb

    • TokenAuthenticatable now works with HTTP Basic Auth

    • Allow :unlock_strategy to be :none and add :lock_strategy which can be :failed_attempts or none. Setting those values to :none means that you want to handle lock and unlocking by yourself

    • No need to append ?unauthenticated=true in URLs anymore since Flash was moved to a middleware in Rails 3

    • :activatable is included by default in your models

  • bug fix

    • Fix a bug with STI

  • deprecations

    • Rails 3 compatible only

    • Removed support for MongoMapper

    • Scoped views are no longer “sessions/users/new”. Now use “users/sessions/new”

    • Devise.orm is deprecated, just require “devise/orm/YOUR_ORM” instead

    • Devise.default_url_options is deprecated, just modify ApplicationController.default_url_options

    • All messages under devise.sessions, except :signed_in and :signed_out, should be moved to devise.failure

    • :as and :scope in routes is deprecated. Use :path and :singular instead

1.0.8

  • enhancements

    • Support for latest MongoMapper

    • Added anybody_signed_in? helper (by @SSDany)

  • bug fix

    • confirmation_required? is properly honored on active? calls. (by @paulrosania)

1.0.7

  • bug fix

    • Ensure password confirmation is always required

  • deprecations

    • authenticatable was deprecated and renamed to database_authenticatable

    • confirmable is not included by default on generation

1.0.6

  • bug fix

    • Do not allow unlockable strategies based on time to access a controller.

    • Do not send unlockable email several times.

    • Allow controller to upstram custom! failures to Warden.

1.0.5

  • bug fix

    • Use prepend_before_filter in require_no_authentication.

    • require_no_authentication on unlockable.

    • Fix a bug when giving an association proxy to devise.

    • Do not use lock! on lockable since it’s part of ActiveRecord API.

1.0.4

  • bug fix

    • Fixed a bug when deleting an account with rememberable

    • Fixed a bug with custom controllers

1.0.3

  • enhancements

    • HTML e-mails now have proper formatting

    • Do not remove MongoMapper options in find

1.0.2

  • enhancements

    • Allows you set mailer content type (by @glennr)

  • bug fix

    • Uses the same content type as request on http authenticatable 401 responses

1.0.1

  • enhancements

    • HttpAuthenticatable is not added by default automatically.

    • Avoid mass assignment error messages with current password.

  • bug fix

    • Fixed encryptors autoload

1.0.0

  • deprecation

    • :old_password in update_with_password is deprecated, use :current_password instead

  • enhancements

    • Added Registerable

    • Added Http Basic Authentication support

    • Allow scoped_views to be customized per controller/mailer class

    • #99

      Allow authenticatable to used in change_table statements

0.9.2

  • bug fix

    • Ensure inactive user cannot sign in

    • Ensure redirect to proper url after sign up

  • enhancements

    • Added gemspec to repo

    • Added token authenticatable (by @grimen)

0.9.1

  • bug fix

    • Allow bigger salt size (by @jgeiger)

    • Fix relative url root

0.9.0

  • deprecation

    • devise :all is deprecated

    • :success and :failure flash messages are now :notice and :alert

  • enhancements

    • Added devise lockable (by @mhfs)

    • Warden 0.9.0 compatibility

    • Mongomapper 0.6.10 compatibility

    • Added Devise.add_module as hooks for extensions (by @grimen)

    • Ruby 1.9.1 compatibility (by @grimen)

  • bug fix

    • Accept path prefix not starting with slash

    • url helpers should rely on find_scope!

0.8.2

  • enhancements

    • Allow Devise.mailer_sender to be a proc (by @grimen)

  • bug fix

    • Fix bug with passenger, update is required to anyone deploying on passenger (by @dvdpalm)

0.8.1

  • enhancements

    • Move salt to encryptors

    • Devise::Lockable

    • Moved view links into partial and I18n’ed them

  • bug fix

    • Bcrypt generator was not being loaded neither setting the proper salt

0.8.0

  • enhancements

    • Warden 0.8.0 compatibility

    • Add an easy for map.connect “sign_in”, :controller => “sessions”, :action => “new” to work

    • Added :bcrypt encryptor (by @capotej)

  • bug fix

    • sign_in_count is also increased when user signs in via password change, confirmation, etc..

    • More DataMapper compatibility (by @lancecarlson)

  • deprecation

    • Removed DeviseMailer.sender

0.7.5

  • enhancements

    • Set a default value for mailer to avoid find_template issues

    • Add models configuration to MongoMapper::EmbeddedDocument as well

0.7.4

  • enhancements

    • Extract Activatable from Confirmable

    • Decouple Serializers from Devise modules

0.7.3

  • bug fix

    • Give scope to the proper model validation

  • enhancements

    • Mail views are scoped as well

    • Added update_with_password for authenticatable

    • Allow render_with_scope to accept :controller option

0.7.2

  • deprecation

    • Renamed reset_confirmation! to resend_confirmation!

    • Copying locale is part of the installation process

  • bug fix

    • Fixed render_with_scope to work with all controllers

    • Allow sign in with two different users in Devise::TestHelpers

0.7.1

  • enhancements

    • Small enhancements for other plugins compatibility (by @grimen)

0.7.0

  • deprecations

    • :authenticatable is not included by default anymore

  • enhancements

    • Improve loading process

    • Extract SessionSerializer from Authenticatable

0.6.3

  • bug fix

    • Added trackable to migrations

    • Allow inflections to work

0.6.2

  • enhancements

    • More DataMapper compatibility

    • Devise::Trackable - track sign in count, timestamps and ips

0.6.1

  • enhancements

    • Devise::Timeoutable - timeout sessions without activity

    • DataMapper now accepts conditions

0.6.0

  • deprecations

    • :authenticatable is still included by default, but yields a deprecation warning

  • enhancements

    • Added DataMapper support

    • Remove store_location from authenticatable strategy and add it to failure app

    • Allow a strategy to be placed after authenticatable

    • #45

      Do not rely attribute? methods, since they are not added on Datamapper

0.5.6

  • enhancements

    • #42

      Do not send nil to build (DataMapper compatibility)

    • #44

      Allow to have scoped views

0.5.5

  • enhancements

    • Allow overwriting find for authentication method

    • #38

      Remove Ruby 1.8.7 dependency

0.5.4

  • deprecations

    • Deprecate :singular in devise_for and use :scope instead

  • enhancements

    • #37

      Create after_sign_in_path_for and after_sign_out_path_for hooks to be

      overwriten in ApplicationController

    • Create sign_in_and_redirect and sign_out_and_redirect helpers

    • Warden::Manager.default_scope is automatically configured to the first given scope

0.5.3

  • bug fix

    • MongoMapper now converts DateTime to Time

    • Ensure all controllers are unloadable

  • enhancements

    • #35

      Moved friendly_token to Devise

    • Added Devise.all, so you can freeze your app strategies

    • Added Devise.apply_schema, so you can turn it to false in Datamapper or MongoMapper in cases you don’t want it be handlded automatically

0.5.2

  • enhancements

    • #28

      Improved sign_in and sign_out helpers to accepts resources

    • #28

      Added stored_location_for as a helper

    • #20

      Added test helpers

0.5.1

  • enhancements

    • Added serializers based on Warden ones

    • Allow authentication keys to be set

0.5.0

  • bug fix

    • Fixed a bug where remember me module was not working properly

  • enhancements

    • Moved encryption strategy into the Encryptors module to allow several algorithms (by @mhfs)

    • Implemented encryptors for Clearance, Authlogic and Restful-Authentication (by @mhfs)

    • Added support for MongoMapper (by @shingara)

0.4.3

  • bug fix

    • #29

      Authentication just fails if user cannot be serialized from session, without raising errors;

    • Default configuration values should not overwrite user values;

0.4.2

  • deprecations

    • Renamed mail_sender to mailer_sender

  • enhancements

    • skip_before_filter added in Devise controllers

    • Use home_or_root_path on require_no_authentication as well

    • Added devise_controller?, useful to select or reject filters in ApplicationController

    • Allow :path_prefix to be given to devise_for

    • Allow default_url_options to be configured through devise (:path_prefix => “/:locale” is now supported)

0.4.1

  • bug fix

    • #21

      Ensure options can be set even if models were not loaded

0.4.0

  • deprecations

    • Notifier is deprecated, use DeviseMailer instead. Remember to rename app/views/notifier to app/views/devise_mailer and I18n key from devise.notifier to devise.mailer

    • :authenticable calls are deprecated, use :authenticatable instead

  • enhancements

    • #16

      Allow devise to be more agnostic and do not require ActiveRecord to be loaded

    • Allow Warden::Manager to be configured through Devise

    • Created a generator which creates an initializer

0.3.0

  • bug fix

    • #15

      Allow yml messages to be configured by not using engine locales

  • deprecations

    • Renamed confirm_in to confirm_within

    • #14

      Do not send confirmation messages when user changes his e-mail

    • #13

      Renamed authenticable to authenticatable and added deprecation warnings

0.2.3

  • enhancements

    • Ensure fail! works inside strategies

    • #12

      Make unauthenticated message (when you haven’t signed in) different from invalid message

  • bug fix

    • Do not redirect on invalid authenticate

    • Allow model configuration to be set to nil

0.2.2

  • bug fix

    • #9

      Fix a bug when using customized resources

0.2.1

  • refactor

    • Clean devise_views generator to use devise existing views

  • enhancements

    • #7

      Create instance variables (like @user) for each devise controller

    • Use Devise::Controller::Helpers only internally

  • bug fix

    • #6

      Fix a bug with Mongrel and Ruby 1.8.6

0.2.0

  • enhancements

    • #4

      Allow option :null => true in authenticable migration

    • #3

      Remove attr_accessible calls from devise modules

    • Customizable time frame for rememberable with :remember_for config

    • Customizable time frame for confirmable with :confirm_in config

    • Generators for creating a resource and copy views

  • optimize

    • Do not load hooks or strategies if they are not used

  • bug fixes

    • #2

      Fixed requiring devise strategies

0.1.1

  • bug fixes

    • #1

      Fixed requiring devise mapping

0.1.0

  • Devise::Authenticable

  • Devise::Confirmable

  • Devise::Recoverable

  • Devise::Validatable

  • Devise::Migratable

  • Devise::Rememberable

  • SessionsController

  • PasswordsController

  • ConfirmationsController

  • Create an example app

  • devise :all, :except => :rememberable

  • Use sign_in and sign_out in SessionsController

  • Mailer subjects namespaced by model

  • Allow stretches and pepper per model

  • Store session in session

  • Sign user in automatically after confirming or changing it’s password