Merge pull request #78 from tvdeyen/4.2-stable

4.2 stable

.travis.yml

@@ -3,9 +3,9 @@ dist: trusty
 sudo: false
 cache: bundler
 rvm:
-- 2.2.7
-- 2.3.5
-- 2.4.2
+- 2.4.5
+- 2.5.5
+- 2.6.2
 branches:
   only:
     - master

CHANGELOG.md

@@ -1,3 +1,11 @@
+## 4.2.0 (unreleased)
+
+- Do not store screen size at login [#78](https://github.com/AlchemyCMS/alchemy-devise/pull/78) ([tvdeyen](https://github.com/tvdeyen))
+- Security: Use at least Devise 4.6 [#78](https://github.com/AlchemyCMS/alchemy-devise/pull/78) ([tvdeyen](https://github.com/tvdeyen))
+- Fix dummy app rails version [#76](https://github.com/AlchemyCMS/alchemy-devise/pull/76) ([tvdeyen](https://github.com/tvdeyen))
+- Fix translation key on user admin page [#75](https://github.com/AlchemyCMS/alchemy-devise/pull/75) ([mamhoff](https://github.com/mamhoff))
+
+
 ## 4.1.0 (2018-09-22)
 
 - Only allow Alchemy > 4.1 [#72](https://github.com/AlchemyCMS/alchemy-devise/pull/72) ([tvdeyen](https://github.com/tvdeyen))

Gemfile

@@ -10,6 +10,7 @@ unless ENV['CI']
   gem 'pry'
   gem 'spring-commands-rspec'
   gem 'launchy'
+  gem 'github_fast_changelog', require: false
 end
 
 group :test do

README.md

@@ -1,10 +1,10 @@
-## Devise based authentication for Alchemy 4.1
+## Devise based authentication for AlchemyCMS 4.2
 
 [![Build Status](https://secure.travis-ci.org/AlchemyCMS/alchemy-devise.svg?branch=master)](http://travis-ci.org/AlchemyCMS/alchemy-devise)
 
 [![Gem Version](https://badge.fury.io/rb/alchemy-devise.svg)](http://badge.fury.io/rb/alchemy-devise) [![Test Coverage](https://codeclimate.com/github/AlchemyCMS/alchemy-devise/badges/coverage.svg)](https://codeclimate.com/github/AlchemyCMS/alchemy-devise/coverage) [![Code Climate](https://codeclimate.com/github/AlchemyCMS/alchemy-devise/badges/gpa.svg)](https://codeclimate.com/github/AlchemyCMS/alchemy-devise) [![security](https://hakiri.io/github/AlchemyCMS/alchemy-devise/master.svg)](https://hakiri.io/github/AlchemyCMS/alchemy-devise/master)
 
-**CAUTION: This master branch is a development branch that can contain bugs. For productive environments you should use the [current Ruby gem version](https://rubygems.org/gems/alchemy-devise/versions/4.1.0), or the [latest stable branch (4.1-stable)](https://github.com/AlchemyCMS/alchemy-devise/tree/4.1-stable).**
+**CAUTION: This master branch is a development branch that can contain bugs. For productive environments you should use the [current Ruby gem version](https://rubygems.org/gems/alchemy-devise/versions/4.1.0), or the [latest stable branch (4.2-stable)](https://github.com/AlchemyCMS/alchemy-devise/tree/4.2-stable).**
 
 AlchemyCMS has no authentication in its core. So it is possibly to bring your own authentication and use it to authorize users in AlchemyCMS. If you don't have your own authentication, you can use this gem.
 
@@ -17,7 +17,7 @@ Just put the gem into your projects `Gemfile`.
 gem 'alchemy-devise', github: 'AlchemyCMS/alchemy-devise', branch: 'master'
 ```
 
-**NOTE:** You normally want to use a stable branch, like `4.1-stable`.
+**NOTE:** You normally want to use a stable branch, like `4.2-stable`.
 
 and run `bundle install`.
 

Rakefile

@@ -39,4 +39,24 @@ cd -
 BASH
     end
   end
+
+  namespace :changelog do
+    desc "Update changelog"
+    task :update do
+      original_file = './CHANGELOG.md'
+      new_file = original_file + '.new'
+      backup = original_file + '.old'
+      changes = `git rev-list #{ENV['PREVIOUS_VERSION']}...master | bundle exec github_fast_changelog AlchemyCMS/alchemy-devise`
+      File.open(new_file, 'w') do |fo|
+        fo.puts changes
+        File.foreach(original_file) do |li|
+          fo.puts li
+        end
+        fo.puts ""
+      end
+      File.rename(original_file, backup)
+      File.rename(new_file, original_file)
+      File.delete(backup)
+    end
+  end
 end

alchemy-devise.gemspec

@@ -17,7 +17,7 @@ Gem::Specification.new do |s|
   s.test_files = Dir["spec/**/*"]
 
   s.add_dependency "alchemy_cms", [">= 4.1.0.beta", "< 4.99"]
-  s.add_dependency "devise",      [">= 4.0", "< 4.99"]
+  s.add_dependency "devise",      [">= 4.6.0", "< 4.99"]
 
   s.add_development_dependency "capybara"
   s.add_development_dependency "factory_bot_rails"

app/controllers/alchemy/admin/users_controller.rb

@@ -17,7 +17,7 @@ def index
         @query.sorts = 'login asc' if @query.sorts.empty?
         @users = @query.result
           .page(params[:page] || 1)
-          .per(per_page_value_for_screen_size)
+          .per(items_per_page)
       end
 
       def new

app/controllers/alchemy/user_sessions_controller.rb

@@ -20,7 +20,6 @@ def create
       authenticate_user!
 
       if user_signed_in?
-        store_screen_size
         if session[:redirect_path].blank?
           redirect_path = admin_dashboard_path
         else
@@ -49,10 +48,6 @@ def check_user_count
       end
     end
 
-    def store_screen_size
-      session[:screen_size] = params[:user_screensize]
-    end
-
     # Overwriting the default of Devise
     def after_sign_out_path_for(resource_or_scope)
       if request.referer.blank? || request.referer.to_s =~ /admin/

app/views/alchemy/user_sessions/new.html.erb

@@ -9,7 +9,6 @@
       </small>
     </div>
     <div class="submit">
-      <%= hidden_field_tag 'user_screensize' %>
       <button class="secondary"><%= Alchemy.t(:login) %></button>
     </div>
   <% end %>
@@ -19,9 +18,6 @@
 <script type="text/javascript" charset="utf-8">
   jQuery(function($) {
     $('#user_login').focus();
-    $('#user_screensize').val(function() {
-      return screen.width+'x'+screen.height;
-    });
   });
 </script>
 <%- end -%>

lib/alchemy/devise/test_support/factories.rb

@@ -1,26 +1,28 @@
+# frozen_string_literal: true
+
 FactoryBot.define do
-  factory :alchemy_user, class: 'Alchemy::User' do
+  factory :alchemy_user, class: Alchemy::User do
     sequence(:login) { |n| "john_#{n}.doe" }
     sequence(:email) { |n| "john_#{n}@doe.com" }
-    firstname 'John'
-    lastname 'Doe'
-    password 's3cr3t'
-    password_confirmation 's3cr3t'
+    firstname { 'John' }
+    lastname { 'Doe' }
+    password { 's3cr3t' }
+    password_confirmation { 's3cr3t' }
 
     factory :alchemy_admin_user do
-      alchemy_roles 'admin'
+      alchemy_roles { 'admin' }
     end
 
     factory :alchemy_member_user do
-      alchemy_roles 'member'
+      alchemy_roles { 'member' }
     end
 
     factory :alchemy_author_user do
-      alchemy_roles 'author'
+      alchemy_roles { 'author' }
     end
 
     factory :alchemy_editor_user do
-      alchemy_roles 'editor'
+      alchemy_roles { 'editor' }
     end
   end
 end

lib/generators/alchemy/devise/install/templates/devise.rb.tt

@@ -1,14 +1,18 @@
+# frozen_string_literal: true
+
 # Use this hook to configure devise mailer, warden hooks and so forth.
 # Many of these configuration options can be set straight in your model.
 Devise.setup do |config|
   # The secret key used by Devise. Devise uses this key to generate
   # random tokens. Changing this key will render invalid all existing
   # confirmation, reset password and unlock tokens in the database.
+  # Devise will use the `secret_key_base` as its `secret_key`
+  # by default. You can change it below and use your own secret key.
+  # config.secret_key = '<%= SecureRandom.hex(64) %>'
 
-  # By default, Devise will use your Application's secret_key_base as its
-  # secret_key. You can override it here by uncommenting the following
-  # line. Remember to keep this file out of source control if you do that.
-  # config.secret_key = <%= SecureRandom.hex(50).inspect %>
+  # ==> Controller configuration
+  # Configure the parent class to the devise controllers.
+  config.parent_controller = "Alchemy::BaseController"
 
   # ==> Mailer Configuration
   # Configure the e-mail address which will be shown in Devise::Mailer,
@@ -19,14 +23,15 @@ Devise.setup do |config|
   # Configure the class responsible to send e-mails.
   config.mailer = "Alchemy::Notifications"
 
+  # Configure the parent class responsible to send e-mails.
+  # config.parent_mailer = 'ActionMailer::Base'
+
   # ==> ORM configuration
   # Load and configure the ORM. Supports :active_record (default) and
   # :mongoid (bson_ext recommended) by default. Other ORMs may be
   # available as additional gems.
   require 'devise/orm/active_record'
 
-  config.parent_controller = "Alchemy::BaseController"
-
   # ==> Configuration for any authentication mechanism
   # Configure which keys are used when authenticating a user. The default is
   # just :email. You can configure it to use [:username, :subdomain], so for
@@ -91,26 +96,41 @@ Devise.setup do |config|
   # from the server. You can disable this option at your own risk.
   # config.clean_up_csrf_token_on_authentication = true
 
+  # When false, Devise will not attempt to reload routes on eager load.
+  # This can reduce the time taken to boot the app but if your application
+  # requires the Devise mappings to be loaded during boot time the application
+  # won't boot properly.
+  # config.reload_routes = true
+
   # ==> Configuration for :database_authenticatable
-  # For bcrypt, this is the cost for hashing the password and defaults to 10. If
-  # using other encryptors, it sets how many times you want the password re-encrypted.
+  # For bcrypt, this is the cost for hashing the password and defaults to 11. If
+  # using other algorithms, it sets how many times you want the password to be hashed.
   #
   # Limiting the stretches to just one in testing will increase the performance of
   # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use
   # a value less than 10 in other environments. Note that, for bcrypt (the default
-  # encryptor), the cost increases exponentially with the number of stretches (e.g.
+  # algorithm), the cost increases exponentially with the number of stretches (e.g.
   # a value of 20 is already extremely slow: approx. 60 seconds for 1 calculation).
-  config.stretches = Rails.env.test? ? 1 : 10
+  config.stretches = Rails.env.test? ? 1 : 11
+
+  # Set up a pepper to generate the hashed password.
+  # config.pepper = '<%= SecureRandom.hex(64) %>'
+
+  # Send a notification to the original email when the user's email is changed.
+  # config.send_email_changed_notification = false
 
-  # Setup a pepper to generate the encrypted password.
-  # config.pepper = <%= SecureRandom.hex(50).inspect %>
+  # Send a notification email when the user's password is changed.
+  # config.send_password_change_notification = false
 
   # ==> Configuration for :confirmable
   # A period that the user is allowed to access the website even without
   # confirming their account. For instance, if set to 2.days, the user will be
   # able to access the website for two days without confirming their account,
-  # access will be blocked just in the third day. Default is 0.days, meaning
-  # the user cannot access the website without confirming their account.
+  # access will be blocked just in the third day.
+  # You can also set it to nil, which will allow the user to access the website
+  # without confirming their account.
+  # Default is 0.days, meaning the user cannot access the website without
+  # confirming their account.
   # config.allow_unconfirmed_access_for = 2.days
 
   # A period that the user is allowed to confirm their account before their
@@ -128,7 +148,7 @@ Devise.setup do |config|
   config.reconfirmable = false
 
   # Defines which key will be used when confirming an account
-  # config.confirmation_keys = [ :email ]
+  # config.confirmation_keys = [:email]
 
   # ==> Configuration for :rememberable
   # The time the user will be remembered without asking for credentials again.
@@ -151,24 +171,21 @@ Devise.setup do |config|
   # Email regex used to validate email formats. It simply asserts that
   # one (and only one) @ exists in the given string. This is mainly
   # to give user feedback and not to assert the e-mail validity.
-  # config.email_regexp = /\A[^@]+@[^@]+\z/
+  config.email_regexp = /\A[^@\s]+@[^@\s]+\z/
 
   # ==> Configuration for :timeoutable
   # The time you want to timeout the user session without activity. After this
   # time the user will be asked for credentials again. Default is 30 minutes.
   config.timeout_in = Rails.env.development? ? nil : Alchemy::Config.get(:auto_logout_time).minutes
 
-  # If true, expires auth token on session timeout.
-  # config.expire_auth_token_on_timeout = false
-
   # ==> Configuration for :lockable
   # Defines which strategy will be used to lock an account.
   # :failed_attempts = Locks an account after a number of failed attempts to sign in.
   # :none            = No lock strategy. You should handle locking by yourself.
   # config.lock_strategy = :failed_attempts
 
   # Defines which key will be used when locking and unlocking an account
-  # config.unlock_keys = [ :email ]
+  # config.unlock_keys = [:email]
 
   # Defines which strategy will be used to unlock an account.
   # :email = Sends an unlock link to the user email
@@ -185,24 +202,28 @@ Devise.setup do |config|
   # config.unlock_in = 1.hour
 
   # Warn on the last attempt before the account is locked.
-  config.last_attempt_warning = true
+  # config.last_attempt_warning = true
 
   # ==> Configuration for :recoverable
   #
   # Defines which key will be used when recovering the password for an account
-  # config.reset_password_keys = [ :email ]
+  # config.reset_password_keys = [:email]
 
   # Time interval you can reset your password with a reset password key.
   # Don't put a too small interval or your users won't have the time to
   # change their passwords.
   config.reset_password_within = 6.hours
 
+  # When set to false, does not sign a user in automatically after their password is
+  # reset. Defaults to true, so a user is signed in automatically after a reset.
+  # config.sign_in_after_reset_password = true
+
   # ==> Configuration for :encryptable
-  # Allow you to use another encryption algorithm besides bcrypt (default). You can use
-  # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,
-  # :authlogic_sha512 (then you should set stretches above to 20 for default behavior)
-  # and :restful_authentication_sha1 (then you should set stretches to 10, and copy
-  # REST_AUTH_SITE_KEY to pepper).
+  # Allow you to use another hashing or encryption algorithm besides bcrypt (default).
+  # You can use :sha1, :sha512 or algorithms from others authentication tools as
+  # :clearance_sha1, :authlogic_sha512 (then you should set stretches above to 20
+  # for default behavior) and :restful_authentication_sha1 (then you should set
+  # stretches to 10, and copy REST_AUTH_SITE_KEY to pepper).
   #
   # Require the `devise-encryptable` gem when using anything other than bcrypt
   # config.encryptor = :sha512
@@ -259,7 +280,20 @@ Devise.setup do |config|
   # The router that invoked `devise_for`, in the example above, would be:
   # config.router_name = :my_engine
   #
-  # When using omniauth, Devise cannot automatically set Omniauth path,
+  # When using OmniAuth, Devise cannot automatically set OmniAuth path,
   # so you need to do it manually. For the users scope, it would be:
   # config.omniauth_path_prefix = '/my_engine/users/auth'
+
+  # ==> Turbolinks configuration
+  # If your app is using Turbolinks, Turbolinks::Controller needs to be included to make redirection work correctly:
+  #
+  # ActiveSupport.on_load(:devise_failure_app) do
+  #   include Turbolinks::Controller
+  # end
+
+  # ==> Configuration for :registerable
+
+  # When set to false, does not sign a user in automatically after their password is
+  # changed. Defaults to true, so a user is signed in automatically after changing a password.
+  # config.sign_in_after_change_password = true
 end

spec/controllers/user_sessions_controller_spec.rb

@@ -54,11 +54,6 @@
           end
         end
 
-        it "stores users screen size" do
-          post :create, params: {user: user_params, user_screensize: screen_size}
-          expect(session[:screen_size]).to eq(screen_size)
-        end
-
         context 'without valid params' do
           it "renders login form" do
             post :create, params: {user: {login: ''}}

spec/dummy/bin/setup

@@ -1,10 +1,9 @@
 #!/usr/bin/env ruby
-require 'pathname'
 require 'fileutils'
 include FileUtils
 
 # path to your application root.
-APP_ROOT = Pathname.new File.expand_path('../../', __FILE__)
+APP_ROOT = File.expand_path('..', __dir__)
 
 def system!(*args)
   system(*args) || abort("\n== Command #{args} failed ==")
@@ -18,6 +17,9 @@ chdir APP_ROOT do
   system! 'gem install bundler --conservative'
   system('bundle check') || system!('bundle install')
 
+  # Install JavaScript dependencies if using Yarn
+  # system('bin/yarn')
+
   # puts "\n== Copying sample files =="
   # unless File.exist?('config/database.yml')
   #   cp 'config/database.yml.sample', 'config/database.yml'