From c5111f793eb710c88ba086dd336a4bc92989aca0 Mon Sep 17 00:00:00 2001 From: Thomas von Deyen Date: Mon, 1 Apr 2019 09:40:32 +0200 Subject: [PATCH 01/11] Add changelog update rake task --- Gemfile | 1 + Rakefile | 20 ++++++++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/Gemfile b/Gemfile index 4442776..b3a8495 100644 --- a/Gemfile +++ b/Gemfile @@ -10,6 +10,7 @@ unless ENV['CI'] gem 'pry' gem 'spring-commands-rspec' gem 'launchy' + gem 'github_fast_changelog', require: false end group :test do diff --git a/Rakefile b/Rakefile index 793408e..c517cd0 100644 --- a/Rakefile +++ b/Rakefile @@ -39,4 +39,24 @@ cd - BASH end end + + namespace :changelog do + desc "Update changelog" + task :update do + original_file = './CHANGELOG.md' + new_file = original_file + '.new' + backup = original_file + '.old' + changes = `git rev-list #{ENV['PREVIOUS_VERSION']}...master | bundle exec github_fast_changelog AlchemyCMS/alchemy-devise` + File.open(new_file, 'w') do |fo| + fo.puts changes + File.foreach(original_file) do |li| + fo.puts li + end + fo.puts "" + end + File.rename(original_file, backup) + File.rename(new_file, original_file) + File.delete(backup) + end + end end From 45230021f2b3cacc57a4ca2a175af652dc790a70 Mon Sep 17 00:00:00 2001 From: Thomas von Deyen Date: Mon, 1 Apr 2019 09:55:22 +0200 Subject: [PATCH 02/11] Use at least Devise 4.6 for security patch Devise ruby gem before 4.6.0 when the lockable module is used is vulnerable to a time-of-check time-of-use (TOCTOU) race condition due to increment_failed_attempts within the `Devise::Models::Lockable` class not being concurrency safe. --- alchemy-devise.gemspec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/alchemy-devise.gemspec b/alchemy-devise.gemspec index 35e4e09..663bb3a 100644 --- a/alchemy-devise.gemspec +++ b/alchemy-devise.gemspec @@ -17,7 +17,7 @@ Gem::Specification.new do |s| s.test_files = Dir["spec/**/*"] s.add_dependency "alchemy_cms", [">= 4.1.0.beta", "< 4.99"] - s.add_dependency "devise", [">= 4.0", "< 4.99"] + s.add_dependency "devise", [">= 4.6.0", "< 4.99"] s.add_development_dependency "capybara" s.add_development_dependency "factory_bot_rails" From 20a1c6732932a79cb69963e3fde06ca0253fb8bc Mon Sep 17 00:00:00 2001 From: Thomas von Deyen Date: Mon, 1 Apr 2019 09:55:57 +0200 Subject: [PATCH 03/11] Update default config for devise 4.6 Nothing changed, just updated to keeop up with the defaults. --- .../devise/install/templates/devise.rb.tt | 90 +++++++++++++------ 1 file changed, 62 insertions(+), 28 deletions(-) diff --git a/lib/generators/alchemy/devise/install/templates/devise.rb.tt b/lib/generators/alchemy/devise/install/templates/devise.rb.tt index 8885730..15c1660 100644 --- a/lib/generators/alchemy/devise/install/templates/devise.rb.tt +++ b/lib/generators/alchemy/devise/install/templates/devise.rb.tt @@ -1,14 +1,18 @@ +# frozen_string_literal: true + # Use this hook to configure devise mailer, warden hooks and so forth. # Many of these configuration options can be set straight in your model. Devise.setup do |config| # The secret key used by Devise. Devise uses this key to generate # random tokens. Changing this key will render invalid all existing # confirmation, reset password and unlock tokens in the database. + # Devise will use the `secret_key_base` as its `secret_key` + # by default. You can change it below and use your own secret key. + # config.secret_key = '<%= SecureRandom.hex(64) %>' - # By default, Devise will use your Application's secret_key_base as its - # secret_key. You can override it here by uncommenting the following - # line. Remember to keep this file out of source control if you do that. - # config.secret_key = <%= SecureRandom.hex(50).inspect %> + # ==> Controller configuration + # Configure the parent class to the devise controllers. + config.parent_controller = "Alchemy::BaseController" # ==> Mailer Configuration # Configure the e-mail address which will be shown in Devise::Mailer, @@ -19,14 +23,15 @@ Devise.setup do |config| # Configure the class responsible to send e-mails. config.mailer = "Alchemy::Notifications" + # Configure the parent class responsible to send e-mails. + # config.parent_mailer = 'ActionMailer::Base' + # ==> ORM configuration # Load and configure the ORM. Supports :active_record (default) and # :mongoid (bson_ext recommended) by default. Other ORMs may be # available as additional gems. require 'devise/orm/active_record' - config.parent_controller = "Alchemy::BaseController" - # ==> Configuration for any authentication mechanism # Configure which keys are used when authenticating a user. The default is # just :email. You can configure it to use [:username, :subdomain], so for @@ -91,26 +96,41 @@ Devise.setup do |config| # from the server. You can disable this option at your own risk. # config.clean_up_csrf_token_on_authentication = true + # When false, Devise will not attempt to reload routes on eager load. + # This can reduce the time taken to boot the app but if your application + # requires the Devise mappings to be loaded during boot time the application + # won't boot properly. + # config.reload_routes = true + # ==> Configuration for :database_authenticatable - # For bcrypt, this is the cost for hashing the password and defaults to 10. If - # using other encryptors, it sets how many times you want the password re-encrypted. + # For bcrypt, this is the cost for hashing the password and defaults to 11. If + # using other algorithms, it sets how many times you want the password to be hashed. # # Limiting the stretches to just one in testing will increase the performance of # your test suite dramatically. However, it is STRONGLY RECOMMENDED to not use # a value less than 10 in other environments. Note that, for bcrypt (the default - # encryptor), the cost increases exponentially with the number of stretches (e.g. + # algorithm), the cost increases exponentially with the number of stretches (e.g. # a value of 20 is already extremely slow: approx. 60 seconds for 1 calculation). - config.stretches = Rails.env.test? ? 1 : 10 + config.stretches = Rails.env.test? ? 1 : 11 + + # Set up a pepper to generate the hashed password. + # config.pepper = '<%= SecureRandom.hex(64) %>' + + # Send a notification to the original email when the user's email is changed. + # config.send_email_changed_notification = false - # Setup a pepper to generate the encrypted password. - # config.pepper = <%= SecureRandom.hex(50).inspect %> + # Send a notification email when the user's password is changed. + # config.send_password_change_notification = false # ==> Configuration for :confirmable # A period that the user is allowed to access the website even without # confirming their account. For instance, if set to 2.days, the user will be # able to access the website for two days without confirming their account, - # access will be blocked just in the third day. Default is 0.days, meaning - # the user cannot access the website without confirming their account. + # access will be blocked just in the third day. + # You can also set it to nil, which will allow the user to access the website + # without confirming their account. + # Default is 0.days, meaning the user cannot access the website without + # confirming their account. # config.allow_unconfirmed_access_for = 2.days # A period that the user is allowed to confirm their account before their @@ -128,7 +148,7 @@ Devise.setup do |config| config.reconfirmable = false # Defines which key will be used when confirming an account - # config.confirmation_keys = [ :email ] + # config.confirmation_keys = [:email] # ==> Configuration for :rememberable # The time the user will be remembered without asking for credentials again. @@ -151,16 +171,13 @@ Devise.setup do |config| # Email regex used to validate email formats. It simply asserts that # one (and only one) @ exists in the given string. This is mainly # to give user feedback and not to assert the e-mail validity. - # config.email_regexp = /\A[^@]+@[^@]+\z/ + config.email_regexp = /\A[^@\s]+@[^@\s]+\z/ # ==> Configuration for :timeoutable # The time you want to timeout the user session without activity. After this # time the user will be asked for credentials again. Default is 30 minutes. config.timeout_in = Rails.env.development? ? nil : Alchemy::Config.get(:auto_logout_time).minutes - # If true, expires auth token on session timeout. - # config.expire_auth_token_on_timeout = false - # ==> Configuration for :lockable # Defines which strategy will be used to lock an account. # :failed_attempts = Locks an account after a number of failed attempts to sign in. @@ -168,7 +185,7 @@ Devise.setup do |config| # config.lock_strategy = :failed_attempts # Defines which key will be used when locking and unlocking an account - # config.unlock_keys = [ :email ] + # config.unlock_keys = [:email] # Defines which strategy will be used to unlock an account. # :email = Sends an unlock link to the user email @@ -185,24 +202,28 @@ Devise.setup do |config| # config.unlock_in = 1.hour # Warn on the last attempt before the account is locked. - config.last_attempt_warning = true + # config.last_attempt_warning = true # ==> Configuration for :recoverable # # Defines which key will be used when recovering the password for an account - # config.reset_password_keys = [ :email ] + # config.reset_password_keys = [:email] # Time interval you can reset your password with a reset password key. # Don't put a too small interval or your users won't have the time to # change their passwords. config.reset_password_within = 6.hours + # When set to false, does not sign a user in automatically after their password is + # reset. Defaults to true, so a user is signed in automatically after a reset. + # config.sign_in_after_reset_password = true + # ==> Configuration for :encryptable - # Allow you to use another encryption algorithm besides bcrypt (default). You can use - # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1, - # :authlogic_sha512 (then you should set stretches above to 20 for default behavior) - # and :restful_authentication_sha1 (then you should set stretches to 10, and copy - # REST_AUTH_SITE_KEY to pepper). + # Allow you to use another hashing or encryption algorithm besides bcrypt (default). + # You can use :sha1, :sha512 or algorithms from others authentication tools as + # :clearance_sha1, :authlogic_sha512 (then you should set stretches above to 20 + # for default behavior) and :restful_authentication_sha1 (then you should set + # stretches to 10, and copy REST_AUTH_SITE_KEY to pepper). # # Require the `devise-encryptable` gem when using anything other than bcrypt # config.encryptor = :sha512 @@ -259,7 +280,20 @@ Devise.setup do |config| # The router that invoked `devise_for`, in the example above, would be: # config.router_name = :my_engine # - # When using omniauth, Devise cannot automatically set Omniauth path, + # When using OmniAuth, Devise cannot automatically set OmniAuth path, # so you need to do it manually. For the users scope, it would be: # config.omniauth_path_prefix = '/my_engine/users/auth' + + # ==> Turbolinks configuration + # If your app is using Turbolinks, Turbolinks::Controller needs to be included to make redirection work correctly: + # + # ActiveSupport.on_load(:devise_failure_app) do + # include Turbolinks::Controller + # end + + # ==> Configuration for :registerable + + # When set to false, does not sign a user in automatically after their password is + # changed. Defaults to true, so a user is signed in automatically after changing a password. + # config.sign_in_after_change_password = true end From 03583d6acf458b722edbebacac5e95ad7dcd141a Mon Sep 17 00:00:00 2001 From: Thomas von Deyen Date: Mon, 1 Apr 2019 11:58:12 +0200 Subject: [PATCH 04/11] Update schema.rb version syntax of dummy app --- spec/dummy/db/schema.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/spec/dummy/db/schema.rb b/spec/dummy/db/schema.rb index 832409e..de8c6b7 100644 --- a/spec/dummy/db/schema.rb +++ b/spec/dummy/db/schema.rb @@ -10,7 +10,7 @@ # # It's strongly recommended that you check this file into your version control system. -ActiveRecord::Schema.define(version: 20180301103350) do +ActiveRecord::Schema.define(version: 2018_03_01_103350) do create_table "alchemy_attachments", force: :cascade do |t| t.string "name" From ff5f817432507cf76d297ec5d8e6e00ebb6ed7d4 Mon Sep 17 00:00:00 2001 From: Thomas von Deyen Date: Mon, 1 Apr 2019 11:58:38 +0200 Subject: [PATCH 05/11] Update user factory to latest FactoryBot version --- lib/alchemy/devise/test_support/factories.rb | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/lib/alchemy/devise/test_support/factories.rb b/lib/alchemy/devise/test_support/factories.rb index c8c1890..bc3f7f2 100644 --- a/lib/alchemy/devise/test_support/factories.rb +++ b/lib/alchemy/devise/test_support/factories.rb @@ -1,26 +1,28 @@ +# frozen_string_literal: true + FactoryBot.define do - factory :alchemy_user, class: 'Alchemy::User' do + factory :alchemy_user, class: Alchemy::User do sequence(:login) { |n| "john_#{n}.doe" } sequence(:email) { |n| "john_#{n}@doe.com" } - firstname 'John' - lastname 'Doe' - password 's3cr3t' - password_confirmation 's3cr3t' + firstname { 'John' } + lastname { 'Doe' } + password { 's3cr3t' } + password_confirmation { 's3cr3t' } factory :alchemy_admin_user do - alchemy_roles 'admin' + alchemy_roles { 'admin' } end factory :alchemy_member_user do - alchemy_roles 'member' + alchemy_roles { 'member' } end factory :alchemy_author_user do - alchemy_roles 'author' + alchemy_roles { 'author' } end factory :alchemy_editor_user do - alchemy_roles 'editor' + alchemy_roles { 'editor' } end end end From 38c56909ebf132b94c0030ec3d22a668dbb6cf51 Mon Sep 17 00:00:00 2001 From: Thomas von Deyen Date: Mon, 1 Apr 2019 12:05:02 +0200 Subject: [PATCH 06/11] Don't require rails test/unit support We use RSpec to test, no need to require it. Fixes invalid option: --pattern output appearing at end of tests. --- spec/spec_helper.rb | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/spec/spec_helper.rb b/spec/spec_helper.rb index 7cce332..0049bfe 100644 --- a/spec/spec_helper.rb +++ b/spec/spec_helper.rb @@ -8,10 +8,9 @@ end # Configure Rails Environment -ENV["RAILS_ENV"] = "test" +ENV["RAILS_ENV"] ||= "test" require File.expand_path("../dummy/config/environment.rb", __FILE__) -require "rails/test_help" require "rspec/rails" require 'rspec/active_model/mocks' require "capybara/rails" From fdead5a57157292c09e31b3727b9dc533d66cc76 Mon Sep 17 00:00:00 2001 From: Thomas von Deyen Date: Mon, 1 Apr 2019 14:23:25 +0200 Subject: [PATCH 07/11] Upgrade bundled dummy app to Rails 5.2 --- spec/dummy/bin/setup | 6 ++- spec/dummy/bin/update | 6 ++- spec/dummy/config/application.rb | 12 ++++-- spec/dummy/config/boot.rb | 4 +- spec/dummy/config/environments/development.rb | 13 +++++-- spec/dummy/config/environments/production.rb | 13 ++++--- spec/dummy/config/environments/test.rb | 6 ++- .../application_controller_renderer.rb | 10 +++-- spec/dummy/config/initializers/assets.rb | 9 +++-- .../initializers/content_security_policy.rb | 25 ++++++++++++ .../config/initializers/cookies_serializer.rb | 2 +- .../new_framework_defaults_5_2.rb | 38 +++++++++++++++++++ spec/dummy/config/locales/en.yml | 10 +++++ spec/dummy/config/storage.yml | 34 +++++++++++++++++ 14 files changed, 160 insertions(+), 28 deletions(-) create mode 100644 spec/dummy/config/initializers/content_security_policy.rb create mode 100644 spec/dummy/config/initializers/new_framework_defaults_5_2.rb create mode 100644 spec/dummy/config/storage.yml diff --git a/spec/dummy/bin/setup b/spec/dummy/bin/setup index e620b4d..94fd4d7 100755 --- a/spec/dummy/bin/setup +++ b/spec/dummy/bin/setup @@ -1,10 +1,9 @@ #!/usr/bin/env ruby -require 'pathname' require 'fileutils' include FileUtils # path to your application root. -APP_ROOT = Pathname.new File.expand_path('../../', __FILE__) +APP_ROOT = File.expand_path('..', __dir__) def system!(*args) system(*args) || abort("\n== Command #{args} failed ==") @@ -18,6 +17,9 @@ chdir APP_ROOT do system! 'gem install bundler --conservative' system('bundle check') || system!('bundle install') + # Install JavaScript dependencies if using Yarn + # system('bin/yarn') + # puts "\n== Copying sample files ==" # unless File.exist?('config/database.yml') # cp 'config/database.yml.sample', 'config/database.yml' diff --git a/spec/dummy/bin/update b/spec/dummy/bin/update index a8e4462..58bfaed 100755 --- a/spec/dummy/bin/update +++ b/spec/dummy/bin/update @@ -1,10 +1,9 @@ #!/usr/bin/env ruby -require 'pathname' require 'fileutils' include FileUtils # path to your application root. -APP_ROOT = Pathname.new File.expand_path('../../', __FILE__) +APP_ROOT = File.expand_path('..', __dir__) def system!(*args) system(*args) || abort("\n== Command #{args} failed ==") @@ -18,6 +17,9 @@ chdir APP_ROOT do system! 'gem install bundler --conservative' system('bundle check') || system!('bundle install') + # Install JavaScript dependencies if using Yarn + # system('bin/yarn') + puts "\n== Updating database ==" system! 'bin/rails db:migrate' diff --git a/spec/dummy/config/application.rb b/spec/dummy/config/application.rb index af86759..c031fc6 100644 --- a/spec/dummy/config/application.rb +++ b/spec/dummy/config/application.rb @@ -1,13 +1,16 @@ require_relative 'boot' +require "rails" # Pick the frameworks you want: +require "active_model/railtie" +# require "active_job/railtie" require "active_record/railtie" +# require "active_storage/engine" require "action_controller/railtie" require "action_mailer/railtie" require "action_view/railtie" -require "sprockets/railtie" -# require "active_job/railtie" # require "action_cable/engine" +require "sprockets/railtie" # require "rails/test_unit/railtie" # Require the gems listed in Gemfile, including any gems @@ -21,7 +24,8 @@ class Application < Rails::Application config.load_defaults 5.1 # Settings in config/environments/* take precedence over those specified here. - # Application configuration should go into files in config/initializers - # -- all .rb files in that directory are automatically loaded. + # Application configuration can go into files in config/initializers + # -- all .rb files in that directory are automatically loaded after loading + # the framework and any gems in your application. end end diff --git a/spec/dummy/config/boot.rb b/spec/dummy/config/boot.rb index c9aef85..4059200 100644 --- a/spec/dummy/config/boot.rb +++ b/spec/dummy/config/boot.rb @@ -1,5 +1,3 @@ -# Set up gems listed in the Gemfile. ENV['BUNDLE_GEMFILE'] ||= File.expand_path('../../../Gemfile', __dir__) -require 'bundler/setup' if File.exist?(ENV['BUNDLE_GEMFILE']) -$LOAD_PATH.unshift File.expand_path('../../../lib', __dir__) +require 'bundler/setup' # Set up gems listed in the Gemfile. diff --git a/spec/dummy/config/environments/development.rb b/spec/dummy/config/environments/development.rb index e64889c..9ffc645 100644 --- a/spec/dummy/config/environments/development.rb +++ b/spec/dummy/config/environments/development.rb @@ -13,12 +13,13 @@ config.consider_all_requests_local = true # Enable/disable caching. By default caching is disabled. - if Rails.root.join('tmp/caching-dev.txt').exist? + # Run rails dev:cache to toggle caching. + if Rails.root.join('tmp', 'caching-dev.txt').exist? config.action_controller.perform_caching = true config.cache_store = :memory_store config.public_file_server.headers = { - 'Cache-Control' => 'public, max-age=172800' + 'Cache-Control' => "public, max-age=#{2.days.to_i}" } else config.action_controller.perform_caching = false @@ -26,6 +27,9 @@ config.cache_store = :null_store end + # Store uploaded files on the local file system (see config/storage.yml for options) + # config.active_storage.service = :local + # Don't care if the mailer can't send. config.action_mailer.raise_delivery_errors = false @@ -37,6 +41,9 @@ # Raise an error on page load if there are pending migrations. config.active_record.migration_error = :page_load + # Highlight code that triggered database queries in logs. + config.active_record.verbose_query_logs = true + # Debug mode disables concatenation and preprocessing of assets. # This option may cause significant delays in view rendering with a large # number of complex assets. @@ -50,5 +57,5 @@ # Use an evented file watcher to asynchronously detect changes in source code, # routes, locales, etc. This feature depends on the listen gem. - # config.file_watcher = ActiveSupport::EventedFileUpdateChecker + config.file_watcher = ActiveSupport::EventedFileUpdateChecker end diff --git a/spec/dummy/config/environments/production.rb b/spec/dummy/config/environments/production.rb index 739e81c..638ae1d 100644 --- a/spec/dummy/config/environments/production.rb +++ b/spec/dummy/config/environments/production.rb @@ -14,6 +14,10 @@ config.consider_all_requests_local = false config.action_controller.perform_caching = true + # Ensures that a master key has been made available in either ENV["RAILS_MASTER_KEY"] + # or in config/master.key. This key is used to decrypt credentials (and other encrypted files). + # config.require_master_key = true + # Disable serving static files from the `/public` folder by default since # Apache or NGINX already handles this. config.public_file_server.enabled = ENV['RAILS_SERVE_STATIC_FILES'].present? @@ -34,10 +38,8 @@ # config.action_dispatch.x_sendfile_header = 'X-Sendfile' # for Apache # config.action_dispatch.x_sendfile_header = 'X-Accel-Redirect' # for NGINX - # Mount Action Cable outside main process or domain - # config.action_cable.mount_path = nil - # config.action_cable.url = 'wss://example.com/cable' - # config.action_cable.allowed_request_origins = [ 'http://example.com', /http:\/\/example.*/ ] + # Store uploaded files on the local file system (see config/storage.yml for options) + # config.active_storage.service = :local # Force all access to the app over SSL, use Strict-Transport-Security, and use secure cookies. # config.force_ssl = true @@ -55,6 +57,7 @@ # Use a real queuing backend for Active Job (and separate queues per environment) # config.active_job.queue_adapter = :resque # config.active_job.queue_name_prefix = "dummy_#{Rails.env}" + config.action_mailer.perform_caching = false # Ignore bad email addresses and do not raise email delivery errors. @@ -78,7 +81,7 @@ if ENV["RAILS_LOG_TO_STDOUT"].present? logger = ActiveSupport::Logger.new(STDOUT) logger.formatter = config.log_formatter - config.logger = ActiveSupport::TaggedLogging.new(logger) + config.logger = ActiveSupport::TaggedLogging.new(logger) end # Do not dump schema after migrations. diff --git a/spec/dummy/config/environments/test.rb b/spec/dummy/config/environments/test.rb index 30587ef..288b92f 100644 --- a/spec/dummy/config/environments/test.rb +++ b/spec/dummy/config/environments/test.rb @@ -15,7 +15,7 @@ # Configure public file server for tests with Cache-Control for performance. config.public_file_server.enabled = true config.public_file_server.headers = { - 'Cache-Control' => 'public, max-age=3600' + 'Cache-Control' => "public, max-age=#{1.hour.to_i}" } # Show full error reports and disable caching. @@ -27,6 +27,10 @@ # Disable request forgery protection in test environment. config.action_controller.allow_forgery_protection = false + + # Store uploaded files on the local file system in a temporary directory + # config.active_storage.service = :test + config.action_mailer.perform_caching = false # Tell Action Mailer not to deliver emails to the real world. diff --git a/spec/dummy/config/initializers/application_controller_renderer.rb b/spec/dummy/config/initializers/application_controller_renderer.rb index 51639b6..89d2efa 100644 --- a/spec/dummy/config/initializers/application_controller_renderer.rb +++ b/spec/dummy/config/initializers/application_controller_renderer.rb @@ -1,6 +1,8 @@ # Be sure to restart your server when you modify this file. -# ApplicationController.renderer.defaults.merge!( -# http_host: 'example.org', -# https: false -# ) +# ActiveSupport::Reloader.to_prepare do +# ApplicationController.renderer.defaults.merge!( +# http_host: 'example.org', +# https: false +# ) +# end diff --git a/spec/dummy/config/initializers/assets.rb b/spec/dummy/config/initializers/assets.rb index 01ef3e6..4b828e8 100644 --- a/spec/dummy/config/initializers/assets.rb +++ b/spec/dummy/config/initializers/assets.rb @@ -3,9 +3,12 @@ # Version of your assets, change this if you want to expire all your assets. Rails.application.config.assets.version = '1.0' -# Add additional assets to the asset load path +# Add additional assets to the asset load path. # Rails.application.config.assets.paths << Emoji.images_path +# Add Yarn node_modules folder to the asset load path. +Rails.application.config.assets.paths << Rails.root.join('node_modules') # Precompile additional assets. -# application.js, application.css, and all non-JS/CSS in app/assets folder are already added. -# Rails.application.config.assets.precompile += %w( search.js ) +# application.js, application.css, and all non-JS/CSS in the app/assets +# folder are already added. +# Rails.application.config.assets.precompile += %w( admin.js admin.css ) diff --git a/spec/dummy/config/initializers/content_security_policy.rb b/spec/dummy/config/initializers/content_security_policy.rb new file mode 100644 index 0000000..d3bcaa5 --- /dev/null +++ b/spec/dummy/config/initializers/content_security_policy.rb @@ -0,0 +1,25 @@ +# Be sure to restart your server when you modify this file. + +# Define an application-wide content security policy +# For further information see the following documentation +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy + +# Rails.application.config.content_security_policy do |policy| +# policy.default_src :self, :https +# policy.font_src :self, :https, :data +# policy.img_src :self, :https, :data +# policy.object_src :none +# policy.script_src :self, :https +# policy.style_src :self, :https + +# # Specify URI for violation reports +# # policy.report_uri "/csp-violation-report-endpoint" +# end + +# If you are using UJS then enable automatic nonce generation +# Rails.application.config.content_security_policy_nonce_generator = -> request { SecureRandom.base64(16) } + +# Report CSP violations to a specified URI +# For further information see the following documentation: +# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only +# Rails.application.config.content_security_policy_report_only = true diff --git a/spec/dummy/config/initializers/cookies_serializer.rb b/spec/dummy/config/initializers/cookies_serializer.rb index 1389e86..5a6a32d 100644 --- a/spec/dummy/config/initializers/cookies_serializer.rb +++ b/spec/dummy/config/initializers/cookies_serializer.rb @@ -2,4 +2,4 @@ # Specify a serializer for the signed and encrypted cookie jars. # Valid options are :json, :marshal, and :hybrid. -Rails.application.config.action_dispatch.cookies_serializer = :marshal +Rails.application.config.action_dispatch.cookies_serializer = :json diff --git a/spec/dummy/config/initializers/new_framework_defaults_5_2.rb b/spec/dummy/config/initializers/new_framework_defaults_5_2.rb new file mode 100644 index 0000000..5132a0b --- /dev/null +++ b/spec/dummy/config/initializers/new_framework_defaults_5_2.rb @@ -0,0 +1,38 @@ +# Be sure to restart your server when you modify this file. +# +# This file contains migration options to ease your Rails 5.2 upgrade. +# +# Once upgraded flip defaults one by one to migrate to the new default. +# +# Read the Guide for Upgrading Ruby on Rails for more info on each option. + +# Make Active Record use stable #cache_key alongside new #cache_version method. +# This is needed for recyclable cache keys. +# Rails.application.config.active_record.cache_versioning = true + +# Use AES-256-GCM authenticated encryption for encrypted cookies. +# Also, embed cookie expiry in signed or encrypted cookies for increased security. +# +# This option is not backwards compatible with earlier Rails versions. +# It's best enabled when your entire app is migrated and stable on 5.2. +# +# Existing cookies will be converted on read then written with the new scheme. +# Rails.application.config.action_dispatch.use_authenticated_cookie_encryption = true + +# Use AES-256-GCM authenticated encryption as default cipher for encrypting messages +# instead of AES-256-CBC, when use_authenticated_message_encryption is set to true. +# Rails.application.config.active_support.use_authenticated_message_encryption = true + +# Add default protection from forgery to ActionController::Base instead of in +# ApplicationController. +# Rails.application.config.action_controller.default_protect_from_forgery = true + +# Store boolean values are in sqlite3 databases as 1 and 0 instead of 't' and +# 'f' after migrating old data. +Rails.application.config.active_record.sqlite3.represent_boolean_as_integer = true + +# Use SHA-1 instead of MD5 to generate non-sensitive digests, such as the ETag header. +# Rails.application.config.active_support.use_sha1_digests = true + +# Make `form_with` generate id attributes for any generated HTML tags. +# Rails.application.config.action_view.form_with_generates_ids = true diff --git a/spec/dummy/config/locales/en.yml b/spec/dummy/config/locales/en.yml index 0653957..decc5a8 100644 --- a/spec/dummy/config/locales/en.yml +++ b/spec/dummy/config/locales/en.yml @@ -16,6 +16,16 @@ # # This would use the information in config/locales/es.yml. # +# The following keys must be escaped otherwise they will not be retrieved by +# the default I18n backend: +# +# true, false, on, off, yes, no +# +# Instead, surround them with single quotes. +# +# en: +# 'true': 'foo' +# # To learn more, please read the Rails Internationalization guide # available at http://guides.rubyonrails.org/i18n.html. diff --git a/spec/dummy/config/storage.yml b/spec/dummy/config/storage.yml new file mode 100644 index 0000000..d32f76e --- /dev/null +++ b/spec/dummy/config/storage.yml @@ -0,0 +1,34 @@ +test: + service: Disk + root: <%= Rails.root.join("tmp/storage") %> + +local: + service: Disk + root: <%= Rails.root.join("storage") %> + +# Use rails credentials:edit to set the AWS secrets (as aws:access_key_id|secret_access_key) +# amazon: +# service: S3 +# access_key_id: <%= Rails.application.credentials.dig(:aws, :access_key_id) %> +# secret_access_key: <%= Rails.application.credentials.dig(:aws, :secret_access_key) %> +# region: us-east-1 +# bucket: your_own_bucket + +# Remember not to checkin your GCS keyfile to a repository +# google: +# service: GCS +# project: your_project +# credentials: <%= Rails.root.join("path/to/gcs.keyfile") %> +# bucket: your_own_bucket + +# Use rails credentials:edit to set the Azure Storage secret (as azure_storage:storage_access_key) +# microsoft: +# service: AzureStorage +# storage_account_name: your_account_name +# storage_access_key: <%= Rails.application.credentials.dig(:azure_storage, :storage_access_key) %> +# container: your_container_name + +# mirror: +# service: Mirror +# primary: local +# mirrors: [ amazon, google, microsoft ] From a076dc55e2f31c7ed367056b81bace42f08033dc Mon Sep 17 00:00:00 2001 From: Thomas von Deyen Date: Mon, 1 Apr 2019 14:28:07 +0200 Subject: [PATCH 08/11] Do not use deprecated per_page_value_for_screen_size Use the screen size independent items_per_page instead. --- app/controllers/alchemy/admin/users_controller.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/app/controllers/alchemy/admin/users_controller.rb b/app/controllers/alchemy/admin/users_controller.rb index 5e00182..9286277 100644 --- a/app/controllers/alchemy/admin/users_controller.rb +++ b/app/controllers/alchemy/admin/users_controller.rb @@ -17,7 +17,7 @@ def index @query.sorts = 'login asc' if @query.sorts.empty? @users = @query.result .page(params[:page] || 1) - .per(per_page_value_for_screen_size) + .per(items_per_page) end def new From 5fcb9c48d8a1abb801a11034fb170be1c3d1a544 Mon Sep 17 00:00:00 2001 From: Thomas von Deyen Date: Mon, 1 Apr 2019 14:31:04 +0200 Subject: [PATCH 09/11] Do not store screensize at login This feature has been deprecated in Alchemy 4.2 --- app/controllers/alchemy/user_sessions_controller.rb | 5 ----- app/views/alchemy/user_sessions/new.html.erb | 4 ---- spec/controllers/user_sessions_controller_spec.rb | 5 ----- 3 files changed, 14 deletions(-) diff --git a/app/controllers/alchemy/user_sessions_controller.rb b/app/controllers/alchemy/user_sessions_controller.rb index cb50d90..16a0b9b 100644 --- a/app/controllers/alchemy/user_sessions_controller.rb +++ b/app/controllers/alchemy/user_sessions_controller.rb @@ -20,7 +20,6 @@ def create authenticate_user! if user_signed_in? - store_screen_size if session[:redirect_path].blank? redirect_path = admin_dashboard_path else @@ -49,10 +48,6 @@ def check_user_count end end - def store_screen_size - session[:screen_size] = params[:user_screensize] - end - # Overwriting the default of Devise def after_sign_out_path_for(resource_or_scope) if request.referer.blank? || request.referer.to_s =~ /admin/ diff --git a/app/views/alchemy/user_sessions/new.html.erb b/app/views/alchemy/user_sessions/new.html.erb index 2fcb7b3..c6fe7d5 100644 --- a/app/views/alchemy/user_sessions/new.html.erb +++ b/app/views/alchemy/user_sessions/new.html.erb @@ -9,7 +9,6 @@
- <%= hidden_field_tag 'user_screensize' %>
<% end %> @@ -19,9 +18,6 @@ <%- end -%> diff --git a/spec/controllers/user_sessions_controller_spec.rb b/spec/controllers/user_sessions_controller_spec.rb index c659f62..a92c4dd 100644 --- a/spec/controllers/user_sessions_controller_spec.rb +++ b/spec/controllers/user_sessions_controller_spec.rb @@ -54,11 +54,6 @@ end end - it "stores users screen size" do - post :create, params: {user: user_params, user_screensize: screen_size} - expect(session[:screen_size]).to eq(screen_size) - end - context 'without valid params' do it "renders login form" do post :create, params: {user: {login: ''}} From aa480ca3e311e6919e294dbc0e057faa9a8b0a18 Mon Sep 17 00:00:00 2001 From: Thomas von Deyen Date: Mon, 1 Apr 2019 14:34:07 +0200 Subject: [PATCH 10/11] Test with recent Ruby versions on TravisCI --- .travis.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index 4a9c774..acb7cb7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,9 +3,9 @@ dist: trusty sudo: false cache: bundler rvm: -- 2.2.7 -- 2.3.5 -- 2.4.2 +- 2.4.5 +- 2.5.5 +- 2.6.2 branches: only: - master From bb2a50c7d0cb8ccb7b135e81e40622206a8db67d Mon Sep 17 00:00:00 2001 From: Thomas von Deyen Date: Mon, 1 Apr 2019 09:40:56 +0200 Subject: [PATCH 11/11] Update changelog and readme for 4.2-stable --- CHANGELOG.md | 8 ++++++++ README.md | 6 +++--- 2 files changed, 11 insertions(+), 3 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index e5bc8e9..965218b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,11 @@ +## 4.2.0 (unreleased) + +- Do not store screen size at login [#78](https://github.com/AlchemyCMS/alchemy-devise/pull/78) ([tvdeyen](https://github.com/tvdeyen)) +- Security: Use at least Devise 4.6 [#78](https://github.com/AlchemyCMS/alchemy-devise/pull/78) ([tvdeyen](https://github.com/tvdeyen)) +- Fix dummy app rails version [#76](https://github.com/AlchemyCMS/alchemy-devise/pull/76) ([tvdeyen](https://github.com/tvdeyen)) +- Fix translation key on user admin page [#75](https://github.com/AlchemyCMS/alchemy-devise/pull/75) ([mamhoff](https://github.com/mamhoff)) + + ## 4.1.0 (2018-09-22) - Only allow Alchemy > 4.1 [#72](https://github.com/AlchemyCMS/alchemy-devise/pull/72) ([tvdeyen](https://github.com/tvdeyen)) diff --git a/README.md b/README.md index d27ee0d..54e33f8 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,10 @@ -## Devise based authentication for Alchemy 4.1 +## Devise based authentication for AlchemyCMS 4.2 [![Build Status](https://secure.travis-ci.org/AlchemyCMS/alchemy-devise.svg?branch=master)](http://travis-ci.org/AlchemyCMS/alchemy-devise) [![Gem Version](https://badge.fury.io/rb/alchemy-devise.svg)](http://badge.fury.io/rb/alchemy-devise) [![Test Coverage](https://codeclimate.com/github/AlchemyCMS/alchemy-devise/badges/coverage.svg)](https://codeclimate.com/github/AlchemyCMS/alchemy-devise/coverage) [![Code Climate](https://codeclimate.com/github/AlchemyCMS/alchemy-devise/badges/gpa.svg)](https://codeclimate.com/github/AlchemyCMS/alchemy-devise) [![security](https://hakiri.io/github/AlchemyCMS/alchemy-devise/master.svg)](https://hakiri.io/github/AlchemyCMS/alchemy-devise/master) -**CAUTION: This master branch is a development branch that can contain bugs. For productive environments you should use the [current Ruby gem version](https://rubygems.org/gems/alchemy-devise/versions/4.1.0), or the [latest stable branch (4.1-stable)](https://github.com/AlchemyCMS/alchemy-devise/tree/4.1-stable).** +**CAUTION: This master branch is a development branch that can contain bugs. For productive environments you should use the [current Ruby gem version](https://rubygems.org/gems/alchemy-devise/versions/4.1.0), or the [latest stable branch (4.2-stable)](https://github.com/AlchemyCMS/alchemy-devise/tree/4.2-stable).** AlchemyCMS has no authentication in its core. So it is possibly to bring your own authentication and use it to authorize users in AlchemyCMS. If you don't have your own authentication, you can use this gem. @@ -17,7 +17,7 @@ Just put the gem into your projects `Gemfile`. gem 'alchemy-devise', github: 'AlchemyCMS/alchemy-devise', branch: 'master' ``` -**NOTE:** You normally want to use a stable branch, like `4.1-stable`. +**NOTE:** You normally want to use a stable branch, like `4.2-stable`. and run `bundle install`.