Other minor improvements in the REST code.

app/controllers/devise/registrations_controller.rb

@@ -5,8 +5,8 @@ class Devise::RegistrationsController < ApplicationController
 
   # GET /resource/sign_up
   def new
-    build_resource({})
-    render_with_scope :new
+    resource = build_resource({})
+    respond_with_navigational(resource){ render_with_scope :new }
   end
 
   # POST /resource

app/controllers/devise/sessions_controller.rb

@@ -38,8 +38,8 @@ def destroy
   protected
 
   def stub_options(resource)
-    hash = { :only => resource_class.authentication_keys }
-    hash[:methods] = [:password] if resource.respond_to?(:password)
-    hash
+    array = resource_class.authentication_keys.dup
+    array << :password if resource.respond_to?(:password)
+    { :methods => array, :only => [:password] }
   end
 end

lib/devise/models/authenticatable.rb

@@ -76,6 +76,19 @@ def inactive_message
       def authenticatable_salt
       end
 
+      %w(to_xml to_json).each do |method|
+        class_eval <<-RUBY, __FILE__, __LINE__
+          def #{method}(options={})
+            if self.class.respond_to?(:accessible_attributes)
+              options = { :only => self.class.accessible_attributes.to_a }.merge(options || {})
+              super(options)
+            else
+              super
+            end
+          end
+        RUBY
+      end
+
       module ClassMethods
         Devise::Models.config(self, :authentication_keys, :request_keys, :case_insensitive_keys, :http_authenticatable, :params_authenticatable)
 

test/integration/authenticatable_test.rb

@@ -348,6 +348,15 @@ class AuthenticationOthersTest < ActionController::IntegrationTest
     assert_match '"password":""', response.body
   end
 
+  test 'sign in stub in json with non attribute key' do
+    swap Devise, :authentication_keys => [:other_key] do
+      get new_user_session_path(:format => 'json')
+      assert_match '{"user":{', response.body
+      assert_match '"other_key":null', response.body
+      assert_match '"password":""', response.body
+    end
+  end
+
   test 'uses the mapping from router' do
     sign_in_as_user :visit => "/as/sign_in"
     assert warden.authenticated?(:user)

test/integration/registerable_test.rb

@@ -207,6 +207,20 @@ class RegistrationTest < ActionController::IntegrationTest
     assert_redirected_to new_user_registration_path
   end
 
+  test 'a user with XML sign up stub' do
+    get new_user_registration_path(:format => 'xml')
+    assert_response :success
+    assert_match %(<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<user>), response.body
+    assert_no_match(/<confirmation_token>/, response.body) if DEVISE_ORM == :active_record
+  end
+
+  test 'a user with JSON sign up stub' do
+    get new_user_registration_path(:format => 'json')
+    assert_response :success
+    assert_match %({"user":), response.body
+    assert_no_match(/"confirmation_token"/, response.body) if DEVISE_ORM == :active_record
+  end
+
   test 'an admin sign up with valid information in XML format should return valid response' do
     post admin_registration_path(:format => 'xml'), :admin => { :email => 'new_user@test.com', :password => 'new_user123', :password_confirmation => 'new_user123' }
     assert_response :success

test/rails_app/lib/shared_user.rb

@@ -6,6 +6,8 @@ module SharedUser
            :registerable, :rememberable, :timeoutable, :token_authenticatable,
            :trackable, :validatable, :omniauthable
 
+    attr_accessor :other_key
+
     # They need to be included after Devise is called.
     extend ExtendMethods
   end