
Added preliminary Rails 4 compatibility via devise_permitted

1 parent ac3a25b commit 2c5f6291e7c85ace9b7e711d996a718f8a27e730 Ernest Sim committed Dec 9, 2012
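--- a/README.md
+++ b/README.md
@@ -162,6 +162,25 @@ current_member
 member_session
 ```
+### Rails 4 Beta
+
+By default Devise will whitelist [:email, :password, :password_confirmation, :password_current] on install. However in Rails 4.0, Strong Parameters requires any additional parameters to be explicitly permitted. As permission logic should be in the controller by nature, you would need to create a custom controller and define your permissions there.
+
+```ruby
+#config/routes.rb
+devise_for :users, :controllers => { :registrations => "custom_controller" }
+
+#apps/controllers/registrations_controller.rb
+class RegistrationsController < Devise::RegistrationsController
+ before_filter :permissions
+
+ def permissions
+ # Redefine the list of permissible parameters
+ devise_permitted [:name, :email, :password, :password_confirmation, :password_current]
+ end
+end
+```
+
 ### Configuring Models
 The devise method in your models also accepts some options to configure its modules. For example, you can choose the cost of the encryption algorithm with: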
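--- a/app/controllers/devise/registrations_controller.rb
+++ b/app/controllers/devise/registrations_controller.rb
@@ -1,7 +1,7 @@
 class Devise::RegistrationsController < DeviseController
 prepend_before_filter :require_no_authentication, :only => [ :new, :create, :cancel ]
 prepend_before_filter :authenticate_scope!, :only => [:edit, :update, :destroy]
-
+ prepend_before_filter :devise_permitted if Devise::RAILS4
 # GET /resource/sign_up
 def new
 resource = build_resource({})
@@ -39,6 +39,9 @@ def edit
 def update
 self.resource = resource_class.to_adapter.get!(send(:"current_#{resource_name}").to_key)
 prev_unconfirmed_email = resource.unconfirmed_email if resource.respond_to?(:unconfirmed_email)
+ if Devise::RAILS4
+ resource_params = permitted_params
+ end
 if resource.update_with_password(resource_params)
 if is_navigational_format?
@@ -83,7 +86,11 @@ def update_needs_confirmation?(resource, previous)
 # Build a devise resource passing in the session. Useful to move
 # temporary session data to the newly created user.
 def build_resource(hash=nil)
- hash ||= resource_params || {}
+ if Devise::RAILS4
+ hash = resource_params ? permitted_params : {}
+ else
+ hash ||= resource_params || {}
+ end
 self.resource = resource_class.new_with_session(hash, session)
 end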
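Review bot: The `resource_params = permitted_params` assignment inside `if Devise::RAILS4` in `update` makes `resource_params` a local variable for the rest of the method at parse time, so on Rails 3 the branch is skipped and `resource.update_with_password(resource_params)` receives `nil` instead of the value of the `resource_params` helper. Pick the attributes with one differently named local, `attrs = Devise::RAILS4 ? permitted_params : resource_params`, and pass `attrs` to `update_with_password`; `update` continues past the hunk, so check it for other uses of the name. In `build_resource` the Rails 4 branch discards the `hash` argument a caller passes explicitly (as `new` does with `build_resource({})`), unlike the Rails 3 branch; `hash ||= (Devise::RAILS4 && resource_params) ? permitted_params : (resource_params || {})` keeps both behaviours in one line.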
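--- a/app/controllers/devise_controller.rb
+++ b/app/controllers/devise_controller.rb
@@ -5,12 +5,13 @@ class DeviseController < Devise.parent_controller.constantize
 helper DeviseHelper
 helpers = %w(resource scope_name resource_name signed_in_resource
- resource_class resource_params devise_mapping)
+ resource_class resource_params devise_mapping devise_permitted permitted_params)
 hide_action *helpers
 helper_method *helpers
 prepend_before_filter :assert_is_devise_resource!
 respond_to *Mime::SET.map(&:to_sym) if mimes_for_respond_to.empty?
+ mattr_accessor :params_whitelist
 # Gets the actual resource stored in the instance variable
 def resource
@@ -28,6 +29,7 @@ def resource_class
 devise_mapping.to
 end
+
 def resource_params
 params[resource_name]
 end
@@ -56,8 +58,20 @@ def _prefixes #:nodoc:
 hide_action :_prefixes
+ public
+
+ # Whitelist default generated attributes
+ def devise_permitted(whitelist=[:email, :password, :password_confirmation, :current_password])
+ @@params_whitelist = whitelist
+ end
+
 protected
+ # In concordance to Rails 4 Strong Parameters guidelines
+ def permitted_params
+ params.require(resource_class.name.downcase.to_sym).permit(@@params_whitelist)
+ end
+
 # Checks whether it's a devise mapped resource or not.
 def assert_is_devise_resource! #:nodoc:
 unknown_action! <<-MESSAGE unless devise_mapping
@@ -96,17 +110,20 @@ def resource=(new_resource)
 # Build a devise resource.
 # Assignment bypasses attribute protection when :unsafe option is passed
 def build_resource(hash = nil, options = {})
- hash ||= resource_params || {}
-
- if options[:unsafe]
- self.resource = resource_class.new.tap do |resource|
- hash.each do |key, value|
- setter = :"#{key}="
- resource.send(setter, value) if resource.respond_to?(setter)
+ if Devise::RAILS4
+ self.resource = resource_params ? resource_class.new(permitted_params) : resource_class.new
+ else
+ hash ||= resource_params || {}
+ if options[:unsafe]
+ self.resource = resource_class.new.tap do |resource|
+ hash.each do |key, value|
+ setter = :"#{key}="
+ resource.send(setter, value) if resource.respond_to?(setter)
+ end
 end
+ else
+ self.resource = resource_class.new(hash)
 end
- else
- self.resource = resource_class.new(hash)
 end
 end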
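Review bot: `devise_permitted` stores the whitelist in the class variable `@@params_whitelist` (declared by `mattr_accessor :params_whitelist`), which is one value shared by every DeviseController subclass and every request in the process, so under a threaded server a custom controller's widened list can be read by another request's `permitted_params`, and across scopes the last writer wins. Keep it per request instead: `@params_whitelist = whitelist` in `devise_permitted` and `params.require(resource_name).permit(*(@params_whitelist || devise_permitted))` in `permitted_params`, after which the `mattr_accessor` has no reader and can go. Using `resource_name` there also matches the existing `resource_params` (`params[resource_name]`), whereas `resource_class.name.downcase.to_sym` does not produce the parameter key for multi-word or namespaced model classes. The Rails 4 branch of `build_resource` additionally ignores both the `hash` argument and `options[:unsafe]`, which the comment above the method still describes. Separately, the README snippet added in this commit lists `:password_current`, which does not match the `:current_password` default here.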
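--- a/devise.gemspec
+++ b/devise.gemspec
@@ -21,5 +21,5 @@ Gem::Specification.new do |s|
 s.add_dependency("warden", "~> 1.2.1")
 s.add_dependency("orm_adapter", "~> 0.1")
 s.add_dependency("bcrypt-ruby", "~> 3.0")
- s.add_dependency("railties", "~> 3.1")
+ s.add_dependency("railties", "> 3.1")
 end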
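Review bot: `"> 3.1"` has no upper bound, so any future railties major satisfies the gemspec although the code only branches on a 4.0 match in `Devise::RAILS4`, and unlike the previous `~> 3.1` it excludes 3.1.0 itself, since RubyGems compares `3.1.0` as equal to `3.1`. A bounded pair covering the versions the commit actually handles, for example `s.add_dependency("railties", ">= 3.1", "< 4.1")`, avoids resolving to an untested release.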
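--- a/lib/devise.rb
+++ b/lib/devise.rb
@@ -5,6 +5,7 @@
 require 'set'
 require 'securerandom'
+
 module Devise
 autoload :Delegator, 'devise/delegator'
 autoload :FailureApp, 'devise/failure_app'
@@ -31,6 +32,7 @@ module Strategies
 # Constants which holds devise configuration for extensions. Those should
 # not be modified by the "end user" (this is why they are constants).
+ RAILS4 = %r(4.0).match(Rails.version) ? true : false
 ALL = []
 CONTROLLERS = ActiveSupport::OrderedHash.new
 ROUTES = ActiveSupport::OrderedHash.new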
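Review bot: `%r(4.0).match(Rails.version)` is an unanchored regex whose `.` matches any character, so it is a substring test rather than a version comparison: a `4.1.0` release contains no `4?0` substring, leaves `RAILS4` false and silently takes the Rails 3 code paths that bypass `permitted_params`. Compare the major version instead, `RAILS4 = Rails::VERSION::MAJOR >= 4`, which also drops the redundant `? true : false`. Either form is evaluated when `lib/devise.rb` is required, so it presumes Rails is loaded by then.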
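--- a/lib/devise/models.rb
+++ b/lib/devise/models.rb
@@ -3,6 +3,7 @@ module Models
 class MissingAttribute < StandardError
 def initialize(attributes)
 @attributes = attributes
+ @@params_whitelist = []
 end
 def message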
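Review bot: `@@params_whitelist = []` in `MissingAttribute#initialize` creates a class variable on `Devise::Models::MissingAttribute`, an exception class, not on `DeviseController` where `devise_permitted` and `permitted_params` read `@@params_whitelist`, so it never affects the whitelist and looks like a leftover; drop the line. `MissingAttribute` continues past the hunk.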
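--- a/lib/generators/devise/orm_helpers.rb
+++ b/lib/generators/devise/orm_helpers.rb
@@ -29,4 +29,4 @@ def model_path
 end
 end
 end
-end
+end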

