Disable HTTP Authentication by default. You can turn it on in the ini…

…tializer.
heartcombo · Aug 23, 2010 · b8ab9a8 · b8ab9a8
1 parent 617b95f
commit b8ab9a8
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 13 deletions.
diff --git a/CHANGELOG.rdoc b/CHANGELOG.rdoc
@@ -1,5 +1,6 @@
 * deprecations
   * sign_out_all_scopes defaults to true as security measure
+  * http authenticatable is disabled by default
 
 * enhancements
   * Added OAuth 2 support

diff --git a/lib/devise.rb b/lib/devise.rb
@@ -70,9 +70,9 @@ module Strategies
 
   # If http authentication is enabled by default.
   mattr_accessor :http_authenticatable
-  @@http_authenticatable = true
+  @@http_authenticatable = false
 
-  # If http authentication is used for ajax requests. True by default.
+  # If http headers should be returned for ajax requests. True by default.
   mattr_accessor :http_authenticatable_on_xhr
   @@http_authenticatable_on_xhr = true
 

diff --git a/lib/devise/failure_app.rb b/lib/devise/failure_app.rb
@@ -27,7 +27,6 @@ def respond
       elsif warden_options[:recall]
         recall
       else
-        debug!
         redirect
       end
     end
@@ -53,11 +52,6 @@ def redirect
 
   protected
 
-    def debug!
-      return unless Rails.logger.try(:debug?)
-      Rails.logger.debug "[Devise] Could not sign in #{scope}: #{i18n_message.inspect}."
-    end
-
     def i18n_message(default = nil)
       message = warden.message || warden_options[:message] || default || :unauthenticated
 
@@ -74,7 +68,7 @@ def redirect_url
     end
 
     def http_auth?
-      !Devise.navigational_formats.include?(request.format.to_sym) || (request.xhr? && Devise.http_authenticatable_on_xhr)
+      !Devise.navigational_formats.include?(request.format.to_sym) || (Devise.http_authenticatable_on_xhr && request.xhr?)
     end
 
     def http_auth_body

diff --git a/lib/devise/strategies/authenticatable.rb b/lib/devise/strategies/authenticatable.rb
@@ -9,7 +9,7 @@ class Authenticatable < Base
       attr_accessor :authentication_hash, :password
 
       def valid?
-        valid_for_http_auth? || valid_for_params_auth?
+        valid_for_params_auth? || valid_for_http_auth?
       end
 
     private

diff --git a/lib/generators/templates/devise.rb b/lib/generators/templates/devise.rb
@@ -25,10 +25,10 @@
   # Tell if authentication through request.params is enabled. True by default.
   # config.params_authenticatable = true
 
-  # Tell if authentication through HTTP Basic Auth is enabled. True by default.
+  # Tell if authentication through HTTP Basic Auth is enabled. False by default.
   # config.http_authenticatable = true
 
-  # Set this to true to use Basic Auth for AJAX requests.  True by default.
+  # If http headers should be returned for AJAX requests. True by default.
   # config.http_authenticatable_on_xhr = true
 
   # The realm used in Http Basic Authentication

diff --git a/test/rails_app/config/initializers/devise.rb b/test/rails_app/config/initializers/devise.rb
@@ -26,7 +26,7 @@
   # config.params_authenticatable = true
 
   # Tell if authentication through HTTP Basic Auth is enabled. True by default.
-  # config.http_authenticatable = true
+  config.http_authenticatable = true
 
   # The realm used in Http Basic Authentication
   # config.http_authentication_realm = "Application"