Commits on Aug 10, 2016
  1. @derekprior


    derekprior committed Aug 10, 2016
  2. @derekprior

    Inline bcrypt password strategy helpers

    The bcrypt password strategy had some private helper functions that
    cleaned up the `password=` method. These private helper functions end up
    getting mixed into the end application's `User` class because password
    strategies are implemented as mixins. This causes issues if the user
    class has `encrypt` or `cost` methods already. `attr_encrypted`, for
    instance, mixes in its own `encrypt` method.
    I considered renaming the helper functions, prefacing them with
    `clearance_` or something similar. I also considered nesting the helpers
    in a module and calling them as such. In the end, I felt inlining the
    helpers made the code marginally less readable but fixed the conflict
    problem without the added ceremony of a module.
    derekprior committed Aug 10, 2016
  3. @derekprior
  4. @jjb @derekprior
  5. @we138 @derekprior

    Remove unnecessary return

    we138 committed with derekprior Aug 10, 2016
Commits on May 13, 2016
  1. @derekprior
Commits on May 12, 2016
  1. @derekprior


    derekprior committed May 12, 2016
  2. @abunashir @derekprior

    Inject `include Clearance::User` inside model body (#677)

    * Inject `include Clearance::User` inside model body
    Clearance generator was inserting `include Clearance::User` between
    `class User <` and `ActiveRecord::Base`, which is not correct.
    Our spec was not checking if the generator was including clearance
    user model correctly or not. Let's add the test to ensure the generator
    is inserting the content properly. This commit fixes #676.
    * Add versionize app templates for test helpers
    abunashir committed with derekprior May 12, 2016
  3. @christoomey @derekprior

    Use config.redirect_url in deny_access matcher (#678)

    The `deny_access` matcher currently uses the hard coded path `/` for the
    `signed_in?` case, but this does not match the implementation of the
    `deny_access` helper, which uses `url_after_denied_access_when_signed_in` which
    in turn uses the `Clearance.configuration.redirect_url`.
    This change updates the `deny_access` matcher to also use the `redirect_url`.
    christoomey committed with derekprior May 12, 2016
  4. @abunashir @derekprior

    Cleanup configuration spec (#680)

    * Clean up clearance configuration spec
    Remove unnecessary before hook and maintain consistency on setting
    up clearance configuration for each test example.
    In the configuration spec, there are some before hooks where we're
    basically setting up nothing but defaults.
    There is no consistency in setting up configuration: some examples
    use a before hook and others do not, some use an inline block
    and others use a multi-line block although it sets a single
    clearance configuration.
    * Update to double quotes
    abunashir committed with derekprior May 12, 2016
  5. @abunashir @derekprior
Commits on Apr 29, 2016
  1. @abunashir @derekprior
  2. @abunashir @derekprior
  3. @derekprior


    derekprior committed Apr 29, 2016
Commits on Apr 23, 2016
  1. @derekprior

    Correctly track dirty state of encrypted password

    Password validations only run when `skip_password_validation?` returns
    false. The idea of that method is that it returns true whenever the user
    requires a password and a change to their password was attempted.
    Previously, we relied on the developer explicitly having set
    `password_changing = true` on the instance to detect an attempt to
    change the password.
    This worked fine when the developer used `update_password` to change an
    existing user's password. However, using other methods to update a
    password or even creating a new user (like in the `users#create` action)
    did not set this attribute.
    This was okay for our built-in validations (just presence) because of
    the way `password=` was implemented. However, users that added their own
    validations (like validating password length) and properly added the
    `unless: :skip_password_validation?` modifier to their validation found
    that their validations were not running for new users.
    To fix this, we rely on ActiveRecord/ActiveModel's built-in dirty
    tracking to check if encrypted password has changed rather than using a
    manual attribute. We further tell the user model that calling
    `password=` at all will automatically mark the encrypted_password as
    dirty, regardless of what the password strategy ultimately does.
    Making the change in `User` and calling `super` means that all password
    strategies -- even custom strategies -- get this improved behavior.
    Now that we're using dirty tracking properly, we can deprecate the
    `password_changing` attribute, as it is no longer used.
    Closes #664
    derekprior committed Apr 23, 2016
  2. @imtayadeway @derekprior

    Update to appraisal 2

    Appraisal 2 allows vendoring gems, which some people use when developing
    clearance. We also ignore `gemfiles/vendor` for this purpose.
    imtayadeway committed with derekprior Apr 23, 2016
  3. @imtayadeway @derekprior

    Upgrade to appraisal 2.1

    imtayadeway committed with derekprior Apr 8, 2016
  4. @abunashir @derekprior

    Correct custom cookie name configuration spec

    Previously we had the custom cookie name spec but we're only matching
    the token string in the header hash. We didn't configure custom cookie
    name but it was still passing the spec.
    Let's change the custom cookie name spec to test out the custom cookie
    name configuration.
    abunashir committed with derekprior Apr 23, 2016
Commits on Apr 22, 2016
  1. @derekprior

    Use proper base class for User model

    In Rails 5, you are meant to have models that inherit from
    `ApplicationRecord`. The code to inject clearance code into your
    existing user model was hard-coded to look for a model that inherits
    from `ActiveRecord::Base`. The specific inheritance requirement was
    Similarly, applications that generated completely new user models were
    set to inherit from `ActiveRecord::Base`. This should be
    `ApplicationRecord` for Rails 5 and newer.
    derekprior committed Apr 15, 2016
  2. @abunashir @derekprior
  3. @derekprior

    Use mime-types 2 for versions tested with Ruby 1.9

    Older versions of Rails will happily allow mime-types 3.0+ to be used.
    That gem has a dependency on mime-types-data, which requires Ruby 2.0 or
    The additions to the appraisal file here will keep mime-types pinned to
    a version compatible with 1.9.3 for these versions of Rails. An
    alternative would be to add additional appraisals for each of these
    rails versions that only applied to 1.9.3, leaving no restriction on the
    mime-types gem for the existing appraisals.
    This seemed like more overhead than necessary as we don't directly
    interact with the mime-types gem.
    derekprior committed Apr 22, 2016
Commits on Apr 15, 2016
  1. @derekprior

    Update to double quotes

    derekprior committed Apr 15, 2016
  2. @halogenandtoast @derekprior

    Allow Clearance::BackDoor to take a block

    If `User#to_param` is overridden the `Clearance::BackDoor` will fail
    because it only looks the user up by id. By passing a block, this
    functionality can be replaced to be more flexible. For instance, with a
    User model that looks like:
        class User < ActiveRecord::Base
          def to_param
    You can specify the following backdoor in
        config.middleware.use Clearance::BackDoor do |username|
          Clearance.configuration.user_model.find_by(username: username)
    halogenandtoast committed with derekprior Mar 11, 2016
Commits on Mar 20, 2016
  1. @developingchris

    Remove html in text version of change password

    closing p tag present in text version of the change password email by
    developingchris committed Mar 20, 2016
Commits on Mar 4, 2016
  1. @derekprior


    derekprior committed Mar 4, 2016
  2. @derekprior

    Remove Rails 5 from allowed failures

    derekprior committed Mar 4, 2016
  3. @derekprior

    Use available betas for Rails 5 testing

    We no longer need to point at master.
    derekprior committed Mar 4, 2016
Commits on Feb 26, 2016
  1. @derekprior

    Always use inline adapter in feature specs

    Rails 5 defaults the ActiveJob adapter to `async` which makes it
    difficult to test the password reset feature in a manner that supports
    Rails 4.2 and 5.0 (and older versions as well, of course).
    The simplest fix, for now, is to use the inline adapter in our tests so
    we can observe the side effects we care about.
    derekprior committed Feb 26, 2016
  2. @derekprior

    Use latest Capybara for Rack 2 support

    Rails 5 uses Rack 2, which required an upgrade to Capybara. The upgrade
    addresses this error in tests:
    > undefined method `normalize_params' for Rack::Utils:Module
    derekprior committed Feb 26, 2016
  3. @derekprior

    Use versioned migrations when possible

    Rails 5 deprecates inheriting directly from `ActiveRecord::Migration` in
    favor of inheriting from `ActiveRecord::Migration[5.0]` where `5.0` is
    the `major.minor` version of Rails that the migration was originally
    written to support.
    If we detect we are using a version of rails that supports this
    nomenclature then we pass the current `major.minor` version to use.
    derekprior committed Feb 26, 2016
  4. @derekprior

    Test against Rails 5 master

    Master includes a fix for rails/rails#23645,
    which is not yet included in a beta release.
    When updating to master, I also had to explicitly set the ActiveJob
    queue adapter to `inline` in tests, as it now defaults to `async`.
    With these changes, the non-acceptance test suite is now green and has
    no deprecations. Next up - the acceptance tests.
    derekprior committed Feb 26, 2016
Commits on Feb 12, 2016
  1. @jeffreyguenther @derekprior

    Use proper param name for overridden user model

    The users controller was hard-coded to grab parameters from
    `params[:user]`, but if you have changed your user model the key will be
    something other than `:user`. We now get this key from configuration,
    which derives it from the model name.
    jeffreyguenther committed with derekprior Feb 12, 2016
  2. @derekprior

    Eliminate HTTP method deprecations from tests

    Rails 5 deprecates calling HTTP action methods with positional arguments
    in favor of keyword arguments. However, the keyword argument form is
    only supported in Rails 5+. Since we support back to 3.1, we need some
    sort of shim to avoid super noisy deprecations when running tests.
    I tried to shim this the other way - update tests to the new format, and
    shim older versions of rails, but that causes failures in older versions
    of Rails. Meanwhile, shimming in this direction actually fixed failures
    I was seeing on Rails 5. It appears the Rails 5 code for rewriting
    positional arguments to keyword arguments is broken. See: rails/rails#23643
    derekprior committed Feb 12, 2016
  3. @derekprior

    Handle deprecation of `render text:` in Rails 5

    In most cases we can render nothing and be just fine. In order for us to
    continue supporting Rails back to 3.1, we can't `render html:` or
    `render plain:` as the Rails 5 deprecation encourages because those
    older versions do not support that.
    derekprior committed Feb 12, 2016
  4. @derekprior

    Use `data_source_exists?` if available

    Rails 5.0 deprecates the previous use of `table_exists?`, which checked
    both tables and views, in favor of `data_source_exists?`.
    derekprior committed Jan 11, 2016