Commits on Mar 20, 2016
  1. @developingchris

    Remove html in text version of change password

    developingchris committed Mar 20, 2016
    closing p tag present in text version of the change password email by
    default.
Commits on Feb 26, 2016
  1. @derekprior

    Always use inline adapter in feature specs

    derekprior committed Feb 26, 2016
    Rails 5 defaults the ActiveJob adapter to `async` which makes it
    difficult to test the password reset feature in a manner that supports
    Rails 4.2 and 5.0 (and older versions as well, of course).
    
    The simplest fix, for now, is to use the inline adapter in our tests so
    we can observe the side effects we care about.
Commits on Feb 12, 2016
  1. @jrguenther @derekprior

    Use proper param name for overridden user model

    jrguenther committed with derekprior Feb 12, 2016
    The users controller was hard-coded to grab parameters from
    `params[:user]`, but if you have changed your user model the key will be
    something other than `:user`. We now get this key from configuration,
    which derives it from the model name.
  2. @derekprior

    Use `before_action` where it is supported

    derekprior committed Jan 10, 2016
    Rails 5 logs deprecation warnings when using `before_filter`. We knew
    this day was coming. Unfortunately, we still support rails 3, so we need
    to handle the case where `before_action` does not exist.
Commits on Jan 11, 2016
  1. @j-dexx @derekprior

    Prevent `skip_before_filter` errors in Rails 5

    j-dexx committed with derekprior Jan 10, 2016
    Rails 5 will error if `skip_before_filter` is called with a filter name
    that has not yet been added. We can't always control if the `authorize`
    filter is in the inheritance chain, but we always want to be sure if it
    is, we skip it.
    
    Adding `raise: false` allows us to opt out of the new behavior without
    impacting older versions of rails.
Commits on Nov 24, 2015
  1. @bwanicur @derekprior
Commits on Jun 12, 2015
  1. @mxie

    Simplify the check for forbidden access

    mxie committed Jun 12, 2015
    This consolidates two separate `before_filter`s that both rendered the same
    failure notice into a single callback method. Since we depend on the token to
    find the user anyway, we'll only need to check if the user exists.
Commits on Apr 10, 2015
  1. @l3kn @derekprior
Commits on Apr 3, 2015
  1. @derekprior

    Include a text part for change password mailer

    derekprior committed Apr 3, 2015
    It's best practice to send a text part when sending HTML email. It's
    relatively simple for us to do so here even at the cost of some
    duplication.
  2. @farukaydin @derekprior

    Add link text to change password mail template

    farukaydin committed with derekprior Mar 27, 2015
    Included a default fallback to provide a base English translation for
    users that are using a locale file that does not define this new key.
Commits on Jan 30, 2015
  1. @derekprior

    Enable forgery protection on sessions#create

    derekprior committed Jan 30, 2015
    This line has existed since 2008, and yet I can determine no
    justification for it. It seems to me that we *would* want CSRF
    protection on `session#create`.
    
    On its own, skipping CSRF protection in just this single action doesn't
    seem particularly useful to an attacker. Additional vectors (such as an
    overly-permissive CORS header) would have to be present to make use of
    this, but at that point far more interesting attacks would be possible
    on any cookie-based auth system.
Commits on Jan 16, 2015
  1. @derekprior

    Prevent redirect loops when still using `authorize`

    derekprior committed Jan 14, 2015
    The `authorize` before filter is deprecated in favor of `require_login`.
    However, just switching Clearance's internal filters is not sufficient.
    We're dependent on users updating any `before_filter :authorize` calls.
    
    If they still have `before_filter :authorize` in their application
    controller, then they will see a deprecation on calls to authorize but
    the method will still run (it's aliased to `require_login`). This may
    cause them to be redirected to sign in. Sign in is set to
    `skip_before_filter :require_login`, but will happily still run
    authorize if instructed to by the application controller. Then you're
    stuck in a redirect loop.
    
    By duplicating the `skip_before_filter` calls to also skip `authorize`
    we can be sure this doesn't happen.
Commits on Jan 9, 2015
  1. @kenyonj
  2. @kenyonj

    Redirect signed in user to url_for_signed_in_users

    kenyonj committed Jan 9, 2015
    This adds a `before_filter` for `sessions#new` that will redirect signed in
    users to the same url that is configured for `url_after_create`, which, by
    default, points to `Clearance.configuration.redirect_url`.
Commits on Jan 8, 2015
  1. @derekprior

    Rename `authorize` filter to `require_login`

    derekprior committed Jan 5, 2015
    This name better expresses the intent of the filter and has the
    advantage of not conflicting with the `authorize` method provided by
    pundit or wading into the sometimes hairy line demarcating authorization
    from authentication.
    
    Clearance users should migrate from `:authorize` to `require_login` as
    the former will be removed in 2.0. Be sure to catch reference to
    `skip_before_filter :authorize` or `skip_before_action :authorize`,
    which the deprecation cannot catch.
    
    addresses #503, #436, and #239
Commits on Jan 5, 2015
  1. @jeroenvisser101
Commits on Dec 23, 2014
  1. @jessieay

    Update mailer spec

    jessieay committed Dec 22, 2014
    * Remove `before` block
    * Use I18n translations where available
    * Separate setup, exercise, expectation
    * Move to double quotes
    * Add `raw` to email body to avoid weird character encoding
Commits on Dec 20, 2014
  1. @derekprior

    Support Rails 4.2

    derekprior committed Dec 19, 2014
    Most of the changes necessary here were test-suite-only issues. The lone
    production-impactful change was adding support for
    `ActionMailer#deliver_later` in the `PasswordsController`. This will
    automatically use the queue configured with Active Job in order to
    background the sending of email. With no queue configured, it will be
    delivered synchronously. The old `#deliver` method still works, but
    generates deprecation warnings.
    
    The rest of the changes were related to the test suite:
    * Add a Rails 4.2 appraisal
    * Update cucumber steps to remove unnecessary gems from generated apps.
    * Simplify appraisal dependencies thanks to the above.
    * Fixed `forgeries_controller_spec`. This is still a brittle way to test
      this functionality but at least it works across Rails versions.
    * Removed deprecation related to test suite ordering in the test app
      that is loaded.
    
    There remains a single (repeated) deprecation when running specs on 4.2
    which comes from RSpec and will be addressed by upgrading to
    `rspec-rails` 3.1 (see [`rspec-rails` issue]). That work will be in a
    separate pull-request.
    
    [`rspec-rails` issue]: rspec/rspec-rails#1187
Commits on Jul 18, 2014
  1. @georgebrock @derekprior

    Replace sign out links with sign out buttons.

    georgebrock committed with derekprior Jul 4, 2014
    Using `button_to` instead of `link_to` for DELETE requests removes an
    unnecessary dependency on JavaScript.
Commits on Apr 28, 2014
  1. @mike-burns

    Use double quotes for HTML attributes

    mike-burns committed Apr 28, 2014
    Our style guide says to prefer double quotes for HTML and ERb
    attributes. Apply this consistently throughout this repo.
Commits on Apr 2, 2014
  1. @gylaz

    Introduce Clearance::UsersController#user_params

    gylaz committed Apr 1, 2014
    This makes it easier to overwrite `user_params` when needing to provide extra
    fields during signup.
    
    For example, with `strong_parameter`:
    ```ruby
    class UsersController < Clearance::UsersController
      private
    
      def user_params
        params.require(:user).permit(:email, :password, :first_name, :last_name)
      end
    end
    ```
Commits on Mar 28, 2014
  1. @zamith @derekprior

    Controllers inherit from Clearance::BaseController

    zamith committed with derekprior Mar 11, 2014
    This allows clearance controllers to share functionality such as filters,
    layouts, and helper methods. `BaseController` has no methods defined and
    is in place to allow customization through re-opening the class.
Commits on Mar 4, 2014
  1. @richrines

    Update Hash Syntax

    richrines committed Feb 28, 2014
    * Update to ruby 1.9+ hash syntax
Commits on Feb 7, 2014
  1. @derekprior

    Get user_model id parameter from configuration

    derekprior committed Feb 7, 2014
    The password reset controller was previously assuming that the id
    parameter would be available as 'user_id', but if you have customized
    the user model this won't be the case. Get the proper name from the
    configuration.
    
    Supersedes #377
  2. @derekprior

    Remove SessionsController failure message override

    derekprior committed Feb 7, 2014
    Since the introduction of the `SignInGuard` stack, this method was no
    longer being called. I moved its implementation into the failure
    message used by the `DefaultSignInGuard`. Customizing the message is
    done entirely via I18n.
    
    Resolves #378
Commits on Jan 26, 2014
  1. @JoelQ @derekprior

    Allow sign up to be disabled via configuration

    JoelQ committed with derekprior Oct 18, 2013
    There are many instances where you don't want users to be able to sign
    up (e.g. admin-only system). Clearance can now disable sign up by
    setting:
    
        Clearance.configure do |config|
          # other configuration options
          config.allow_sign_up = false
        end
    
    in `config/initializers/clearance.rb`.
Commits on Nov 1, 2013
  1. @halogenandtoast

    Added sign in guards.

    halogenandtoast committed Oct 18, 2013
    Sign in guards provide you with fine-grained control over the process of
    signing in a user. Each guard is run in order and will hand the session
    off to the next guard in the process. Any guard may also choose to fail
    the sign in process and provide a message explaining why. Additionally
    you could immediately determine the sign in process was a success and
    skip running additional guards.
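    The guard chain described in this commit, modelled in plain Ruby as an added illustration (not Clearance's own code; the guard classes, session keys and messages here are hypothetical): each guard runs in order, hands the session to the next one, fails with a message, or declares success and skips the rest.

    ```ruby
    # Illustrative sign-in guard chain; hypothetical classes, not Clearance's implementation.
    SignInSuccess = Struct.new(:message) do
      def success?; true; end
    end

    SignInFailure = Struct.new(:message) do
      def success?; false; end
    end

    class Guard
      def initialize(session, next_guard)
        @session = session
        @next_guard = next_guard
      end

      # Default: hand the session off to the next guard; the end of the chain is a success.
      def call
        @next_guard ? @next_guard.call : SignInSuccess.new(nil)
      end
    end

    # Fails the sign in (and stops the chain) when the email address is unconfirmed.
    class ConfirmedEmailGuard < Guard
      def call
        return SignInFailure.new("Please confirm your email address.") unless @session[:email_confirmed]
        super
      end
    end

    # Declares success immediately, so every later guard is skipped.
    class TrustedDeviceGuard < Guard
      def call
        @session[:trusted_device] ? SignInSuccess.new("Trusted device.") : super
      end
    end

    # Fails locked accounts; only reached when the earlier guards delegated.
    class LockedAccountGuard < Guard
      def call
        @session[:locked] ? SignInFailure.new("Account locked.") : super
      end
    end

    # Wraps the guards inside out so the first class listed runs first.
    def run_sign_in_guards(session, guard_classes)
      chain = guard_classes.reverse.inject(nil) { |next_guard, klass| klass.new(session, next_guard) }
      chain.call
    end
    ```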
Commits on Aug 16, 2013
  1. @gylaz
Commits on Aug 14, 2013
  1. @kohgpat
Commits on Apr 3, 2013
  1. @unique-username @croaky
Commits on Mar 26, 2013
  1. @localhots @croaky

    Add `redirect_url` config option

    localhots committed with croaky Mar 22, 2013
    * Clarify in README that the config example shows the default values.
    * Wrap long line at 80 characters.
    * Move `redirect_to_root` from `lib/clearance/authorization.rb` to where
      it is used, in `app/controllers/clearance/sessions_controller.rb`, and
      better reveal its intent by re-naming it to `avoid_sign_in`.
    * Re-set `config.secure_cookie` to its original value in an `after`
      block in a test to teardown and avoid leakage across tests.
    * Use `_url` suffix in config name to match [RFC 2616 spec, section
      14.30](http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html#sec14.30),
      which states the Location response-header field should use an absolute
      URI for 3xx responses.
    * The default value for `redirect_url` is the string path `'/'` as a
      previous compromise to make it less likely users will run into an
      issue if they don't want to define a root route. The string value avoids
      potentially confusing `NoMethodError: undefined method 'root_url'`
      errors.
    
    #281
  2. @croaky

    Remove `unloadable` from controllers

    croaky committed Mar 17, 2013
    They are causing circular dependencies in Rails 4 + Ruby 2:
    
    #276
Commits on Feb 25, 2013
  1. @gylaz @croaky

    Rename i18n keys for password email

    gylaz committed with croaky Feb 23, 2013
    * Take off _paragraph prefix because text does not contain <p> tags
    * Change password text copy to be more clear.
    * Sort i18n keys alphabetically.
    * Resolves #248
Commits on Feb 22, 2013
  1. @salbertson

    Move password email delivery to private method

    salbertson committed Feb 22, 2013
    * The password email delivery can now be overridden
  2. @croaky

    Removes duplicated sign up and forgot password links

    Galen Frechette committed with croaky Feb 15, 2013