Upgrade to devise 3.0.4

Gemfile

@@ -8,7 +8,7 @@ gem 'unicorn'
 gem 'foreman'
 
 gem 'crowdtilt', github: 'Crowdtilt/crowdtilt-gem'
-gem 'devise'
+gem 'devise', '~> 3.0.0'
 gem 'nokogiri'
 gem 'friendly_id', '~> 4.0.9'
 gem 'iso_country_codes'

Gemfile.lock

@@ -49,7 +49,7 @@ GEM
       json (~> 1.4)
       nokogiri (>= 1.4.4)
       uuidtools (~> 2.1)
-    bcrypt-ruby (3.0.1)
+    bcrypt-ruby (3.1.2)
     bootstrap-sass (2.1.0.0)
     builder (3.0.4)
     capybara (2.1.0)
@@ -73,11 +73,11 @@ GEM
       coffee-script-source
       execjs
     coffee-script-source (1.6.2)
-    devise (2.2.4)
+    devise (3.0.4)
       bcrypt-ruby (~> 3.0)
       orm_adapter (~> 0.1)
-      railties (~> 3.1)
-      warden (~> 1.2.1)
+      railties (>= 3.2.6, < 5)
+      warden (~> 1.2.3)
     diff-lcs (1.2.4)
     dotenv (0.7.0)
     email_spec (1.4.0)
@@ -229,7 +229,7 @@ GEM
       rack
       raindrops (~> 0.7)
     uuidtools (2.1.4)
-    warden (1.2.1)
+    warden (1.2.3)
       rack (>= 1.0)
     xpath (2.0.0)
       nokogiri (~> 1.3)
@@ -246,7 +246,7 @@ DEPENDENCIES
   ckeditor
   coffee-rails (~> 3.2.1)
   crowdtilt!
-  devise
+  devise (~> 3.0.0)
   email_spec
   factory_girl_rails
   faker

config/initializers/devise.rb

@@ -48,10 +48,14 @@
   # enable it only for database (email + password) authentication.
   # config.params_authenticatable = true
 
-  # Tell if authentication through HTTP Basic Auth is enabled. False by default.
+  # Tell if authentication through HTTP Auth is enabled. False by default.
   # It can be set to an array that will enable http authentication only for the
   # given strategies, for example, `config.http_authenticatable = [:token]` will
-  # enable it only for token authentication.
+  # enable it only for token authentication. The supported strategies are:
+  # :database      = Support basic authentication with authentication key + password
+  # :token         = Support basic authentication with token authentication key
+  # :token_options = Support token authentication with options as defined in
+  #                  http://api.rubyonrails.org/classes/ActionController/HttpAuthentication/Token.html
   # config.http_authenticatable = false
 
   # If http headers should be returned for AJAX requests. True by default.
@@ -72,6 +76,12 @@
   # passing :skip => :sessions to `devise_for` in your config/routes.rb
   config.skip_session_storage = [:http_auth]
 
+  # By default, Devise cleans up the CSRF token on authentication to
+  # avoid CSRF token fixation attacks. This means that, when using AJAX
+  # requests for sign in and sign up, you need to get a new CSRF token
+  # from the server. You can disable this option at your own risk.
+  # config.clean_up_csrf_token_on_authentication = true
+
   # ==> Configuration for :database_authenticatable
   # For bcrypt, this is the cost for hashing the password and defaults to 10. If
   # using other encryptors, it sets how many times you want the password re-encrypted.
@@ -82,7 +92,7 @@
   config.stretches = Rails.env.test? ? 1 : 10
 
   # Setup a pepper to generate the encrypted password.
-  # config.pepper = "335c70cd06c20f3fe9bcc6a3f9cba97e4051e38e699f6ca4ac7713807ac04b93a04b5fe8e6ec9a27f9e6b7ae155f02fd3b95efb7667c2d56e0851336835b682a"
+  # config.pepper = "bce28301f3fd7e1b6c3ddce3b95d432efa469df1e87d5ba56f8e2826e35bcdb58db429f355a6a7fe960503a2ca17b8ac70259c0b475db5e5dc6ef1317b407ebf"
 
   # ==> Configuration for :confirmable
   # A period that the user is allowed to access the website even without
@@ -122,10 +132,10 @@
 
   # ==> Configuration for :validatable
   # Range for password length. Default is 8..128.
-  config.password_length = 6..128
+  config.password_length = 8..128
 
   # Email regex used to validate email formats. It simply asserts that
-  # an one (and only one) @ exists in the given string. This is mainly
+  # one (and only one) @ exists in the given string. This is mainly
   # to give user feedback and not to assert the e-mail validity.
   # config.email_regexp = /\A[^@]+@[^@]+\z/
 
@@ -175,7 +185,9 @@
   # :sha1, :sha512 or encryptors from others authentication tools as :clearance_sha1,
   # :authlogic_sha512 (then you should set stretches above to 20 for default behavior)
   # and :restful_authentication_sha1 (then you should set stretches to 10, and copy
-  # REST_AUTH_SITE_KEY to pepper)
+  # REST_AUTH_SITE_KEY to pepper).
+  #
+  # Require the `devise-encryptable` gem when using anything other than bcrypt
   # config.encryptor = :sha512
 
   # ==> Configuration for :token_authenticatable

config/locales/devise.en.yml

@@ -14,7 +14,7 @@ en:
       locked: "Your account is locked."
       not_found_in_database: "Invalid email or password."
       timeout: "Your session expired, please sign in again to continue."
-      unauthenticated: ''
+      unauthenticated: "You need to sign in or sign up before continuing."
       unconfirmed: "You have to confirm your account before continuing."
     mailer:
       confirmation_instructions:
@@ -34,7 +34,7 @@ en:
       updated_not_active: "Your password was changed successfully."
     registrations:
       destroyed: "Bye! Your account was successfully cancelled. We hope to see you again soon."
-      signed_up: "Welcome! Your account has been created."
+      signed_up: "Welcome! You have signed up successfully."
       signed_up_but_inactive: "You have signed up successfully. However, we could not sign you in because your account is not yet activated."
       signed_up_but_locked: "You have signed up successfully. However, we could not sign you in because your account is locked."
       signed_up_but_unconfirmed: "A message with a confirmation link has been sent to your email address. Please open the link to activate your account."