Fix Devise 5 compatibility: replace deprecated positional scope in sign_in#273
Closed
antonzaytsev wants to merge 2 commits intosolidusio:mainfrom
Closed
Fix Devise 5 compatibility: replace deprecated positional scope in sign_in#273antonzaytsev wants to merge 2 commits intosolidusio:mainfrom
antonzaytsev wants to merge 2 commits intosolidusio:mainfrom
Conversation
Devise 5 removed the deprecated `sign_in(scope, resource)` form. Use `sign_in(resource)` instead — Devise infers the scope from the resource's class mapping automatically. This fixes a runtime error when using solidus_auth_devise with Devise >= 5.0 during user registration.
Author
|
Closing — 2.6.0 was just released with devise 5.x support already included. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes Devise 5.x runtime compatibility by replacing the deprecated positional scope argument in
sign_inand bumping the gem version to 2.6.1.What changed
sign_in(:spree_user, resource)→sign_in(resource)inUserRegistrationsController#createDevise 5 removed the deprecated
sign_in(scope, resource)form. The scope is inferred automatically from the resource's class mapping (Spree::User→:spree_user), so the explicit scope argument is unnecessary and causes a runtime error with Devise >= 5.0.Version bump to 2.6.1
Why this matters
The gemspec already allows Devise 5.x (
>= 4.1), but the code-level incompatibility causes aArgumentErrorduring user registration when running with Devise 5. This is the only Devise 5 incompatibility in the codebase — all other deprecated patterns (sign_in(:bypass),devise_error_messages!,Devise::TestHelpers,deliver) were already updated in previous releases.Context
CVE-2026-32700 affects Devise < 5.0.3 (email confirmation race condition). Downstream Solidus apps cannot upgrade to the patched Devise version without this fix. See also #271.
Backwards compatible
sign_in(resource)works identically on Devise 4.x and 5.x — Devise has inferred scopes from resource class mappings since 4.0. No behavior change for existing installations.Checklist