CHANGELOG.rdoc in devise-1.1.9 vs CHANGELOG.rdoc in devise-1.2.rc

- old
+ new

@@ -1,33 +1,41 @@ -== 1.1.9 +== 1.2.rc -* bugfix - * double check if warden has not halted +* deprecations + * cookie_domain is deprecated in favor of cookie_options + * after_update_path_for can no longer be defined in ApplicationController -== 1.1.8 +* enhancements + * Added OmniAuth support + * Added ORM adapter to abstract ORM iteraction + * sign_out_via is available in the router to configure the method used for sign out (by github.com/martinrehfeld) + * Improved Ajax requests handling in failure app (by github.com/spastorino) + * Added request_keys to easily use request specific values (like subdomain) in authentication + * Increased the size of friendly_token to 60 characters (reduces the chances of a successful brute attack) + * Ensure the friendly token does not include "_" or "-" since some e-mails may not autolink it properly (by github.com/rymai) + * Extracted encryptors into :encryptable for better bcrypt support + * :rememberable is now able to use salt as token if no remember_token is provided + * Store the salt in session and expire the session if the user changes his password + * Allow :stateless_token to be set to true avoiding users to be stored in session through token authentication + * cookie_options uses session_options values by default + * Sign up now check if the user is active or not and redirect him accordingly setting the inactive_signed_up message + * Use ActiveModel#to_key instead of #id + * sign_out_all_scopes now destroys the whole session + * Added case_insensitive_keys that automatically downcases the given keys, by default downcases only e-mail (by github.com/adahl) -* bugfix - * Ensure you can't inject Mongoid queries using token authenticatable +* default behavior changes + * sign_out_all_scopes defaults to true as security measure + * http authenticatable is disabled by default + * Devise does not intercept 401 returned from applications -== 1.1.7 - * bugfix - * Fix a backward incompatible change with versions prior to Rails 
3.0.4 - -== 1.1.6 - -* bugfix - * Use a more secure e-mail regexp - * Implement Rails 3.0.4 handle unverified request - * Use secure_compare to compare passwords - -== 1.1.5 - -* bugfix - * Ensure to convert keys on indifferent hash - -* defaults - * Set config.http_authenticatable to false to avoid confusion + * after_sign_in_path_for always receives a resource + * Do not execute Warden::Callbacks on Devise::TestHelpers (by github.com/sgronblo) + * Password recovery and account unlocking takes into account authentication keys (by github.com/RStankov) + * FailureApp now properly handles nil request.format + * Fix a bug causing FailureApp to return with HTTP Auth Headers for IE7 + * Ensure namespaces has proper scoped views + * Ensure Devise does not set empty flash messages (by github.com/sxross) == 1.1.4 * bugfix * Avoid session fixation attacks
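
Review bot: The removed `== 1.1.5` through `== 1.1.9` sections carry the only record of several security fixes ("Ensure you can't inject Mongoid queries using token authenticatable", "Use secure_compare to compare passwords", "Use a more secure e-mail regexp", "Implement Rails 3.0.4 handle unverified request"), and the new `== 1.2.rc` section does not say whether those fixes are included. Since `== 1.1.4` and its "Avoid session fixation attacks" entry are kept, either keep the 1.1.5 to 1.1.9 sections as well or add a line under 1.2.rc stating which 1.1.x fixes it contains, so someone upgrading from 1.1.9 can confirm nothing regresses. Two wording fixes in the added lines: "ORM iteraction" should read "ORM interaction", and "a successful brute attack" should read "a successful brute force attack". The entries under "default behavior changes" and "sign_out_all_scopes now destroys the whole session" alter what happens at sign out and on 401 responses, so each would benefit from a short note on what an application relying on the old behavior has to change.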