From 07db04e77313918f568d43f2401e53cafed696c6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jos=C3=A9=20Valim?=
Date: Wed, 29 Jun 2011 20:17:29 -0300
Subject: [PATCH] Work around AR that does not call serializable_hash on to_xml.
---
 CHANGELOG.rdoc | 1 +
 lib/devise/models/authenticatable.rb | 19 ++++++++++++-------
 test/integration/registerable_test.rb | 2 +-
 3 files changed, 14 insertions(+), 8 deletions(-)
diff --git a/CHANGELOG.rdoc b/CHANGELOG.rdoc
index bd3581db..b1a81a40 100644
--- a/CHANGELOG.rdoc
+++ b/CHANGELOG.rdoc
@@ -6,6 +6,7 @@
 * Better localization for devise_error_messages! (by github.com/zedtux)
 * bug fix
+ * Ensure to_xml is properly white listened
 * Ensure handle_unverified_request clean up any cached signed-in user
 == 1.4.0
diff --git a/lib/devise/models/authenticatable.rb b/lib/devise/models/authenticatable.rb
index f121ad9e..fcc34e52 100644
--- a/lib/devise/models/authenticatable.rb
+++ b/lib/devise/models/authenticatable.rb
@@ -76,13 +76,18 @@ module Devise
 def authenticatable_salt
 end
- def serializable_hash(options={})
- if self.class.respond_to?(:accessible_attributes)
- options = { :only => self.class.accessible_attributes.to_a }.merge(options || {})
- super(options)
- else
- super
- end
- end
+ # TODO: to_xml does not call serializable_hash. Hopefully someone will fix this in AR.
+ %w(to_xml serializable_hash).each do |method|
+ class_eval <<-RUBY, __FILE__, __LINE__
+ def #{method}(options={})
+ if self.class.respond_to?(:accessible_attributes)
+ options = { :only => self.class.accessible_attributes.to_a }.merge(options || {})
+ super(options)
+ else
+ super
+ end
+ end
+ RUBY
 end
 module ClassMethods
diff --git a/test/integration/registerable_test.rb b/test/integration/registerable_test.rb
index 36d32a60..846bac47 100644
--- a/test/integration/registerable_test.rb
+++ b/test/integration/registerable_test.rb
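Review bot: In lib/devise/models/authenticatable.rb the generated `to_xml`/`serializable_hash` only restrict output when the class responds to `accessible_attributes`; the `else` branch calls plain `super`, so a model without that API is serialized with every attribute it has. The old assertion in registerable_test.rb is guarded by `if DEVISE_ORM == :active_record`, which suggests the other ORMs are not covered by the whitelist. Because the default is built as `{ :only => ... }.merge(options || {})`, a caller-supplied `:only` also replaces the whitelist rather than narrowing it; if that is intended, say so above the loop, e.g. `# Callers may override :only; models without accessible_attributes are serialized unfiltered.` Separately, pass `__LINE__ + 1` to `class_eval` so backtraces point into the heredoc body. The enclosing module starts and ends outside the hunk.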
@@ -211,7 +211,7 @@ class RegistrationTest < ActionController::IntegrationTest
 get new_user_registration_path(:format => 'xml')
 assert_response :success
 assert_match %(\n), response.body
- assert_no_match(//, response.body) if DEVISE_ORM == :active_record
+ assert_no_match(/