Bug? Registerable user edit password does not check password and password_confirmation match, or min length

Jonathan Andrew Wolter (乔沃特)

May 30, 2011, 4:02:16 PM
to Devise
I created a vanilla devise implementation where we have turned
on :registerable and :validatable

I go to /users/edit and the edit_user_registration pops up.

Did not see this in the github issues. Please help me if I'm mistaken
or misunderstanding.

I can set the new password to "999000" and the new password
confirmation to "9990001" and enter the correct existing password.
Click submit, and it works with no errors.

Ditto if I set password to "9" and confirmation to "8" -- min password
length is not enforced.

Looking at the devise/registrations_controller.rb, I see this get
called:

  # PUT /resource
  def update
    if resource.update_with_password(params[resource_name])
      set_flash_message :notice, :updated if is_navigational_format?
      sign_in resource_name, resource, :bypass => true
      respond_with resource, :location => after_update_path_for(resource)
    else
      clean_up_passwords(resource)
      respond_with_navigational(resource){ render_with_scope :edit }
    end
  end

But, update_with_password does not check that either the model is
valid? or password and confirmation match.

I thought active record's update_attributes would, but it seems to not
be raising errors.

  # Update record attributes when :current_password matches, otherwise returns
  # error on :current_password. It also automatically rejects :password and
  # :password_confirmation if they are blank.
  def update_with_password(params={})
    current_password = params.delete(:current_password)

    if params[:password].blank?
      params.delete(:password)
      params.delete(:password_confirmation) if params[:password_confirmation].blank?
    end

    result = if valid_password?(current_password)
      update_attributes(params)
    else
      self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
      self.attributes = params
      false
    end

    clean_up_passwords
    result
  end

Jonathan Andrew Wolter (乔沃特)

May 30, 2011, 5:27:20 PM
to Devise
An update:

I had in my model:

attr_accessible :password

but not also :password_confirmation

I removed both of them; validations did not occur between the password
and confirmation.

I added
attr_accessible :password, :password_confirmation

And it started working.

Do we need more clear instructions for users that are adopting an
existing model to use devise?

Am I the only one that has had this problem? Hope it helps someone
else!
On May 31, 1:02 am, Jonathan Andrew Wolter (乔沃特) <jawol...@gmail.com>
wrote:
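As an added illustration (not code from this thread or from Devise), here is a stand-alone Ruby model that imitates the interaction the update above describes: a Rails 3 style attr_accessible whitelist silently drops password_confirmation from the submitted params, and a confirmation validator that only runs when the confirmation attribute is present therefore never fires, so a mismatched confirmation is accepted. FakeUser, MIN_LENGTH and mismatch_accepted? are assumed names, and the 6-character minimum is assumed from Devise's default password length.

```ruby
# Constructed stand-in for an ActiveRecord model with Devise :validatable.
# Not Devise or Rails code: it only models the two behaviours in play.
class FakeUser
  MIN_LENGTH = 6  # assumed: Devise's default config.password_length starts at 6

  attr_reader :password, :password_confirmation, :errors

  # accessible: attribute names the whitelist lets through, like attr_accessible
  def initialize(accessible)
    @accessible = accessible.map(&:to_sym)
    @errors = []
  end

  # Mimics protected mass assignment: keys not on the whitelist are silently
  # dropped, with no error and no log line, exactly like attr_accessible.
  def assign_attributes(params)
    params.each do |key, value|
      next unless @accessible.include?(key.to_sym)
      instance_variable_set("@#{key}", value)
    end
  end

  # Mimics presence, length and confirmation validation as :validatable wires
  # them up. validates_confirmation_of only runs when password_confirmation is
  # non-nil, which is why a dropped confirmation makes the check vanish.
  def valid?
    @errors = []
    @errors << "password can't be blank" if password.nil? || password.empty?
    @errors << "password is too short" if password && password.length < MIN_LENGTH
    if !password_confirmation.nil? && password != password_confirmation
      @errors << "password doesn't match confirmation"
    end
    @errors.empty?
  end

  def update_attributes(params)
    assign_attributes(params)
    valid?
  end
end

# Constructed form submission with a deliberately mismatched confirmation.
MISMATCH = { password: "999000", password_confirmation: "9990001" }

# Returns true when the whitelist lets the mismatch through unnoticed.
def mismatch_accepted?(accessible)
  FakeUser.new(accessible).update_attributes(MISMATCH)
end
```

With only :password whitelisted the mismatch is accepted; adding :password_confirmation to the whitelist makes the confirmation validator run and reject it.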