Reputation: 125
Using rails devise, empty password fields aren't present in debug(params)?
I'm new to rails and devise, so I'm trying to understand what is going on. I am following the devise wiki for allowing users to edit their own password, found here: https://github.com/plataformatec/devise/wiki/How-To:-Allow-users-to-edit-their-password.
What I find confusing is that even though I am using :validatable in my model, it seems that I am able to submit the form even if I leave password/password_confirmation blank, as long as I complete current_password. It seems this has something to do with the fact that in validatable.rb, that there is a validation for password only if !password.nil? per line 54.
So I decided to look at debug(params) on form submission, and it seems indeed that if I leave the password/password_confirmation fields blank, then password/password_confirmation do not appear in the params hash at all (and though password.nil? is true?).
What I don't understand is why this happens? Even if I leave the password field blank, shouldn't password appear in params just like any other field, as "password" => ""? Since I'm using my own controller action to process the form, how is it that password is not in params?
Upvotes: 0
Views: 2097
Answers (1)
Reputation: 34072
The update_with_password method that is used on that wiki page is what's causing your confusion. It deletes both password and password_confirmation from the params if they are blank, as seen here.
This seems like an oversight on the wiki page, as it's describing how to implement your own change password action. This is definitely an issue in that case (submitting a "change password" form without filling out a password should probably fail).
Anyway, you could work around it, and still use the update_with_password method, just by checking to see if the password is blank beforehand, something like this (refactored as you like):
def update_password
@user = User.find(current_user.id)
if params[:user][:password].blank?
@user.errors.add(:password, :blank)
render "edit"
elsif @user.update_attributes(params[:user])
# Sign in the user by passing validation in case his password changed
sign_in @user, :bypass => true
redirect_to root_path
else
render "edit"
end
end
Upvotes: 1
Related Questions
- "Validation Error: Password can't be blank" but no password field in form
- Rails 6 - password showing up in logs even though I added it to the "filter_parameters"
- Devise let me to change new password as empty
- Rails Devise "Invalid Email or password" when password is correct and Email is not a parameter
- Ruby on rails - Devise registrations blank password
- Rails Devise user password is always invalid (tested in rails console)
- Unpermitted parameters: current_password, Rails 4 +Devise
- Devise Passwords Controller JSON params not working
- Password can't be blank
- Devise allows blank password during password reset