Bringing Form Values into a Controller - Ruby on Rails

Question

I am trying to create a basic form where the user can change their password but needs to enter their old password in order to do it. I am having trouble verifying the user's old password. Everytime I enter an old password it says password doesn't match when I know that it does. If a replace the actual password in the authenticate field it works. How can I bring in what was entered in the form to verify the old password that was entered?

Form:

<%= form_for(@user, :url => change_password_action_path(current_user.id), html: { "role" => "form" }) do |f| %>
<%= render 'shared/error_messages', object: f.object %>

<div class="form-group">
    <%= f.label :old_password, "Old Password:", :class => "control-label" %>
    <%= f.password_field :old_password, :class => "form-control"  %>
</div>

<div class="form-group">
    <%= f.label :password, "New Password:", :class => "control-label" %>
    <%= f.password_field :password, :class => "form-control"  %>
</div>

<div class="form-group">
    <%= f.label :password_confirmation, "Password Confirmation:", :class => "control-label" %>
    <%= f.password_field :password_confirmation, :class => "form-control"  %>
</div>

<%= f.submit "Update Password", class: "btn btn-large btn-primary" %>

Controller

def change_password
    @user = User.find(current_user.id)
end

def change_password_action
    user = current_user.id
    if User.find(user).authenticate(params[:old_password]) == false
        flash[:danger] = "Password Doesnt Match: "
    else 
        flash[:success] = "Password Match" 
             # Validate the new and confirm password.
     end
    redirect_to action: :change_password
end

Routes

get '/change_password' => 'main#change_password'
patch '/change_password_action' => 'main#change_password_action'

Rails Server Logs

Started PATCH "/change_password_action.1" for 127.0.0.1 at 2014-01-15 09:04:38 -0600
Processing by MainController#change_password_action as 
Parameters: {"utf8"=>"✓",    "authenticity_token"=>"yYdUx37Q7alr3SccuMVjPwCJoMgMPOaiKTesSsILlP4=", "user"=>{"old_password"=>"[FILTERED]", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}, "commit"=>"Update Password"}
  User Load (0.5ms)  SELECT "users".* FROM "users" WHERE "users"."remember_token" = 'fc1baf63bac072bfefd5ed27664ece5427ad9e64' LIMIT 1
 {"utf8"=>"✓", "_method"=>"patch", "authenticity_token"=>"yYdUx37Q7alr3SccuMVjPwCJoMgMPOaiKTesSsILlP4=", "user"=>{"old_password"=>"test123", "password"=>"", "password_confirmation"=>""}, "commit"=>"Update Password", "controller"=>"main", "action"=>"change_password_action", "format"=>"1"}
 User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 1]]
 Redirected to http://localhost:3000/change_password
 Completed 302 Found in 115ms (ActiveRecord: 0.7ms)


 Started GET "/change_password" for 127.0.0.1 at 2014-01-15 09:04:39 -0600
 Processing by MainController#change_password as HTML
 User Load (0.2ms)  SELECT "users".* FROM "users" WHERE "users"."remember_token" =   'fc1baf63bac072bfefd5ed27664ece5427ad9e64' LIMIT 1
 User Load (0.1ms)  SELECT "users".* FROM "users" WHERE "users"."id" = ? LIMIT 1  [["id", 1]]
 Rendered shared/_error_messages.html.erb (0.1ms)
 Rendered main/change_password.html.erb within layouts/application (2.6ms)
 Rendered layouts/_header.html.erb (0.5ms)
 Rendered layouts/_footer.html.erb (0.0ms)
 Completed 200 OK in 19ms (Views: 16.2ms | ActiveRecord: 0.4ms)

Answer 1

It looks like you're passing the wrong parameter into your authenticate method. Try using params[:user][:old_password] instead of params[:old_password].

The param value you want will be under the :user key, because your form_for is using a user object.

You can also see this in your server logs where the user param in your params hash is: "user"=>{"old_password"=>"[FILTERED]", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}