Feature request: let users have blank passwords (another config option?) #200

Open
northeast51 opened this Issue Oct 21, 2010 · 3 comments


@northeast51

Feature request

Would it be possible for users to have blank passwords? This would ideally be another authlogic option, like:

 acts_as_authentic do |c|
   c.allow_blank_passwords = true
 end

I'm guessing this might affect the existing "ignore_blank_passwords" option as well.

Why this feature?

I am aware of the security implications of allowing website users to have blank passwords. However, I'm coding a website that isn't holding massively personal data needing bank-level security. User accounts will start off with blank passwords so users can quickly log in by entering their username (and an unchanged blank password) in the sign-in form. Users can decide later if they'd like the extra security (but greater inconvenience) of a full password.

This feature request is driven by our particular use-case, but I do think it's useful to other developers. We're following the principle of "gradual engagement" in designing our website, and I believe other developers will too: http://www.alistapart.com/articles/signupforms

Discussion

I initially thought the "allow_blank_passwords" option set to false would allow blank passwords, and used this in my User model:

acts_as_authentic do |c|
  c.ignore_blank_passwords = false
  c.validate_password_field = false
end

This does allow the model to be saved to the DB with a blank password, but authentication fails with an error message in errors[:password]. I believe this line in authlogic/session/password.rb is causing the error:

def validate_by_password
  ...
  errors.add(password_field, I18n.t('error_messages.password_blank', :default => "cannot be blank")) if send("protected_#{password_field}").blank?

Thanks for authlogic - it's a great library!

@lichtamberg

Look at the source code:

# Whether or not to validate the password field.
#
# * Default: true
# * Accepts: Boolean
def validate_password_field(value = nil)
  rw_config(:validate_password_field, value, true)
end
alias_method :validate_password_field=, :validate_password_field

@northeast51

The :validate_password_field option does not enable blank passwords to be used. I've tested it with the following authlogic configuration in my User model:

acts_as_authentic do |c|
  c.ignore_blank_passwords = false
  c.validate_password_field = false
end

The root problem is the line I specified above (errors.add(password_field...)) in the validate_by_password method of authlogic/session/password.rb. This method is triggered during session validation by:

validate :validate_by_password, :if => :authenticating_with_password?

def authenticating_with_password?
  login_field && (!send(login_field).nil? || !send("protected_#{password_field}").nil?)
end

@lichtamberg

Yeah... That line should be changed to

validate :validate_by_password, :if => :authenticating_with_password? && validate_password_field

Maybe you could monkeypatch it?
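As an added illustration (not authlogic's code and not from either commenter), here is a constructed Ruby stand-in for the two checks the thread walks through: the model-side validation controlled by validate_password_field, and the session-side validate_by_password step that still rejects a blank password. It assumes the hypothetical allow_blank_passwords option from the request, and uses a plain SHA-256 digest purely as a placeholder for the stored credential.

```ruby
require 'digest'

# Constructed stand-in for the model and session layers discussed above.
# allow_blank_passwords is the hypothetical option from the feature request.
class BlankPasswordFlow
  attr_reader :errors

  def initialize(validate_password_field: true, allow_blank_passwords: false)
    @validate_password_field = validate_password_field
    @allow_blank_passwords = allow_blank_passwords
    @errors = []
  end

  # Model side: mirrors the record save in the issue. With
  # validate_password_field = false a blank password saves fine.
  def record_valid?(password)
    @errors = []
    @errors << 'password cannot be blank' if @validate_password_field && password.to_s.empty?
    @errors.empty?
  end

  # Mirrors authenticating_with_password?: a login or a password was submitted.
  def authenticating_with_password?(login, password)
    !login.nil? || !password.nil?
  end

  # Session side: mirrors validate_by_password. The blank check is what fails
  # today; gating it on allow_blank_passwords is the requested behaviour. Even
  # then a blank submission must still match the stored credential (the digest
  # of ""), so "blank" is never a skip of verification.
  def session_valid?(login, password, stored_hash)
    @errors = []
    return false unless authenticating_with_password?(login, password)
    if password.to_s.empty? && !@allow_blank_passwords
      @errors << 'password cannot be blank'
      return false
    end
    @errors << 'password is not valid' unless secure_equal(digest(password.to_s), stored_hash)
    @errors.empty?
  end

  # Placeholder for the stored credential; real storage uses authlogic's crypto provider.
  def digest(pw)
    Digest::SHA256.hexdigest(pw)
  end

  # Length-checked, constant-time comparison of two digests.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```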
