validatable does not enforce password_confirmation #2796

@suung

Description

```ruby
# Excerpt from the User model spec (uses shoulda-matchers and FactoryGirl).
describe "#password" do
  it { should validate_presence_of(:password) }
  it { should validate_confirmation_of(:password) }

  context "with password but without confirmation" do
    subject { FactoryGirl.build(:user) }

    # Mimics an API request that sets password but omits the
    # password_confirmation field entirely (nil rather than "").
    before {
      subject.password = "testpassword"
      subject.password_confirmation = nil
    }

    it "should not be valid" do
      should_not be_valid
    end
  end
end
```

```
 1) User instance validations #password with password but without confirmation should not be valid
     Failure/Error: should_not be_valid
```

We just came across this when debugging an API call to Devise. With the field in the DOM, this will not happen, as password_confirmation will be "".

I cannot really see how this will be a desired behaviour in any case.

It should be fixed in my opinion, also with a patch for older versions.

Also I don't think it is a major security issue, do you agree?

The fix I would be proposing is

```ruby
validates_presence_of :password_confirmation, :if => :password
```
