validation should be checked anytime password is changed, even if password_required? returns false #27
`password_required?` should only be used as the condition for validates that enforce requiredness — that is, presence validations. Take a look at `lib/devise/models/validatable.rb`. That is the way it is done there, which we should generally try to be consistent with: the only places validations are conditional on `email_required?`/`password_required?`: all other validations are not conditional on requiredness, but some of them are only checked if changing the field (email/password):

The length validation isn't conditional at all — I'm not sure why the email format validation is only checked if email changed, but password length is always checked. But it doesn't matter since it's cheap. Checking for pwned password, on the other hand, is a more expensive check to make, so it should only happen if email has actually changed.

P.S. We should also add tests that it only calls the pwned API when there is a change, but I didn't have time to figure that test out.

Context: I have a custom `password_required?` method defined, that returns false after a user is confirmed. I was surprised that this gem wasn't checking my password and wasn't adding errors even when changing to obviously-compromised passwords like `'password'`.
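The validation layout argued for above, as an added stand-alone Ruby example (not the gem's or Devise's own code): presence is the only check gated on `password_required?`, the cheap length check is unconditional, and the expensive pwned lookup is gated only on whether the password actually changed. The `PwnedChecker` class is a constructed offline stand-in for the remote Pwned Passwords API; it counts lookups so a test can confirm the lookup happens once per change, which is the test the P.S. asks for. The `User` class, its `confirmed:` flag and the error strings are hypothetical.

```ruby
require "digest"

# Constructed stand-in for the remote Pwned Passwords API: a local set of
# SHA-1 hashes of known-compromised passwords. Lookups are counted so a
# test can assert the expensive check runs only when the password changed.
class PwnedChecker
  attr_reader :lookups

  def initialize(compromised_passwords)
    @hashes = compromised_passwords.map { |p| Digest::SHA1.hexdigest(p).upcase }
    @lookups = 0
  end

  def pwned?(password)
    @lookups += 1
    @hashes.include?(Digest::SHA1.hexdigest(password).upcase)
  end
end

# Hypothetical model mirroring the Devise Validatable layout described in
# the PR: requiredness gates presence; length is unconditional (allow_blank);
# the pwned lookup depends on password_changed?, not on password_required?.
class User
  attr_reader :errors

  def initialize(checker, confirmed: false)
    @checker = checker
    @confirmed = confirmed
    @password = nil
    @password_changed = false
    @errors = []
  end

  # Custom override as in the PR description: required only until confirmed.
  def password_required?
    !@confirmed
  end

  def password=(value)
    @password_changed = true unless value == @password
    @password = value
  end

  def password_changed?
    @password_changed
  end

  def valid?
    @errors = []
    blank = @password.nil? || @password.empty?

    # Presence: the only validation conditional on password_required?
    @errors << "password can't be blank" if password_required? && blank

    # Length: cheap, so always checked (allow_blank semantics)
    @errors << "password is too short" if !blank && @password.length < 6

    # Pwned lookup: expensive, so only when the password actually changed,
    # regardless of whether a password is required for this record.
    if password_changed? && !blank && @checker.pwned?(@password)
      @errors << "password has appeared in a data breach"
    end

    # A successful validation clears the dirty flag (stands in for save).
    @password_changed = false if @errors.empty?
    @errors.empty?
  end
end
```

Running `valid?` twice without changing the password performs no second lookup, and a confirmed user (where `password_required?` is false) still gets an error when changing to a compromised password.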