Password attribute is emptied when record is invalid using has_secure_password #1386
Comments
That's quite a common behavior, actually, on most web applications. Moreover, I see two problems with this:
-1 on this.
Devise doesn't lose the password, and neither does Authlogic. There is no more of a security flaw the second time you type it than the first. In both cases the password is somewhere in the browser (and accessible through JavaScript, then with both JavaScript and HTML). What kind of attack do you have in mind? The main flaw is about user experience: I mistype my email, so I have to retype the password and its confirmation? Not good at all. :( PS: Big up Oahu! :)
If you want to check that the password and its confirmation match, and you're worried about user experience, you should go with a JavaScript solution, like the jQuery validation plugin[1]. Then your user will know instantly. Similarly, if you're checking the password for strength, the same plugin allows for custom validation methods.
Part of the problem appears to be that password_field has {:value => nil} merged in as part of the helper (see actionpack/lib/action_view/helpers/form_helper.rb). The other part is that the password_confirmation attribute is virtual (in memory only).
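The two pieces named in the comment above (a virtual password that survives only on the in-memory object, and a password_field helper that never writes a value back into the HTML) can be shown in a stand-alone sketch. The following is an added example, not code from this issue, from Rails, or from any commenter: BCrypt is replaced with PBKDF2-HMAC-SHA256 so it runs on the Ruby stdlib alone, Active Model's validations are replaced with a hand-rolled errors hash, and the two form helpers are toy versions that only reproduce the value-handling difference. The User class, the email regex and the sample sign-up parameters are constructed for the demo.

```ruby
require "openssl"
require "securerandom"
require "cgi"

# Stand-in for has_secure_password. BCrypt is replaced with PBKDF2-HMAC-SHA256
# (an assumption made so the file runs on the Ruby stdlib alone). As in Rails,
# password and password_confirmation are virtual: they live on the object only,
# never in the database.
module SecurePasswordLike
  ITERATIONS = 20_000 # kept low for a demo; use a slow hash such as bcrypt in production

  attr_reader :password
  attr_accessor :password_confirmation

  def password=(plain)
    @password = plain
    return if plain.nil? || plain.empty?
    salt = SecureRandom.hex(16)
    self.password_digest = "#{salt}$#{derive(plain, salt)}"
  end

  def authenticate(plain)
    return false if password_digest.nil?
    salt, stored = password_digest.split("$", 2)
    secure_equal?(stored, derive(plain, salt))
  end

  private

  def derive(plain, salt)
    OpenSSL::KDF.pbkdf2_hmac(plain, salt: salt, iterations: ITERATIONS,
                             length: 32, hash: "sha256").unpack1("H*")
  end

  # Constant-time comparison so the position of a mismatch cannot be timed.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Minimal User model with a hand-rolled errors hash in place of Active Model.
class User
  include SecurePasswordLike
  attr_accessor :email, :password_digest
  attr_reader :errors

  EMAIL_RE = /\A[^@\s]+@[^@\s]+\z/ # deliberately loose; only here to make email fail

  def initialize(attrs = {})
    @errors = {}
    attrs.each { |name, value| public_send("#{name}=", value) }
  end

  # The checks has_secure_password adds (digest present, confirmation matches)
  # plus one ordinary field, email, which is what fails in the issue's scenario.
  def valid?
    @errors = {}
    @errors[:email] = "is invalid" unless email.to_s.match?(EMAIL_RE)
    @errors[:password] = "can't be blank" if password_digest.nil?
    if !password_confirmation.nil? && password != password_confirmation
      @errors[:password_confirmation] = "doesn't match password"
    end
    @errors.empty?
  end
end

# Toy versions of the Rails helpers (not Rails code): text_field echoes the
# model attribute back; password_field renders no value attribute at all,
# whatever the model still holds in memory.
def text_field(object, attr)
  value = CGI.escapeHTML(object.public_send(attr).to_s)
  %(<input type="text" name="user[#{attr}]" id="user_#{attr}" value="#{value}" />)
end

def password_field(_object, attr)
  %(<input type="password" name="user[#{attr}]" id="user_#{attr}" />)
end

def signup_form(user)
  [text_field(user, :email),
   password_field(user, :password),
   password_field(user, :password_confirmation)].join("\n")
end

# One sign-up attempt: build the model, validate it, re-render the form.
def attempt_signup(params)
  user = User.new(params)
  user.valid?
  [user, signup_form(user)]
end

if __FILE__ == $PROGRAM_NAME
  user, html = attempt_signup(email: "not-an-email", password: "hunter2",
                              password_confirmation: "hunter2")
  p user.errors    # only :email fails
  p user.password  # the plaintext is still on the object
  puts html        # neither password input carries a value attribute
end
```

Run it and compare the three outputs: the model still has the password and a usable digest after the failed validation, so nothing is "lost" on the server side; what the user sees as an emptied field is the helper declining to put the plaintext back into the page.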
I think this is normal, no matter what you're using. If you want to make sure the user correctly types the same password for confirmation, you should use client-side validation as suggested by @farleyknight.
Such bad faith is quite disappointing. For information: GitHub and Twitter do retain the user's password when the registration fails at validation. Anyway, I will go for client-side validation.
…rray [rails#1386 state:committed] Signed-off-by: David Heinemeier Hansson <david@loudthinking.com>
Hello,
In a model (say User) using has_secure_password, the password and its confirmation are lost if one of the other fields is invalid.
It's really bad for user experience. For instance, on a sign-up form: if my username or email is invalid, I have to retype the password and its confirmation even though they were good.
I would fix that, but I don't know how. :(