Skip to content

has_secure_password should accept an optional option #1512

gucki opened this Issue Jun 6, 2011 · 14 comments
gucki commented Jun 6, 2011

It should be possible to pass :optional => true to has_secure_password, which would simply skip adding the validations.

Would a patch for this be accepted? :)

Ruby on Rails member

I am -1 for adding more features to has_secure_password. If you want more customization, there are plenty auth tools out there.

@josevalim josevalim closed this Jun 7, 2011

I am also in favor of making this optional, as I have a model that has optional login functionality. Actually, I'm not sure the "validates_presence_of :password_digest" serves any real purpose, and it's the only thing causing me trouble. Removing that line seems like it would suffice.


I know this issue has been closed, but I am +1 for making the ability to turn off validation an option. I have two different applications right now with simple user classes that use has_secure_password, and both have a need to allow the password to be blank for completely different reasons. However, without some hackery (i.e. accessing the model's validations hash and brute force removing the :validates_presence_of proc) or completely overriding has_secure_password, there is no way to prevent the validation from occurring. A simple option that is passed into has_secure_password would solve that without in anyway making it more complicated to use. The default is still to validate presence (and confirmation).

seivan commented Nov 1, 2011

+1 I don't want password confirmation.
It's not much of a feature, :validate => false. Done

gucki commented Nov 1, 2011

+1 again

ghost commented Dec 26, 2011

+1 here, for the removal of the validation altogether.

I have lost count of times where I needed to implement secure password myself, recreating the has_secure_password functionality just because I wanted to get rid of this implicit validation.

Perhaps there's some need for it that I don't realise, but shouldn't it be the responsibility of the class itself to declare "validates :password, presence: true" or { on: :create } or whatever the specific implementation case is? Why the implicit validation at all? So counter-intuitive...

zoran commented Feb 8, 2012

+1 for skip validation - same problem as bloomdido

ay commented Apr 24, 2012

+1 for having an option to skip validates_presence_of :password_digest


Massive +1 from me. @josevalim I see your point, but one thing I really love about has_secure_password is just how simple it is to integrate. I don't want to have to install something as complex and monolithic as devise or authlogic in my current lightweight/simple rest api site. However, I would love to allow facebook users to have an empty password!

That being said ... my current solution is to simply calculate a hashed password for them now based on certain user parameters.


@whalesalad When/how are you setting this password? I can only set it in the stage, which doesn't work for me.


Right now in my UserController#create method i'm automatically setting password_confirmation to the value of password. Also, in my User model, I have before_validation :bootstrap_facebook_account, :on => :create which calls my custom method when the user is created, but before it is validated/saved. In that method I bootstrap the user with as much data from facebook that I can and also set their password to a salted hash of their user created_at and facebook_id so that I can re-create it later on. Since all this occurs before validation, by the time that stuff happens the User object is ready to rock.

Keep in mind I am building a very simple private API for an iPhone client, so while security is a priority, certain things can be avoided due to the fact that my only real user is the app itself, which I am also developing.

Ruby on Rails member

Please guys, look to the code and you will see that this feature was added 4 month ago.


Thanks guys...I see it in master...looking forward to it in the next release!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.