Fix regression in has_secure_password. #10694
Conversation
|
thanks Steve! |
|
|
||
| @user.password = "password" | ||
| @user.password_confirmation = "" | ||
| refute @user.valid?(:create) |
There was a problem hiding this comment.
I think we don't use refute in the rails code base. You can use assert_not
=> https://github.com/rails/rails/blob/master/activesupport/lib/active_support/test_case.rb#L60-L74
There was a problem hiding this comment.
That's what I get for porting an rspec test over. ;)
|
@senny you can thank the readers of "Rails 4 in Action" :) |
| @@ -106,7 +106,8 @@ def password=(unencrypted_password) | |||
| end | |||
|
|
|||
| def password_confirmation=(unencrypted_password) | |||
| unless unencrypted_password.blank? | |||
| @password ||= nil # prevent warnings about undefined ivar | |||
There was a problem hiding this comment.
Maybe we should it to nil on initialization? Or we simply should not access the instance variable directly and use self.password instead?
There was a problem hiding this comment.
changing it to self.password fails the test, actually.
|
|
|
Uhhhh, so this isn't actually working right now. Unsure what's up. |
|
Please review again, @josevalim @senny @rafaelfranca <3 |
|
I was just going to start working on a fix for that, glad I searched issues first! I'd been banging my head on this for a bit thinking I did something wrong heh. Thanks for all your work Steve. |
|
|
|
CHANGELOG added. Ugh, so last minute checks, there is one other test failing: Unsure what that is right this second. |
| @@ -3,7 +3,9 @@ module ActiveModel | |||
| module Validations | |||
| class ConfirmationValidator < EachValidator # :nodoc: | |||
| def validate_each(record, attribute, value) | |||
| if (confirmed = record.send("#{attribute}_confirmation")) && (value != confirmed) | |||
| confirmed = record.send("#{attribute}_confirmation") | |||
There was a problem hiding this comment.
Please don't make the changes to the confirmation validator unless we have very good reasons too. I don't feel we should be converting them too strings. What if one value is a float and the other is an integer? I am not sure anybody is relying on this use case but it would be a breaking change.
There was a problem hiding this comment.
The problem with this bug is that it's in the validator, not the setter, which is what changed last time.
Converting to strings was a way I saw to get around the case of nil vs "" being acceptable, but I'm not super happy with it either.
|
@steveklabnik have you tried fixing this issue by just running the confirmation validation if the password is present? Basically, replacing this line: https://github.com/rails/rails/blob/master/activemodel/lib/active_model/secure_password.rb#L59 By something like: |
|
I have not. Let me try that now, that seems simpler, thanks. |
|
Updated trying that method (but a different conditional, since that one isn't right), but it still fails: Still not sure. This bug makes me feel stupid, it should be so easy. |
|
Thanks to help from @pnc, this now works.
Also, this should get backported to 4-0-stable and 4-0-0, I think? |
|
Yes. It should. Seems good to me. @josevalim? |
If the confirmation was blank, but the password wasn't, it would still save.
Fix regression in has_secure_password.
|
|
If the confirmation was blank, but the password wasn't, it would still save.
Sent via a PR for feedback. Password stuff is tricky.
/cc @josevalim, @senny