Fix in has_secure_password for passwords containing only spaces. #16412

Merged
merged 1 commit into from Aug 7, 2014

@yevhene yevhene commented Aug 6, 2014

Steps:

  1. Existing model with has_secure_password. With encrypted_password stored.
  2. User tries to update password with a password containing only spaces.
  3. Password is discarded. Model is valid and stored. Password is not changed but no error message is given.

@@ -76,6 +76,7 @@ def has_secure_password(options = {})

validates_length_of :password, maximum: ActiveModel::SecurePassword::MAX_PASSWORD_LENGTH_ALLOWED
validates_confirmation_of :password, if: ->{ password.present? }
validates_presence_of :password, unless: ->{ password.nil? }
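
Review bot: on the `validates_presence_of :password, unless: ->{ password.nil? }` line, the `nil?` guard and the `password.present?` guard on the confirmation line above treat a whitespace-only value differently: the presence validation runs and reports it as blank, while the confirmation validation is skipped for it. A short comment stating what a nil password means here, plus a test covering a spaces-only update on a record that already has a stored password, would make the intended behaviour explicit.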

@chancancode chancancode Aug 6, 2014

Why do we need this?

@yevhene yevhene Aug 6, 2014

To forbid passwords containing only spaces, and give a relevant error message.

chancancode commented Aug 6, 2014

Not sure if we actually want to block blank passwords. It seems like the original code was written this way to catch the nil case (3e23752); since we have a different branch for that, we probably can just switch from checking blank -> empty? If people want to block empty passwords as well, they can just add another validation rule... what do you think?

yevhene commented Aug 6, 2014

I think it would be reasonable behavior, if we accept spaces as any other char.

chancancode commented Aug 6, 2014

seems good to me! can you add a changelog along the lines of "Fixed (what wasn't working). (Offer suggestion for those who preferred the original behavior)."? 😄

chancancode commented Aug 6, 2014

Also, can you squash your commits?

spastorino added a commit that referenced this pull request Aug 7, 2014
Fix in has_secure_password for passwords containing only spaces.
@spastorino spastorino merged commit e2689d1 into rails:master Aug 7, 2014
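
The behaviours discussed in this thread, as an added example that is not part of the pull request or the Rails source: a simplified model of a password update that skips input by a blank check versus an empty check, plus an app-level rule for rejecting whitespace-only passwords. `update_password`, `toy_digest`, `blank?` and `NO_BLANK` are hypothetical names, and `toy_digest` is a placeholder rather than a real password hash.

```ruby
# Added illustration: a simplified model, not the Rails implementation.

# Stand-in for ActiveSupport's blank?: nil, empty, or whitespace-only.
def blank?(value)
  value.nil? || value.strip.empty?
end

# Placeholder digest so the demo needs no gems; not a real password hash.
def toy_digest(password)
  "digest(#{password.inspect})"
end

# App-level rule for those who want whitespace-only passwords rejected loudly.
NO_BLANK = ->(pw) { "Password can't be blank" if blank?(pw) }

# Applies a password update to a record that already has a stored digest.
# check: :blank skips nil, "" and whitespace-only input; :empty skips nil and "".
# extra_rule: optional validation returning an error string or nil.
def update_password(stored_digest, input, check:, extra_rule: nil)
  errors = []
  if extra_rule && !input.nil? && (msg = extra_rule.call(input))
    errors << msg
  end
  skipped = check == :blank ? blank?(input) : (input.nil? || input.empty?)
  if skipped || errors.any?
    { digest: stored_digest, changed: false, errors: errors }
  else
    { digest: toy_digest(input), changed: true, errors: errors }
  end
end

def demo
  stored = toy_digest("old-password") # constructed sample state
  [nil, "", "   ", "new-password"].each do |input|
    a = update_password(stored, input, check: :blank)
    b = update_password(stored, input, check: :empty)
    c = update_password(stored, input, check: :empty, extra_rule: NO_BLANK)
    puts format("%-15s blank:%-5s empty:%-5s empty+rule:%-5s %s",
                input.inspect, a[:changed], b[:changed], c[:changed], c[:errors].inspect)
  end
end

demo if __FILE__ == $PROGRAM_NAME
```

The whitespace-only row is the case from the report: under the blank check the stored digest stays unchanged with no error, under the empty check the spaces become the new password, and with the extra rule the update is refused with a message.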

reichertm commented Feb 11, 2015

Not sure if this is the commit to blame as I migrated from rails 4.0.11.1 straight to 4.2 but there seems to be a side effect to this change. It is possible now to create a new record with password set and password_confirmation being nil. In the previous version the validation was failing with the two values not matching.
