I have a custom controller that handles the editing of user passwords based off of the code here.
User Model
    attr_accessible :password, :password_confirmation, :username, :login
    ...
    devise :database_authenticatable,
           :lockable,
           :registerable,
           :recoverable,
           :rememberable,
           :trackable
PasswordsController
    expose(:user) { current_user }

    def update
      if user.update_with_password(params[:user])
        sign_in(user, :bypass => true)
        flash[:notice] = "success"
      else
        render :edit
      end
    end
My edit password form is located here.
The problem is that no matter what I enter (or don't enter, for that matter) into the edit password form, the "success" flash method is displayed.
If you want Devise to do validations, you need to add the :validatable module to your model. This is fairly easy to do: just add :validatable to the list of modules in the devise call, so your model says:

    devise :database_authenticatable,
           :lockable,
           :registerable,
           :recoverable,
           :rememberable,
           :trackable,
           :validatable
This will make devise add validations.
Another easy way is to add your own validations. If you just want to validate that the password confirmation matches, you can add a validates_confirmation_of validation by adding this to your model:

    validates_confirmation_of :password
I hope this helps.
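Added example (not part of the answers on this page and not Devise's own code): a plain-Ruby stand-in showing the checks a password update has to pass before the controller reports success. DemoUser, MIN_LENGTH and the error symbols are hypothetical, and PBKDF2 from the standard library is used only so the block runs without gems.

```ruby
require "openssl"
require "securerandom"

# Hypothetical stand-in for a user record; not Devise code.
class DemoUser
  MIN_LENGTH = 8 # assumed length policy for this example
  attr_reader :errors

  def initialize(password)
    @salt = SecureRandom.bytes(16)
    @digest = digest(password)
    @errors = []
  end

  def valid_password?(candidate)
    candidate = candidate.to_s
    return false if candidate.empty?
    secure_eq(@digest, digest(candidate))
  end

  # Returns true and stores the new password only if every check passes.
  def change_password(params)
    new_pw = params[:password].to_s
    @errors = []
    @errors << :current_password_invalid unless valid_password?(params[:current_password])
    @errors << :password_blank if new_pw.strip.empty?
    @errors << :password_too_short if !new_pw.empty? && new_pw.length < MIN_LENGTH
    @errors << :confirmation_mismatch unless new_pw == params[:password_confirmation].to_s
    return false unless @errors.empty?

    @digest = digest(new_pw)
    true
  end

  private

  # PBKDF2 keeps the example stdlib-only (constructed parameters).
  def digest(password)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: @salt, iterations: 100_000,
                                       length: 32, hash: "sha256")
  end

  # Constant-time comparison of two equal-length digests.
  def secure_eq(a, b)
    a.bytesize == b.bytesize &&
      a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

A controller that branches on the return value of change_password, as the update action above does with update_with_password, only shows "success" when the errors list is empty.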
I think you forgot to initialize strong parameters in application_controller.rb in Rails 4:

    before_action :configure_permitted_parameters, if: :devise_controller?

    protected

    def configure_permitted_parameters
      devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:email, :password, :password_confirmation) }
    end
Find your object for updating in the controller.

    user = User.find_by_id(params[:id])
    unless user.blank?
      if user.update_attributes(params[:user])
        flash[:notice] = "User updated successfully."
        redirect_to "somwhere"
      else
        render :action => 'edit'
      end
    else
      render :action => 'edit'
    end
If you don't want to update the old password, then add these lines before the update, so the new code will be:

    user = User.find_by_id(params[:id])
    unless user.blank?
      params[:user].delete(:password) if params[:user][:password].blank?
      params[:user].delete(:password_confirmation) if params[:user][:password_confirmation].blank?
      if user.update_attributes(params[:user])
        flash[:notice] = "User updated successfully."
        redirect_to "somwhere"
      else
        render :action => 'edit'
      end
    else
      render :action => 'edit'
    end
Write something like this in the user.rb model:

    devise :database_authenticatable, :registerable,
           :recoverable, :rememberable, :trackable, :validatable, :lockable