validates_confirmation_of :password doesn't get triggered

Question

I have a very basic Admin model:

class Admin < ActiveRecord::Base
  has_secure_password
  validates_uniqueness_of :email
  attr_accessible :email, :password, :password_confirmation
end

According to the manual has_secure_password also adds a validates_confirmation_of :password. If I'm correct validates_confirmation_of should always error if :password and :password_confirmation do not match - even if :password_confirmation is nil.

I'm testing with RSpec and this test fails and tells me that admin is valid:

admin = Admin.new
admin.email = '[email protected]'
admin.password = 'secret'
admin.should be_invalid

This one passes:

admin = Admin.new
admin.email = '[email protected]'
admin.password = 'secret'
admin.password_confirmation = ''
admin.should be_invalid

So, what the heck am I doing wrong?

Answer 1

Here's the code for has_secure_password:

# File activemodel/lib/active_model/secure_password.rb, line 32
def has_secure_password
  attr_reader :password

  validates_confirmation_of :password
  validates_presence_of     :password_digest

  include InstanceMethodsOnActivation

  if respond_to?(:attributes_protected_by_default)
    def self.attributes_protected_by_default
      super + ['password_digest']
    end
  end
end

As you can see it never ensures that a password confirmation is sent. You could add that yourself however, and as long as you have the form field on your page an empty string will be sent if it is unfilled.