I have a very basic Admin model:
class Admin < ActiveRecord::Base
has_secure_password
validates_uniqueness_of :email
attr_accessible :email, :password, :password_confirmation
end
According to the manual, has_secure_password also adds a validates_confirmation_of :password. If I'm correct, validates_confirmation_of should always error if :password and :password_confirmation do not match - even if :password_confirmation is nil.
I'm testing with RSpec and this test fails and tells me that admin is valid:
admin = Admin.new
admin.email = '[email protected]'
admin.password = 'secret'
admin.should be_invalid
This one passes:
admin = Admin.new
admin.email = '[email protected]'
admin.password = 'secret'
admin.password_confirmation = ''
admin.should be_invalid
So, what the heck am I doing wrong?
Here's the code for has_secure_password:
# File activemodel/lib/active_model/secure_password.rb, line 32
def has_secure_password
attr_reader :password
validates_confirmation_of :password
validates_presence_of :password_digest
include InstanceMethodsOnActivation
if respond_to?(:attributes_protected_by_default)
def self.attributes_protected_by_default
super + ['password_digest']
end
end
end
As you can see, it never ensures that a password confirmation is sent. You could add that yourself, however, and as long as you have the form field on your page, an empty string will be sent if it is unfilled.
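As an added illustration (not code from the question or the answer), the following plain-Ruby emulation of the two validators reproduces the behaviour described above without needing Rails installed. The MiniModel base class, StrictAdmin and the valid_with? helper are constructs of this example, not ActiveModel's API; only the semantics of validates_confirmation_of (skipped when the confirmation is nil) and validates_presence_of (rejects nil and blank strings) are copied from the Rails documentation.

```ruby
# Added example: a minimal emulation of the two ActiveModel validations
# involved, so the skip-on-nil behaviour can be exercised offline.
# Assumed/hypothetical: MiniModel, StrictAdmin, valid_with? are not Rails code.
class MiniModel
  attr_accessor :errors

  # Per-class list of validation lambdas (each subclass gets its own).
  def self.validations
    @validations ||= []
  end

  # Emulates validates_confirmation_of: the comparison is performed only
  # when the _confirmation attribute is non-nil, i.e. the field was sent.
  def self.validates_confirmation_of(attr)
    validations << lambda do |record|
      confirmation = record.public_send("#{attr}_confirmation")
      next if confirmation.nil?
      if confirmation != record.public_send(attr)
        record.errors << "#{attr}_confirmation doesn't match #{attr}"
      end
    end
  end

  # Emulates validates_presence_of: nil or whitespace-only strings are blank.
  def self.validates_presence_of(attr)
    validations << lambda do |record|
      value = record.public_send(attr)
      if value.nil? || (value.respond_to?(:strip) && value.strip.empty?)
        record.errors << "#{attr} can't be blank"
      end
    end
  end

  def initialize
    @errors = []
  end

  # Runs every validation and reports whether any error was recorded.
  def valid?
    @errors = []
    self.class.validations.each { |v| v.call(self) }
    @errors.empty?
  end
end

# What has_secure_password sets up on the question's Admin model
# (hashing omitted): a confirmation check only, which is skipped on nil.
class Admin < MiniModel
  attr_accessor :email, :password, :password_confirmation
  validates_confirmation_of :password
end

# The fix the answer suggests: additionally require the confirmation to be
# present, so a missing form field is rejected rather than silently accepted.
class StrictAdmin < MiniModel
  attr_accessor :email, :password, :password_confirmation
  validates_confirmation_of :password
  validates_presence_of :password_confirmation
end

# Builds a record of `klass` with the given password/confirmation pair and
# returns whether it validates. A nil confirmation models "field never sent";
# '' models an empty field that was sent.
def valid_with?(klass, password, confirmation)
  record = klass.new
  record.email = 'admin@example.com' # constructed sample value
  record.password = password
  record.password_confirmation = confirmation
  record.valid?
end
```

With Admin, the first spec in the question passes through as valid because a nil confirmation causes validates_confirmation_of to do nothing at all; StrictAdmin rejects both the nil and the empty-string cases while still accepting a matching confirmation.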