bcrypt will encrypt anything, so validate_presence_of would not catch nil / blank passwords. Thank you to Aleksander Kamil Modzelewski for reporting this

2 files changed, 15 insertions, 1 deletions

diff --git a/activemodel/lib/active_model/secure_password.rb b/activemodel/lib/active_model/secure_password.rb
index d6f0456698..ee94ad66cf 100644
--- a/activemodel/lib/active_model/secure_password.rb
+++ b/activemodel/lib/active_model/secure_password.rb
@@ -58,7 +58,9 @@ module ActiveModel
       # Encrypts the password into the password_digest attribute.
       def password=(unencrypted_password)
         @password = unencrypted_password
-        self.password_digest = BCrypt::Password.create(unencrypted_password)
+        unless unencrypted_password.blank?
+          self.password_digest = BCrypt::Password.create(unencrypted_password)
+        end
       end
     end
   end
diff --git a/activemodel/test/cases/secure_password_test.rb b/activemodel/test/cases/secure_password_test.rb
index 4a47a7a226..c455cf57b3 100644
--- a/activemodel/test/cases/secure_password_test.rb
+++ b/activemodel/test/cases/secure_password_test.rb
@@ -9,6 +9,18 @@ class SecurePasswordTest < ActiveModel::TestCase
     @user = User.new
   end
 
+  test "blank password" do
+    user = User.new
+    user.password = ''
+    assert !user.valid?, 'user should be invalid'
+  end
+
+  test "nil password" do
+    user = User.new
+    user.password = nil
+    assert !user.valid?, 'user should be invalid'
+  end
+
   test "password must be present" do
     assert !@user.valid?
     assert_equal 1, @user.errors.size