aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--activemodel/CHANGELOG.md5
-rw-r--r--activemodel/lib/active_model/secure_password.rb7
-rw-r--r--activemodel/test/cases/secure_password_test.rb9
3 files changed, 17 insertions, 4 deletions
diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md
index 8c7af2d078..6fc34ecd60 100644
--- a/activemodel/CHANGELOG.md
+++ b/activemodel/CHANGELOG.md
@@ -1,3 +1,8 @@
+* Fix regression in has_secure_password. When a password is set, but a
+ confirmation is an empty string, it would incorrectly save.
+
+ *Steve Klabnik* and *Phillip Calvin*
+
* Deprecate `Validator#setup`. This should be done manually now in the validator's constructor.
*Nick Sutterer*
diff --git a/activemodel/lib/active_model/secure_password.rb b/activemodel/lib/active_model/secure_password.rb
index 750fd723a0..e553590671 100644
--- a/activemodel/lib/active_model/secure_password.rb
+++ b/activemodel/lib/active_model/secure_password.rb
@@ -56,8 +56,9 @@ module ActiveModel
include InstanceMethodsOnActivation
if options.fetch(:validations, true)
- validates_confirmation_of :password
+ validates_confirmation_of :password, if: lambda { |m| m.password.present? }
validates_presence_of :password, on: :create
+ validates_presence_of :password_confirmation, if: lambda { |m| m.password.present? }
before_create { raise "Password digest missing on new record" if password_digest.blank? }
end
@@ -106,9 +107,7 @@ module ActiveModel
end
def password_confirmation=(unencrypted_password)
- unless unencrypted_password.blank?
- @password_confirmation = unencrypted_password
- end
+ @password_confirmation = unencrypted_password
end
end
end
diff --git a/activemodel/test/cases/secure_password_test.rb b/activemodel/test/cases/secure_password_test.rb
index 02cd3b8a93..0b900d934d 100644
--- a/activemodel/test/cases/secure_password_test.rb
+++ b/activemodel/test/cases/secure_password_test.rb
@@ -94,4 +94,13 @@ class SecurePasswordTest < ActiveModel::TestCase
@user.password_confirmation = ""
assert @user.valid?(:update), "user should be valid"
end
+
+ test "will not save if confirmation is blank but password is not" do
+ @user.password = "password"
+ @user.password_confirmation = ""
+ assert_not @user.valid?(:create)
+
+ @user.password_confirmation = "password"
+ assert @user.valid?(:create)
+ end
end