-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
#valid_password?
returns false when updating resource with empty password fields
#5038
Comments
valid_password
returns false when updating resource with "" password fieldsvalid_password
returns false when updating resource with empty password fields
valid_password
returns false when updating resource with empty password fieldsvalid_password?
returns false when updating resource with empty password fields
valid_password?
returns false when updating resource with empty password fields#valid_password?
returns false when updating resource with empty password fields
Hello @codeminator, thanks for your report. We changed this in #4245 because we thought it made sense to keep the attributes in sync ( I did not understand, however, what you said about your controller code that is not working anymore due to this. Are you calling |
@tegon Thanks for your feedback. Actually I encountered the case when I was upgrading a Rails app to latest version of Rails 5, and I had to upgrade devise on the way. In this app, there is an already-succeeded unit test about The console code I pasted in my previous comment is the exact same thing that the test case is doing. Please let me know if you need further clarification. |
It seems like your issue isn't really related to As you pointed out in your example, the Your real issue is what you pointed out - your I would check you haven't got anything strange happening with your models (make sure that you actually have the devise According to https://github.com/plataformatec/devise/blob/master/lib/devise/models/database_authenticatable.rb#L95 |
@timkrins Thanks, no monkey patch interference and it's not about including
The thing is that the user form scenario was just an example of a real-life use case, what I actually encountered in the project that I am working with, was a test spec:
Based on the line you sent, now devise is removing But if you use |
+1, same issue here. We want certain super-users to be able to update another user's information if necessary. With previous versions of Devise, we could allow them to do this without modifying the user's password. With the latest version of Devise, this behavior has changed. It is now mandatory for the password field to be filled. This appears to be a bug. @codeminator mentioned, the |
@codeminator yeah, looks like it could be a bug Same underlying issue as #5033 |
PR (which i've closed) should explain the why - but now, yeah, I am curious about the change in the first place (as there is a test which states |
+1 to this issue for us We are trying to update to 4.6.1 to address #4981 and are blocked because of the change from #4261. Our use case allows users to be created with just an email. IMO, this framework should not be making the decision whether users must have a non-null password. @timkrins I think the original issue from #4245 was that is the user entered password did not pass validation, it was cleaning |
I'm hitting the same problem in decidim/decidim#4986 (seems to be the same underlying issue as in #5033), there are failings CI jobs in my PR in case they help debugging this problem! |
I submitted #5048 to address this issue. |
Released in version |
Environment
Description
In prior versions of devise (I tested with
v.4.4.2
since, it's the earliest version compatible with Rails~> 5.2
), it was possible to callupdate
statement on a resource with some fields, while submittingpassword
andpassword_confirmation
fields as empty strings, and still old password is valid:While in
v.4.6.1
(the latest),#valid_password?
returnsfalse
when doing the same steps (Basically, it setsencrypted-password
column withNULL
):Current behavior
valid_password?
with old password returnsfalse
when password/password_confirmation fields have been submitted as empty strings within#update
call.Expected behavior
valid_password?
with old password returnstrue
password/password_confirmation fields have been submitted as empty strings within#update
call (older versions are working that way).I know that we have already methods such as
update_without_password
andupdate_with_password
. The question is what if you have a large app, that is updating user information from a form or something that contains password fields, then you have to either edit the code to check thepresence
of password/password_confirmation params, or change the user experience.If it's intended behaviour, kindly clarify.
The text was updated successfully, but these errors were encountered: