Do not set encrypted_password to nil if password is blank #5044
Conversation
|
Hmm, need to determine thought behind original change. (reasons for keeping 'password' in sync with encrypted_password) |
|
Hello, indeed now i have database constraint issue |
|
Also having the problem @JulienItard is having in my specs. Edit: I thought this was just a factory issue in my spec, but it is in fact trying to update a user record without changing their password. |
|
@timkrins My bet is that the original thought was to allow for changing other attributes on user records without changing the password. |
|
@hayesr yeah, I understand the original change now. The problem is that devise users will expect the encrypted_password attribute not to change, even though they have called |
|
Yeah everyone has to put additional logic in to get the same behaviour now. It was a very common pattern to rely on Devise for the logic to ignore a blank password update. It looks based on I’m not sure if this behaviour was taken into account when the PR was made. |
|
@timkrins regarding the impetus for the change. Why would password need to be in sync with encrypted password if it isn’t persisted? |
|
We're going to revert the change since there were no real exploits based on the attributes being unsynced. We thought this would be a simple change but since it's causing so much trouble for existing applications, we're going to revert it. Thanks. |
If the password attribute was set to a blank or
nil, this was also setting theencrypted_passwordtonil(password_digest returnsnilfor a blank)This means that calling
updateon a model with a blank password always setsencrypted_passwordtonil, which usually errors as a database constraint issue.Introduced by https://github.com/plataformatec/devise/pull/4261/files#diff-19b4dd928714c72f1338874351e8ff2dR40
Related to #5033 and #5038