User#password_required? returns false if password is nil
Reported by Jakub Suder | October 6th, 2008 @ 03:14 PM
The method User#password_required? decides that the password is required when crypted password is not set and the password field is not nil; but what if it is nil? Try this:
- create an empty hobo project, generate and migrate hobo migration, start server
- go to signup
- fill username and email address
- using firebug or other tool remove the two password fields completely from the form
- submit the form
Result: params[:user][:password] is not set at all, so user.password is nil, and the user is able to register with an empty password...
Comments and changes to this ticket
Tom Locke October 15th, 2008 @ 11:12 AM
- State changed from new to resolved
Good spot!
I have reviewed all the password validation logic and I think I have it tighter now. See d153a50.
Would appreciate another pair of eyes to look over this : )
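
Added example, not part of the ticket and not Hobo's code: a plain-Ruby sketch of the predicate as the report describes it, next to one possible stricter form. The class, method names and sample params are hypothetical, and the stricter predicate is an assumption, not the change made in d153a50.

```ruby
# Constructed sketch of the reported logic; all names here are hypothetical.
class SignupUser
  attr_accessor :password, :crypted_password

  def initialize(params)
    # Like mass assignment: a key absent from params leaves the attribute nil.
    @password = params[:password]
    @crypted_password = nil
  end

  # As described in the report: required only when no crypted password is
  # stored AND the password field is not nil. A missing field skips the check.
  def password_required_flawed?
    crypted_password.nil? && !password.nil?
  end

  # Stricter form (assumption): a record with no stored credential always
  # needs a password; an existing record needs one only when a new value
  # is submitted.
  def password_required_hardened?
    crypted_password.nil? || !password.nil?
  end

  # Returns validation errors under the chosen predicate.
  def errors(predicate)
    return [] unless send(predicate)
    password.to_s.empty? ? ["password can't be blank"] : []
  end
end

def signup_errors(params, predicate)
  SignupUser.new(params).errors(predicate)
end

# Constructed params for a signup form submitted without its password fields.
FIELDS_REMOVED = { login: "alice", email: "alice@example.test" }.freeze

if __FILE__ == $PROGRAM_NAME
  %i[password_required_flawed? password_required_hardened?].each do |pred|
    puts "#{pred}: #{signup_errors(FIELDS_REMOVED, pred).inspect}"
  end
end
```

A regression test for this ticket should submit params with the password keys absent, not just set to an empty string, since only the absent case bypasses the flawed predicate.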