#310 ✓resolved
Jakub Suder

User validation allows nil password_confirmation

Reported by Jakub Suder | October 22nd, 2008 @ 10:44 AM

In the User class, password confirmation is only validated using validates_confirmation_of :password. The problem is that this validation in ActiveRecord contains the following line:

record.errors.add(attr_name, configuration[:message]) unless record.send("#{attr_name}_confirmation").nil? or value == record.send("#{attr_name}_confirmation")

This means that if password_confirmation is nil, it is not treated as not matching, and you can submit a form with password confirmation not set. Of course, nothing bad would really happen... but it's better to fix this. Submitting a nil password_confirmation can be done for example by removing the field from the form using Firebug.

Proposed solution: add another validation validates_presence_of :password_confirmation, :if => :new_password_required?.
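As an added illustration (not code from the ticket or from the project), this minimal Ruby model reproduces the validates_confirmation_of semantics quoted above and the effect of the proposed validates_presence_of fix; the require_confirmation_presence flag, the blank? helper and the nil_confirmation_accepted? function are assumptions made for the example.

```ruby
# Added example: a plain Ruby stand-in for the ActiveRecord validations
# discussed in the ticket (no ActiveRecord dependency).
class User
  attr_accessor :password, :password_confirmation
  attr_reader :errors

  # require_confirmation_presence is a hypothetical switch that turns the
  # proposed validates_presence_of :password_confirmation check on or off.
  def initialize(password:, password_confirmation:, require_confirmation_presence: false)
    @password = password
    @password_confirmation = password_confirmation
    @require_confirmation_presence = require_confirmation_presence
    @errors = []
  end

  # Stands in for the :new_password_required? condition of the proposed fix.
  def new_password_required?
    !password.nil?
  end

  def valid?
    @errors = []
    # validates_confirmation_of :password, as quoted in the ticket: a nil
    # confirmation is skipped entirely rather than treated as a mismatch.
    unless password_confirmation.nil? || password == password_confirmation
      @errors << "password doesn't match confirmation"
    end
    # Proposed fix: validates_presence_of :password_confirmation,
    # :if => :new_password_required?  (closes the nil-confirmation gap)
    if @require_confirmation_presence && new_password_required? && blank?(password_confirmation)
      @errors << "password_confirmation can't be blank"
    end
    @errors.empty?
  end

  private

  # Mirrors ActiveSupport's notion of blank for strings and nil (assumed helper).
  def blank?(value)
    value.nil? || value.to_s.strip.empty?
  end
end

# Constructed input: a form submitted with the confirmation field removed,
# i.e. password_confirmation is nil. Returns whether the record validates.
def nil_confirmation_accepted?(fix_applied)
  User.new(password: "s3cret", password_confirmation: nil,
           require_confirmation_presence: fix_applied).valid?
end
```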
