Merge pull request #4456 from victor-am/hotfix_absent_new_password_values

Fix absent password params from Password#update Closes #4397.
2017-03-13 19:41:46 -03:00 · 2017-03-13 19:41:46 -03:00 · 0c5d78e31c
parent f7b6d78606 60dc4be8c1
commit 0c5d78e31c
3 changed files with 22 additions and 4 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -3,6 +3,10 @@
 * removals
  * `Devise::Mailer#scope_name` and `Devise::Mailer#resource` are now protected
    methods instead of public.
+* bug fixes
+  * Attempt to reset password without the password field in the request now results in a `:blank` validation error.
+    Before this change, Devise would accept the reset password request and log the user in, without validating/changing
+    the password. (by @victor-am)
 * enhancements
  * Notify the original email when it is changed with a new `Devise.send_email_changed_notification` setting.
    When using `reconfirmable`, the notification will be sent right away instead of when the unconfirmed email is confirmed.
--- a/lib/devise/models/recoverable.rb
+++ b/lib/devise/models/recoverable.rb
@ -33,10 +33,14 @@ module Devise
      # Update password saving the record and clearing token. Returns true if
      # the passwords are valid and the record was saved, false otherwise.
      def reset_password(new_password, new_password_confirmation)
-        self.password = new_password
-        self.password_confirmation = new_password_confirmation
-
-        save
+        if new_password.present?
+          self.password = new_password
+          self.password_confirmation = new_password_confirmation
+          save
+        else
+          errors.add(:password, :blank)
+          false
+        end
      end

      # Resets reset password token and send reset password instructions by email.
--- a/test/models/recoverable_test.rb
+++ b/test/models/recoverable_test.rb
@ -184,6 +184,16 @@ class RecoverableTest < ActiveSupport::TestCase
    assert_equal raw, reset_password_user.reset_password_token
  end

+  test 'should return a new record with errors if password is not provided' do
+    user = create_user
+    raw  = user.send_reset_password_instructions
+
+    reset_password_user = User.reset_password_by_token(reset_password_token: raw)
+    refute reset_password_user.errors.empty?
+    assert_match "can't be blank", reset_password_user.errors[:password].join
+    assert_equal raw, reset_password_user.reset_password_token
+  end
+
  test 'should reset successfully user password given the new password and confirmation' do
    user = create_user
    old_password = user.password