Merge pull request #4456 from victor-am/hotfix_absent_new_password_values
Fix absent password params from Password#update Closes #4397.
This commit is contained in:
commit
0c5d78e31c
|
@ -3,6 +3,10 @@
|
|||
* removals
|
||||
* `Devise::Mailer#scope_name` and `Devise::Mailer#resource` are now protected
|
||||
methods instead of public.
|
||||
* bug fixes
|
||||
* Attempt to reset password without the password field in the request now results in a `:blank` validation error.
|
||||
Before this change, Devise would accept the reset password request and log the user in, without validating/changing
|
||||
the password. (by @victor-am)
|
||||
* enhancements
|
||||
* Notify the original email when it is changed with a new `Devise.send_email_changed_notification` setting.
|
||||
When using `reconfirmable`, the notification will be sent right away instead of when the unconfirmed email is confirmed.
|
||||
|
|
|
@ -33,10 +33,14 @@ module Devise
|
|||
# Update password saving the record and clearing token. Returns true if
|
||||
# the passwords are valid and the record was saved, false otherwise.
|
||||
def reset_password(new_password, new_password_confirmation)
|
||||
self.password = new_password
|
||||
self.password_confirmation = new_password_confirmation
|
||||
|
||||
save
|
||||
if new_password.present?
|
||||
self.password = new_password
|
||||
self.password_confirmation = new_password_confirmation
|
||||
save
|
||||
else
|
||||
errors.add(:password, :blank)
|
||||
false
|
||||
end
|
||||
end
|
||||
|
||||
# Resets reset password token and send reset password instructions by email.
|
||||
|
|
|
@ -184,6 +184,16 @@ class RecoverableTest < ActiveSupport::TestCase
|
|||
assert_equal raw, reset_password_user.reset_password_token
|
||||
end
|
||||
|
||||
test 'should return a new record with errors if password is not provided' do
|
||||
user = create_user
|
||||
raw = user.send_reset_password_instructions
|
||||
|
||||
reset_password_user = User.reset_password_by_token(reset_password_token: raw)
|
||||
refute reset_password_user.errors.empty?
|
||||
assert_match "can't be blank", reset_password_user.errors[:password].join
|
||||
assert_equal raw, reset_password_user.reset_password_token
|
||||
end
|
||||
|
||||
test 'should reset successfully user password given the new password and confirmation' do
|
||||
user = create_user
|
||||
old_password = user.password
|
||||
|
|
Loading…
Reference in New Issue