update_with_password doesn't change encrypted password when it is invalid

closes #2130
2022-11-09 12:18:31 -05:00 · 2012-11-06 21:05:17 +03:00 · 2012-11-06 21:05:17 +03:00 · 10235f9d72
commit 10235f9d72
parent 5d311e7557
2 changed files with 8 additions and 0 deletions
--- a/lib/devise/models/database_authenticatable.rb
+++ b/lib/devise/models/database_authenticatable.rb
@ -64,6 +64,7 @@ module Devise
        result = if valid_password?(current_password)
          update_attributes(params, *options)
        else
+          params.delete(:password)
          self.assign_attributes(params, *options)
          self.valid?
          self.errors.add(:current_password, current_password.blank? ? :blank : :invalid)
--- a/test/models/database_authenticatable_test.rb
+++ b/test/models/database_authenticatable_test.rb
@ -108,6 +108,13 @@ class DatabaseAuthenticatableTest < ActiveSupport::TestCase
    assert_match "is invalid", user.errors[:current_password].join
  end

+  test 'should not change encrypted password when it is invalid' do
+    user = create_user
+    assert_not user.update_with_password(:current_password => 'other',
+      :password => 'pass4321', :password_confirmation => 'pass4321')
+    assert_not user.encrypted_password_changed?
+  end
+
  test 'should add an error to current password when it is blank' do
    user = create_user
    assert_not user.update_with_password(:password => 'pass4321',