From 60dc4be8c10d5af9d185e62e9a943e5dfb2ec9a2 Mon Sep 17 00:00:00 2001
From: victor-am
Date: Mon, 6 Mar 2017 17:57:32 -0300
Subject: [PATCH] Fix absent password params from Password#update

Related to issue #4397

This hotfix adds a string coercion to new_password paramenters when trying to reset an user's password. Before that, when a user submitted a password recovery form with the new_password and new_password_confirmation params as nil, Devise would sign in the user with a success notice but without actually changing the password.
---
 lib/devise/models/recoverable.rb | 12 ++++++++----
 test/models/recoverable_test.rb | 10 ++++++++++
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/lib/devise/models/recoverable.rb b/lib/devise/models/recoverable.rb
index e1e8ed8f..14c33d6e 100644
--- a/lib/devise/models/recoverable.rb
+++ b/lib/devise/models/recoverable.rb
@@ -33,10 +33,14 @@ module Devise
 # Update password saving the record and clearing token. Returns true if
 # the passwords are valid and the record was saved, false otherwise.
 def reset_password(new_password, new_password_confirmation)
- self.password = new_password
- self.password_confirmation = new_password_confirmation
-
- save
+ if new_password.present?
+ self.password = new_password
+ self.password_confirmation = new_password_confirmation
+ save
+ else
+ errors.add(:password, :blank)
+ false
+ end
 end
 
 # Resets reset password token and send reset password instructions by email.
diff --git a/test/models/recoverable_test.rb b/test/models/recoverable_test.rb
index a1cf3b43..96b36187 100644
--- a/test/models/recoverable_test.rb
+++ b/test/models/recoverable_test.rb
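Review bot: The new guard checks only `new_password.present?`, so a request that carries a password but omits `new_password_confirmation` (nil) still reaches `save`; if the model's confirmation check is ActiveModel's `validates_confirmation_of`, a nil confirmation skips that validation entirely and the reset goes through unconfirmed, which is the same silently-accepted-missing-field problem this commit closes for the password itself. Consider rejecting a missing confirmation in the same branch, e.g. `if new_password.present? && !new_password_confirmation.nil?` with `errors.add(:password_confirmation, :blank)` on the else path, after confirming against the validatable module that no caller passes nil deliberately. The comment above the def still reads `Returns true if the passwords are valid and the record was saved, false otherwise`; it should also say what the new branch does, e.g. `# A blank new_password adds a :blank error on :password and returns false without attempting a save.` Note that `present?` also rejects whitespace-only input, which is stricter than the nil case the commit message describes, and that the message's "string coercion" wording no longer matches the guard that was actually added. `reset_password` is entirely within the hunk; the enclosing module continues outside it.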
@@ -184,6 +184,16 @@ class RecoverableTest < ActiveSupport::TestCase
 assert_equal raw, reset_password_user.reset_password_token
 end
 
+ test 'should return a new record with errors if password is not provided' do
+ user = create_user
+ raw = user.send_reset_password_instructions
+
+ reset_password_user = User.reset_password_by_token(reset_password_token: raw)
+ refute reset_password_user.errors.empty?
+ assert_match "can't be blank", reset_password_user.errors[:password].join
+ assert_equal raw, reset_password_user.reset_password_token
+ end
+
 test 'should reset successfully user password given the new password and confirmation' do
 user = create_user
 old_password = user.password
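Review bot: The new test only exercises the case where both password params are absent from the call, but the boundary the `present?` guard draws is the empty string a submitted-but-blank form field sends (and whitespace-only input), and neither is covered here. A second case calling `User.reset_password_by_token(reset_password_token: raw, password: '', password_confirmation: '')` and asserting the same `:blank` error on `:password` would pin that. The test also never checks that the stored credential is untouched, which was the actual bug the commit describes; mirroring the adjacent test's `old_password = user.password`, an `assert user.reload.valid_password?(old_password)` would fail if a later change let the no-op save through again. The `test` block is entirely within the hunk; the enclosing class continues outside it.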