Fix absent password params from Password#update
Related to issue #4397. This hotfix adds a string coercion to new_password parameters when trying to reset a user's password. Before that, when a user submitted a password recovery form with the new_password and new_password_confirmation params as nil, Devise would sign in the user with a success notice but without actually changing the password.
This commit is contained in:
parent
bf4641c8cf
commit
60dc4be8c1
@ -33,10 +33,14 @@ module Devise
# Update password saving the record and clearing token. Returns true if
# Update password saving the record and clearing token. Returns true if
# the passwords are valid and the record was saved, false otherwise.
# the passwords are valid and the record was saved, false otherwise.
def reset_password(new_password, new_password_confirmation)
def reset_password(new_password, new_password_confirmation)
self.password = new_password
if new_password.present?
self.password_confirmation = new_password_confirmation
self.password = new_password
self.password_confirmation = new_password_confirmation
save
save
else
errors.add(:password, :blank)
false
end
end
end
# Resets reset password token and send reset password instructions by email.
# Resets reset password token and send reset password instructions by email.
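Review bot: The comment above `reset_password` still describes only the save path, while the new `else` branch returns `false` with a `:blank` error on `:password` and leaves the record, including its reset token, untouched; the new test relies on exactly that, so the contract should be written down: `# A blank new_password adds a :blank error on :password and returns false without saving.` The commit description calls the fix a string coercion, but the hunk applies a presence check (`new_password.present?`), which also rejects whitespace-only passwords; aligning that wording would help the next reader. The old code's silent success presumably came from the password validations being skipped when both password attributes are nil, but that logic lives outside this hunk. The enclosing `module Devise` starts and ends outside the hunk.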
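--- a/PATH_TO_RECOVERABLE_TEST_FILE
+++ b/PATH_TO_RECOVERABLE_TEST_FILE
@@ -184,6 +184,16 @@ class RecoverableTest < ActiveSupport::TestCase
 assert_equal raw, reset_password_user.reset_password_token
 end
 
+test 'should return a new record with errors if password is not provided' do
+user = create_user
+raw = user.send_reset_password_instructions
+
+reset_password_user = User.reset_password_by_token(reset_password_token: raw)
+refute reset_password_user.errors.empty?
+assert_match "can't be blank", reset_password_user.errors[:password].join
+assert_equal raw, reset_password_user.reset_password_token
+end
+
 test 'should reset successfully user password given the new password and confirmation' do
 user = create_user
 old_password = user.password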
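Review bot: The new test checks the error and the surviving token but never asserts what the bug report is actually about, that the stored password is left unchanged when none is supplied; capturing `old_password = user.password` after `create_user`, as the neighbouring test already does, and adding `assert reset_password_user.valid_password?(old_password)` would pin that. The test name says "a new record", yet `create_user` makes and persists the user before the token lookup, so a name such as `'should add a blank error and keep the password when no new password is provided'` describes the behaviour better. Matching on the "can't be blank" message ties the test to the default locale; `refute_empty reset_password_user.errors[:password]` or checking `errors.details` would be locale-independent, if the project's Rails version supports it. The enclosing `RecoverableTest` class starts and ends outside the hunk.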