Ensure password confirmation is always required, closes #228

lib/devise/models/database_authenticatable.rb

@@ -58,8 +58,10 @@ module Devise
       def update_with_password(params={})
         current_password = params.delete(:current_password)
 
-        params.delete(:password)              if params[:password].blank?
-        params.delete(:password_confirmation) if params[:password_confirmation].blank?
+        if params[:password].blank?
+          params.delete(:password)
+          params.delete(:password_confirmation) if params[:password_confirmation].blank?
+        end
 
         result = if valid_password?(current_password)
           update_attributes(params)

test/integration/registerable_test.rb

@@ -113,7 +113,6 @@ class RegistrationTest < ActionController::IntegrationTest
     assert_equal "user@test.com", User.first.email
   end
 
-
   test 'a signed in user should be able to edit his password' do
     sign_in_as_user
     get edit_user_registration_path
@@ -129,6 +128,19 @@ class RegistrationTest < ActionController::IntegrationTest
     assert User.first.valid_password?('pas123')
   end
 
+  test 'a signed in user should not be able to edit his password with invalid confirmation' do
+    sign_in_as_user
+    get edit_user_registration_path
+
+    fill_in 'password', :with => 'pas123'
+    fill_in 'password confirmation', :with => ''
+    fill_in 'current password', :with => '123456'
+    click_button 'Update'
+
+    assert_contain "Password doesn't match confirmation"
+    assert_not User.first.valid_password?('pas123')
+  end
+
   test 'a signed in user should be able to cancel his account' do
     sign_in_as_user
     get edit_user_registration_path