Devise allows blank password during password reset

4
votes

I have a Rails 3.2 app setup with Devise. Everything works great except for when I reset a password ( via the built in routes and methods ), Devise is allowing a blank password. It will validate the length and if it matches the confirmation if there is at least one character. I do have it setup where in a users account they can update their profile without entering the password, but I don't think that has anything to do with resetting the password.

Any help is appreciated.

devise.rb -> http://pastie.org/3911178

user.rb -> http://pastie.org/3911187

2
ruby-on-railsdevise

2 Answers

7
votes

Thanks for pointing me in the right direction. The problem was caused by what you described. However, if I let devise handle the validation or use the same code they do, the user must provide a password when updating their account even after they are logged in. To fix this, I just checked for the rest_password_token in my validation:

def password_required?
  # If resetting the password
  return true if reset_password_token.present? && reset_password_period_valid?

   # If the person already has a pass, only validate if they are updating pass
  if !encrypted_password.blank?
    password.present? || password_confirmation.present?
  end
end

*UPDATE I just updated this to ensure the password token is not expired.

1
votes

You should let devise handler password validations: https://github.com/plataformatec/devise/blob/master/lib/devise/models/validatable.rb or use the code devise is using for validations. The issue with your code is that you're doing validations only if the user doesn't has a password set (!encrypted_password.blank?) and other conditions. When recovering the password the user already has a password set so you don't run validations on password updates ...