Tags: ruby-on-rails, validation, rspec, ruby-on-rails-3.1, rspec-rails

validates_confirmation_of :password doesn't get triggered


I have a very basic Admin model:

    class Admin < ActiveRecord::Base
      has_secure_password
      validates_uniqueness_of :email
      attr_accessible :email, :password, :password_confirmation
    end

According to the manual, has_secure_password also adds a validates_confirmation_of :password. If I'm correct, validates_confirmation_of should always error if :password and :password_confirmation do not match - even if :password_confirmation is nil.

I'm testing with RSpec and this test fails and tells me that admin is valid:

    admin = Admin.new
    admin.email = '[email protected]'
    admin.password = 'secret'
    admin.should be_invalid

This one passes:

    admin = Admin.new
    admin.email = '[email protected]'
    admin.password = 'secret'
    admin.password_confirmation = ''
    admin.should be_invalid

So, what the heck am I doing wrong?


Solution

  • Here's the code for has_secure_password:

    # File activemodel/lib/active_model/secure_password.rb, line 32
    def has_secure_password
      attr_reader :password
    
      validates_confirmation_of :password
      validates_presence_of     :password_digest
    
      include InstanceMethodsOnActivation
    
      if respond_to?(:attributes_protected_by_default)
        def self.attributes_protected_by_default
          super + ['password_digest']
        end
      end
    end
    

    As you can see, it never ensures that a password confirmation is sent. You could add that yourself, however, and as long as you have the form field on your page, an empty string will be sent if it is unfilled.
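
Added example (not part of the original answer and not Rails code): a plain-Ruby stand-in for the two rules discussed above, showing that a request which omits `password_confirmation` entirely passes the confirmation rule, while an added presence rule rejects it. `AdminSketch`, `require_confirmation` and the sample inputs are hypothetical; in the real model the added rule would be `validates_presence_of :password_confirmation`.

```ruby
# Plain-Ruby stand-in (hypothetical class, no Rails needed). It models the
# validation rules only, not password hashing or persistence.
class AdminSketch
  attr_accessor :email, :password, :password_confirmation
  attr_reader :errors

  # require_confirmation: true models adding
  #   validates_presence_of :password_confirmation
  # to the real model (assumption of this sketch).
  def initialize(attrs = {}, require_confirmation: false)
    @require_confirmation = require_confirmation
    @errors = Hash.new { |hash, key| hash[key] = [] }
    attrs.each { |name, value| public_send("#{name}=", value) }
  end

  def valid?
    @errors.clear
    check_confirmation
    check_confirmation_presence if @require_confirmation
    @errors.empty?
  end

  private

  # Models validates_confirmation_of: the comparison is skipped when the
  # confirmation is nil, i.e. when the parameter was never submitted.
  def check_confirmation
    return if password_confirmation.nil?
    return if password == password_confirmation
    @errors[:password] << "doesn't match confirmation"
  end

  # Models the added presence rule: nil and blank strings are both rejected.
  def check_confirmation_presence
    return unless password_confirmation.to_s.strip.empty?
    @errors[:password_confirmation] << "can't be blank"
  end
end

# Constructed inputs: field omitted, field sent empty, field sent matching.
OMITTED = { email: 'admin@example.test', password: 'secret' }.freeze
EMPTY   = OMITTED.merge(password_confirmation: '').freeze
MATCHED = OMITTED.merge(password_confirmation: 'secret').freeze

def outcomes(require_confirmation)
  [OMITTED, EMPTY, MATCHED].map do |attrs|
    AdminSketch.new(attrs, require_confirmation: require_confirmation).valid?
  end
end
```

`outcomes(false)` reproduces the two specs from the question; `outcomes(true)` shows the omitted-field case failing once the presence rule is present.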