Home/ Questions/Q 7492245
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-29T16:24:09+00:00

Using Ruby 1.9.3 and bcrypt-ruby 3.0.1 I’m working on the Depot app from the

  • 0

Using Ruby 1.9.3 and bcrypt-ruby 3.0.1

I’m working on the Depot app from the Agile Web Development book, and I’m having issues authenticating a user’s current password in order for them to change their password.

My Users model:

class User < ActiveRecord::Base
  validates :name, presence: true, uniqueness: true
  attr_accessible :name, :password, :current_password, :password_confirmation
  has_secure_password

  after_destroy :ensure_an_admin_remains

  private
    def ensure_an_admin_remains
      if User.count.zero?
        raise "Can't delete last user"
      end
    end
end

My update method in the Users controller looks like this:

  def update
    @user = User.find(params[:id])
    if @user.authenticate(params[:current_password])
      params[:user].delete :current_password
      respond_to do |format|
        if @user.update_attributes(params[:user])
          format.html { redirect_to users_url, notice: "User #{@user.name} was successfully updated." }
          format.json { head :no_content }
        else
          format.html { render action: "edit" }
          format.json { render json: @user.errors, status: :unprocessable_entity }
        end
      end
    else
      redirect_to edit_user_path(@user), notice: "Current password is incorrect."
    end
  end

My users form looks like this:

<%= form_for(@user) do |f| %>
  <% if @user.errors.any? %>
    <div id="error_explanation">
      <h2><%= pluralize(@user.errors.count, "error") %> prohibited this user from being saved:</h2>
      <ul>
      <% @user.errors.full_messages.each do |msg| %>
        <li><%= msg %></li>
      <% end %>
      </ul>
    </div>
  <% end %>

    <fieldset>
        <legend>Enter User Details</legend>
        <div>
        <%= f.label :name %><br />
        <%= f.text_field :name, size: 40 %>
      </div>
        <% if params[:action] == :edit %>
            <div>
                <label for="old_password">Old Password:</label>
                <%= password_field_tag :current_password, params[:current_password]%>
            </div>
        <% end %>
        <div>
        <%= f.label :password, 'Password' %><br />
        <%= f.password_field :password, size: 40 %>
      </div>
        <div>
            <%= f.label :password_confirmation, 'Confirm' %>
            <%= f.password_field :password_confirmation, size: 40%>
        </div>
      <div>
        <%= f.submit %>
      </div>
    </fieldset>
<% end %>

The issue seems to be with the @user.authenticate(params[:current_password]) line.
I am puzzled, because I think the authentication is within the scope for the param, and also because this very method on the console does pass.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I think it should be if @user.authenticate(params[:user][:current_password])

    • 0