Rails validation "failing when succeeding" - ruby-on-rails

I have this in my user.rb:
attr_accessor :old_password
def validate
unless password.nil?
errors.add_to_base("Old password entered incorrect") unless self.valid_password? old_password
end
end
I have old_password as a a virtual attribute that has to be validated as matching with the current before updating to a new password. My problem is that upon correct entering ( password == password confirmation and self.valid_password? old_password ) an error will yield and pass me back to the form. The strange part is that the data will actually be updated in the database, and it will not on wrong input; although it will yield the very same error ("Old password entered incorrect"). What on earth am I doing wrong?

Alright, found the problem.
I used a custom update attributes, which used to look like:
def custom_update_attributes(userparams, updater)
unless updater.may_change_user_role_name? self
userparams.delete(:role_name)
userparams.delete(:active)
end
self.update_attributes(userparams)
save
end
The obvious problem here is save, even though I changed my def validate to def validate_on_update this validation has been running on the save action too, and since no old_password is supplied, error will be yielded.

Related

Rails Controller runs update function anyway even though the form submit returns devise error message and nothing updated

Environment:
rails 4.2.6
devise 4.1.1
I am using a rails app, and there is a form to update user's profile. By default, devise asks the user to input user's password to update the user's data. I have put the <%=devise_error_messages! %> in the form, of course there is a update function in the controller, which looks like
def update
super
#email = resource.email
#event = resource.event
#name = resource.name
NoticeMailer.notice_confirm(#email, #name, #event).deliver_later
end
Here comes the problem. When I am editing the user's profile data, by default, devise asks the user to input the password to update the data and save it to the database. If I input the wrong password or leave the password field blank, and press the submi button(form.submit), there will be an error message, and I am still in the form. However even though there is an error message in the form, the update function in the controller still runs anyway. I think the logic is that the update function should not run if the update is failed.
Try01:
Try to input the data without password. I use the method
protected
def resource_update(params, resource)
resouce.update_without_password(params, resource)
end
in the controller,but it threw error message.
Try02
I am thinking using ajax to catch the submit click action and pass the password field to backend to check password. however i don't know how to implement this.
Try03
I tried to put a after_update filter function to do the mail sending function. However the result is the same, the mail function is sending no matter what.
Any suggestion?
I would expect the resource to be not valid? if the update failed. Therefore I would try:
def update
super
NoticeMailer.notice_confirm(
resource.email, resource.name, resource.event
).deliver_later if resource.valid?
end
Btw unless you use the instance variables somewhere else in the same
controller or its view then it should not be required assigning value to them first but you could pass the values directly to the mailer.
The correct update function in the controller:
def update
super
#email = resource.email
#event = resource.event
#name = resource.name
unless resource.errors.any?
NoticeMailer.notice_confirm(#email, #name, #event).deliver_later
end
end
Update02
def update
super
NoticeMailer.notice_confirm(
resource.email, resouce.name, resouce.event
).deliver_later unless resource.errors.any?
end

Form_for editing resource without all attributes

I have a form_for established to edit a resource (here it is a user). In the model, it is specified that some attributes cannot be blank (e.g. password). I have a second form to edit this user as an admin. This form does not require the user password but can be filled to change this user's password. The problem is that the validation fails cause no password is specified (Validation fail: Password cannot be blank).
I'd like to know if there is a way to edit the resource this way, without deleting the password field from parameters when it's blank.
#user.update!(user_params)
You can do something like a param deletetion. In your update method before the save do something like.
if params["user"].has_key? "password"
if params["user"]["password"].empty? and user_is_admin?
params["user"].delete("password")
end
end
Replace user_is_admin? with your own admin checking method.

Rails validation is still firing despite unless option evaluating to true

I use devise_invitable in my app to allow users to send invitations. I realized a bad case in which a user has been invited but ignores the invitation and later returns to the app to sign up on their own. Because devise_invitable handles invitations by creating a new user using the provided email address for the invitation, my uniqueness validation on the email field will cause Rails to complain, telling the user that the email address is already taken.
I'm trying to write some logic to handle this case. I see two paths - either figure a way to detect this and destroy the previously created user and allow the new one to be created, or detect the user was invited and execute another flow. I've decided to implement the second option, as I'd like to still utilize the invitation if possible.
My limited experience has me questioning if what I've written will work, but I can't actually fully test it because the Rails validation on the email is triggered. I've made sure Devise's :validatable module is inactive. I created a method that (I think) will detect if a user was invited and in that case the uniqueness validation should be skipped.
#user.rb
...
validates :email, uniqueness: true, unless: :was_invited?
...
def was_invited?
if self.invitation_sent_at.present? && self.sign_in_count == 0
true
else
false
end
end
FWIW, I had originally written this in shorthand rather than breaking out the if/else, but I wanted to be very explicit in an effort to find the bug/failure.
The hope is that once the form passes validation, the create action will do some detection about a user's invitation status and, if they were invited, redirect them to the accept_user_invitation_path. Again, I haven't been able to actually test this yet because I can't get around the validations.
#registrations_controller.rb
def create
if User.find_by_email(params[:email])
#existing_user = User.find_by_email(params[:email])
#existing_user.save(validate: false)
if #existing_user.was_invited?
redirect_to accept_user_invitation_path(:invitation_token => #existing_user.invitation_token)
end
else
super
end
end
In a desperate effort, you'll see I've also added the .save(validate: false) to try to short circuit it there, but it's not even getting that far.
If I comment out the email validation entirely, simply to test the rest of the logic/flow, I get a PG error complaining on uniqueness because of an index on the email address - I don't want to tear all this apart simply to test this method.
I've tried to mess with this for hours and I'm at a loss - any help is appreciated. Let me know if there's any other code you want to see.
Looking at the redirect:
redirect_to accept_user_invitation_path(:invitation_token => #existing_user.invitation_token)
I can see that there is no return which should mean that if that redirect was being called you should be getting an AbstractController::DoubleRenderError error as the parent controller's create method should be trying to render the new view.
From this I would guess that the query you are using to find the existing user is not actually returning a result, possibly because you are using params[:email] whereas if you are using the default views or a properly formatted form it should be params[:user][:email].
Maybe you should give more responsibilities to your controller...
If you find the user, use that, else create a new one. Assuming your form appears with http://yourapp/users/new, change it in your routes to http://yourapp/users/new/:email, making the user input their email before advancing to the form.
def new
#existing_user = User.find_by_email("#{params[:email]}.#{params[:format]}") || User.new
if #existing_user.was_invited? # will only work for existing user
redirect_to accept_user_invitation_path(:invitation_token => #existing_user.invitation_token)
else
render 'new'
end
end
def create
# do maybe something before saving
if #existing_user.save(user_params)
# do your magic
else
render 'new', notice: "Oops, I didn't save"
end
end

Updating password with BCrypt

When I login with a username and password by BCrypt checks no problem, everything is fine.
But when I go through the process of recovering password and try to login with the new password the BCrypt never returns true.
The code I have is as follows:
before_save :encrypt_password
before_update :encrypt_password
def authenticate
player = Player.find_by(mail: self.mail)
unless player.nil?
current_password = BCrypt::Password.new(player.password)
if current_password == self.password
player
else
nil
end
end
end
private
def encrypt_password
unless self.password.nil?
self.password = BCrypt::Password.create(self.password)
end
I'm using rails 4
You don't need the before_update callback.
When creating a new record (user in this case), only before_save is triggered. So you get the right behavior.
But when updating a record, both before_update and before_save are triggered, which means your password column is encrypted twice. That's why you get unexpected behavior.
Check this page for more information about callbacks.
What's more, I think it's a bad idea to make password a real column in database. All you need is a column called encrypted_password in database and making password a virtual attribute.
So you can write encrypt_password method like this:
def encrypt_password
unless self.password.nil?
self.encrypt_password = BCrypt::Password.create(self.password)
end
Which gave you no chance to make a mistake like you just made.

Rails: How to enter value A in Model X only if value A exists in Model Y?

I'm trying to build a registration module where user can only register if their e-mail is already in an existing database.
Models:
User
OldUser
The condition on User will be
if OldUser.find_by_email(params[:UserName]) exists, allow user registration.
If not, then indicate error message.
This is really simple to do in PHP where I can just run a function to execute a mysql query. However, I couldn't figure out how to do it on Rails. It looks like I have to create a custom validator function but seems to be overkilled for a such simple condition.
It should be pretty simple to do. What have I missed?
Any pointer?
Edit 1:
This solution by dku.rajkumar works with a slight modification:
validate :check_email_existence
def check_email_existence
errors.add(:base, "Your email does not exist in our database") if OldUser.find_by_email(self.UserName).nil?
end
For cases like this, is it better to do validation in the model or at the controller?
you can do it as
if OldUser.find_by_email(params[:UserName])
User.create(params) // something like this i guess
else
flash[:error] = "Your email id does not exist in our database."
redirect_to appropriate_url
end
UPDATE: validation in model, so the validation will be done while calling User.create
class User < ActiveRecord::Base
validates :check_mail_id_presence
// other code
// other code
private
def check_mail_id_presence
errors.add("Your email id does not exist in our database.") if OldUser.find_by_email(self.UserName).nil?
end
end
I'd recommend starting with Devise.
See https://github.com/plataformatec/devise
Even if you have unusual needs like these, you can normally adapt it. Once you get to know it, it's extremely powerful, solid and debugged, and you can do all sorts of things with it.
Bellow is just an initial implementation .../app/controller/UsersController for User registration related actions.
def new
#user = User.new
end
def create
#user = User.new(params[:user])
#old_user = User.find_by_email(user.email)
if #old_user
if #user.save
# Handle successful save
else
render 'new' # and render some error message telling why registration was not succeed
end
else
# render some page with some sort of error message of 'new' new users
end
end
Update:
Check out the following resources for more info:
Ruby on Rails Tutorial
Rails: User/Password Authentication from Scratch, Part I/II

Resources