How to disable has_secure_password validation when a condition is true?

luislavena · February 15, 2012, 5:46pm

I have a User model that can save two types of users:

Password-protected users (for this I need has_secure_password)
Facebook users (for this I don’t need has_secure_password, but two
different fields: provider and uid)

So, when a normal user registers, the model should validate password
fields
with has_secure_password and validate the presence of the password
field:

has_secure_password
validates :password, presence: true

This works. I have no problem with this.

But when a user wants to register through Facebook, the password is not
needed, because provider and uid will be filled instead. The problem is
that I don’t know how to disable has_secure_password in this case. I
have
tried this:

has_secure_password
validates :password, presence: true, unless: :facebook_user?

And this is the facebook_user method:

def facebook_user?
provider != nil && uid != nil
end

But it doesn’t work, as it is still complaining about password_digest:

@messages={:password_digest=>[“can’t be blank”]}

What am I doing wrong? Isn’t it possible to disable has_secure_password
selectively?

casper_the_ghost · February 16, 2012, 2:35am

Go to RailsCasts.com and read about OmniAuth with devise. Episodes
#235, and #236 I would totally recommend you subscribe to his site,
by the way.

SC

casper_the_ghost · February 16, 2012, 8:25am

Yes, I already watched those screencasts, but I still don’t know how to
do
it.

casper_the_ghost · April 3, 2012, 7:59pm

Did you ever get a solution to this? My app also allows authentication
outside without the password.

casper_the_ghost · May 29, 2012, 10:57am

This does not work with has_secure_password because this module
automatically adds this validation:
validates_presence_of :password_digest

so no matter how you change the condition of validation in your own
model it just doesnt work. The solution I can think of is to write
your own has_secure_password module, you can copy a lot code from the
original from rails. Or use devise instead.

casper_the_ghost · April 6, 2012, 12:28am

Hi,

I haven’t tried it but would go for this:
http://guides.rubyonrails.org/active_record_validations_callbacks.html#conditional-validation

You probably didn’t used right conditions. To figure it out I always
use Rails console. Create 2 users, a FB and a nonFB and try them out.

casper_the_ghost · July 19, 2012, 1:06am

I also have dual login types (ldap and manual, the latter using
has_secure_password) and had the same problem.

It might seem like a hack but the simple solution was to just
set a bogus password for the ldap users (in the create method
in my controller). I don’t see any security problem with this
since the ldap users cannot login manually using that password.

casper_the_ghost · April 18, 2014, 11:12am

The solution is as follows:

remove has_secure_password and use traditional method

validates_confirmation_of :password, :unless => :facebook_user?
validates_presence_of :password_digest, :unless => :facebook_user?

def facebook_user?
not uid.nil? and not provider.nil?
end

Em quarta-feira, 15 de fevereiro de 2012 14h45min16s UTC-2, David M
escreveu:

casper_the_ghost · April 19, 2014, 7:12am

Sorry, missed some details. The complete solution follows

has_secure_password(validations: false) *
validates_confirmation_of :password, :if => :password_present?*
validates_presence_of :password, :on => :create, :unless =>
:facebook_user?*

Em quinta-feira, 17 de abril de 2014 23h28min13s UTC-3, emerson mauricio
freitas de moura escreveu: