Rails core - Jan 2011 - "Confirmation" succeeds when the *_confirmation attribute was neglected from the Model.

<pre>
models/user.rb:

# Oops! I forgot to add the :password_confirmation attribute!

class User < ActiveRecord::Base
  attr_accessor :password
  attr_accessible :password #, :password_confirmation

  validates(:password,
            :confirmation => true,
            :presence => true)
end



activemodel/lib/active_model/validations/confirmation.rb:

  3   # == Active Model Confirmation Validator
  4   module Validations
  5     class ConfirmationValidator < EachValidator
  6       def validate_each(record, attribute, value)
  7         if (confirmed = record.send("#{attribute}_confirmation"))
&& (value !=     confirmed)
  8           record.errors.add(attribute, :confirmation, options)
  9         end
 10       end
</pre>

At line 7, since the attribute does not exist, no error is recorded.
That''s wrong. If password_confirmation does not exist, then it was
certainly *not* confirmed.  Sure, I would find the mistake later,
probably ... or maybe not, if I type ''password'' instead of
''password_confirmation'' elsewhere in my code.

I think that :confirmation=>true should *require* the *_confirmation
attribute, and it validate_each should issue a *different* error
message when missing (since otherwise this would be hard for a
developer to debug).

-- 
You received this message because you are subscribed to the Google Groups
"Ruby on Rails: Core" group.
To post to this group, send email to rubyonrails-core@googlegroups.com.
To unsubscribe from this group, send email to
rubyonrails-core+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/rubyonrails-core?hl=en.