Rails authentication from scratch, skip current password validation

Question

I have an auth system from scratch, and when a user clicks on 'edit profile' it has to input the current password no matter the field he wants to edit.

def update
  if params[:user][:password].present?
    authenticated = @user.authenticate(params[:user][:current_password])
    if authenticated && @user.update(user_params)
      redirect_to root_url
      flash[:notice] = "Your profile was successfully updated!"
    else
      @user.errors.add(:current_password, 'is invalid') unless authenticated
      render :edit
    end
  elsif @user.update(user_params)
    redirect_to root_url
    flash[:notice] = "Your profile was successfully updated!"
  else
    render :edit
  end
end

How can I call authenticate or use some context model validation only for the scenario when the user wants to change his password?

Answer 1

You may create a nested if-else in this action statement that will check for existence of new_password and new_password_confirmation (or whatever the new password and confirmation fields are called) in the params[:user] object. If they are present - you may redirect to some king of page with request to enter existent password.

Another way is to use ajax to show asynchronously the dialog box with the same request (like respond_with self-invoking javascript function that handles that). Then handle submit button in of the dialog in the other action of the controller.

Update (considering use of validators):

Considering validation you may write your own validator (for password) and condition to check when the new password field come with some data from the client.

I think it could look like this:

validate :password_update?

def password_update?
    if new_password.present?
        if current_password !== self.password
          errors.add(:current_password, "must be supplied!")
        else
            # update data and password
        end
    else
        # do your regular update
    end
end

Answer 2

I wouldn't recommend mixing this logic into the model because you end up with complexity that is hard to follow as your application grows over time.

Try taking a look into form objects:

• Form-backing objects for fun and profit
• Railscast #416 Form Objects [paid subscription required]

I'd implement something like this:

class UserUpdateForm
  include ActiveModel::Model

  # Attributes
  attr_accessor :user, :new_password, :new_password_confirmation

  # Validations
  validates :current_password, if: :new_password
  validate :authenticate, if: :current_password
  validates :new_password, confirmation: true, allow_blank: true

  def initialize(user)
    self.user = user
  end

  def submit(params)
    self.new_password = params[:new_password]
    self.new_password_confirmation = params[:new_password_confirmation]

    if self.valid?
      # Set other attributes as needed, then set new password below.
      self.user.password = self.new_password if self.new_password.present?
      self.user.save
    else
      false
    end
  end

private

  def authenticate
    unless self.authenticate(self.current_password)
      self.errors.add(:current_password, 'is invalid')
    end
  end
end

Then you can call it from your controller like so:

def update
  @user_update_form = UserUpdateForm.new(@user)

  if @user_update_form.submit(params)
    flash[:notice] = "Your profile was successfully updated!"
    redirect_to root_url
  else
    render :edit
  end
end

See the links above for how to handle the view and such. This is just to get you started.