v4.6.0 breaks activeadmin forms that have `password` field

[gsar]

Environment

• Ruby 2.6.1
• Rails 5.2.2
• Devise 4.6.1

Current behavior

It appears that PR #4261 introduced a change where encrypted_password could be set to nil even when no attempt was made to change password. The relevant comment is here #4261 (comment)

This results in user model forms that have a password field in activeadmin to break with a validation failure when the password field remains empty on submit:

ActiveRecord::NotNullViolation (PG::NotNullViolation: ERROR:  null value in column "encrypted_password" violates not-null constraint

Expected behavior

No attempt should be made to set encrypted_password to nil if the password field doesn't have a value. This was the case in devise versions prior to v4.6.0.

[gsar]

In case it helps others, I am using this workaround in the activeadmin pages that have an editable devise password field:

  before_save do |user|
    if user.will_save_change_to_encrypted_password?
      user.restore_encrypted_password! unless user.encrypted_password.present?
    end
  end

[zucler]

This is occurring in our application as well. In our case, it's happening when trying to update a user record as a part of minitest framework test suite. Please fix.

[chiperific]

Same issue here.
RailsAdmin form for user with password and password_confirmation fields won't submit, throws this error.

@gsar's monkey patch works.

[phlegx]

I have the same problem on my application. I want to update an account without changing the password but changing some other fields. I get a validation error: encrypted_password can't be blank

Parameters password and password_confirmation are set to nil on update. This has worked for me on all previous versions of devise 4.6.0.

[nosretep]

Broke for me too. Just add encrypted_password: "" and that should satisfy the not null, and is also the default value of "".

t.string :encrypted_password, null: false, default: "" from the migration

[phlegx]

@nosretep your solution breaks logins! If I submit an account form to update the account and leave password and password_confirmation empty, then the account should be updated without set encrypted_password to blank! If it get set to blank, then the account can no more login with his password!

[nosretep]

@phlegx works for me on my specs, login seems to have not broken for me. I'll keep on the lookout though.

[Alexey-Lukin]

In case it helps others, I am using this workaround in the activeadmin pages that have an editable devise password field:

  before_save do |user|
    if user.will_save_change_to_encrypted_password?
      user.restore_encrypted_password! unless user.encrypted_password.present?
    end
  end

before_save do |user|
  if user.will_save_change_to_encrypted_password?
    user.restore_encrypted_password! if user.encrypted_password.blank?
  end
end

[jeremywadsack]

This is affecting our application, unrelated to ActiveAdmin (we don't use it). We have a form that allows an account admin to change a user's password through the UsersController (as opposed to the user changing their own password which runs through the RegistrationController). The form includes a password field — prior to updating Devise (to address CVE-2019-5421) leaving this field blank updated the record without changing the password. After the update it raises the ActiveRecord::NotNullViolation in the OP.

Specifically, this fails to update:

  def update
    if @user.update(user_params)
      ...
    end
  end

  def user_params
    params.require(:user).permit(%i[email password name])
  end

To work around this I've changed user_params to only include :password when the value is present.

  def user_params
    fields = %i[email name]
    fields << :password if params[:user][:password].present?
    params.require(:user).permit(fields)
  end

This is clearly a breaking change and I can't see how this doesn't affect every application that has a password field on the users#update form.

[NikoRoberts]

Also experiencing this with a custom form.

The patch on 4.6.0 was introduced for security from what I can tell so setting a password to blank would set the encrypted_password to nil because it was “expected” to do so and was a security risk not to.

As encrypted password is NOT NULL column, this isn’t the expected behaviour and I doubt ever was.

My understanding of the expected behaviour was that setting password to nil or blank would not update the users’ ability to access their account and was a common way for forms to not update the password field

You can see a more relevant discussion on #5044