9

在我的应用中,用户可以编辑他们的个人资料信息。在编辑个人资料表单上,用户可以更改所有字段(姓名、职务等)。在同一个表单上是三个字段:current_passwordpasswordpassword_confirmation。我正在使用bcrypt'shas_secure_password功能进行密码验证。我根本不使用设计。

我希望用户只有在提供正确的当前密码时才能更改密码。我之前在update我的用户控制器的方法中使用以下代码进行了此操作:

# Check if the user tried changing his/her password and CANNOT be authenticated with the entered current password
if !the_params[:password].blank? && !@user.authenticate(the_params[:current_password])
  # Add an error that states the user's current password is incorrect
  @user.errors.add(:base, "Current password is incorrect.")
else    
  # Try to update the user
  if @user.update_attributes(the_params)
    # Notify the user that his/her profile was updated
    flash.now[:success] = "Your changes have been saved"
  end
end

但是,这种方法的问题在于,如果当前密码不正确,它会丢弃对用户模型的所有更改。如果当前密码不正确,我想保存对用户模型的所有更改,但不保存密码更改。我试过像这样拆分 IF 语句:

# Check if the user tried changing his/her password and CANNOT be authenticated with the entered current password
if !the_params[:password].blank? && !@user.authenticate(the_params[:current_password])
  # Add an error that states the user's current password is incorrect
  @user.errors.add(:base, "Current password is incorrect.")
end

# Try to update the user
if @user.update_attributes(the_params)
  # Notify the user that his/her profile was updated
  flash.now[:success] = "Your changes have been saved"
end

这不起作用,因为即使当前密码不正确,用户也可以更改他/她的密码。单步执行代码时,虽然“当前密码不正确”。错误添加到@user,通过该update_attributes方法运行后,似乎忽略了此错误消息。

顺便说一句,该current_password字段是我的用户模型中的虚拟属性:

attr_accessor :current_password

几个小时以来,我一直试图解决这个问题,所以我真的可以使用一些帮助。

谢谢!

解决方案

感谢papirtiger,我得到了这个工作。我从他的回答中稍微更改了代码。下面是我的代码。请注意,任何一个代码片段都可以正常工作。

在用户模型中(user.rb)

class User < ActiveRecord::Base
  has_secure_password

  attr_accessor :current_password

  # Validate current password when the user is updated
  validate :current_password_is_correct, on: :update

  # Check if the inputted current password is correct when the user tries to update his/her password
  def current_password_is_correct
    # Check if the user tried changing his/her password
    if !password.blank?
      # Get a reference to the user since the "authenticate" method always returns false when calling on itself (for some reason)
      user = User.find_by_id(id)

      # Check if the user CANNOT be authenticated with the entered current password
      if (user.authenticate(current_password) == false)
        # Add an error stating that the current password is incorrect
        errors.add(:current_password, "is incorrect.")
      end
    end
  end
end

我的用户控制器中的代码现在很简单:

# Try to update the user
if @user.update_attributes(the_params)
  # Notify the user that his/her profile was updated
  flash.now[:success] = "Your changes have been saved"
end
4

4 回答 4

7

您可以在模型级别添加自定义验证,以检查密码是否已更改:

class User < ActiveRecord::Base
  has_secure_password

  validate :current_password_is_correct,
           if: :validate_password?, on: :update

  def current_password_is_correct
    # For some stupid reason authenticate always returns false when called on self
    if User.find(id).authenticate(current_password) == false
      errors.add(:current_password, "is incorrect.")
    end
  end

  def validate_password?
    !password.blank?
  end

  attr_accessor :current_password
end
于 2015-05-18T00:39:35.640 回答
1

因此,从用户的角度考虑,如果有人输入了错误的密码,您是否不希望其他内容也不要更改?通常人们会有一个密码更新,它只是电子邮件和密码。如果当前密码不正确,则不要更新任何内容。

如果您必须这样做,那么只需移动逻辑并拥有两组参数或从参数中删除密码。这将是它的伪代码。 

if not_authenticated_correctly
  params = params_minus_password_stuff (or use slice, delete, etc)
end

#Normal update user logic
于 2015-05-18T00:24:57.023 回答
1

另一种方法是使用自定义验证器,而不是将此验证嵌入模型中。您可以将这些自定义验证器存储在 app/validators 中,它们将由 Rails 自动加载。我称这个为password_match_validator.rb。

除了可重用之外,此策略还消除了在身份验证时重新查询 User 的需要,因为 User 实例通过 rails 作为“记录”参数自动传递给验证器。

class PasswordMatchValidator < ActiveModel::EachValidator

   # Password Match Validator
   #
   # We need to validate the users current password
   # matches what we have on-file before we change it
   #
   def validate_each(record, attribute, value)
     unless value.present? && password_matches?(record, value)
       record.errors.add attribute, "does not match"
     end
   end

   private

   # Password Matches?
   #
   # Need to validate if the current password matches
   # based on what the password_digest was. has_secure_password
   # changes the password_digest whenever password is changed.
   #
   # @return Boolean
   #
   def password_matches?(record, value)
     BCrypt::Password.new(record.password_digest_was).is_password?(value)
   end
 end

将验证器添加到项目后,您可以在任何模型中使用它,如下所示。

class User < ApplicationRecord

  has_secure_password

  # Add an accessor so you can have a field to validate
  # that is seperate from password, password_confirmation or 
  # password_digest...
  attr_accessor :current_password

  # Validation should only happen if the user is updating 
  # their password after the account has been created.
  validates :current_password, presence: true, password_match: true, on: :update, if: :password_digest_changed?

end

如果您不想将 attr_accessor 添加到每个模型中,您可以将其与关注点结合起来,但这可能是矫枉过正。如果您有针对管理员和用户的单独模型,则效果很好。请注意,文件名、类名和验证器上使用的密钥都必须匹配。

于 2018-11-01T21:38:39.097 回答
1

刚刚发布它,适用于 ror 6.x

form.erb 文件:

  <div class="field">
    <%= form.label :current_password, 'Current password:' %>
    <%= form.password_field :current_password, size: 40 %>
  </div>

  <div class="field">
    <%= form.label :password, 'Password:'%>
    <%= form.password_field :password, size:40 %>
  </div>

  <div class="field">
    <%= form.label :password_confirmation, 'Confirm:' %>
    <%= form.password_field :password_confirmation, id: :user_password_confirmation, size:40 %>
  </div>

  <div class="actions">
    <%= form.submit %>
  </div>

用户.rb:

  has_secure_password

  # virtual attribute
  attr_accessor :current_password

  # Validate current password when the user is updated
  validate :current_password_is_correct, on: :update

  # Check if the inputted current password is correct when the user tries to update his/her password
  def current_password_is_correct
    # Check if the user tried changing his/her password
    return if password.blank?

    # Get a reference to the user since the "authenticate" method always returns false when calling on itself (for some reason)
    user = User.find(id)

    # Check if the user CANNOT be authenticated with the entered current password
    if user.authenticate(current_password) == false
      # Add an error stating that the current password is incorrect
      errors.add(:current_password, "is incorrect.")
    end
  end

users_controller.rb:

只需要添加 ":current_password" 到def user_params或通过更改将不起作用,并且将在服务器日志中写入:

Unpermitted parameter: :current_password
于 2021-12-16T15:29:29.827 回答