1

I'm building a "change password" form for my user, built with these fields:

  • Old password
  • New password
  • Confirmation password

I need a way to check whether the currently logged-in user's password is the same as the "old password" field. Is there any possibility to do this with authlogic? I can't find a method to test a password.

Simone Carletti
Francesco Belladonna
  • I don't know anything about authlogic. However, you should never be storing passwords, only salted SHA-1 (or better) hashes, correct? So you should use the same call to test if a password is correct. – Jonathon Reinhart Jun 19 '12 at 20:03
  • I know that, that's why I'm asking this: passwords are hashed through authlogic in some way (which I don't know) and I would like to check my password against the hashed one – Francesco Belladonna Jun 20 '12 at 01:06

1 Answer

5

Authlogic has a `valid_password?` method. See: http://rubydoc.info/github/binarylogic/authlogic/master/Authlogic/ActsAsAuthentic/Password/Methods/InstanceMethods#valid_password%3F-instance_method

So you could

if @user.valid_password?(params[:old_password])
  @user.password = params[:new_password]
  @user.password_confirmation = params[:new_password_confirmation]
end

(or similar)

Jesse Wolgamott
  • +1, I was about to give the same answer. You might want to update the answer to pass the 2nd parameter set to true to check against the DB rather than the object in hand i.e. `@user.valid_password?(params[:password], true)` – Harish Shetty Jun 19 '12 at 21:15
  • @KandadaBoggu: I have a problem now, when I change the password, UserSession.find returns nil, even after a UserSession.new({...}).save, any solution? – Francesco Belladonna Jun 21 '12 at 17:30
  • You can find the question on this new link eventually: http://stackoverflow.com/questions/11143656/usersession-find-returns-nil-after-changing-password – Francesco Belladonna Jun 21 '12 at 17:42
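
An added example, not part of the original answer and not Authlogic's code: it shows why the second argument mentioned in the comment above matters when the new password has already been assigned to the object in hand. `DemoUser`, `change_password`, the in-memory "database" fields and the PBKDF2 hashing are assumptions made so the snippet runs without Rails or Authlogic.

```ruby
require "openssl"
require "securerandom"

# Stand-in for an Authlogic-backed model (hypothetical; not Authlogic's code).
class DemoUser
  ITERATIONS = 10_000 # demo value, kept small so the example runs quickly

  def initialize(password)
    self.password = password
    save
  end

  # Like a model setter: changes only the in-memory object until save.
  def password=(plain)
    @salt = SecureRandom.hex(16)
    @crypted = digest(plain, @salt)
  end

  # Copies the in-memory values to the simulated database columns.
  def save
    @db_salt = @salt
    @db_crypted = @crypted
    true
  end

  # true compares with the persisted hash instead of the (possibly modified)
  # object in hand. The default of false is an assumption of this demo.
  def valid_password?(attempt, check_against_database = false)
    salt, crypted = check_against_database ? [@db_salt, @db_crypted] : [@salt, @crypted]
    secure_equal?(digest(attempt.to_s, salt), crypted)
  end

  private

  def digest(plain, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(plain, salt, ITERATIONS, 32, OpenSSL::Digest.new("SHA256")).unpack1("H*")
  end

  # Constant-time comparison of two hex strings.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Change-password flow: verify the old password before touching the object.
def change_password(user, old, new, confirmation)
  return :wrong_old_password unless user.valid_password?(old, true)
  return :confirmation_mismatch unless new == confirmation
  user.password = new
  user.save ? :changed : :not_saved
end
```

If a controller assigns the submitted attributes to `@user` before the check, only the database-backed comparison still tests the real old password.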