ruby - 使用带有 rails : current_password being sanitized? 的设计

Question

我已经使用 Devise gem 向小型用户类添加了一些参数，但在使用 current_password 时遇到了一些问题。在我的帐户更新表单中，当我更新帐户并输入当前密码时收到错误消息“不能为空”。该帐户随后不会更新。我怀疑它正在某个地方被清理，删除了输入，然后被读取为空白。但是我不确定。我在下面列出了我认为相关的所有内容。

用户模型:

class User < ActiveRecord::Base
  # Include default devise modules. Others available are:
  # :confirmable, :lockable, :timeoutable and :omniauthable
  devise :database_authenticatable, :registerable,
         :recoverable, :rememberable, :trackable, :validatable

  attr_accessible :username, :email, :password, :password_confirmation, :remember_me, :about_me

  has_many :microposts
end

应用 Controller :

class ApplicationController < ActionController::Base
  protect_from_forgery

  protected
  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:username, :email)}
    devise_parameter_sanitizer.for(:sign_in) { |u| u.permit(:username, :email)}
    devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:username, :about_me, :email, :password, :password_confirmation, :current_password)}
  end
end

密码 Controller :

class Users::PasswordsController < Devise::PasswordsController

  def resource_params
    params.require(:user).permit(:email, :password, :password_confirmation, :current_password)
  end
  private :resource_params
end

注册 Controller

class Users::RegistrationsController < Devise::RegistrationsController

  before_filter :configure_permitted_parameters

  protected

  def configure_permitted_parameters
    devise_parameter_sanitizer.for(:sign_up) do |u|
      u.permit(:username, :about_me, :email, :password, :password_confirmation)
    end
    devise_parameter_sanitizer.for(:account_update) do |u|
     u.permit(:username, :about_me, :email, :password, :password_confirmation, :current_password)
    end
  end

end

设计路线:

  devise_for :users, :controllers => {:registrations => "users/registrations", :passwords => "users/passwords" }

有问题的 View (标准设计/注册/编辑表单):

<h2>Edit <%= resource_name.to_s.humanize %></h2>

<%= simple_form_for(resource, as: resource_name, url: registration_path(resource_name), html: { method: :put }) do |f| %>
  <%= f.error_notification %>

  <div class="form-inputs">
    <%= f.input :email, required: true, autofocus: true %>
    <%= f.input :username, required: false, autofocus: true %>
    <%= f.input :about_me, required: false, autofocus: true %>
    <% if devise_mapping.confirmable? && resource.pending_reconfirmation? %>
      <p>Currently waiting confirmation for: <%= resource.unconfirmed_email %></p>
    <% end %>

    <%= f.input :password, autocomplete: "off", hint: "leave it blank if you don't want to change it", required: false %>
    <%= f.input :password_confirmation, required: false %>
    <%= f.input :current_password, hint: "we need your current password to confirm your changes", required: true %>
  </div>

  <div class="form-actions">
    <%= f.button :submit, "Update" %>
  </div>
<% end %>

<h3>Cancel my account</h3>

<p>Unhappy? <%= link_to "Cancel my account", registration_path(resource_name), data: { confirm: "Are you sure?" }, method: :delete %></p>

同样，问题是当输入用于确认更改的密码时，该字段旁边会出现错误消息“不能为空”。有任何想法吗？谢谢

Answer 1

这是我过去遇到过的一个问题，需要一些变通办法。默认情况下，Devise 的 :registerable 模块允许用户更改他们的信息，并且需要输入 :password 和 :password_confirmation 参数。据我了解，您试图要求用户输入并确认他们的 :current_password。

为了实现您正在寻找的行为，您必须覆盖 Devise 的 RegistrationsController。我也不认为您需要 PasswordsController，因为 Devise 的 RegistrationsController 会为您处理。您需要编写并实现一个方法来检查用户的 :current_password 的有效性，然后通过 update 操作将它们重定向到正确的位置。您可以在 Users::RegistrationController 类中编写以下私有(private)方法:

def needs_password?(user, params)
  user.email != params[:user][:email] || 
   params[:user][:password].present? || 
   params[:user][:password_confirmation].present?
end

然后修改 User::RegistrationsController 中的 update 方法如下:

class Users::RegistrationsController < Devise::RegistrationsController
  def update
    @user = User.find(current_user.id)

    successfully_updated = if needs_password?(@user, params)
      @user.update_with_password(devise_parameter_sanitizer.sanitize(:account_update))
    else
      # remove the virtual current_password attribute
      # update_without_password doesn't know how to ignore it
      params[:user].delete(:current_password)
      @user.update_without_password(devise_parameter_sanitizer.sanitize(:account_update))
    end

    if successfully_updated
      set_flash_message :notice, :updated
      # Sign in the user bypassing validation in case their password changed
      sign_in @user, :bypass => true
      redirect_to after_update_path_for(@user)
    else
      render "edit"
    end
  end

希望这会有所帮助。您还可以引用 Devise 的文档了解如何执行此操作:https://github.com/plataformatec/devise/wiki/How-To%3a-Allow-users-to-edit-their-account-without-providing-a-password .