[Rails] Re: Don't clear password fields if the password is ok
Dmitry Maksyoma wrote in post #1081303:
> No, I'm not using auth engine, I only use `has_secure_password'. I've tried
> removing that and adding `attr_accessor :password, :password_confirmation'
> and it didn't change a thing, so it seems to be the default Rails behaviour.
>
> My view: http://pastebin.com/s7tpwN4D
I'm not 100% sure about this, but I have a feeling that behavior exists
for security reasons. The primary concern about providing a password to
a server is limiting the amount of time the cleartext version exists.
In fact I'd be willing to wager that the hashing occurs in the Rack
middleware, which means your Rails application never sees the cleartext
password, and therefore would not have it to send back in the response.
--
Posted via http://www.ruby-forum.com/.