Devise: Disable password confirmation during sign-up

O

9

46

I am using Devise for Rails. In the default registration process, Devise requires users to type the password twice for validation and authentication. How can I disable it?

Obel answered 8/5, 2010 at 19:20 Comment(4)

What do you do if a person makes a typo when they type the password in the one box? There are reasons for having a confirmation on password forms, and you should be sure about removing it – Merkley 8/5, 2010 at 19:25

yup. i would like to remove it. to simplified the registration process. any suggestion on how to disable it? – Obel 8/5, 2010 at 19:38

@Merkley Kind of a late reply, but you can use the email password reset if users type it wrong. A lot of usability people are starting to prefer this approach, as it's simpler for the user. – Mcgrath 8/12, 2011 at 11:35

#11642401 – Nonlegal 8/7, 2016 at 13:56

A

87

To disable password confirmation you can simply remove the password_confirmation field from the registration form. This disables the need to confirm the password entirely!

Generate devise views if you haven't: rails g devise:views
Remove the password_confirmation section in app\views\devise\registrations\new.html.erb

The reason why this works lies in lib/devise/models/validatable.rb in the Devise source:

module Devise
  module Models
    module Validatable
 

      def self.included(base)

        base.class_eval do
          #....SNIP...
          validates_confirmation_of :password, :if => :password_required?
        end
      end
      
      #...SNIP...
      
      def password_required?
        !persisted? || !password.nil? || !password_confirmation.nil?
      end
    end
  end
end

Note that the validation is only triggered if password_required? returns true, and password_required? will return false if the password_confirmation field is nil.

Because where the password_confirmation field is present in the form, it will always be included in the parameters hash , as an empty string if it is left blank, the validation is triggered. However, if you remove the input from the form, the password_confirmation in the params will be nil, and therefore the validation will not be triggered.

Alessi answered 27/11, 2012 at 15:9 Comment(3)

Thanks @misertim. You are correct. Actually I forget this question. You are right. The correct solution is remove the password_confirmation field. Devise will just ignore the validation. – Obel 28/11, 2012 at 15:22

@Alessi That was a smart answer. I was prepared to fight with Devise for hours, but it turned out pretty easy. Thanks. – Ravage 19/12, 2012 at 13:7

Not really getting this... If the password field exists, isn't the validation done even if the password_confirmation field doesn't? – Swellfish 3/2, 2015 at 17:9

Q

36

It seems if you just remove the attr_accessible requirement from the model it works just fine without it.

On a side note, I agree with this practice, in the rare case there was a typo, the user can simply use the password recovery to recover their password.

Queri answered 24/12, 2010 at 22:44 Comment(2)

This should be the right answer. Assuming you are using user.rb as your devise model simply remove attribute_accessible for password_confirmation and remove the field in the view. – Menorca 18/5, 2011 at 20:32

Even more. On some apps registration go asynchronous, so sending the same data is unneded, some validations (that are not critical, this one isn't) can be done in view. – Argon 6/4, 2013 at 19:2

C

11

I am not familiar with Devise but if you have access to the model in the controller before save/validation could you do something like the following

model.password_confirmation = model.password
model.save

Cush answered 9/5, 2010 at 5:29 Comment(0)

B

3

For the sake of Rails 4 users who find this question, simply delete :password_confirmation from the permitted params, which you declare in ApplicationController.rb.

before_filter :configure_permitted_parameters, if: :devise_controller?

protected

def configure_permitted_parameters
  devise_parameter_sanitizer.for(:sign_up) do |u|
    u.permit(:username, :email, :password)
  end
  devise_parameter_sanitizer.for(:account_update) do |u|
    u.permit(:username, :email, :password)
  end
end

Bioscopy answered 4/3, 2014 at 2:27 Comment(0)

C

2

Simplest solution:

Remove :validatable from

devise :database_authenticatable, :registerable,
 :recoverable, :rememberable, :trackable,
 :confirmable, :timeoutable, :validatable

;)

Contumacious answered 7/10, 2014 at 13:32 Comment(1)

The problem with this answer is that it also removes the validation on the email field and the complexity of the password. This answer should also provide a validation for the email and password complexity – Lucubration 21/11, 2020 at 12:7

O

2

You just need to remove the password_confirmation field from your form.

Outofdoors answered 16/7, 2015 at 10:20 Comment(0)

T

1

See wiki

def update_with_password(params={})
  params.delete(:current_password)
  self.update_without_password(params)
end

https://github.com/plataformatec/devise/wiki/How-To:-Allow-users-to-edit-their-account-without-providing-a-password

Townsend answered 18/7, 2011 at 23:6 Comment(0)

O

0

Devise's default validations (lib/devise/models/validatable.rb):

validates_confirmation_of :password, :if => :password_required?

and method:

def password_required?
  !persisted? || !password.nil? || !password_confirmation.nil?
end

We need override Devise default password validation. Put the following code at the end in order for it not to be overridden by any of Devise's own settings.

validates_confirmation_of :password, if: :revalid
def revalid
  false
end

And your model would look like this:

class User < ActiveRecord::Base      
  devise :database_authenticatable, :registerable,
     :recoverable, :rememberable, :trackable,
     :confirmable, :timeoutable, :validatable

  validates_confirmation_of :password, if: :revalid

  def revalid
    false
  end
end

Then remove the password_confirmation field from the registration form.

Overside answered 30/9, 2014 at 21:46 Comment(0)

P

0

I think this is the simple way to disable password confirmation: https://github.com/plataformatec/devise/wiki/Disable-password-confirmation-during-registration

Some users wants to make the registration process shorter and easier. One of fields that can be removed is the Password confirmation.

Easiest solution is: you can simply remove the password_confirmation field from the registration form located at devise/registrations/new.html.erb (new.html.haml if you are using HAML), which disables the need to confirm the password entirely!

The reason for this lies in lib/devise/models/validatable.rb in the Devise source:

Note that the validation is only triggered if password_required? returns true, and password_required? will return false if the password_confirmation field is nil.

Because where the password_confirmation field is present in the form, it will always be included in the parameters hash , as an empty string if it is left blank, the validation is triggered. However, if you remove the input from the form, the password_confirmation in the params will be nil, and therefore the validation will not be triggered.

Polymorphism answered 15/7, 2016 at 6:39 Comment(0)

Recommended topics

Hot tags