Merge pull request rails#43378 from Stellenticket/set_empty_secure_password

rafaelfranca · web-flow · commit 3b5db8e8c951 · 2021-10-14T17:59:25.000-04:00
clear secure password cache if password is set to `nil`
diff --git a/activemodel/CHANGELOG.md b/activemodel/CHANGELOG.md
@@ -1,3 +1,21 @@
+*   Clear secure password cache if password is set to `nil`
+
+    Before:
+
+       user.password = 'something'
+       user.password = nil
+
+       user.password # => 'something'
+
+    Now:
+
+       user.password = 'something'
+       user.password = nil
+
+       user.password # => nil
+
+    *Markus Doits*
+
 ## Rails 7.0.0.alpha2 (September 15, 2021) ##
 
 *   No changes.
diff --git a/activemodel/lib/active_model/secure_password.rb b/activemodel/lib/active_model/secure_password.rb
@@ -94,6 +94,7 @@ def initialize(attribute)
 
         define_method("#{attribute}=") do |unencrypted_password|
           if unencrypted_password.nil?
+            instance_variable_set("@#{attribute}", nil)
             self.public_send("#{attribute}_digest=", nil)
           elsif !unencrypted_password.empty?
             instance_variable_set("@#{attribute}", unencrypted_password)
diff --git a/activemodel/test/cases/secure_password_test.rb b/activemodel/test/cases/secure_password_test.rb
@@ -91,6 +91,12 @@ class SecurePasswordTest < ActiveModel::TestCase
     assert_equal ["doesn't match Password"], @user.errors[:password_confirmation]
   end
 
+  test "resetting password to nil clears the password cache" do
+    @user.password = "password"
+    @user.password = nil
+    assert_nil @user.password
+  end
+
   test "update an existing user with validation and no change in password" do
     assert @existing_user.valid?(:update), "user should be valid"
   end
