I am following the Sorcery tutorial for resetting the password. I am finding that the code works, even if my password confirmation is different. My user model has attr_accessor :password, :password_confirmation.
The relevant code is from the update action of app/controllers/password_resets_controller.rb, i.e.

    @user.password_confirmation = params[:user][:password_confirmation]
    if @user.change_password!(params[:user][:password])
      redirect_to(root_path, :notice => 'Password was successfully updated.')
    end

Using pry I can confirm that @user.password_confirmation returns 'reallywrong' and params[:user][:password] returns 'foobar', so the confirmation is different from the password, yet @user.change_password!(params[:user][:password]) returns true.
What is wrong here?
I had not set password confirmation to true in the user model validations.
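
Added example, not part of the original post and not Sorcery or Rails code: a plain-Ruby stand-in (the DemoUser class, its confirm: flag and attempt_reset are hypothetical names) showing why attr_accessor alone enforces nothing and what a confirmation check on save changes. In a Rails model the declaration is validates :password, confirmation: true; Rails skips that check when password_confirmation is nil, so a presence validation on the confirmation is needed too, which the stand-in models.

```ruby
# Constructed stand-in for a user model; not Sorcery or ActiveRecord code.
class DemoUser
  # Plain accessors only store values; they compare nothing.
  attr_accessor :password, :password_confirmation
  attr_reader :saved_password, :errors

  # confirm: mirrors whether the model declares a confirmation validation.
  def initialize(confirm:)
    @confirm = confirm
    @errors = []
  end

  def valid?
    @errors = []
    @errors << "password can't be blank" if password.to_s.empty?
    if @confirm
      # Require the confirmation to be present, so omitting the field
      # cannot bypass the comparison.
      if password_confirmation.nil?
        @errors << "password_confirmation can't be blank"
      elsif password_confirmation != password
        @errors << "password_confirmation doesn't match password"
      end
    end
    @errors.empty?
  end

  # Stand-in for the save behind change_password!: persists only when valid.
  def change_password!(new_password)
    self.password = new_password
    return false unless valid?
    @saved_password = new_password
    true
  end
end

# Runs one reset attempt and returns [result, validation errors].
def attempt_reset(confirm:, password:, confirmation:)
  user = DemoUser.new(confirm: confirm)
  user.password_confirmation = confirmation
  [user.change_password!(password), user.errors]
end

# Values from the question: password 'foobar', confirmation 'reallywrong'.
p attempt_reset(confirm: false, password: "foobar", confirmation: "reallywrong")
p attempt_reset(confirm: true,  password: "foobar", confirmation: "reallywrong")
p attempt_reset(confirm: true,  password: "foobar", confirmation: nil)
p attempt_reset(confirm: true,  password: "foobar", confirmation: "foobar")
```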