Question

I am using the blowfish gem to encrypt passwords for my users (user model).

In the schema I don't have a password field anymore, but in the rails console I can (and have to) run user.password = "xxx" and user.password_confirmation = "xxx" in order to be able to call user.save. This works in the rails console, but I have a webform where a user is logically able to edit his/her password.

This is my edit.html.erb

    <%= form_for(@user) do |f| %>
      <%= render(:partial => "form", :locals => {:f => f}) %>
      <%= submit_tag("Edit User") %>
    <% end %>

The partial in _form.html.erb that pertains to passwords is this

    <table>
      ...
      <tr>
        <th>Password</th>
        <td><%= f.text_field(:password) %></td>
      </tr>
      <tr>
        <th>Confirm Password</th>
        <td><%= f.text_field(:password_confirmation) %></td>
      </tr>

In my users_controller.rb I require login, password and password_confirmation like this

    def update
      @user = User.find(params[:id])
      @user.update_attributes(user_params)
      if @user.save
        flash[:notice] = "Update Successful"
        redirect_to(:action => 'show', :id => @user.id)
      else
        flash[:notice] = "Error Updating"
        render('edit')
      end
    end

and

    private

    def user_params
      r = params.require(:user)
      r.require(:login)
      r.require(:password)
      r.require(:password_confirmation)
      r.permit(:first_name, :last_name, :login, :password, :password_confirmation)
    end

The issue is not when I submit a complete form; that updates fine. The issue is that when I leave the password field empty, instead of rendering the edit form again it gives me an Action Controller: Exception param not found: password and points to the r.require(:password) line of the user_params function.

EDIT

I commented the two require lines out and validate the presence of login, password and password_confirmation in the model. However, now I get this error

undefined method `user' for # pointing to the `@user.update_attributes(user_params)` line.

I still need to require :user and then .permit(.....) for the strong parameters in Rails 4, right?

EDIT 2 -- Update Method in users_controller.rb

    def update
      @user = User.find(params[:id])
      if @user.update_attributes(user_params)
        flash[:notice] = "Update Successful"
        redirect_to(user_path(@user.id))
      else
        flash[:notice] = "Error Updating"
        render('edit')
      end
    end

and the private user_params

    def user_params
      params.require(:user).permit(:first_name, :last_name, :login, :password, :password_confirmation, :position, :pictureString)
    end

The Error Message:

    undefined method `user' for #<User:0x007f4d482b1af0>
    Extracted source (around line #36):
    34 def update
    35 @user = User.find(params[:id])
    36 if @user.update_attributes(user_params)
    37  flash[:notice] = "Update Successful"
    38  redirect_to(user_path(@user.id))
    39 else

    app/controllers/users_controller.rb:36:in `update'

EDIT

Some further investigation revealed this:

If I leave the .permit(....) out of the user_params function (i.e. have it only read params[:user]) then I don't get the undefined method error but the expected forbidden attributes error. Maybe this helps you find what's wrong.


Solution

Strong Parameters are not meant for form validation. They are meant for security purposes to replace the attr_accessible macro used at the model level.

Form validation should either be performed client side, or by passing the params to some model that performs the validation (which will in turn call update_attributes if deemed valid).
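
Added example, not part of the original answer or of Rails itself: a plain-Ruby sketch of the split described above, using the question's attribute list. `require_param`, `permit`, `validation_errors`, both `update_*` functions and the `admin` attribute are hypothetical stand-ins; the sample request is constructed.

```ruby
# Plain-Ruby stand-ins, NOT Rails' implementation: require_param and permit
# mimic ActionController::Parameters#require and #permit on a plain Hash.
class ParameterMissing < StandardError; end

ALLOWED = %i[first_name last_name login password password_confirmation].freeze

def blank?(value)
  value.nil? || (value.respond_to?(:empty?) && (value.is_a?(String) ? value.strip : value).empty?)
end

# Like #require: raises when the key is absent or its value is blank.
def require_param(params, key)
  raise ParameterMissing, "param is missing or the value is empty: #{key}" if blank?(params[key])
  params[key]
end

# Like #permit: keeps allow-listed keys and drops everything else.
def permit(params, *keys)
  params.select { |k, _| keys.include?(k) }
end

# Model-side validation (hypothetical rules): returns messages, never raises.
def validation_errors(attrs)
  errors = []
  %i[login password password_confirmation].each do |field|
    errors << "#{field} can't be blank" if blank?(attrs[field])
  end
  if !blank?(attrs[:password]) && attrs[:password] != attrs[:password_confirmation]
    errors << "password_confirmation doesn't match password"
  end
  errors
end

# The question's first user_params: presence enforced with require.
def update_with_require(params)
  user = require_param(params, :user)
  %i[login password password_confirmation].each { |k| require_param(user, k) }
  [:redirect, permit(user, *ALLOWED)]
end

# Allow-list only, then let validation decide what the user sees.
def update_with_validation(params)
  attrs = permit(require_param(params, :user), *ALLOWED)
  errors = validation_errors(attrs)
  errors.empty? ? [:redirect, attrs] : [:render_edit, errors]
end

# Constructed request: blank password plus an attribute the form never offered.
BLANK = { user: { login: "alice", password: "", password_confirmation: "", admin: true } }.freeze
```

With `BLANK`, `update_with_require` raises instead of re-rendering the form, while `update_with_validation` returns `:render_edit` with messages; in both, the allow-list is what keeps `admin` from being mass-assigned.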

Licensed under: CC-BY-SA with attribution