Devise, validate current_password if any important fields have been changed

Specifically, I'm using Devise with Typus. But, I think my misunderstanding resides in my knowledge of Devise.

I'm trying to achieve the functionality of when you want to change an important model via form, you have to provide your current password to confirm you can change it, a la google.

Right now, I can log in and change any of the fields of my User model. Including the p开发者_开发知识库assword, without having to confirm my password prior. Not good. So, I've added current_password to the form. But that didn't do anything. Then I tried to validate presence on current_password. Then it doesn't seem to accept any value for it.

Google didn't help me. All of the relevant posts were about removing current_password instead of confirming it. Which makes me think I'm misunderstanding the use of current_password.

Anyone care to share some insight? Thanks.

You should add the password field to the form, and then in your controller's action you can validate the password using:

user.valid_password?(params[:user][:password])

Note that probably you should change params[:user][:password] to the the name of the param for your password's field in the form (perhaps just params[:password]).

Hope it helps.

Actually, devise has a builtin method for this:

user.update_with_password(params, *options) you can read the rdoc here.

Update record attributes when :current_password matches, otherwise returns error on :current_password. It also automatically rejects :password and :password_confirmation if they are blank.