Changing password not validating_confirmation_of

Cargo-culting isn't working...

User:
  attr_reader :password # Virtual attribute

  validates_presence_of :username
  validates_uniqueness_of :username

  attr_accessor :password_confirmation
  validates_confirmation_of :password

& etc from AWDR with use of a hashed password

UserController:
  def change_password
    user = User.find(session[:user_id])
    if request.post?
      opw = params[:user][:old_password]
      npw = params[:user][:password]
      if user.verify_password(opw) and opw != npw
        user.password = npw
        user.save
      else
        flash.now[:notice] = "Bad Password"
      end
    end
  end

change_password.rhtml:

<div class="CapPlanner-form">
<%= error_messages_for 'user' %>

  <fieldset>
    <legend>Changing Password</legend>

    <% form_for :user do |form| %>
      <p>
        <label for="user_old_password">Old Password:</label>
        <%= form.text_field :old_password, :size => 40 %>
      </p>

      <p>
        <label for="user_password">Password:</label>
        <%= form.text_field :password, :size => 40 %>
      </p>

      <p>
        <label for="user_password_confirmation">Confirm:</label>
        <%= form.text_field :password_confirmation, :size => 40 %>
      </p>

      <%= submit_tag "Change Password", :class => "submit" %>
    <% end %>
  </fieldset>
</div>

I'm reasonably certain that validates_confirmation_of is not being
invoked, but I have no idea why. Assigning user.password_confirmation
does not help. The parameters are coming in just fine.

I'm not sure if this will fix your particular issue, but you may want
to remove your own attr_accessor for the password_confirmation
attribute, since validates_confirmation_of provides its own
implementation.

The book has it & discussions here seem to confirm that it is
required. I'll check, though.