<pre> models/user.rb:
# Oops! I forgot to add the :password_confirmation attribute!
class User < ActiveRecord::Base attr_accessor :password attr_accessible :password #, :password_confirmation
validates(:password, :confirmation => true, :presence => true) end
activemodel/lib/active_model/validations/confirmation.rb:
3 # == Active Model Confirmation Validator 4 module Validations 5 class ConfirmationValidator < EachValidator 6 def validate_each(record, attribute, value) 7 if (confirmed = record.send("#{attribute}_confirmation")) && (value != confirmed) 8 record.errors.add(attribute, :confirmation, options) 9 end 10 end </pre>
At line 7, since the attribute does not exist, no error is recorded. That's wrong. If password_confirmation does not exist, then it was certainly *not* confirmed. Sure, I would find the mistake later, probably ... or maybe not, if I type 'password' instead of 'password_confirmation' elsewhere in my code.
I think that :confirmation=>true should *require* the *_confirmation attribute, and it validate_each should issue a *different* error message when missing (since otherwise this would be hard for a developer to debug).