Devise's email validations (uniqueness and regexp) is not working with client_side_validations #710
Comments
Hi,
Uniqueness validator was removed in version 7.0. It was bugged and not secure. It exposed your app to data disclosure. Also, it was using a blocking ajax request. Hope it helps
You're welcome @salmagomaa
Quoting from: #692 (comment)
At the moment I can't update that wiki. My suggestion is to try by yourself, but since you cannot rely on the middleware, you should add a custom controller and action in your Rails Application. Something like:

```ruby
# /config/routes
Rails.application.routes.draw do
  # ...
  namespace :validators do
    get :zipcode, to: 'validators#zipcode'
  end
  # ...
end
```

```ruby
# /app/controllers/validators/validators_controller.rb
module Validators
  class ValidatorsController < ApplicationController
    # Answers 200 when a Zipcode with the given id exists, 404 otherwise
    def zipcode
      if Zipcode.where(id: params[:id]).exists?
        head :ok
      else
        head :not_found
      end
    end
  end
end
```

```ruby
# /app/models/model.rb
class ZipcodeValidator < ActiveModel::EachValidator
  def validate_each(record, attr_name, value)
    unless Zipcode.where(id: value).exists?
      record.errors.add(attr_name, 'is not unique', options.merge(value: value))
    end
  end
end

class Model
  # ...
  validates :zipcode, zipcode: true
  # ...
end
```

```js
// application.js
window.ClientSideValidations.validators.remote['zipcode'] = function(element, options) {
  if ($.ajax({
    url: '/validators/zipcode',
    data: { id: element.val() },
    // async *must* be false
    async: false
  }).status == 200) { console.log(options); return options.message; }
}
```

Please note that the above endpoint should be protected by rack attack, works in a different way if the resource is persisted and could allow information disclosure. I would not recommend this solution for a uniqueness validator.

I've tested this locally, if you are able to make it work, please update the wiki with the new instructions.

Hope it helps
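The comment above says the validator endpoint should be protected by rack attack. As an added example (not part of the thread or of the gem's code), this stdlib-only Rack middleware shows the kind of per-client throttle that implies; the class name `ValidatorThrottle`, the limit and the period are assumptions, and in a real application rack-attack's `Rack::Attack.throttle` would do this job.

```ruby
# Added illustration: fixed-window, per-client throttle for the remote
# validator endpoints, written as plain Rack middleware (stdlib only).
class ValidatorThrottle
  PROTECTED_PREFIX = '/validators/' # the routes namespace from the comment above

  # limit and period are assumed values; tune them to real form usage.
  def initialize(app, limit: 5, period: 60, clock: -> { Time.now.to_i })
    @app = app
    @limit = limit
    @period = period
    @clock = clock
    @hits = Hash.new(0) # in-memory only; use a shared store with several app servers
    @lock = Mutex.new
  end

  def call(env)
    return @app.call(env) unless env['PATH_INFO'].to_s.start_with?(PROTECTED_PREFIX)

    now = @clock.call
    window = now / @period
    # REMOTE_ADDR is the proxy's address behind a load balancer; key on the
    # trusted client address there instead.
    key = [env['REMOTE_ADDR'], window]
    count = @lock.synchronize do
      @hits.delete_if { |(_, w), _| w < window } # drop expired windows
      @hits[key] += 1
    end
    return @app.call(env) if count <= @limit

    retry_after = @period - (now % @period)
    [429, { 'content-type' => 'text/plain', 'retry-after' => retry_after.to_s },
     ["Too Many Requests\n"]]
  end
end

# Constructed demo: a stub app stands in for ValidatorsController#zipcode.
# Each request is [client_ip, path, unix_time]; returns the status codes.
def demo_statuses(requests, limit: 3)
  t = 0
  app = ValidatorThrottle.new(->(_env) { [200, {}, []] },
                              limit: limit, period: 60, clock: -> { t })
  requests.map do |ip, path, at|
    t = at
    app.call('REMOTE_ADDR' => ip, 'PATH_INFO' => path).first
  end
end
```

Throttling only slows enumeration; each allowed request still answers whether the value exists, which is the information disclosure the comment warns about.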
This commit reflects changes in ActiveRecord::Dirty API version 5.1 Ref: #710, heartcombo/devise#4574, rails/rails#25337
I've released an updated version of CSV, but it should not fix all devise related issues. You may still need to specify
Hi, I'm going to close this one. For people experiencing this issue:
It doesn't work because the uniqueness middleware was removed from the gem in version 7.0 because of security issues (brute force data disclosure). You are still free to implement your own remote validator. I do not advise to downgrade to CSV 6.0
It works. Please note that in some forms (login, password recovery) you still need to pass

Hope it helps
On blurring the email's input field, an error is only shown if it is empty, but if it already exists or if it has an invalid format, no error is shown.
I need the client_side_validations to be shown for all cases of the email errors, any help please??