Devise: update_with_password should throw error on blank password

Created on 28 Jun 2012 · 7 Comments · Source: heartcombo/devise

Reference: https://github.com/plataformatec/devise/wiki/How-To:-Allow-users-to-edit-their-password

@user.update_with_password(params[:user])

A success message is thrown even though password and password_confirmation are blank. However, the password is not updated to a blank password.

All 7 comments

Yes, that's update_with_password's behavior. If you want to allow blank passwords to be set, create your own helper. You can use this as example:

https://github.com/plataformatec/devise/blob/master/lib/devise/models/database_authenticatable.rb#L56

Sorry I wasn't clear. Doing too many things at once.

The expected functionality is

1) throw an error on save
2) mark password field with error "Password cannot be blank"

but instead I receive a success message. I will take a look at the example you sent and see if I can monkey patch a fix.

Yes, it is documented that it will simply ignore the password if it is blank.

+1 Whether it is documented or not, this is incorrect behavior. If a blank password is not allowed, an error should be raised, but it is not.

+1 I too had to work around this unexpected behaviour recently

I believe I understand the motivation. If no value is set for a parameter, the parameter is ignored in the controller method.

The trouble is when a value is provided for the "current password" and no value for the new or confirm password fields. Devise simply ignores the inconsistency by default, when the expected behavior is that the user intended to change the password but forgot to fill in the other two fields, and should be warned about this.

@phildow No. The current_password is not meant to be required only when updating the password but when updating all important/secure information. For example, if you allow anyone to change the e-mail without a password, the account can be easily taken over by changing the e-mail and asking for the password to be reset.

So treat update_with_password as a way to update any secure information, not only the password, and make this clear in your UI. If you really don't like this default, more secure behaviour, just implement an update_with_whatever in your model and change your edit setup to use it. Devise will continue shipping as it is today.
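The two behaviours argued over in this thread, side by side, as an added example that is not part of the issue and not Devise's own code. The `User` class below is a plain-Ruby stand-in for a Devise model (no Rails, no database): `update_with_password` reproduces the default described above (blank `:password` is dropped, the other attributes are saved, success is reported as long as `:current_password` is right), and `update_with_required_password` is one way to write the "update_with_whatever" the maintainer suggests, where a blank `:password` becomes a validation error. The method name, the error strings, and the use of PBKDF2 from the standard library in place of bcrypt are assumptions made for this illustration.

```ruby
require "openssl"
require "securerandom"

# Minimal stand-in for a Devise-backed User model, written for this thread as
# illustration. It is not Devise's code: it keeps only an email, a password
# digest, and the current_password gate, and uses PBKDF2 from the Ruby
# standard library in place of bcrypt so it runs without Rails or Devise.
class User
  attr_reader :email, :errors

  def initialize(email:, password:)
    @email = email
    @errors = {}
    set_password(password)
  end

  # Devise-style check used to gate all secure updates.
  def valid_password?(candidate)
    return false if blank?(candidate)
    secure_equal?(@digest, digest_for(candidate, @salt))
  end

  # Mirrors the default behaviour discussed above: a blank :password is
  # dropped from params, the remaining attributes are saved, and the call
  # reports success as long as :current_password is correct.
  def update_with_password(params)
    update_secure_attributes(params, require_password: false)
  end

  # The "update_with_whatever" variant the maintainer suggests writing in
  # your own model (name assumed here): same :current_password gate, but a
  # blank :password becomes a validation error instead of being ignored.
  def update_with_required_password(params)
    update_secure_attributes(params, require_password: true)
  end

  private

  def update_secure_attributes(params, require_password:)
    @errors = {}
    params = params.dup
    current_password = params.delete(:current_password)

    # Any change to sensitive data (email included) needs the current password.
    unless valid_password?(current_password)
      @errors[:current_password] = blank?(current_password) ? "can't be blank" : "is invalid"
      return false
    end

    if blank?(params[:password])
      if require_password
        @errors[:password] = "can't be blank"
        return false
      end
      # Default semantics: blank password means "do not touch the password".
      params.delete(:password)
      params.delete(:password_confirmation) if blank?(params[:password_confirmation])
    end

    if params.key?(:password_confirmation) && params[:password] != params[:password_confirmation]
      @errors[:password_confirmation] = "doesn't match Password"
      return false
    end

    @email = params[:email] if params.key?(:email)
    set_password(params[:password]) if params.key?(:password)
    true
  end

  def set_password(password)
    @salt = SecureRandom.hex(16)
    @digest = digest_for(password, @salt)
  end

  # PBKDF2-HMAC-SHA256 stands in for bcrypt; 10_000 iterations keeps the demo quick.
  def digest_for(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: 10_000, length: 32, hash: "sha256")
  end

  # Constant-time comparison so the digest check does not leak via timing.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  def blank?(value)
    value.nil? || value.to_s.strip.empty?
  end
end

if $PROGRAM_NAME == __FILE__
  user = User.new(email: "alice@example.test", password: "correct horse")
  form = { current_password: "correct horse", password: "", password_confirmation: "" }
  puts "default:  #{user.update_with_password(form)} #{user.errors}"
  puts "required: #{user.update_with_required_password(form)} #{user.errors}"
end
```

Running it with the constructed form above shows the difference the reporter hit: the default method returns `true` with no errors and leaves the password unchanged, while the required variant returns `false` with an error on `:password`. Both still refuse an email change without the correct `:current_password`, which is the account-takeover protection the maintainer is describing.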
