From 8b2f93516d70fed4388c8e01c0f52b067305c09c Mon Sep 17 00:00:00 2001
From: Joseph Mastey
Date: Wed, 27 Sep 2017 18:57:40 -0500
Subject: [PATCH] fix user password field to not accidentally re-encrypt itself on save

currently this is flagged manually in one place, but there's no reason not to let the user model handle it. this way, you can update your user model from a console or some other area without accidentally changing your password.
---
 app/controllers/users_controller.rb | 4 +---
 app/models/user.rb | 9 +++------
 2 files changed, 4 insertions(+), 9 deletions(-)

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index ac3613e..8d4a8da 100755
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -29,10 +29,8 @@ class UsersController < ApplicationController
     if user
       user.skip_user_id_assign = true
-      user.skip_hash_password = true
       user.update_attributes(user_params_without_password)
-      if !(params[:user][:password].empty?) && (params[:user][:password] == params[:user][:password_confirmation])
-        user.skip_hash_password = false
+      if params[:user][:password].present? && (params[:user][:password] == params[:user][:password_confirmation])
         user.password = params[:user][:password]
       end
       message = true if user.save!
diff --git a/app/models/user.rb b/app/models/user.rb
index 2ec814c..31d21ab 100755
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -11,7 +11,6 @@ class User < ApplicationRecord
   validates_uniqueness_of :email
   validates_format_of :email, :with => /.+@.+\..+/i
   attr_accessor :skip_user_id_assign
-  attr_accessor :skip_hash_password
   before_save :assign_user_id, :on => :create
   before_save :hash_password
   has_one :retirement, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
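Review bot: A password that fails the confirmation check is dropped silently on the new `if` line — the branch is skipped, `user.save!` still runs with the other attributes, and `message = true` reports success, so a user who mistyped the confirmation is told the update worked while the password is unchanged. Consider an explicit mismatch branch, e.g. `elsif params[:user][:password].present?` followed by `user.errors.add(:password_confirmation, "doesn't match password")` and returning before `save!`; note that `save!` re-runs validations and clears any manually added error, so the branch has to short-circuit rather than rely on the error surviving. The switch to `.present?` tolerates a missing or nil `:password`, but `params[:user]` itself is still dereferenced unguarded (`params.dig(:user, :password)` would cover both). The enclosing action starts and ends outside this hunk.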
@@ -21,7 +20,7 @@ class User < ApplicationRecord
   has_many :messages, :foreign_key => :receiver_id, :primary_key => :user_id, :dependent => :destroy
   has_many :pay, :foreign_key => :user_id, :primary_key => :user_id, :dependent => :destroy
   before_create { generate_token(:auth_token) }
-  before_create :build_benefits_data
+  before_create :build_benefits_data
   def build_benefits_data
     build_retirement(POPULATE_RETIREMENTS.shuffle.first)
@@ -70,10 +69,8 @@ class User < ApplicationRecord
   end
   def hash_password
-    unless @skip_hash_password == true
-      if password.present?
-        self.password = Digest::MD5.hexdigest(password)
-      end
+    if password.present? && password_changed?
+      self.password = Digest::MD5.hexdigest(password)
     end
   end
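Review bot: The added `self.password = Digest::MD5.hexdigest(password)` line keeps storing passwords as a single unsalted MD5 digest, which gives little protection if the users table is ever exposed; the `password_changed?` guard fixes the re-hashing bug, but this is the natural point to move to a salted, slow hash such as bcrypt via `has_secure_password` (a `password_digest` column) instead of hashing in a `before_save`. The guard also depends on ActiveRecord dirty tracking, so it only fires when the attribute was assigned before this save; code paths that bypass callbacks (`update_column`/`update_columns`) would store whatever value is passed unhashed, which is worth stating in a comment on `hash_password`, e.g. `# Hashes only when a plaintext was assigned this save; never write :password via update_column(s).` Existing MD5 rows would presumably need a re-hash on the next successful login, which is outside this hunk. `hash_password` is shown in full, but the surrounding class continues past the hunk.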