lib/devise/models/database_authenticatable.rb in devise-1.1.rc2 vs lib/devise/models/database_authenticatable.rb in devise-1.1.0

- old
+ new

@@ -35,11 +35,11 @@
 # and then trigger any "after_changed_password"-callbacks.
 def password=(new_password)
 @password = new_password
 if @password.present?
- self.password_salt = self.class.encryptor_class.salt
+ self.password_salt = self.class.password_salt
 self.encrypted_password = password_digest(@password)
 end
 end
 # Verifies whether an incoming_password (ie from sign in) is the user password.
@@ -91,9 +91,17 @@
 # Returns the class for the configured encryptor.
 def encryptor_class
 @encryptor_class ||= ::Devise::Encryptors.const_get(encryptor.to_s.classify)
 end
+ def password_salt
+ self.encryptor_class.salt(self.stretches)
+ end
+
+ # We assume this method already gets the sanitized values from the
+ # DatabaseAuthenticatable strategy. If you are using this method on
+ # your own, be sure to sanitize the conditions hash to only include
+ # the proper fields.
 def find_for_database_authentication(conditions)
 find_for_authentication(conditions)
 end
 end
 end
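Review bot: The new right-hand side in `password=`, `self.class.password_salt`, reads like a lookup of a stored value, but the class method added in the second hunk generates a fresh salt on every call, and nothing at the call site says so. A short comment above the assignment would make this clear, for example `# class-level password_salt generates a new salt on every password change; it is not the stored attribute`. The same path now calls the encryptor's `salt` with `stretches`, so an encryptor whose `salt` takes no argument would presumably raise ArgumentError at password assignment. The encryptor classes are not on this page, so that should be confirmed against them and stated in the upgrade notes.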
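Review bot: The comment added above `find_for_database_authentication` records that `conditions` must already be sanitized, but the method still forwards the hash unchanged to `find_for_authentication`, so the guarantee rests entirely on each caller. If application code passes request parameters here directly, the request decides which columns and value shapes go into the lookup. Assuming the model's `authentication_keys` setting is in scope in these class methods, the filter could be enforced in place with `find_for_authentication(conditions.slice(*authentication_keys))`, which leaves the strategy's already-filtered input unaffected. The enclosing module begins outside the hunk, so whether that setting is available here needs checking against the full file.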