From 982b5b3d4e7aa671bbfadbfe42d73c7f259172f7 Mon Sep 17 00:00:00 2001
From: uu59
Date: Thu, 31 Jul 2014 17:34:15 +0900
Subject: [PATCH] Only store password if default password is used

---
 app/controllers/sessions_controller.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index b9cb13b..0c35400 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -38,6 +38,8 @@ class SessionsController < ApplicationController
   def sign_in(user)
     # NOTE: Cookie will encrypt by Rails, but store raw password into session is a bad practice.
     # If we use some DB in the future, change this to store token with expire limitation (not password).
-    session[:succeed_password] = session_params[:password]
+    #
+    # Currently, only store to session if default password is used.
+    session[:succeed_password] = session_params[:password] if session_params[:password] == Settings.default_password
   end
 end
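Review bot: The guarded assignment still writes a raw credential into the session, even though after this change `session[:succeed_password]` can only ever hold `Settings.default_password` or stay unset — that is one bit of information, so a boolean flag carries the same meaning without persisting a password at all, e.g. `password = session_params[:password]` followed by `session[:default_password_in_use] = (password == Settings.default_password)`. Binding `session_params[:password]` once also avoids the duplicated call on the new line. Whatever reads `session[:succeed_password]` (presumably a "change the default password" prompt) lives outside this hunk and would need the matching update, so the key rename should be hedged against those callers. The `user` parameter of `sign_in` is not referenced in the visible body; if it is intentionally unused, renaming it `_user` makes that explicit.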