29th / personnel-v3

Personnel management system version 3
https://www.29th.org

Verify enlistment validation errors rollback user creation as well #254

Closed wilson29thid closed 6 months ago

wilson29thid commented 6 months ago

On testing just now, I deliberately left a validation error (didn't tick yes/no on experience question), and the page it took me to (form with validation errors) showed my name as "Rec. Tester" in the navbar. So the user model was updated with the last name. That's unexpected behaviour. Maybe it's fine, but I should investigate for any bugs. The user doesn't appear to have been created in the database, but I want to understand why this happened at least.

wilson29thid commented 6 months ago

This wasn't a bug or a security issue. The in-memory User instance was simply updated with the form values in the create action before re-rendering, and User#to_s printed the short_name version if last_name had a value. I've made it so User#to_s always shows the username for users who aren't persisted, just to avoid confusion in the future.
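The behaviour described in this thread, as an added example that is not the project's own code: a plain-Ruby stand-in for the model shows that assigning form values changes only the in-memory object, and how a `to_s` that checks `persisted?` keeps the navbar from showing unsaved data. The `create_enlistment` helper, the `to_s_before` name, the `STORE` array and the field names other than `last_name` are assumptions made for illustration.

```ruby
# Stand-in for the Rails model (assumption: the real User is an ActiveRecord class).
class User
  attr_accessor :username, :rank, :last_name

  def initialize(username:, rank: "Rec.")
    @username = username
    @rank = rank
    @persisted = false
  end

  def persisted?
    @persisted
  end

  def save!
    @persisted = true
  end

  def short_name
    "#{rank} #{last_name}"
  end

  # Behaviour described before the change: short_name whenever last_name is set.
  def to_s_before
    last_name.to_s.empty? ? username : short_name
  end

  # Behaviour described after the change: unsaved records always show the username.
  def to_s
    persisted? && !last_name.to_s.empty? ? short_name : username
  end
end

# Hypothetical create action: assign form values, validate, save only when valid.
def create_enlistment(user, store, params)
  user.last_name = params[:last_name] # in-memory assignment only, nothing written
  errors = []
  errors << "experience must be answered" if params[:experience].nil?
  if errors.empty?
    user.save!
    store << user
  end
  # The form is re-rendered with the same in-memory user object.
  { errors: errors, navbar_before: user.to_s_before, navbar_after: user.to_s }
end

STORE = [] # constructed stand-in for the users table
RESULT = create_enlistment(User.new(username: "tester"), STORE,
                           { last_name: "Tester", experience: nil })
```
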