Allow logged in user to change his password

Users were unable to change their password through the "Reset password" link that was sent to their email if they were logged in. This is due to a default controller filter from Devise that requires the user to not be logged in in order to use this link.
2017-12-31 00:08:15 -05:00 · 2017-12-31 00:08:15 -05:00 · 6304fe44ec
parent ff077cf7dc
commit 6304fe44ec
2 changed files with 21 additions and 0 deletions
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@ -1,6 +1,8 @@
 class PasswordsController < Devise::PasswordsController
  include Gitlab::CurrentSettings

+  skip_before_action :require_no_authentication, only: [:edit, :update]
+
  before_action :resource_from_email, only: [:create]
  before_action :check_password_authentication_available, only: [:create]
  before_action :throttle_reset,      only: [:create]
--- a/spec/features/password_reset_spec.rb
+++ b/spec/features/password_reset_spec.rb
@ -33,6 +33,25 @@ feature 'Password reset' do
    end
  end

+  describe 'Changing password while logged in' do
+    it 'updates the password' do
+      user = create(:user)
+      token = user.send_reset_password_instructions
+
+      sign_in(user)
+
+      visit(edit_user_password_path(reset_password_token: token))
+
+      fill_in 'New password', with: 'hello1234'
+      fill_in 'Confirm new password', with: 'hello1234'
+
+      click_button 'Change your password'
+
+      expect(page).to have_content(I18n.t('devise.passwords.updated_not_active'))
+      expect(current_path).to eq new_user_session_path
+    end
+  end
+
  def forgot_password(user)
    visit root_path
    click_on 'Forgot your password?'