Enable sign_in_after_change_password option only when changing password

heartcombo · Dec 28, 2018 · 3c71e42 · 3c71e42
1 parent c6e70b0
commit 3c71e42
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 12 deletions.
diff --git a/app/controllers/devise/registrations_controller.rb b/app/controllers/devise/registrations_controller.rb
@@ -51,7 +51,8 @@ def update
     yield resource if block_given?
     if resource_updated
       set_flash_message_for_update(resource, prev_unconfirmed_email)
-      sign_in_after_change_password
+      bypass_sign_in resource, scope: resource_name if sign_in_after_change_password?
+
       respond_with resource, location: after_update_path_for(resource)
     else
       clean_up_passwords resource
@@ -148,6 +149,7 @@ def translation_scope
 
   def set_flash_message_for_update(resource, prev_unconfirmed_email)
     return unless is_flashing_format?
+
     flash_key = if update_needs_confirmation?(resource, prev_unconfirmed_email)
                   :update_needs_confirmation
                 elsif sign_in_after_change_password?
@@ -158,15 +160,9 @@ def set_flash_message_for_update(resource, prev_unconfirmed_email)
     set_flash_message :notice, flash_key
   end
 
-  def sign_in_after_change_password
-    if sign_in_after_change_password?
-      bypass_sign_in resource, scope: resource_name
-    else
-      sign_out(resource)
-    end
-  end
-
   def sign_in_after_change_password?
-    Devise.sign_in_after_change_password && account_update_params.include?(:password)
+    return true unless resource.saved_change_to_encrypted_password?
+
+    Devise.sign_in_after_change_password
   end
 end
diff --git a/test/integration/registerable_test.rb b/test/integration/registerable_test.rb
@@ -179,7 +179,7 @@ def user_sign_up
     assert warden.authenticated?(:user)
   end
 
-  test 'a signed in user should not still be able to use the website after changing their password if config.sign_in_after_change_password is false' do
+  test 'a signed in user should not be able to use the website after changing their password if config.sign_in_after_change_password is false' do
     swap Devise, sign_in_after_change_password: false do
       sign_in_as_user
       get edit_user_registration_path
@@ -191,7 +191,24 @@ def user_sign_up
 
       assert_contain 'Your account has been updated successfully, but since your password was changed, you need to sign in again'
       assert_equal new_user_session_path, @request.path
-      assert !warden.authenticated?(:user)
+      refute warden.authenticated?(:user)
+    end
+  end
+
+  test 'a signed in user should be able to use the website after changing its email with config.sign_in_after_change_password is false' do
+    swap Devise, sign_in_after_change_password: false do
+      sign_in_as_user
+      get edit_user_registration_path
+
+      fill_in 'email', with: 'user.new@example.com'
+      fill_in 'current password', with: '12345678'
+      click_button 'Update'
+
+      assert_current_url '/'
+      assert_contain 'Your account has been updated successfully.'
+
+      assert warden.authenticated?(:user)
+      assert_equal "user.new@example.com", User.to_adapter.find_first.email
     end
   end