From 3c71e42e8804a77d9ff0903fb6dca585e0cf435d Mon Sep 17 00:00:00 2001
From: knjko
Date: Fri, 28 Dec 2018 10:20:39 +0900
Subject: [PATCH] Enable sign_in_after_change_password option only when changing password

---
 .../devise/registrations_controller.rb | 16 ++++++--------
 test/integration/registerable_test.rb  | 21 +++++++++++++++++--
 2 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/app/controllers/devise/registrations_controller.rb b/app/controllers/devise/registrations_controller.rb
index 79a2bc7692..394c921a5e 100644
--- a/app/controllers/devise/registrations_controller.rb
+++ b/app/controllers/devise/registrations_controller.rb
@@ -51,7 +51,8 @@ def update
     yield resource if block_given?
     if resource_updated
       set_flash_message_for_update(resource, prev_unconfirmed_email)
-      sign_in_after_change_password
+      bypass_sign_in resource, scope: resource_name if sign_in_after_change_password?
+
       respond_with resource, location: after_update_path_for(resource)
     else
       clean_up_passwords resource
@@ -148,6 +149,7 @@ def translation_scope
   def set_flash_message_for_update(resource, prev_unconfirmed_email)
     return unless is_flashing_format?
+
     flash_key = if update_needs_confirmation?(resource, prev_unconfirmed_email)
                   :update_needs_confirmation
                 elsif sign_in_after_change_password?
@@ -158,15 +160,9 @@ def set_flash_message_for_update(resource, prev_unconfirmed_email)
     set_flash_message :notice, flash_key
   end
-  def sign_in_after_change_password
-    if sign_in_after_change_password?
-      bypass_sign_in resource, scope: resource_name
-    else
-      sign_out(resource)
-    end
-  end
-
   def sign_in_after_change_password?
-    Devise.sign_in_after_change_password && account_update_params.include?(:password)
+    return true unless resource.saved_change_to_encrypted_password?
+
+    Devise.sign_in_after_change_password
   end
 end
diff --git a/test/integration/registerable_test.rb b/test/integration/registerable_test.rb
index 3070e53b11..46f09f37b8 100644
--- a/test/integration/registerable_test.rb
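Review bot: The `else` branch that called `sign_out(resource)` is removed without replacement, so in `update` (hunk at -51) a password change with `Devise.sign_in_after_change_password` set to false now neither bypasses sign-in nor signs the user out; ending the old session is left to whatever Devise does with the stale session on the next request, which this hunk does not show. Making the sign-out explicit keeps that behaviour local and auditable, e.g. `sign_out(resource) unless sign_in_after_change_password?` directly after the new `bypass_sign_in` line. The rewritten `sign_in_after_change_password?` (hunk at -158) also switches from inspecting `account_update_params` to `resource.saved_change_to_encrypted_password?`, which looks like the ActiveRecord 5.1 dirty-tracking API; if this controller is meant to work with the other ORMs Devise supports, that method may not exist on the resource, so a comment stating the assumption or a `respond_to?` guard would help. `update` continues outside the hunk.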
+++ b/test/integration/registerable_test.rb
@@ -179,7 +179,7 @@ def user_sign_up
     assert warden.authenticated?(:user)
   end
-  test 'a signed in user should not still be able to use the website after changing their password if config.sign_in_after_change_password is false' do
+  test 'a signed in user should not be able to use the website after changing their password if config.sign_in_after_change_password is false' do
     swap Devise, sign_in_after_change_password: false do
       sign_in_as_user
       get edit_user_registration_path
@@ -191,7 +191,24 @@ def user_sign_up
       assert_contain 'Your account has been updated successfully, but since your password was changed, you need to sign in again'
       assert_equal new_user_session_path, @request.path
-      assert !warden.authenticated?(:user)
+      refute warden.authenticated?(:user)
+    end
+  end
+
+  test 'a signed in user should be able to use the website after changing its email with config.sign_in_after_change_password is false' do
+    swap Devise, sign_in_after_change_password: false do
+      sign_in_as_user
+      get edit_user_registration_path
+
+      fill_in 'email', with: 'user.new@example.com'
+      fill_in 'current password', with: '12345678'
+      click_button 'Update'
+
+      assert_current_url '/'
+      assert_contain 'Your account has been updated successfully.'
+
+      assert warden.authenticated?(:user)
+      assert_equal "user.new@example.com", User.to_adapter.find_first.email
     end
   end
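Review bot: The new test in the second hunk (-191) mixes quoting styles: `assert_equal "user.new@example.com", User.to_adapter.find_first.email` uses double quotes while every other literal in the hunk, including the same address in `fill_in 'email', with: 'user.new@example.com'`, uses single quotes; `assert_equal 'user.new@example.com', User.to_adapter.find_first.email` would match the file. The test name also says "changing its email" where the sibling test just above says "changing their password"; aligning the wording makes the two names read as a pair.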