This is an issue I've had trouble with in the past, and something that requires a little bit of a work-around. By default, Devise's :registerable module allows a user to change their information, and requires the :password and :password_confirmation parameters to be entered. As I understand it, you're trying to require the user to enter and confirm their :current_password.

In order to implement the behavior you're looking for, you'll have to override Devise's RegistrationsController. I also don't think you'll need the PasswordsController, since Devise's RegistrationsController handles that for you. You'll need to write and implement a method that checks the validity of the user's :current_password, and then redirects them to the right places via the update action. You can write the following private method in your Users::RegistrationsController class:

    # True when the email changes or a new password (or confirmation) is supplied
    def needs_password?(user, params)
      user.email != params[:user][:email] ||
        params[:user][:password].present? ||
        params[:user][:password_confirmation].present?
    end

Then revise your update method in Users::RegistrationsController as follows:

    class Users::RegistrationsController < Devise::RegistrationsController
      def update
        @user = User.find(current_user.id)

        successfully_updated = if needs_password?(@user, params)
          # Sensitive change: Devise verifies current_password before saving
          @user.update_with_password(devise_parameter_sanitizer.sanitize(:account_update))
        else
          # remove the virtual current_password attribute
          # update_without_password doesn't know how to ignore it
          params[:user].delete(:current_password)
          @user.update_without_password(devise_parameter_sanitizer.sanitize(:account_update))
        end

        if successfully_updated
          set_flash_message :notice, :updated
          # Sign in the user bypassing validation in case their password changed
          sign_in @user, :bypass => true
          redirect_to after_update_path_for(@user)
        else
          render "edit"
        end
      end
    end

Hopefully that will help. You can also refer to Devise's documentation on how to do this: https://github.com/plataformatec/devise/wiki/How-To%3a-Allow-users-to-edit-their-account-without-providing-a-password.
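
The branching described in this answer, modeled in plain Ruby so the gate can be exercised without Rails. This is an added example, not the answerer's or Devise's code: DemoUser, blank? and apply_update are hypothetical stand-ins that only mimic the two update paths, and all sample values are constructed.

```ruby
# Stand-in for ActiveSupport's blank?/present? (assumption: strings and nil only).
def blank?(value)
  value.nil? || value.to_s.strip.empty?
end

# Same test as the answer's needs_password?, without ActiveSupport.
def needs_password?(user, params)
  user.email != params[:user][:email] ||
    !blank?(params[:user][:password]) ||
    !blank?(params[:user][:password_confirmation])
end

# Hypothetical user model mimicking the two Devise update paths.
DemoUser = Struct.new(:email, :name, :secret) do
  # Refuses every change unless current_password matches the stored secret.
  def update_with_password(attrs)
    attrs = attrs.dup
    return false unless attrs.delete(:current_password) == secret
    new_secret = attrs.delete(:password)
    return false unless new_secret == attrs.delete(:password_confirmation)
    self.secret = new_secret unless blank?(new_secret)
    attrs.each { |key, value| self[key] = value }
    true
  end

  # Never touches the password, even if password keys slip through.
  def update_without_password(attrs)
    safe = attrs.reject { |key, _| %i[password password_confirmation].include?(key) }
    safe.each { |key, value| self[key] = value }
    true
  end
end

# Mirrors the controller's update action: returns [path_taken, success].
def apply_update(user, params)
  if needs_password?(user, params)
    [:with_password, user.update_with_password(params[:user])]
  else
    attrs = params[:user].reject { |key, _| key == :current_password }
    [:without_password, user.update_without_password(attrs)]
  end
end
```

Note that a form which omits the email field makes the email comparison fail, so the current password is then always demanded.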