Allow logged in user to change his passwordrd-fix-reset-password-while-logged-in

Users were unable to change their password through the "Reset password"
link that was sent to their email if they were logged in. This is due to
a default controller filter from Devise that requires the user to not be
logged in in order to use this link.

2 files changed, 21 insertions, 0 deletions

diff --git a/app/controllers/passwords_controller.rb b/app/controllers/passwords_controller.rb
index 68a52f40342..57761bfbe26 100644
--- a/app/controllers/passwords_controller.rb
+++ b/app/controllers/passwords_controller.rb
@@ -1,6 +1,8 @@
 class PasswordsController < Devise::PasswordsController
   include Gitlab::CurrentSettings
 
+  skip_before_action :require_no_authentication, only: [:edit, :update]
+
   before_action :resource_from_email, only: [:create]
   before_action :check_password_authentication_available, only: [:create]
   before_action :throttle_reset,      only: [:create]
diff --git a/spec/features/password_reset_spec.rb b/spec/features/password_reset_spec.rb
index b45972b7f6b..73a526c3d8a 100644
--- a/spec/features/password_reset_spec.rb
+++ b/spec/features/password_reset_spec.rb
@@ -33,6 +33,25 @@ feature 'Password reset' do
     end
   end
 
+  describe 'Changing password while logged in' do
+    it 'updates the password' do
+      user = create(:user)
+      token = user.send_reset_password_instructions
+
+      sign_in(user)
+
+      visit(edit_user_password_path(reset_password_token: token))
+
+      fill_in 'New password', with: 'hello1234'
+      fill_in 'Confirm new password', with: 'hello1234'
+
+      click_button 'Change your password'
+
+      expect(page).to have_content(I18n.t('devise.passwords.updated_not_active'))
+      expect(current_path).to eq new_user_session_path
+    end
+  end
+
   def forgot_password(user)
     visit root_path
     click_on 'Forgot your password?'