Fixes #1466, override passwords controller from Devise

app/controllers/application_controller.rb

@@ -63,7 +63,8 @@ def pundit_unverified_modules
 
   def pundit_unverified_classes
     [
-      'RegistrationsController', 'SessionsController', 'ConfirmationsController', 'ToolboxController',
+      'RegistrationsController', 'SessionsController', 'ConfirmationsController',
+      'PasswordsController', 'ToolboxController',
       'BankDetailsController', 'ExportsController', 'WelcomeController',
       'CategoriesController', 'Peek::ResultsController', 'StyleguidesController',
       'RemoteValidationsController', 'DiscourseController'

app/controllers/passwords_controller.rb

@@ -0,0 +1,17 @@
+#   Copyright (c) 2012-2015, Fairmondo eG.  This file is
+#   licensed under the GNU Affero General Public License version 3 or later.
+#   See the COPYRIGHT file for details.
+
+class PasswordsController < Devise::PasswordsController
+  def update
+    super
+
+    # TODO: Remove duplicate code in passwords and sessions controllers
+    if cart = Cart.find_by_id(cookies.signed[:cart])
+      cart.update_attribute :user_id, current_user.id unless cart.user_id
+    else # user probably doesn't have cart cookie set
+      @current_cart = Cart.current_for current_user
+      cookies.signed[:cart] = @current_cart.id if @current_cart
+    end
+  end
+end

config/routes.rb

@@ -31,7 +31,8 @@
 
   resources :contents
 
-  devise_for :user, controllers: { registrations: 'registrations', sessions: 'sessions', confirmations: 'confirmations' }
+  devise_for :user, controllers: { passwords: 'passwords', registrations: 'registrations',
+                                   sessions: 'sessions', confirmations: 'confirmations' }
 
   namespace :toolbox do
     get 'session_expired', as: 'session_expired', constraints: { format: 'json' } # JSON info about session expiration. Might be moved to a custom controller at some point.