check_current_password_before_update still requires password when resetting password #526

Closed
paulius005 opened this issue Feb 6, 2016 · 5 comments

Comments

@paulius005

I have config.check_current_password_before_update = :password enabled. So when the user updates his/her password, the current_password field is required. This becomes a problem when implementing Password reset because the user does not know his/her current password. How do I bypass this and still require the current_password when the user is not resetting his/her password?

@tmjfitch

tmjfitch commented Feb 6, 2016

I've run into the same issue when trying to handle the password reset workflow. Any suggestions?

@paulius005
Author

I see this

```ruby
# ensure that user is confirmed
@resource.skip_confirmation! if @resource.devise_modules.include?(:confirmable) && !@resource.confirmed_at
```

inside of devise_token_auth/passwords_controller.rb

but update gets called instead of when I use $auth.updatePassword within ng-token-auth and it looks like @resource.allow_password_change = false; this may be overriding it

@paulius005
Author

Hmm, just overrode the controller. Edit sets @resource.allow_password_change to true, so that's fine; by the time update is called, @resource.allow_password_change is false again. This makes sense since instance variables are only live for the duration of the request. So that seems to be an issue, unless I am using something wrong.

Looking for ways around this, the only way I can think of is to use a class variable as a temporary solution. However, this does not seem ideal since multiple users toggling this could result in some bad collisions.

@paulius005
Author

Checked. This situation is not covered by unit tests and is not used in the demo code.

@paulius005
Author

Currently going to solve by passing another resource_param called :allow and let update set @resource.allow_password_change to true until someone can help with a better solution.
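
An added example, not part of the thread and not devise_token_auth's code: a plain-Ruby model of keeping the reset permission as server-side state that is set when the reset token is redeemed, so `update` can waive the current-password check without reading a request parameter such as `:allow`, which any caller of `update` can send. `User`, `redeem_reset_token` and `update_password` are hypothetical names, and the flag is assumed to be a stored attribute rather than a per-request instance variable.

```ruby
require "securerandom"
require "digest"

# Hypothetical stand-in for a persisted user row (constructed for this example).
# A real model stores a password hash, not the password itself.
User = Struct.new(:password, :reset_token_digest, :allow_password_change)

# Models the "edit" request: redeeming the emailed token flips a flag that is
# stored on the record, so it is still set when the next request arrives.
def redeem_reset_token(user, token)
  return false if user.reset_token_digest.nil?
  return false unless Digest::SHA256.hexdigest(token.to_s) == user.reset_token_digest

  user.reset_token_digest = nil       # the token is single use
  user.allow_password_change = true   # server-side state, never sent by the client
  true
end

# Models the "update" request. Only the stored flag can waive the
# current-password check; a client-supplied params[:allow] is never read.
def update_password(user, params)
  unless user.allow_password_change
    return :current_password_required unless params[:current_password] == user.password
  end
  return :confirmation_mismatch unless params[:password] == params[:password_confirmation]

  user.password = params[:password]
  user.allow_password_change = false  # one password change per redeemed token
  :ok
end

if __FILE__ == $PROGRAM_NAME
  token = SecureRandom.hex(16)        # constructed sample token
  user  = User.new("old-pass", Digest::SHA256.hexdigest(token), false)

  # A client-supplied :allow does not bypass the check.
  p update_password(user, password: "x", password_confirmation: "x", allow: true)
  # The reset flow works without the current password.
  p redeem_reset_token(user, token)
  p update_password(user, password: "new-pass", password_confirmation: "new-pass")
  # After the reset, the normal rule applies again.
  p update_password(user, password: "y", password_confirmation: "y")
end
```
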


2 participants