
Password edit page available when user is signed in. #3359

Closed
EnotPoloskun opened this issue Dec 8, 2014 · 2 comments

Comments

@EnotPoloskun

Ruby version: ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-darwin13.0]
Rails version: Rails 3.2.21
Devise version: 3.4.1

Steps to reproduce:

  1. Sign up
  2. Log out
  3. Send reset password instructions for the user
  4. Sign in
  5. Open the reset password instructions and copy the reset link (you can see the email in the Rails logs)
  6. Add any invalid format to the URL (http://localhost:3000/users/password/edit?reset_password_token=r9ossoUefCFD3sNUGPxW -> http://localhost:3000/users/password/edit.123?reset_password_token=r9ossoUefCFD3sNUGPxW)
  7. Open the page

When there is no invalid format, the require_no_authentication method redirects to after_sign_in_path(resource), but if an invalid format is manually added, require_no_authentication returns nil. But for the sign-in page, if an invalid format is added, the server responds with "406 Not Acceptable" and the page is not displayed.

Here is a GitHub repo with a sample app: https://github.com/EnotPoloskun/devise-bug
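The filter behaviour described in the report, as an added illustration that is neither the reporter's sample app nor Devise's own code: a Rails-free Ruby model of a require-no-authentication before-filter, with the early-return-on-format variant beside a hardened one. It assumes (as the report suggests) that the real filter returns early for non-navigational formats; the request/response structs, format sets and redirect path are constructed stand-ins.

```ruby
# Added example (not Devise's or the reporter's code): a minimal, Rails-free
# model of a "require no authentication" before-filter, showing why an early
# return keyed on the request format lets a signed-in user reach the page.
require 'set'

NAVIGATIONAL_FORMATS = Set.new(%w[html])      # assumption: stands in for the app's navigational formats
KNOWN_FORMATS        = Set.new(%w[html json]) # assumption: formats the endpoint actually serves

Request  = Struct.new(:format, :signed_in, keyword_init: true)
Response = Struct.new(:status, :location, :flash, keyword_init: true)

# Buggy variant: the filter skips its check for non-navigational formats.
# An unknown format such as "123" is not navigational, so the filter returns
# nil, the filter chain continues, and the edit action renders.
def require_no_authentication_buggy(req)
  return nil unless NAVIGATIONAL_FORMATS.include?(req.format)
  return nil unless req.signed_in
  Response.new(status: 302, location: '/after_sign_in', flash: 'You are already signed in.')
end

# Hardened variant: reject formats the endpoint does not serve before any
# other branch, then always enforce the signed-in check.
def require_no_authentication_hardened(req)
  return Response.new(status: 406, location: nil, flash: nil) unless KNOWN_FORMATS.include?(req.format)
  return nil unless req.signed_in
  Response.new(status: 302, location: '/after_sign_in', flash: 'You are already signed in.')
end

# Runs a filter and reports the outcome: the halting status, or :render
# when the filter did not halt and the action would run.
def dispatch(filter, req)
  halted = filter.call(req)
  halted ? halted.status : :render
end

# Walk the reproduction steps with constructed requests from a signed-in user.
def outcomes
  signed_in_html    = Request.new(format: 'html', signed_in: true)
  signed_in_invalid = Request.new(format: '123',  signed_in: true)
  {
    buggy_html:       dispatch(method(:require_no_authentication_buggy),    signed_in_html),
    buggy_invalid:    dispatch(method(:require_no_authentication_buggy),    signed_in_invalid),
    hardened_html:    dispatch(method(:require_no_authentication_hardened), signed_in_html),
    hardened_invalid: dispatch(method(:require_no_authentication_hardened), signed_in_invalid),
  }
end

puts outcomes.inspect if $PROGRAM_NAME == __FILE__
```

The buggy variant renders the page for the `.123` request while redirecting the plain `.html` one; the hardened variant answers 406 for the unknown format, matching what the report observes on the sign-in page.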

@josevalim
Contributor

The logic is that if the user was just able to sign in, should they still be able to reset their password?

@EnotPoloskun
Author

The logic is that a user can access the reset password page while logged in by adding an invalid format to the URL (described above). If there is no invalid format, the user is redirected with the flash "you are already signed in".
