skip_before_filter :authenticate, :only => [:edit, :update]
this is a recent addition.
I don't understand the problem. Unauthenticated users can still access this page even if you before_filter :authenticate in your ApplicationController. That was the reason for this change.
I do before_filter :authenticate in ApplicationController by default.
Clearance::PasswordsController has a 'new' action.
By skipping :authenticate only on :edit and :update by default unauthenticated users cannot access the 'new' action for password recovery.
I see what you're saying. We missed :new and :create with that commit. This problem existed before our recent addition, which was intended to fix the problem. Thanks for noticing it. Fixing it now.
[#69] Allow Rails apps to before_filter :authenticate the entire app
in ApplicationController and still have password recovery work without
overriding any controllers. (Claudio Poli, Dan Croak)