Devise logging out automatically after password change

In Devise, if I change a user's password, the site immediately logs the user out once the password is updated in the db. I don't want this behavior. How do I do that? Please help.

Flan answered 24/11, 2010 at 8:29 Comment(2)
"This feature was added exactly for such scenarios, an admin, when edits someones password, can be sure that the person will be signed out. Very very useful in situations you have some device stolen and changing your password in the website will make sure the person who stole your device won't be able to access that specified website." bit.ly/1qkO7jx - Persuasion
bypass_sign_in(@user) for rails > 5 - Nevarez
132

I had the same problem and the following code seems to work for me.

Assume that the passwords controller is set for a singleton route. Also, assume that the authenticated model is an Account. With that, you have the following:

def update
  if current_account.update_with_password(params[:account])
    sign_in(current_account, :bypass => true)
    flash[:notice] = 'Password updated.'
    redirect_to account_path
  else
    render :action => :show
  end
end

The key ingredient is the sign_in method call which seeks to re-sign-in the account, but bypasses the warden callbacks and stores the account into the session.

Kape answered 1/2, 2011 at 4:48 Comment(7)
Thanks for the verification. My guess is that the author has moved on to other problems by now. Glad it works for you. I still owe their wiki a page to help others. - Kape
Thanks, it worked for me too, although I'm not sure why Devise would sign out the user in the first place. - Cide
A note for all future readers: if this doesn't work and you need to first add sign_out above the sign_in, first capture the model in an instance variable so you can pass it in through the sign_in method, otherwise you'll be passing in nil. - Megavolt
If current_user.update_with_password(bleh) returns false then you are probably missing current_password in the params, as I was. Check the source. - Eldwin
@BillEisenhauer does this code go into the passwords controller or the update method of the registrations controller? Will this solution work for users who update their own passwords? - Minute
@Questifer: this answer presumed that the implementation viewed the password as a singleton resource. As such, the update action's scope is strictly the password itself. Though it was never made clear, and it's been several years since I proposed the answer, you could imagine the request is posting the old password, the new password, and the confirmation password. Hope this helps. - Kape
This isn't working in Devise 3.4.1. #30418468 - Gravity
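
Why the sign-out happens and what the bypass changes, as an added example that is not part of any answer here and is not Devise's code: Devise keeps the account id together with a salt taken from encrypted_password in the session, so a password change invalidates every existing session, and bypass_sign_in rewrites only the current one. ToyAccount, the two helper functions and the PBKDF2 stand-in for bcrypt are assumptions made for the illustration.

```ruby
require "openssl"
require "securerandom"

# Toy stand-in for a Devise model; stdlib PBKDF2 replaces bcrypt (assumption).
class ToyAccount
  attr_reader :id, :encrypted_password

  def initialize(id, password)
    @id = id
    self.password = password
  end

  # A fresh random salt on every change is what makes old sessions stale.
  def password=(new_password)
    salt = SecureRandom.hex(16)
    key = OpenSSL::KDF.pbkdf2_hmac(new_password, salt: salt, iterations: 10_000,
                                   length: 32, hash: "sha256")
    @encrypted_password = "#{salt}$#{key.unpack1('H*')}"
  end

  # Devise derives this value from the first characters of encrypted_password.
  def authenticatable_salt
    encrypted_password[0, 29]
  end
end

# What sign_in / bypass_sign_in leave in the session: the id plus the salt.
def serialize_into_session(account)
  { "id" => account.id, "salt" => account.authenticatable_salt }
end

# Per-request check: nil (signed out) when the stored salt no longer matches.
def account_from_session(accounts, session)
  account = accounts[session["id"]]
  account if account && account.authenticatable_salt == session["salt"]
end

# Constructed scenario: one account signed in from two browsers.
def password_change_scenario
  account = ToyAccount.new(1, "old-password")
  accounts = { account.id => account }
  laptop = serialize_into_session(account)
  other_device = serialize_into_session(account)
  account.password = "new-password"
  signed_out = account_from_session(accounts, laptop).nil?
  laptop = serialize_into_session(account) # the effect of bypass_sign_in(account)
  { signed_out_after_change: signed_out,
    laptop_after_bypass: !account_from_session(accounts, laptop).nil?,
    other_device_still_valid: !account_from_session(accounts, other_device).nil? }
end
```

The other device staying signed out is the behaviour the first comment on the question describes for a stolen device.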
13

You can simply set sign_in_after_reset_password in your devise.rb

config.sign_in_after_reset_password = true

Edit: As of 2020 this defaults to true

Maun answered 18/8, 2017 at 12:39 Comment(4)
Great solution, do you know why they disable this by default? Seems like it should be the other way around. - Tuscan
As with most things in such frameworks, I suspect backward compatibility. - Maun
As of 2020 this defaults to true, so a user is signed in automatically after changing a password. - Redblooded
Adding this does not seem to have an effect on a user password reset for me. I actually want the user to be logged out when an Admin resets their password but the session remains. Hmmm. - Misquotation
12

The example above did not work for me using multiple scopes in Devise.

I had to add the scope/resource name in the sign_in path for it to work, and to prevent chaos I also had to sign out the old user or else all kinds of confusion would abound.

The changes I had to make would look something like this using the above example.

def update
   if current_account.update_with_password(params[:account])
     sign_out(current_account)
     sign_in(:account, current_account, :bypass => true)
     flash[:notice] = 'Password updated.'
     redirect_to account_path
   else
     render :action => :show
   end
end

Edit to add: I believe I had to forcibly sign out the user because somewhere I overrode Devise's code in order not to have users sign out during certain actions. In hindsight, not a good idea! This approach is much better, since it is safer to make your own controllers than to override Devise's code unless it's absolutely unavoidable.

Colliery answered 21/7, 2012 at 3:46 Comment(1)
Finally! Found it! This worked! Turns out I didn't need sign_out current_user but did need sign_in :user, @user, bypass: true. - Gravity
11

Use this code to avoid sign out.

sign_in(current_user, :bypass => true)
Corneille answered 16/9, 2012 at 9:38 Comment(0)
8

Update to Bill Eisenhauer's answer above:

sign_in(current_account, :bypass => true) has been deprecated; use bypass_sign_in current_account instead.

More details can be found here http://www.rubydoc.info/github/plataformatec/devise/Devise/Controllers/SignInOut#bypass_sign_in-instance_method

Kazim answered 6/3, 2018 at 3:55 Comment(0)
4

Add the following piece of code to your method in which you are updating the user's password, right after updating the user's password in the database:

def update
  # ... your code that updates the user's password ...

  # Re-store the updated user in the session so they stay signed in
  sign_in(@user, :bypass => true)

  # ... your code ...
end
Sancha answered 9/9, 2012 at 16:24 Comment(0)
2

For some reason, current_user is not equal to @user although current_user.id is equal to @user.id. So I have to use sign_in(@user, :bypass => true).

Hiroko answered 17/11, 2013 at 19:58 Comment(2)
That's puzzling behaviour. I raised a question related to this but it got deleted because no answer was received. For reference, stackoverflow.com/q/39490056/936494 is my question's link. - Drawn
Maybe you need to reload the user object? Try calling user.reload - Tuscan
1

Please refer to this answer here; I tried all the above answers. It didn't work because the scope was not added. https://mcmap.net/q/266148/-how-do-i-keep-the-user-signed-in-after-they-update-their-password-using-devise-duplicate

This doesn't work - sign_in @user, bypass: true

This works - sign_in :user, @user, bypass: true

Toughminded answered 8/6, 2020 at 12:56 Comment(0)
0

Use the registerable module, which will give you both sign-up and edit-user features:

https://github.com/plataformatec/devise/wiki/How-To:-Allow-users-to-edit-their-password

Empirical answered 6/5, 2011 at 4:9 Comment(0)
0

As of 2024, use the following method, as sign_in(current_user, :bypass => true) is deprecated.

bypass_sign_in(current_user)
Nocti answered 24/5 at 12:52 Comment(0)
