Rails Devise - Allow user to edit their account without CURRENT password

0
votes

I am using Devise and want to allow a user to edit their account without their current_password. I still want the password and password_confirmation present, just not the current_password.

I've read the Devise wiki where you can update_without_password, but haven't been able to find anything on how to only update_without_current_password.

Any ideas?

class Users::RegistrationsController < Devise::RegistrationsController
  def configure_account_update_params
    devise_parameter_sanitizer.for(:account_update) << [:first_name, :last_name, :email, :locale, :time_zone, :phone, :password, :password_confirmation]
  end
end
1
ruby-on-rails-3devise

1 Answers

0
votes

Stealing from the Wiki directly:

By default, Devise allows users to change their password using the :registerable module. But sometimes, developers want to create other actions that allow the user to change their information without requiring a password. The best option in this case is to create your own controller, that belongs to your application, and provide an edit and update actions, as you would do for any other resource in your application.

Keep in mind though to be restrictive in the parameters you allow to be changed. In particular, you likely want to permit just user data fields and avoid e-mail, password and such information to be changed:

params[:user].permit(:first_name, :last_name, :address)

The other solution would be to simply override "update resource" method in your registrations controller like that

class RegistrationsController < Devise::RegistrationsController

  protected

  def update_resource(resource, params)
    resource.update_without_password(params)
  end
end

And don't forget to tell devise use your controller in routes.rb:

devise_for :users, controllers: {registrations: 'registrations'}

Here's a link to the original: https://github.com/plataformatec/devise/wiki/How-To:-Allow-users-to-edit-their-account-without-providing-a-password.