Devise automatically logs off current user on password change
Closed this issue · 11 comments
I am using 1.3.0.dev
I've got an admin account which enables him to change other users' passwords. Every time this happens, Devise logs out the user. I don't understand why Devise needs to log out users whose passwords have been changed. Really strange behavior.
What is the recommended workaround / solution for this?
My code can be found here: https://gist.github.com/903366
A temporary solution I have come up with is:
def update
  @admin = Admin.find(params[:id])
  authorize! :manage, current_admin
  respond_to do |format|
    if @admin.update_attributes(params[:admin])
      sign_in(@admin, :bypass => true)
      format.html { redirect_to([:admin, @admin], :notice => 'Admin was successfully updated.') }
      format.xml { head :ok }
    else
      format.html { render :action => "edit" }
      format.xml { render :xml => @admin.errors, :status => :unprocessable_entity }
    end
  end
end
However, with the above code, I am concerned that if I change an admin's password who is logged on, it will force him to log off, if he is already logged in. Could be wrong here...
sign_in(@admin, :bypass => true) is correct. :bypass takes care of not executing any warden callback, it just updates the signed in credentials, so calling it even if the user has not updated his password is fine.
Hi Josevalim. Just to clarify, if I am the admin, and I edit Foobar's password (who is also logged onto the app), it won't force Foobar to log off?
Second, I believe it would have to be:
sign_in(@admin, :bypass => true) if @admin == current_admin
So as not to sign in other admins by accident. Or am I wrong?
Oh, in this case yes. It will. This feature was added exactly for such scenarios: when an admin edits someone's password, they can be sure that the person will be signed out. Very very useful in situations where you have some device stolen, and changing your password on the website will make sure the person who stole your device won't be able to access that specified website. Afaik, that is how most (important) websites implement it.
Thanks for clearing that up.
Hi Jose,
I just upgraded devise, and now I'm having the same issue when a user updates their own password. Is that the correct behavior?
I am having the same issue. Updating your own password logs out the user.
I saw logouts when updating the password, after upgrading to devise 1.5.0. The only fix I needed was to add :bypass => true to sign_in(@user).
I am also having this issue. I added :bypass => true to sign_in(@user, :bypass => true). If the password change is successful it doesn't sign_out the user, but if it fails (if the new provided password and password_confirmation do not match) it signs out the user...
here's my code
@artist = current_artist
password = params[:artist][:password]
verify_password = params[:artist][:password_confirmation]
@artist.update_with_password(params[:artist])
sign_in(@artist, :bypass => true)
I am not redirecting, since I am using an AJAX request to do this I just render JSON in the end.
@mabid, try changing to only call sign_in if the user was updated successfully...
if @artist.update_with_password(params[:artist])
  sign_in(@artist, :bypass => true)
end
I don't think you're supposed to sign_in an invalid user object. (Maybe its encrypted_password attribute was changed in memory but not saved to the database, so on the next request, warden checks based on the value from the database and finds that things don't match?)
I ran into the same problem myself until I added an if statement around my sign_in
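The behaviour josevalim describes above (a password change invalidates the session of whoever's password changed, your own included) and the conditional sign_in fix, replayed in a small simulation. This is an added example, not Devise's code: User, Session and password_change_scenario are constructed stand-ins, and SHA-256 with a random salt replaces bcrypt.

```ruby
require "securerandom"
require "digest"
# Toy model (not Devise's code) of how Devise ties a session to the password
# hash: the session holds [user.id, user.authenticatable_salt] and a request is
# rejected once that salt no longer matches the stored record. SHA-256 with a
# random salt stands in for bcrypt; Devise takes the salt from the hash prefix.
class User
  attr_reader :id, :encrypted_password
  def initialize(id, password)
    @id = id
    self.password = password
  end
  # A fresh random salt yields a new hash, so authenticatable_salt changes too.
  def password=(plain)
    salt = SecureRandom.hex(8)
    @encrypted_password = salt + Digest::SHA256.hexdigest(salt + plain)
  end
  def authenticatable_salt
    encrypted_password[0, 16]
  end
end
# Stand-in for the Warden session. sign_in writes the pair (with :bypass => true
# Devise does only this, skipping callbacks); current_user re-checks it per request.
class Session
  def sign_in(user)
    @user_key = [user.id, user.authenticatable_salt]
  end
  def current_user(users)
    id, salt = @user_key
    user = users[id]
    user if user && user.authenticatable_salt == salt
  end
end
# Replays the thread's two cases: a user changing their own password, and an
# admin changing someone else's. Returns which sessions survive each change.
def password_change_scenario
  users = { 1 => User.new(1, "old-secret"), 2 => User.new(2, "hunter2") }
  admin, foobar = users[1], users[2]
  admin_session = Session.new.tap { |s| s.sign_in(admin) }
  foobar_session = Session.new.tap { |s| s.sign_in(foobar) }
  admin.password = "new-secret"
  logged_out = admin_session.current_user(users).nil?   # own change: logged out
  admin_session.sign_in(admin)                          # the sign_in(:bypass) fix
  restored = admin_session.current_user(users).equal?(admin)
  foobar.password = "reset-by-admin"                    # admin resets Foobar
  { own_change_logs_out: logged_out, sign_in_restores: restored,
    foobar_logged_out: foobar_session.current_user(users).nil?,
    admin_still_signed_in: admin_session.current_user(users).equal?(admin) }
end
```

Calling sign_in only inside the success branch matters because a failed update_with_password leaves the record unchanged in the database, so re-serializing an in-memory object with a different hash just produces a session that the next request rejects.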
...
This feature was added exactly for such scenarios, an admin, when edits someones password, can be sure that the person will be signed out.
This is very reasonable. However, the current user (who made the password change) is logged out as well, which is a bit counterintuitive, IMO. BTW, I am using devise 4.1.1.