diff --git a/CHANGELOG.md b/CHANGELOG.md
index fbb7fe42..a84d5a21 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,8 @@
 ### Unreleased
 * enhancements
- * Allow resource class scopes to override the global configuration for `sign_in_after_change_password` behaviour. [#5824](https://github.com/heartcombo/devise/pull/5824)
+ * Allow resource class scopes to override the global configuration for `sign_in_after_change_password` behaviour. [#5825](https://github.com/heartcombo/devise/pull/5825)
+ * Add `sign_in_after_reset_password?` check hook to passwords controller, to allow it to be customized by users. [#5826](https://github.com/heartcombo/devise/pull/5826)
 ### 5.0.1 - 2026-02-13
diff --git a/app/controllers/devise/passwords_controller.rb b/app/controllers/devise/passwords_controller.rb
index 3af1f864..68b8dc87 100644
--- a/app/controllers/devise/passwords_controller.rb
+++ b/app/controllers/devise/passwords_controller.rb
@@ -36,7 +36,7 @@ class Devise::PasswordsController < DeviseController
 if resource.errors.empty?
 resource.unlock_access! if unlockable?(resource)
- if resource_class.sign_in_after_reset_password
+ if sign_in_after_reset_password?
 flash_message = resource.active_for_authentication? ? :updated : :updated_not_active
 set_flash_message!(:notice, flash_message)
 resource.after_database_authentication
@@ -53,7 +53,7 @@ class Devise::PasswordsController < DeviseController
 protected
 def after_resetting_password_path_for(resource)
- resource_class.sign_in_after_reset_password ? after_sign_in_path_for(resource) : new_session_path(resource_name)
+ sign_in_after_reset_password? ? after_sign_in_path_for(resource) : new_session_path(resource_name)
 end
 # The path used after sending reset password instructions
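Review bot: `sign_in_after_reset_password?` is now consulted at two separate points, the `if` inside `update` (hunk at -36) and `after_resetting_password_path_for` (hunk at -53), and nothing tells an overrider that both calls must agree. Before this change both sites read the same class-level setting and could not diverge; with an override that depends on `resource` or request state, the sign-in decision and the redirect target can disagree. I would state the contract on the hook, e.g. `# May be called more than once per request; keep it side-effect free and return the same value each time.` The body of `update` starts and ends outside the hunk, so that the path helper runs in the same request is inferred from its name rather than shown.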
@@ -69,6 +69,11 @@ class Devise::PasswordsController < DeviseController
 end
 end
+ # Check if the user should be signed in automatically after resetting the password.
+ def sign_in_after_reset_password?
+ resource_class.sign_in_after_reset_password
+ end
+
 # Check if proper Lockable module methods are present & unlock strategy
 # allows to unlock resource on password reset
 def unlockable?(resource)
diff --git a/app/controllers/devise/registrations_controller.rb b/app/controllers/devise/registrations_controller.rb
index 33def66d..79e2b0e8 100644
--- a/app/controllers/devise/registrations_controller.rb
+++ b/app/controllers/devise/registrations_controller.rb
@@ -82,12 +82,6 @@ class Devise::RegistrationsController < DeviseController
 protected
- def update_needs_confirmation?(resource, previous)
- resource.respond_to?(:pending_reconfirmation?) &&
- resource.pending_reconfirmation? &&
- previous != resource.unconfirmed_email
- end
-
 # By default we want to require a password checks on update.
 # You can overwrite this method in your own RegistrationsController.
 def update_resource(resource, params)
@@ -133,6 +127,13 @@ class Devise::RegistrationsController < DeviseController
 self.resource = send(:"current_#{resource_name}")
 end
+ # Check if the user should be signed in automatically after updating the password.
+ def sign_in_after_change_password?
+ return true if account_update_params[:password].blank?
+
+ resource_class.sign_in_after_change_password
+ end
+
 def sign_up_params
 devise_parameter_sanitizer.sanitize(:sign_up)
 end
@@ -160,9 +161,9 @@ class Devise::RegistrationsController < DeviseController
 set_flash_message :notice, flash_key
 end
- def sign_in_after_change_password?
- return true if account_update_params[:password].blank?
-
- resource_class.sign_in_after_change_password
+ def update_needs_confirmation?(resource, previous)
+ resource.respond_to?(:pending_reconfirmation?) &&
+ resource.pending_reconfirmation? &&
+ previous != resource.unconfirmed_email
 end
 end
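Review bot: The one-line comment on `sign_in_after_reset_password?` does not say what a true result grants. Judging by the `update` hunk at -36, it appears to lead straight into the post-authentication path for whoever completed the reset, on the strength of the reset token alone. Since the hook exists to be overridden, I would spell that out, e.g. `# Returning true signs the user in as soon as the reset succeeds; return false where a further check must pass before a session is created.` Unlike `unlockable?(resource)` just below, the hook takes no argument, so the comment could also say that per-user decisions have to read the controller's `resource`.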
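Review bot: The comment added above `sign_in_after_change_password?` in the hunk at -133 leaves out the first branch: the method returns true whenever `account_update_params[:password]` is blank, before the `sign_in_after_change_password` setting is read. The method is only moved here (its old copy is removed in the hunk at -160), apparently so that it sits with the overridable hooks, and someone replacing it to force a sign-out after a password change should know the shortcut keys on the submitted parameter. Suggested wording: `# Returns true when no new password was submitted; otherwise defers to resource_class.sign_in_after_change_password.`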