From bb2b4ecc1bcabc1c1797ecfe0dc0211c52cf3972 Mon Sep 17 00:00:00 2001
From: Carlos Antonio da Silva
Date: Wed, 18 Feb 2026 09:43:10 -0300
Subject: [PATCH] Allow model config to override `sign_in_after_change_password` (#5825)

The config exists at the model/resource class from the registerable module, but it was not being honored, instead we were directly relying on the main Devise config. Now this can be configured and honored per-model/resource class, as expected. This is similar to #5429 and `sign_in_after_reset_password` fix.
---
 CHANGELOG.md | 5 +++++
 .../devise/registrations_controller.rb | 2 +-
 test/integration/registerable_test.rb | 16 ++++++++++++++++
 3 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 6119a3e9..fbb7fe42 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,8 @@
+### Unreleased
+
+* enhancements
+ * Allow resource class scopes to override the global configuration for `sign_in_after_change_password` behaviour. [#5824](https://github.com/heartcombo/devise/pull/5824)
+
 ### 5.0.1 - 2026-02-13
 
 * bug fixes
diff --git a/app/controllers/devise/registrations_controller.rb b/app/controllers/devise/registrations_controller.rb
index f1292b4d..33def66d 100644
--- a/app/controllers/devise/registrations_controller.rb
+++ b/app/controllers/devise/registrations_controller.rb
@@ -163,6 +163,6 @@ class Devise::RegistrationsController < DeviseController
 
 def sign_in_after_change_password?
 return true if account_update_params[:password].blank?
- Devise.sign_in_after_change_password
+ resource_class.sign_in_after_change_password
 end
 end
diff --git a/test/integration/registerable_test.rb b/test/integration/registerable_test.rb
index ad0f3bec..9289ac6a 100644
--- a/test/integration/registerable_test.rb
+++ b/test/integration/registerable_test.rb
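Review bot: In `app/controllers/devise/registrations_controller.rb`, `sign_in_after_change_password?` now returns the model-level value, so any app that already set this option on a model (where it was silently ignored) changes behaviour on upgrade; a model-level `true` under a global `false` will start keeping the session signed in after a password change. The CHANGELOG entry files this under enhancements without saying so, and the method has no comment on precedence; I would add `# Model setting takes precedence over Devise.sign_in_after_change_password; a blank password means no password change, so the session is kept.` above the `def`. The enclosing class begins outside the hunk.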
@@ -187,6 +187,22 @@ class RegistrationTest < Devise::IntegrationTest
 end
 end
 
+ test 'a signed in user should not be able to use the website after changing their password if resource_class.sign_in_after_change_password is false' do
+ swap_model_config User, sign_in_after_change_password: false do
+ sign_in_as_user
+ get edit_user_registration_path
+
+ fill_in 'password', with: '1234567890'
+ fill_in 'password confirmation', with: '1234567890'
+ fill_in 'current password', with: '12345678'
+ click_button 'Update'
+
+ assert_contain 'Your account has been updated successfully, but since your password was changed, you need to sign in again.'
+ assert_equal new_user_session_path, @request.path
+ assert_not warden.authenticated?(:user)
+ end
+ end
+
 test 'a signed in user should be able to use the website after changing its email with config.sign_in_after_change_password is false' do
 swap Devise, sign_in_after_change_password: false do
 sign_in_as_user
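Review bot: The added test only exercises the model-level `false` path; the precedence the commit title promises is not pinned in the direction that relaxes the sign-out, i.e. global `false` with the model set to `true`. A companion test that nests `swap_model_config User, sign_in_after_change_password: true do` inside `swap Devise, sign_in_after_change_password: false do` and ends with `assert warden.authenticated?(:user)` would cover it, assuming the two helpers compose. The trailing context test continues past the end of the hunk.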