Wishlist: Enter existing password to create a new one about devise HOT 8 CLOSED

Sorry Gavin, but it's not clear for me. You want a method that does it? A view?

from devise.

José, what I was trying to say is that it would be nice if Devise offered this right out of the box:

Old password:
New password:
Confirm new password:

from devise.

If we provide that as view, you would probably need to customize it anyway. I think the only reusable piece would be a method to be used in your controllers. Something like update_with_password. Wdyt?

from devise.

From a consumer's point of view, I think it would look good like this:

In Devise.config:
password_update_requires_old_password = true

Then in the view:
:old_password
:new_password
:new_password_confirmation

How's that look?

from devise.

+1 for current password validation. This is a security issue, no one should be able to change password if user forgot to lock workstation on coffee break.

from devise.

I agree to be honest. Would be nice since this is something you probably want to do in (almost) every application. Would be nasty if someone somehow XSS's a session and changes the password of an account. Of course, the developer of the app would be at fault for allows XSS to happen. But yeah, regardless, I believe adding that as a "module" or "add-on", as mentioned above, to be able to handle this would be a nice addition.

from devise.

+1 i guess this will improve security for user

from devise.

Added update_with_password, so you are able to update the password only when the :old_password is valid. Create a form like this:

form_for @user, :url => update_password_path do |f|
  f.label :old_password
  f.password_field :old_password

  f.label :password
  f.password_field :password

  f.label :password_confirmation
  f.password_field :password_confirmation
end

And use in your controller:

@user.update_with_password(params[:user])

Closing.

from devise.