rails: devise update user without password

Question

I've followed the directions in devise's wiki regarding overriding update method to update user information without adding password, but I'm still getting notice saying that I can't leave password blank. I'm stuck and I need some assistance on tracking the problem down.

<%= form_for(resource, :as => resource_name, :url => custom_update_user_registration_path, :html => { :method => :put }) do |f| %>
  <%= devise_error_messages! %>
    <%= f.text_field :first_name %>
    <%= f.text_field :last_name %>
    <%= f.email_field :email, :autofocus => true %>
  <% if devise_mapping.confirmable? && resource.pending_reconfirmation? %>
    <div>Currently waiting confirmation for: <%= resource.unconfirmed_email %></div>
  <% end %>
<%= f.submit "Update" %>

in my routes :

  devise_for :user, :controllers => { :registrations => "registrations" }, :skip => [:registrations, :sessions] do 

    get 'signup' => 'devise/registrations#new', :as => :new_user_registration 
    post 'signup' => 'devise/registrations#create', :as => :custom_user_registration 
    get 'users/cancel' => 'devise/registrations#cancel', :as => :cancel_user_registration 
    get 'account/edit' => 'devise/registrations#edit', :as => :custom_edit_user_registration 
    put 'account' => 'devise/registrations#update', :as => :custom_update_user_registration
    delete 'users/cancel' => 'devise/registrations#destroy'   
    # devise/sessions 
    get 'signin' => 'devise/sessions#new', :as => :new_user_session 
    post 'signin' => 'devise/sessions#create', :as => :user_session 
    delete 'signout' => 'devise/sessions#destroy', :as => :destroy_user_session

  end

Here's my controller:

class RegistrationsController < Devise::RegistrationsController
  before_filter :check_permissions, :only => [:new, :create, :cancel]
  skip_before_filter :require_no_authentication

  def check_permissions
    authorize! :create, resource
  end

  def update
    @user.attributes = params[:user]  
    # required for settings form to submit when password is left blank
    if params[:user][:password].blank? && params[:user][:password_confirmation].blank?
        params[:user].delete(:password)
        params[:user].delete(:password_confirmation)
    end

    @user = User.find(current_user.id)
    if @user.update_attributes(params[:user])
      set_flash_message :notice, :updated
      # Sign in the user bypassing validation in case his password changed
      sign_in @user, :bypass => true
      redirect_to after_update_path_for(@user)
    else
      render "edit"
    end

  end
end

I'm not sure why I'm getting the error that I need to submit password still? Can someone see something that I'm overlooking?

Thanks

Answer 1

In class RegistrationsController < Devise::RegistrationsController you are missing update parameters for devise.

def configure_permitted_parameters
  devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:email, :password, ...) }
end

def update
# Get all params for :account_update
account_update_params = devise_parameter_sanitizer.sanitize(:account_update)

# Allow user to update without using password.
if account_update_params[:password].blank?
  account_update_params.delete("password")
  account_update_params.delete("password_confirmation")
end

# Set current_user
@user = User.find(current_user.id)
 if @user.update_attributes(account_update_params)
   set_flash_message :notice, :updated
   sign_in @user, :bypass => true
   redirect_to after_update_path_for(@user)
 else
   render "edit"
 end
end

Answer 2

Try to change

if @user.update_attributes(params[:user])

to device method

if @user.update_without_password(params[:user])

Answer 3

You could handle that in your model normally. Just edit your valdiations. This way you normally do not need to override the whole controller..just edit the model:

validates :password, :presence => true, :on => :create

Answer 4

I just found out that I've been overriding my devise registration incorrectly.

This was the correct way of having registration controller

Rails 3 /devise seems to ignore custom controller