I'm setting up the last bit of devise and need to allow a user to change their password from their my account page. I've taken a look at this https://github.com/plataformatec/devise/wiki/How-To:-Allow-users-to-edit-their-password page from devise and still can't get it to correctly work.
I'm getting the following error when I click on the link to bring up my modal.
ActionController::RoutingError (No route matches [GET] "/users/1/change_password_modal"):
When I submit my change password request I get the following error:
unknown attribute: current_password
My link to bring up the modal is:
button.btn.btn-dashboard data-target="#change_password_modal" data-toggle="modal"
and finally my modal
<div class="modal fade" id="change_password_modal">
  <div class="modal-dialog">
    <div class="modal-content">
      <div class="modal-header">
        <button class="close" data-dismiss="modal">x</button>
        <h2 class="modal-title">Change Password</h2>
      </div>
      <div class="modal-body">
        <div class="flash"></div>
        <%= form_for(resource, :as => resource_name, :url => edit_user_registration_path, :html => { :method => :put }) do |f| %>
          <%= devise_error_messages! %>
          <div>
            <%= f.password_field :current_password, :autocomplete => "off", class: "sitewide-input", placeholder: "Current Password" %>
          </div>
          <div>
            <%= f.password_field :password, :autocomplete => "off", class: "sitewide-input", placeholder: "New Password" %>
          </div>
          <div>
            <%= f.password_field :password_confirmation, :autocomplete => "off", class: "sitewide-input", placeholder: "New Password Confirmation" %>
          </div>
      </div>
      <div class="modal-footer">
        <p>
          <div>
            <%= f.submit "Update", :class => 'advance-button' %>
          </div>
        </p>
      </div>
      <% end %>
    </div>
  </div>
</div>
I've updated my application controller to include the following:
before_filter :configure_permitted_parameters, if: :devise_controller?

protected

def configure_permitted_parameters
  devise_parameter_sanitizer.for(:sign_up) << :full_name
  devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:email, :password, :password_confirmation, :current_password) }
end
Even with this code included I'm getting
ActiveRecord::UnknownAttributeError at /users/edit
unknown attribute: current_password
Server Logs
Started GET "/users/1/edit" for 127.0.0.1 at 2014-08-07 14:11:00 -0500
Processing by UsersController#edit as HTML
Parameters: {"id"=>"1"}
User Load (0.3ms) SELECT `users`.* FROM `users` WHERE `users`.`id` = 1 ORDER BY `users`.`id` ASC LIMIT 1
Rendered users/_edit_profile.html.slim (14.0ms)
Rendered registrations/_edit.html.erb (3.4ms)
Rendered users/_edit_billing.html.slim (9.3ms)
Rendered users/edit.html.slim within layouts/topthird (37.1ms)
Rendered shared/_javascript_head.html.slim (0.0ms)
App Load (0.4ms) SELECT `apps`.* FROM `apps` WHERE `apps`.`user_id` = 1 ORDER BY updated_at DESC
Rendered application/_dashboard_menu.html.slim (3.4ms)
Rendered application/_navigation.html.slim (0.1ms)
Completed 200 OK in 129ms (Views: 126.3ms | ActiveRecord: 0.7ms)
Started GET "/__rack/swfobject.js" for 127.0.0.1 at 2014-08-07 14:11:01 -0500
Started GET "/__rack/livereload.js?host=bangner.ngrok.com" for 127.0.0.1 at 2014-08-07 14:11:01 -0500
Started GET "/__rack/web_socket.js" for 127.0.0.1 at 2014-08-07 14:11:01 -0500
Started PUT "/users/edit" for 127.0.0.1 at 2014-08-07 14:11:10 -0500
Processing by UsersController#update as HTML
Parameters: {"utf8"=>"✓", "authenticity_token"=>"4QIZriwJGaeTynF8y1JYN3x5sBfhpNabYHWTBdzhRK4=", "user"=>{"current_password"=>"[FILTERED]", "password"=>"[FILTERED]", "password_confirmation"=>"[FILTERED]"}, "commit"=>"Update", "id"=>"edit"}
User Load (0.3ms) SELECT `users`.* FROM `users` WHERE `users`.`id` = 1 ORDER BY `users`.`id` ASC LIMIT 1
(0.1ms) BEGIN
(0.1ms) ROLLBACK
Completed 500 Internal Server Error in 4ms
ActiveRecord::UnknownAttributeError - unknown attribute: utf8:
activerecord (4.0.2) lib/active_record/attribute_assignment.rb:47:in `rescue in _assign_attribute'
activerecord (4.0.2) lib/active_record/attribute_assignment.rb:42:in `_assign_attribute'
activerecord (4.0.2) lib/active_record/attribute_assignment.rb:29:in `block in assign_attributes'
activerecord (4.0.2) lib/active_record/attribute_assignment.rb:23:in `assign_attributes'
activerecord (4.0.2) lib/active_record/persistence.rb:229:in `block in update'
activerecord (4.0.2) lib/active_record/transactions.rb:326:in `block in with_transaction_returning_status'
activerecord (4.0.2) lib/active_record/connection_adapters/abstract/database_statements.rb:202:in `block in transaction'
activerecord (4.0.2) lib/active_record/connection_adapters/abstract/database_statements.rb:210:in `within_new_transaction'
activerecord (4.0.2) lib/active_record/connection_adapters/abstract/database_statements.rb:202:in `transaction'
activerecord (4.0.2) lib/active_record/transactions.rb:209:in `transaction'
activerecord (4.0.2) lib/active_record/transactions.rb:323:in `with_transaction_returning_status'
activerecord (4.0.2) lib/active_record/persistence.rb:228:in `update'
app/controllers/users_controller.rb:31:in `update'
You need to add current_password to the sanitized parameters that Devise accepts. You should be doing something like this (I have it in my application_controller):

def configure_permitted_parameters
  devise_parameter_sanitizer.for(:sign_up) { |u| u.permit(:email, :password, :password_confirmation) }
  devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:email, :password, :password_confirmation, :current_password) }
end

Devise won't accept un-sanitized parameters, and you probably haven't added current_password to this block because you haven't needed to until trying to update an account.
You call this method in a before_filter in your application controller. Check out the Devise docs for more info here.
EDIT
For the modal, don't pass it a route. It's trying to open the path you're specifying and throwing that error. My modal buttons tend to look like this:
<button class="btn btn-dashboard" data-toggle="modal" data-target="#openLists">
  <i class="glyphicon glyphicon-list-alt"> Lists</i>
</button>
You can use Ruby helpers to do something similar if you want.
You need to set current_password as a permitted parameter in application_controller.rb:

def configure_permitted_parameters
  devise_parameter_sanitizer.for(:account_update) { |u| u.permit(:email, :password, :password_confirmation, :current_password) }
end

And skip the current_password on registration_controller.rb:

class RegistrationsController < Devise::RegistrationsController
  protected

  def update_resource(resource, params)
    resource.update_without_password(params.except(:current_password))
  end
end
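
An added example, not code from the post or from Devise: a plain-Ruby sketch of why handing the raw request hash to the model raises the unknown attribute errors in the question, and where current_password is consumed once the parameters go through a permit list. DemoUser, permit, PERMITTED and SAMPLE are hypothetical names; PBKDF2 stands in for the password hashing, and the confirmation check is simplified.

```ruby
require "openssl"
require "securerandom"
class UnknownAttributeError < StandardError; end

# Hypothetical stand-in for a Devise-backed User model (plain Ruby, no Rails).
class DemoUser
  WRITABLE = %i[email password].freeze # assumed model attributes

  def initialize(password)
    @salt = SecureRandom.bytes(16)
    @digest = digest(password)
  end

  # Like ActiveRecord attribute assignment: a key that is not an attribute raises.
  def update(attrs)
    bad = attrs.keys.find { |key| !WRITABLE.include?(key) }
    raise UnknownAttributeError, "unknown attribute: #{bad}" if bad
    @email = attrs[:email] if attrs.key?(:email)
    @digest = digest(attrs[:password]) if attrs.key?(:password)
    true
  end

  def valid_password?(candidate)
    pairs = @digest.bytes.zip(digest(candidate.to_s).bytes)
    pairs.reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero? # compare without early exit
  end

  # current_password is verified and then dropped; it never reaches update.
  def update_with_password(attrs)
    attrs = attrs.dup
    return false unless valid_password?(attrs.delete(:current_password))
    return false unless attrs[:password] == attrs.delete(:password_confirmation)
    update(attrs)
  end

  private
  def digest(password)
    OpenSSL::PKCS5.pbkdf2_hmac(password, @salt, 10_000, 32, OpenSSL::Digest.new("SHA256"))
  end
end

PERMITTED = %i[email password password_confirmation current_password].freeze
# Permit-list filter: the role devise_parameter_sanitizer plays for :account_update.
def permit(raw)
  raw.select { |key, _| PERMITTED.include?(key) }
end
# Constructed request parameters shaped like the PUT in the question's log.
SAMPLE = { utf8: "✓", commit: "Update", id: "edit",
           user: { current_password: "old-secret", password: "new-secret-1",
                   password_confirmation: "new-secret-1" } }.freeze
```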