Skip to content

How To: Allow users to edit their account without providing a password

Jump to bottom Edit New page
Christian Mehlmauer edited this page Dec 11, 2017 · 72 revisions

By default, Devise allows users to change their password using the :registerable module. But sometimes, developers want to create other actions that allow the user to change their information without requiring a password. The best option in this case is to create your own controller, that belongs to your application, and provide an edit and update actions, as you would do for any other resource in your application.

Keep in mind though to be restrictive in the parameters you allow to be changed. In particular, you likely want to permit just user data fields and avoid e-mail, password and such information to be changed:

params(:user).permit(:first_name, :last_name, :address)

An alternative solution would be to simply override the update_resource method in your registrations controller as follows:

class RegistrationsController < Devise::RegistrationsController

  protected

  def update_resource(resource, params)
    # needed so user is able to change his password
    if params['password'] != "" || params['password_confirmation'] != ""
      resource.update_with_password(params)
    else
      resource.update_without_password(params)
    end
  end
end

When using this solution you will need to tell devise to use your controller in routes.rb:

devise_for :users, controllers: { registrations: 'registrations' }

Finally, if you have generated views using devise, remove the corresponding form input for 'current_password' in app/views/devise/registrations/edit.html.erb.

Getting Started

MIT License. Copyright 2009-2020 Plataformatec. http://plataformatec.com.br

Add a custom sidebar
Clone this wiki locally