Merge pull request #204 from nomad-mando/master

Fixes #202 : infinite redirection bug on password change

Author: aldesantis

lib/controllers/frontend/spree/users_controller.rb

@@ -28,14 +28,17 @@ def create
   def update
     if @user.update(user_params)
       spree_current_user.reload
+      redirect_url = spree.account_url
 
       if params[:user][:password].present?
         # this logic needed b/c devise wants to log us out after password changes
-        unless Spree::Auth::Config[:signout_after_password_change]
+        if Spree::Auth::Config[:signout_after_password_change]
+          redirect_url = spree.login_url
+        else
           bypass_sign_in(@user)
         end
       end
-      redirect_to spree.account_url, notice: I18n.t('spree.account_updated')
+      redirect_to redirect_url, notice: I18n.t('spree.account_updated')
     else
       render :edit
     end

spec/controllers/spree/users_controller_spec.rb

@@ -46,6 +46,29 @@
           expect(subject.spree_current_user.email).to eq user.email
         end
       end
+
+      context 'when updating password' do
+        before do
+          stub_spree_preferences(Spree::Auth::Config, signout_after_password_change: signout_after_change)
+          put :update, params: { user: { password: 'foobar123', password_confirmation: 'foobar123' } }
+        end
+
+        context 'when signout after password change is enabled' do
+          let(:signout_after_change) { true }
+
+          it 'redirects to login url' do
+            expect(response).to redirect_to spree.login_url(only_path: true)
+          end
+        end
+
+        context 'when signout after password change is disabled' do
+          let(:signout_after_change) { false }
+
+          it 'redirects to account url' do
+            expect(response).to redirect_to spree.account_url(only_path: true)
+          end
+        end
+      end
     end
 
     it 'does not update roles' do