Fixes infinite redirection bug on password change

nomad-mando · nomad-mando · commit 9ecf81d7222a · 2021-01-21T11:51:35.000+05:30
When signout after password change was enabled, request to update user password was resulting in redirection to account edit page. Since user was signedout, this was ending up in infinite redirection (due to preveious page was being account edit page).
As a fix, changed the redirection in above case to login page as user is already signed out. Added controller test to assert this case.
diff --git a/lib/controllers/frontend/spree/users_controller.rb b/lib/controllers/frontend/spree/users_controller.rb
@@ -28,14 +28,17 @@ def create
   def update
     if @user.update(user_params)
       spree_current_user.reload
+      redirect_url = spree.account_url
 
       if params[:user][:password].present?
         # this logic needed b/c devise wants to log us out after password changes
-        unless Spree::Auth::Config[:signout_after_password_change]
+        if Spree::Auth::Config[:signout_after_password_change]
+          redirect_url = spree.login_url
+        else
           bypass_sign_in(@user)
         end
       end
-      redirect_to spree.account_url, notice: I18n.t('spree.account_updated')
+      redirect_to redirect_url, notice: I18n.t('spree.account_updated')
     else
       render :edit
     end
diff --git a/spec/controllers/spree/users_controller_spec.rb b/spec/controllers/spree/users_controller_spec.rb
@@ -46,6 +46,29 @@
           expect(subject.spree_current_user.email).to eq user.email
         end
       end
+
+      context 'when updating password' do
+        before do
+          stub_spree_preferences(Spree::Auth::Config, signout_after_password_change: signout_after_change)
+          put :update, params: { user: { password: 'foobar123', password_confirmation: 'foobar123' } }
+        end
+
+        context 'when signout after password change is enabled' do
+          let(:signout_after_change) { true }
+
+          it 'redirects to login url' do
+            expect(response).to redirect_to spree.login_url(only_path: true)
+          end
+        end
+
+        context 'when signout after password change is disabled' do
+          let(:signout_after_change) { false }
+
+          it 'redirects to account url' do
+            expect(response).to redirect_to spree.account_url(only_path: true)
+          end
+        end
+      end
     end
 
     it 'does not update roles' do
