From e8c42db1a7ce84028b9afabac31001d7e62d47da Mon Sep 17 00:00:00 2001 From: Gonzalo Riestra Date: Thu, 3 Jan 2019 18:12:48 +0100 Subject: [PATCH] avoid authentication after password update --- app/controllers/password_change_controller.rb | 5 +---- .../password_change_controller_spec.rb | 21 ++++++++++++++----- 2 files changed, 17 insertions(+), 9 deletions(-) diff --git a/app/controllers/password_change_controller.rb b/app/controllers/password_change_controller.rb index b6bc8b2e91..bfa77a0361 100644 --- a/app/controllers/password_change_controller.rb +++ b/app/controllers/password_change_controller.rb @@ -48,10 +48,7 @@ class PasswordChangeController < ApplicationController end if @user.update_in_central && @user.save - params[:email] = @user.username - params[:password] = pw - - authenticate!(:password, scope: @user.username) + warden.set_user(@user, scope: @user.username) CartoDB::Stats::Authentication.instance.increment_login_counter(@user.email) redirect_to session.delete('return_to') || diff --git a/spec/requests/password_change_controller_spec.rb b/spec/requests/password_change_controller_spec.rb index 0dd60a67dc..d026960ca4 100644 --- a/spec/requests/password_change_controller_spec.rb +++ b/spec/requests/password_change_controller_spec.rb 
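Review bot: The new `warden.set_user(@user, scope: @user.username)` keeps the caller's existing session id, so a password change no longer goes through `authenticate!` and nothing here rotates the session; a password change is exactly the point where a session fixed or stolen before the change should stop being valid. I would read the redirect target first with `return_to = session.delete('return_to')`, call `reset_session` immediately before `warden.set_user(...)`, and finish with `redirect_to return_to || ...` so the new credentials land in a fresh session (Warden reads `rack.session` from the env, so the store after `reset_session` should go to the new session — worth confirming in a request spec). Two smaller follow-ups: `increment_login_counter(@user.email)` still counts this as a login although no authentication happens any more, and the `pw` local that fed `params[:password]` may now be unused if it is not consumed above the hunk. The enclosing method starts outside the hunk, as does whatever `pw` is assigned from, so I cannot tell from here whether other sessions of the user are invalidated on password change; if they are, that step needs to run before the `set_user` call, not after.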
@@ -92,18 +92,29 @@ describe PasswordChangeController do response.body.should include 'must be at least' end - it 'changes password and authenticate session' do + it 'changes password' do login_as(@user, scope: @user.username) put password_change_url(@user.username), payload_ok, @headers - @user.reload - @user.validate_old_password('password123') - @user.last_password_change_date.should be + @user.reload.last_password_change_date.should be + end + + it 'does not require to authenticate again' do + login_as(@user, scope: @user.username) + + PasswordChangeController.any_instance.expects(:authenticate!).never + + put password_change_url(@user.username), payload_ok, @headers + end + + it 'redirects to dashboard by default' do + login_as(@user, scope: @user.username) + + put password_change_url(@user.username), payload_ok, @headers follow_redirect! request.path.should eq dashboard_path - end end end
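Review bot: The new `it 'does not require to authenticate again'` example only asserts that `authenticate!` is never called via `PasswordChangeController.any_instance.expects(:authenticate!).never`, which pins the implementation rather than the behaviour the commit is about: that the session is still signed in as `@user` once the password has been changed. A behavioural check would be stronger and would survive a later refactor, for example `request.env['warden'].user(@user.username).should eq @user` after the `put` (assuming warden is exposed on the request env in these request specs), or a follow-up `get dashboard_path` expecting success rather than a redirect to login. The reworked `it 'changes password'` example also dropped the `validate_old_password('password123')` call without replacing it, so nothing now asserts that the new password from `payload_ok` actually authenticates — only that `last_password_change_date` was set; if `validate_old_password` returns a boolean, an assertion on the new password would close that gap. The describe block and the `payload_ok` fixture are defined outside the hunk.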