Two of the greatest boons yet to hit Railskind, IMAO, have been Platformatec's Devise and inherited_resources. Surprisingly, given how closely they're related, they don't always play nice together. If you ever get a failing feature spec that's just modifying non-password data on your user-profile page, it can really confuse you until you do some Googling around. (That's how you got here, yes?)
You'll need to update your User controller so that it doesn't send empty password fields to Devise for the update action. This won't affect creating Users; you want Devise to reject empty passwords there. Here's what I have for my users_controller.rb (also available as a Gist):
# Actions for Users. Not necessarily a finer distinction one way or another yet. class UsersController < InheritedResources::Base # FIXME respond_to :json # should spec JSON actions, too respond_to :html load_and_authorize_resource def update # Devise has the convention that, for updates where the password is NOT to # be modified, the password and password-confirmation fields MUST NOT be # submitted. inherited_resources, of course, just sees two text fields and # wraps them up along with the rest of the form. Oops. remove_password_parameters if password_fields_are_empty? super end private def password_fields_are_empty? params['user']['password'].empty? and params['user']['password_confirmation'].empty? end def remove_password_parameters params['user'].delete 'password' params['user'].delete 'password_confirmation' end end
This is still a heck of a lot cleaner/shorter than what I'd have written for a controller subclassed directly from ApplicationController.