Allow logged in user to change his password

Users were unable to change their password through the "Reset password"
link that was sent to their email if they were logged in. This is due to
a default controller filter from Devise that requires the user to not be
logged in in order to use this link.

app/controllers/passwords_controller.rb

 class PasswordsController < Devise::PasswordsController
   include Gitlab::CurrentSettings
 
+  skip_before_action :require_no_authentication, only: [:edit, :update]
+
   before_action :resource_from_email, only: [:create]
   before_action :check_password_authentication_available, only: [:create]
   before_action :throttle_reset,      only: [:create]

spec/features/password_reset_spec.rb

@@ -33,6 +33,25 @@ feature 'Password reset' do
     end
   end
 
+  describe 'Changing password while logged in' do
+    it 'updates the password' do
+      user = create(:user)
+      token = user.send_reset_password_instructions
+
+      sign_in(user)
+
+      visit(edit_user_password_path(reset_password_token: token))
+
+      fill_in 'New password', with: 'hello1234'
+      fill_in 'Confirm new password', with: 'hello1234'
+
+      click_button 'Change your password'
+
+      expect(page).to have_content(I18n.t('devise.passwords.updated_not_active'))
+      expect(current_path).to eq new_user_session_path
+    end
+  end
+
   def forgot_password(user)
     visit root_path
     click_on 'Forgot your password?'