Hi there,

I'm using Devise in a Rails 3 app, and I successfully configured it so that it uses a username as its authentication method instead of an email. The problem is that in the default registrations controller for Devise, it calls an "update_with_password" method on the params passed in, which effectively allows users to change their username and password. This behaviour makes sense if you're using email as an authentication method, since it's reasonable to expect people to be able to change their email. However, when using usernames, I'd rather users not be able to change them; I only want them to be able to change their password. Would the best way to do this be to override the RegistrationsController, and prevent the mass-assignment of params so that only the password can be changed?

Hope this is clear. Thanks!

A: 

Ok, I solved it. I added attr_readonly to the username variable, so that it cannot be changed with mass assignment.

pushmatrix
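
The controller-side option raised in the question, as an added example that is not part of the original post or of Devise: a plain-Ruby allowlist that keeps only the password fields before they would reach `update_with_password` and reports every other key the client submitted. The names `filter_account_update`, `ACCOUNT_UPDATE_KEYS` and `SAMPLE_PARAMS` are hypothetical, and the sample params are constructed.

```ruby
# Added example: hypothetical helper, not Devise's or the poster's code.
# Keys a user may submit when editing their account. `username` is left out
# on purpose, so it can never be mass-assigned through this path.
ACCOUNT_UPDATE_KEYS = %w[password password_confirmation current_password].freeze

# Returns [allowed, rejected]:
#   allowed  - hash with string keys, limited to ACCOUNT_UPDATE_KEYS
#   rejected - sorted names of submitted keys that were dropped
def filter_account_update(params)
  # Normalise symbol and string keys so :username and "username" are treated alike.
  submitted = (params || {}).each_with_object({}) { |(k, v), h| h[k.to_s] = v }
  allowed   = submitted.select { |k, _| ACCOUNT_UPDATE_KEYS.include?(k) }
  rejected  = (submitted.keys - ACCOUNT_UPDATE_KEYS).sort
  [allowed, rejected]
end

# Constructed sample: a form post that carries extra fields besides the password.
SAMPLE_PARAMS = {
  :username               => "someone_else",
  "admin"                 => "1",
  "password"              => "n3w-passphrase",
  "password_confirmation" => "n3w-passphrase",
  "current_password"      => "old-passphrase"
}.freeze

allowed, rejected = filter_account_update(SAMPLE_PARAMS)
puts "passed on: #{allowed.keys.sort.join(', ')}"
puts "dropped:   #{rejected.join(', ')}"
```

An allowlist also drops fields nobody thought to block, and the `rejected` list gives the application something to log when a client submits keys the edit form never offers.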