fix password reset permission specs

app/controllers/v0/password_resets_controller.rb

@@ -28,15 +28,13 @@ def create
     # 2/3 - The associated user object is returned, indicating a valid token
     def show
       @user = User.find_by!(password_reset_token: params[:id])
-      @current_user = @user
       authorize @user, :update_password?
       render 'users/show', status: :ok
     end
 
     # 3/3 - The password reset is submitted and committed to the database
     def update
       @user = User.find_by!(password_reset_token: params[:id])
-      @current_user = @user
       authorize @user, :update_password?
       if @user.update({ password: params.require(:password), password_reset_token: nil })
         render 'users/show', status: :ok

spec/policies/user_policy_spec.rb

@@ -12,7 +12,7 @@
     it { is_expected.to_not permitz(:update) }
     it { is_expected.to_not permitz(:destroy) }
     it { is_expected.to permitz(:request_password_reset) }
-    it { is_expected.to_not permitz(:update_password) }
+    it { is_expected.to permitz(:update_password) }
   end
 
   context "for a user" do
@@ -22,7 +22,7 @@
     it { is_expected.to permitz(:update) }
     it { is_expected.to permitz(:destroy) }
     it { is_expected.to_not permitz(:request_password_reset) }
-    it { is_expected.to permitz(:update_password) }
+    it { is_expected.to_not permitz(:update_password) }
   end
 
 end

spec/requests/v0/password_resets_spec.rb

@@ -117,6 +117,7 @@
     it "can reset password with valid token" do
       expect(user.authenticate('newpass')).to be_falsey
       j = api_put "password_resets/#{user.password_reset_token}", { password: 'newpass' }
+      p response
       expect(j["username"]).to eq(user.username)
       expect(response.status).to eq(200)