users: clean up password update logic.

Pull the password reauthentication logic out of the user model and put
it in the password update controller where it belongs.

This fixes an issue where, when a new user was created, the user model had
an incorrect password error set on it by `encrypt_password_on_update`.
It was trying to verify the old password even though we don't have one
when creating a new user. This error caused the user create action to
redirect back to the signup page because `respond_with` thought that
creating the user failed.
evazion
2020-03-24 15:29:28 -05:00
parent 5cb7167a45
commit 5faa323729
6 changed files with 47 additions and 33 deletions


@@ -8,13 +8,17 @@ class PasswordsController < ApplicationController
def update
@user = authorize User.find(params[:user_id]), policy_class: PasswordPolicy
@user.update(user_params)
if User.authenticate(@user.name, params[:user][:old_password])
@user.update(password: params[:user][:password], password_confirmation: params[:user][:password_confirmation])
elsif @user.authenticate_login_key(params[:user][:signed_user_id])
@user.update(password: params[:user][:password], password_confirmation: params[:user][:password_confirmation])
else
@user.errors[:base] << "Incorrect password"
end
flash[:notice] = @user.errors.none? ? "Password updated" : @user.errors.full_messages.join("; ")
respond_with(@user, location: @user)
end
def user_params
params.fetch(:user, {}).permit(policy(:password).permitted_attributes)
end
end
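Review bot: the direct `params[:user][:old_password]` and `params[:user][:signed_user_id]` reads in the `if`/`elsif` will raise `NoMethodError` on `nil` whenever the request carries no `user` key, while `user_params` just below guards the same case with `params.fetch(:user, {})`; use `params.dig(:user, :old_password)` (and likewise for `signed_user_id` and the new password fields) or read them through `user_params` so a malformed request produces the "Incorrect password" error rather than a 500. The two branches also run the identical `@user.update(password: ..., password_confirmation: ...)`, so collapsing them into a single `if User.authenticate(...) || @user.authenticate_login_key(...)` keeps the authentication gate in one place and makes it harder for a later edit to change one branch without the other. Finally, the failure message is written to `flash[:notice]`; `flash[:alert]` (or `@user.errors` via `respond_with`) is the conventional channel for an error, and it keeps the password-change failure distinguishable from a success in the view.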