Ruby on Rails - Why does current_user session become nil when updating a user?
I'm using Devise and CanCan for user authentication and for administrating roles, restricting access to parts of my Rails 4 app for certain users.
I've run into problems updating a user. The update works fine and the user object in the db is updated as it should be, but the user session is lost on the following redirect_to the user show action. current_user becomes nil, which means CanCan restricts access to the user show action.
Why does current_user become nil after an update, when this does not happen on other actions (e.g. create, destroy etc.)?
These are the Devise settings in the user model:

    devise :database_authenticatable, :registerable, :recoverable, :rememberable,
           :trackable, :validatable, :authentication_keys => [:login]

This is users_controller.rb's update method:

    class UsersController < ApplicationController
      load_and_authorize_resource
      before_filter :authenticate_user!

      def update
        @user = User.find(params[:id])
        # A blank password field means "leave the password unchanged"
        if params[:user][:password].blank?
          params[:user].delete(:password)
        end

        # user_params (strong parameters) is defined elsewhere in the controller
        respond_to do |format|
          if @user.update_attributes(user_params)
            format.html { redirect_to user_path, :notice => 'user updated.' }
            format.json { head :ok }
          else
            format.html { render :action => "edit" }
            format.json { render :json => @user.errors, :status => :unprocessable_entity }
          end
        end
      end
    end

And the ability.rb file:

    class Ability
      include CanCan::Ability

      def initialize(user)
        user ||= User.new # guest user (not logged in)
        if defined?(user.role_id)
          if user.role? :admin, user.role_id
            can :manage, :all
          elsif user.role? :hauler, user.role_id
            can :manage, [User, Trip, Invoice], user_id: user.id.to_s
          else
            can :create, :trip
          end
        end
      end
    end

It depends on the update being performed. Sessions are serialized with bits of user data.
For instance, updating the password will cause the session to be nullified, because the encrypted password is part of the serialized hash, and if that is changed, the session can no longer reference the original encrypted password.
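
A simplified model of the mechanism the answer describes, added here as an illustration and not taken from the original post or from Devise's source: the session stores the record id plus a salt derived from `encrypted_password`, so changing the password makes the stored salt stale. `ToyUser`, `USERS`, `current_user_after_update` and the SHA-256 stand-in for bcrypt are assumptions; the two `serialize_*` names mirror Devise's.

```ruby
require "digest"
require "securerandom"

# Constructed stand-in for a Devise-backed user record (not Devise's own class).
class ToyUser
  attr_reader :id, :encrypted_password
  attr_accessor :email

  def initialize(id, email, password)
    @id, @email = id, email
    self.password = password
  end

  # Stand-in for bcrypt: a fresh random salt is prefixed to the digest.
  def password=(plain)
    salt = SecureRandom.hex(8)
    @encrypted_password = salt + Digest::SHA256.hexdigest(salt + plain)
  end

  # Like Devise, derive the session salt from the start of encrypted_password.
  def authenticatable_salt
    encrypted_password[0, 16]
  end
end

USERS = {} # constructed in-memory "database"

# What goes into the session at sign-in: record key plus salt.
def serialize_into_session(user)
  [user.id, user.authenticatable_salt]
end

# What current_user does on each request: reload and compare salts.
def serialize_from_session(session)
  id, salt = session
  user = USERS[id]
  user if user && user.authenticatable_salt == salt
end

# Hypothetical helper: sign in, update, then resolve current_user.
def current_user_after_update(password_changed:, resign_in:)
  user = USERS[1] = ToyUser.new(1, "a@example.test", "old-secret")
  session = serialize_into_session(user)
  user.email = "b@example.test"
  user.password = "new-secret" if password_changed
  session = serialize_into_session(user) if resign_in # refresh stored salt
  serialize_from_session(session)
end
```

In a Devise controller the refresh step corresponds to signing the user in again after a successful password update, e.g. `bypass_sign_in(@user)` (`sign_in(@user, :bypass => true)` on older Devise releases). The mismatch itself is useful: any other session still holding the old salt stops resolving once the password changes.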