Actually work

app/views/users/show.html.erb

@@ -35,7 +35,7 @@
         row.key { 'Password' }
         row.value { '••••••••' }
         if current_user == @user
-          row.action(visually_hidden_text: 'password', href: password_edit_account_path, html_attributes: { 'data-qa': 'change-password' })
+          row.action(visually_hidden_text: 'password', href: edit_password_account_path, html_attributes: { 'data-qa': 'change-password' })
         else
           row.action()
         end

config/routes.rb

@@ -22,10 +22,6 @@ Rails.application.routes.draw do
     get "admin/two-factor-authentication/resend", to: "auth/two_factor_authentication#show_resend"
   end
 
-  resource :account, only: %i[show edit], controller: "users" do
-    get "password/edit", to: "users#edit_password"
-  end
-
   devise_for :users, {
     path: :account,
     controllers: {
@@ -40,6 +36,7 @@ Rails.application.routes.draw do
 
   devise_scope :user do
     get "account/password/reset-confirmation", to: "auth/passwords#reset_confirmation"
+    put "account", to: "users#update"
   end
 
   get "/health", to: ->(_) { [204, {}, [nil]] }
@@ -52,6 +49,10 @@ Rails.application.routes.draw do
   get "/privacy-notice", to: "content#privacy_notice"
   get "/data-sharing-agreement", to: "content#data_sharing_agreement"
 
+  resource :account, only: %i[show edit], controller: "users" do
+    get "edit/password", to: "users#edit_password"
+  end
+
   resources :users
 
   resources :organisations do

spec/requests/users_controller_spec.rb

@@ -34,7 +34,7 @@ RSpec.describe UsersController, type: :request do
 
     describe "#password" do
       it "does not let you edit user passwords" do
-        get "/users/#{user.id}/password/edit", headers: headers, params: {}
+        get "/account/edit/password", headers: headers, params: {}
         expect(response).to redirect_to("/account/sign-in")
       end
     end
@@ -63,7 +63,7 @@ RSpec.describe UsersController, type: :request do
 
           before do
             sign_in user
-            put "/users/#{user.id}", headers: headers, params: params
+            put "/account", headers: headers, params: params
           end
 
           it "shows an error if passwords don't match" do
@@ -204,7 +204,7 @@ RSpec.describe UsersController, type: :request do
       context "when the current user matches the user ID" do
         before do
           sign_in user
-          get "/users/#{user.id}/password/edit", headers: headers, params: {}
+          get "/account/edit/password", headers: headers, params: {}
         end
 
         it "shows the edit password page" do
@@ -453,7 +453,7 @@ RSpec.describe UsersController, type: :request do
       context "when the current user matches the user ID" do
         before do
           sign_in user
-          get "/users/#{user.id}/password/edit", headers: headers, params: {}
+          get "/account/edit/password", headers: headers, params: {}
         end
 
         it "shows the edit password page" do
@@ -468,11 +468,12 @@ RSpec.describe UsersController, type: :request do
       context "when the current user does not matches the user ID" do
         before do
           sign_in user
-          get "/users/#{other_user.id}/password/edit", headers: headers, params: {}
         end
 
-        it "returns not found 404" do
+        it "there is no route" do
-          expect(response).to have_http_status(:not_found)
+          expect {
+            get "/users/#{other_user.id}/password/edit", headers: headers, params: {}
+          }.to raise_error(ActionController::RoutingError)
         end
       end
     end