Devise tries to sign-in a user that is not active for authentication (because not-confirmed) after password reset #1306

Closed
rymai opened this Issue · 2 comments

2 participants

@rymai

Hi,

If a user resets his password without being active_for_authentication? because he's not confirmed, Devise tries to sign him in and displays the "Your password was changed successfully. You are now signed in." (by default). The problem is that there's also the "You have to confirm your account before continuing." alert at the same time. In our application, we can display only one message at a time so we only see the "Password reset" notice.

So there are 2 problems here: the wrong notice "You are now signed in." and the fact that Devise tries to sign-in the user even if he's not active_for_authentication?.

IMHO, the best solution would be to prevent a user from resetting his password without being confirmed. Do you see any downsides?

Another solution, less rock-solid, would be to not try to sign the user in, display only "Your password was changed successfully." and redirect the user to the sign-in page.

@josevalim
Owner

It is ok if Devise tries to sign in the user even if he's not active_for_authentication?. BUT we could indeed change passwords controller to first check if the user is active before signing him in and set the error message accordingly. Could you please provide a patch?

@rymai

Thanks for your prompt reply José, this solution seems good enough. I'll try to implement it this evening!

Pull request here (#1308).

@josevalim josevalim closed this
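
The check proposed in this thread, modelled in plain Ruby without Rails as an added example: it is not Devise's code or the patch from the pull request, and `PasswordResetFlow`, its methods and the sample users are hypothetical names constructed for illustration. It contrasts the reported flow with one reading of the proposed flow, where the account state is checked before the message is chosen and an unconfirmed user never receives a session after a reset.

```ruby
# Constructed plain-Ruby model of the flow in this issue; not Devise source code.
CHANGED     = "Your password was changed successfully."
SIGNED_IN   = "#{CHANGED} You are now signed in."
UNCONFIRMED = "You have to confirm your account before continuing."

User = Struct.new(:email, :password, :confirmed) do
  # Same predicate name as in the issue: an unconfirmed account is not active.
  def active_for_authentication?
    confirmed
  end
end

# Hypothetical stand-in for a passwords controller; all names here are assumptions.
class PasswordResetFlow
  attr_reader :flash, :session, :location

  def initialize
    @flash, @session = {}, {}
  end

  # Reported behaviour: the "signed in" notice is set and sign-in is attempted
  # unconditionally, so an unconfirmed user gets a notice and an alert together.
  def update_before(user, new_password)
    user.password = new_password
    @flash[:notice] = SIGNED_IN
    attempt_sign_in(user)
  end

  # Proposed behaviour: check the account state first, then choose the message.
  def update_after(user, new_password)
    return update_before(user, new_password) if user.active_for_authentication?
    user.password = new_password
    @flash[:notice] = CHANGED
    @location = :sign_in_page
    self
  end

  private

  # The authentication gate: only active accounts get a session.
  def attempt_sign_in(user)
    if user.active_for_authentication?
      @session[:user] = user.email
      @location = :after_sign_in_page
    else
      @flash[:alert] = UNCONFIRMED
      @location = :sign_in_page
    end
    self
  end
end
```

In a real application the property worth a regression test is the same one asserted here: completing a password reset for an unconfirmed account changes the password but leaves the session empty.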