Devise tries to sign-in a user that is not active for authentication (because not-confirmed) after password reset #1306

rymai opened this Issue Aug 31, 2011 · 2 comments



rymai commented Aug 31, 2011


If a user resets his password without being active_for_authentication? because he's not confirmed, Devise tries to sign him in and displays the "Your password was changed successfully. You are now signed in." notice (by default). The problem is that there's also the "You have to confirm your account before continuing." alert at the same time. In our application, we can display only one message at a time so we only see the "Password reset" notice.

So there are 2 problems here: the wrong notice "You are now signed in." and the fact that Devise tries to sign in the user even if he's not active_for_authentication?.

IMHO, the best solution would be to prevent a user from resetting his password without being confirmed. Do you see any downsides?

Another solution, less rock-solid, would be to not try to sign the user in, display only "Your password was changed successfully." and redirect the user to the sign-in page.


It is ok if Devise tries to sign in the user even if he's not active_for_authentication?. BUT we could indeed change the passwords controller to first check if the user is active before signing him in and set the error message accordingly. Could you please provide a patch?

rymai commented Aug 31, 2011

Thanks for your prompt reply José, this solution seems good enough. I'll try to implement it this evening!

Pull request here (#1308).

@josevalim josevalim closed this Sep 1, 2011
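
The check discussed in this thread, as an added example that is not part of the original issue and is not Devise's own code. `User`, `Result`, `MESSAGES` and the two `reset_password_*` functions are hypothetical stand-ins; only `active_for_authentication?` and the message texts come from the thread.

```ruby
# Constructed stand-in for a confirmable user record (not a Devise model).
User = Struct.new(:email, :confirmed, :password) do
  def active_for_authentication?
    confirmed
  end
end

# Outcome of a password reset request, as a controller would render it.
Result = Struct.new(:signed_in, :notice, :alert, :redirect_to)

MESSAGES = {
  updated: "Your password was changed successfully. You are now signed in.",
  updated_not_active: "Your password was changed successfully.",
  unconfirmed: "You have to confirm your account before continuing."
}.freeze

# Behaviour reported in the issue: the "signed in" notice is set
# unconditionally, and the failed sign-in adds the confirmation alert on top.
def reset_password_before(user, new_password)
  user.password = new_password
  signed_in = user.active_for_authentication?
  alert = signed_in ? nil : MESSAGES[:unconfirmed]
  Result.new(signed_in, MESSAGES[:updated], alert, signed_in ? :root : :sign_in)
end

# Behaviour proposed in the thread: check that the user is active first,
# sign in only then, and choose a single message that matches the outcome.
def reset_password_after(user, new_password)
  user.password = new_password
  if user.active_for_authentication?
    Result.new(true, MESSAGES[:updated], nil, :root)
  else
    Result.new(false, MESSAGES[:updated_not_active], nil, :sign_in)
  end
end

if __FILE__ == $PROGRAM_NAME
  pending = User.new("pending@example.test", false, "old-secret") # constructed
  p reset_password_before(pending, "new-secret").to_a
  p reset_password_after(pending, "new-secret").to_a
end
```

The property worth a regression test in a real application is the second branch: a reset by an unconfirmed account must end with no session and no "signed in" wording.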