If a user resets his password without being active_for_authentication? because he's not confirmed, Devise tries to sign him in and displays the "Your password was changed successfully. You are now signed in." notice (by default). The problem is that there's also the "You have to confirm your account before continuing." alert at the same time. In our application, we can display only one message at a time, so we only see the "Password reset" notice.
So there are 2 problems here: the wrong notice "You are now signed in." and the fact that Devise tries to sign in the user even if he's not active_for_authentication?.
IMHO, the best solution would be to prevent a user from resetting his password without being confirmed. Do you see any downsides?
Another solution, less rock-solid, would be to not try to sign the user in, display only "Your password was changed successfully." and redirect the user to the sign-in page.
It is OK if Devise tries to sign in the user even if he's not active_for_authentication?. BUT we could indeed change the passwords controller to first check if the user is active before signing him in and set the error message accordingly. Could you please provide a patch?
Thanks for your prompt reply José, this solution seems good enough. I'll try to implement it this evening!
Pull request here (#1308).