Devise tries to sign-in a user that is not active for authentication (because not-confirmed) after password reset #1306

Closed
rymai opened this Issue Aug 31, 2011 · 2 comments


@rymai
Contributor
rymai commented Aug 31, 2011

Hi,

If a user resets his password without being active_for_authentication? because he's not confirmed, Devise tries to sign him in and displays the "Your password was changed successfully. You are now signed in." notice (by default). The problem is that there's also the "You have to confirm your account before continuing." alert at the same time. In our application, we can display only one message at a time so we only see the "Password reset" notice.

So there are 2 problems here: the wrong notice "You are now signed in." and the fact that Devise tries to sign in the user even if he's not active_for_authentication?.

IMHO, the best solution would be to prevent a user from resetting his password without being confirmed. Do you see any downsides?

Another solution, less rock-solid, would be to not try to sign the user in, display only "Your password was changed successfully." and redirect the user to the sign-in page.

@josevalim
Member

It is ok if Devise tries to sign in the user even if he's not active_for_authentication?. BUT we could indeed change the passwords controller to first check if the user is active before signing him in and set the error message accordingly. Could you please provide a patch?

@rymai
Contributor
rymai commented Aug 31, 2011

Thanks for your prompt reply José, this solution seems good enough. I'll try to implement it this evening!

Pull request here (#1308).

@josevalim josevalim closed this Sep 1, 2011
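
The check discussed in this thread, as an added stand-alone example (not Devise's code and not the patch from the pull request): a password reset only creates a session when the account is active, and the single notice shown matches the outcome. `User`, `finish_password_reset`, the session hash and the redirect symbols are constructed for illustration; only the `active_for_authentication?` name and the message texts come from the issue.

```ruby
# Stand-alone model of the post-reset decision; not Devise's implementation.
# User, finish_password_reset and the redirect symbols are hypothetical.
User = Struct.new(:email, :confirmed_at) do
  # Same predicate name as in the thread: an unconfirmed account is inactive.
  def active_for_authentication?
    !confirmed_at.nil?
  end

  # Message text quoted in the issue for unconfirmed accounts.
  def inactive_message
    "You have to confirm your account before continuing."
  end
end

# Called after the new password has been saved successfully.
# Returns exactly one notice plus the redirect target, and writes to the
# session only when the account is allowed to authenticate.
def finish_password_reset(user, session)
  if user.active_for_authentication?
    session[:user] = user.email
    { notice: "Your password was changed successfully. You are now signed in.",
      redirect: :after_sign_in }
  else
    # Inactive account: no session, no "signed in" wording, and the reason
    # is carried in the same notice so a one-message UI still shows it.
    { notice: "Your password was changed successfully. #{user.inactive_message}",
      redirect: :sign_in_page }
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample accounts: one unconfirmed, one confirmed.
  [User.new("pending@example.test", nil),
   User.new("active@example.test", Time.now)].each do |user|
    session = {}
    result = finish_password_reset(user, session)
    puts "#{user.email}: #{result[:redirect]} session=#{session.inspect}"
    puts "  #{result[:notice]}"
  end
end
```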