Confirmation request on email change added #1120

Closed
wants to merge 6 commits into
from

4 participants

@Mandaryn
Contributor
Mandaryn commented Jun 8, 2011

This should handle the case when the user changes the email. Before, it was updated with no confirmation; now the update is pending until the user confirms the new email.

@rke
rke commented Jun 28, 2011

In this line:
... +reconfirmable+: requires any email changes to be confirmed (exctly the same way as
'exctly' should be 'exactly'

But I really have a bigger question:
If I understand the code correctly, this will not allow me to change an unconfirmed_email until it is confirmed. That seems a bit undesirable to me: if I want to change my email and I made a simple typo, why would I not be allowed to fix the typo? I would assume that just a new confirmation email would be sent out to the revised (unconfirmed) email address and I can confirm that one.

I can see that my suggestion could be used to spam, but I am checking password when I allow the user to change the email.

Would it be possible to make the 'prevent_email_change' logic optional? Or am I missing another security hole that would get introduced by this?

@rke
rke commented Jun 28, 2011

Sorry. I just got confused by the naming 'prevent_email_change'. Now I stepped through the code and it is working just how I need it.
Perhaps a better name would be 'postpone_email_change_until_confirmation'?
prevent_email_change sounds so prohibiting...

@rke
rke commented Jul 8, 2011

Hmmm, but the way the code is currently it sends confirmation emails to the old email address. For me at least the confirmations serve the purpose that I know that an email address is valid, so I would expect them to go to the new address. Perhaps also a notification to the old one, but the main concern is to confirm the new one.
Also if I change the email twice (without confirming the first change) then record.email (not unconfirmed_email) is overwritten even without an accepted confirmation email.
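
An added Ruby sketch of the flow this comment asks for (not code from this pull request or from Devise): the confirmation goes to the new address, a notice goes to the old one, and a second change replaces only the pending address. The `Account` class, its methods and the `outbox` array are hypothetical, and the addresses used with it are constructed.

```ruby
require "securerandom"
require "digest"

# Hypothetical model (not Devise's): an email change stays pending until the
# new address proves it can receive mail.
class Account
  attr_reader :email, :unconfirmed_email, :outbox

  def initialize(email)
    @email = email
    @unconfirmed_email = nil
    @token_digest = nil
    @outbox = [] # constructed stand-in for a mailer: [recipient, kind] pairs
  end

  # Request a change. Only the pending address is replaced, so a second
  # request (e.g. fixing a typo) never touches the confirmed email.
  def request_email_change(new_email)
    return nil if new_email == @email
    token = SecureRandom.urlsafe_base64(32)
    @unconfirmed_email = new_email
    # Store a digest, not the token; overwriting it invalidates earlier tokens.
    @token_digest = Digest::SHA256.hexdigest(token)
    @outbox << [new_email, :confirmation_instructions] # validates the new address
    @outbox << [@email, :email_change_notice]          # informs the current owner
    token
  end

  # Promote the pending address only when the presented token matches.
  def confirm_email_change(token)
    return false if @token_digest.nil?
    return false unless secure_eq(Digest::SHA256.hexdigest(token.to_s), @token_digest)
    @email = @unconfirmed_email
    @unconfirmed_email = @token_digest = nil
    true
  end

  private

  # Constant-time comparison of two hex digests.
  def secure_eq(a, b)
    a.bytesize == b.bytesize &&
      a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```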

@Mandaryn
Contributor
Mandaryn commented Jul 8, 2011

Shame on me, now I really wonder how the hell did I screw this so much... It's really embarrassing, will try fixing ASAP

@Mandaryn Mandaryn closed this Jul 8, 2011
@rke
rke commented Jul 15, 2011

Not at all! Your code was extremely helpful to me!
I had to hack a bit because the project I am working on was using devise 1.2.1, but you can look at my patch file for that slightly older devise version and how I got it to do what I needed. I am very busy atm so not sure that I can clean it up for a pull request myself but in case it might help I put my patch in git://gist.github.com/1083882.git
Thanks for your code!

@heimidal
Contributor

Hey Mandaryn, did you get a chance to update this code at all? I'd love to see this feature implemented.

@heimidal
Contributor

I've created a new pull request with updated code located here: #1266

@vkeziah
vkeziah commented Dec 26, 2014

I had a problem with reconfirmable. I have set up everything to go with reconfirmable, and when I change the email address it tries to send email, i.e. I could see on the rails console that devise sends email to the changed email, but the problem is I am not getting the email at all. This is only in the case of reconfirmable; in all remaining cases (signup, password recovery) I am getting the email.

I am not sure what is the (since it's not raising any errors), how to fix this?

And I checked my db, devise is setting the unconfirmed_email value too!!!
