3
votes

I have a pretty standard Devise installation with both recoverable and confirmable enabled.

The thing is I need to disable password resetting if the user has not confirmed their email yet.

For example:

  • user signs up with email [email protected]
  • confirmation mail is sent
  • user goes to and resets password before confirming his email
  • reset password email should not be sent
1
I have this problem too, plus one more bad side effect. When the user does that and goes to the reset password screen, he can type any password he wants, and the two passwords don't even have to match. Strange. - Nathan B
I didn't encounter that kind of error but another one. When you do not confirm the email and you go to the link provided by your "email with password reset", you have just one shot to change it, otherwise it shows 'invalid token', but when you confirm the email, everything's fine. - sonic

1 Answer

0
votes

I know it's an old issue, but I had the same use case and solved it by overriding Devise's send_reset_password_instructions method for a User model. Here's the final version of my method:

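def self.send_reset_password_instructions(attributes = {})
  recoverable = find_or_initialize_with_errors(reset_password_keys, attributes, :not_found)

  if recoverable.persisted? && !recoverable.confirmed?
    # Known but unconfirmed account: add an error and send nothing.
    recoverable.errors.add(:email, I18n.t('devise.failure.not_verified'))
  elsif recoverable.persisted?
    # Confirmed account: normal reset flow.
    recoverable.send_reset_password_instructions
  end
  # Unknown email: the unsaved record only carries the :not_found error.
  # Calling the instance method on it would save it without validation.

  recoverable
end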

To be more specific: if a User is persisted in the database but not verified by email, add an error and omit sending the reset password email.
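Added example, not part of the original answer and not Devise's own code: a plain-Ruby stand-in that exercises the three cases of this override (unconfirmed, unknown and confirmed email) without Rails. `FakeUser`, `request_reset`, the sample addresses and the simplified `find_or_initialize_with_errors` are assumptions made for illustration.

```ruby
# Stand-in for a Devise User model (hypothetical; no Rails or Devise needed).
class FakeUser
  ACCOUNTS = {                       # constructed sample data: email => confirmed?
    "pending@example.test" => false,
    "active@example.test"  => true
  }.freeze
  DELIVERIES = []                    # addresses that were sent reset instructions

  attr_reader :email, :errors

  def initialize(email, confirmed: false, persisted: false)
    @email = email
    @confirmed = confirmed
    @persisted = persisted
    @errors = Hash.new { |hash, key| hash[key] = [] }
  end

  def persisted?; @persisted; end
  def confirmed?; @confirmed; end

  # Simplified analogue of Devise's find_or_initialize_with_errors.
  def self.find_or_initialize_with_errors(attributes)
    email = attributes[:email]
    return new(email, confirmed: ACCOUNTS[email], persisted: true) if ACCOUNTS.key?(email)
    new(email).tap { |user| user.errors[:email] << :not_found }
  end

  # Instance-level send: delivers unconditionally, so callers must guard it.
  def send_reset_password_instructions
    DELIVERIES << email
  end

  # The rule from the answer, plus a persisted? guard for unknown emails.
  def self.send_reset_password_instructions(attributes = {})
    recoverable = find_or_initialize_with_errors(attributes)
    if recoverable.persisted? && !recoverable.confirmed?
      recoverable.errors[:email] << :not_verified
    elsif recoverable.persisted?
      recoverable.send_reset_password_instructions
    end
    recoverable
  end
end

# Returns [error list, deliveries so far] for one reset request.
def request_reset(email)
  user = FakeUser.send_reset_password_instructions(email: email)
  [user.errors[:email], FakeUser::DELIVERIES.dup]
end
```

The unconfirmed and unknown cases return different errors, so a caller that shows them verbatim reveals which addresses are registered.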