Devise: Don't forget to lock users with soft delete

There are two ways to lock a user in Devise:

  1. Using the lockable module
  2. Customizing the user account status validation when logging in.

It depends on your requirements which method works best.

Locking a user on soft delete

We recommend using option 2 when you want to couple the lock to the model's soft delete logic. Option 1 might also work when setting both the lock_strategy and unlock_strategy to none.

class User < ApplicationRecord
  def active?
    !trashed?
  end
  
  def active_for_authentication?
    # You can also choose a different I18n key (default :inactive), if you
    # don't want to show the message "Your account is not activated yet."
    super && active?
  end
end

Your tests should at least cover:

  • Signed in users are logged out on the next request once they get trashed
  • Resetting the password will not allow the user to sign in again
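The two cases above, modelled in plain Ruby as an added example (not code from the original card and not Devise's own code). FakeAuthenticatable and FakeSession are simplified stand-ins for Devise's model defaults and the Warden session, `trashed` stands in for the soft-delete flag, and :account_deleted is a hypothetical I18n key.

```ruby
# Plain-Ruby stand-ins (assumptions, not Devise code) for the two pieces involved.
module FakeAuthenticatable            # plays the role of Devise's model defaults
  def active_for_authentication?; true; end
  def inactive_message; :inactive; end
end

class User
  include FakeAuthenticatable
  attr_accessor :password, :trashed   # `trashed` stands in for the soft-delete flag

  def initialize(password); @password = password; end
  def trashed?; !!trashed; end
  def active?; !trashed?; end

  def active_for_authentication?
    super && active?
  end

  def inactive_message                # :account_deleted is a hypothetical I18n key
    active? ? super : :account_deleted
  end
end

class FakeSession                     # plays the role of the Warden session
  def initialize; @user = nil; end

  def set_user(user)                  # status is re-checked every time the user is set
    return @user = user if user.active_for_authentication?
    @user = nil                       # drop the session
    user.inactive_message
  end

  def sign_in(user, password)
    user.password == password ? set_user(user) : :invalid
  end

  def request                         # an authenticated request loads the user again
    @user ? set_user(@user) : :unauthenticated
  end

  def reset_password(user, new_password)
    user.password = new_password      # the reset itself succeeds ...
    set_user(user)                    # ... but the sign-in afterwards is still checked
  end
end
```

In a real application the same two scenarios belong in request or feature specs that go through Devise's actual sign-in and password reset flows.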
Emanuel Over 5 years ago