Devise: Don't forget to lock users with soft delete
There are two ways to lock a user in devise.
It depends on your requirements which methods works best.
We recommend to use option 2 when you want to couple the lock to the model's soft delete logic. Option 1 might also work when setting both the
class User < ApplicationRecord def active? !trashed? end def active_for_authentication? # You can also choose a different I18n key (default :inactive), if you don't want to show the message "Your account is not activated yet." super && active? end end
Your tests should at least cover:
- Signed in users are logged out on the next request once they get trashed
- Resetting the password will not allow the user to sign in again