Posted over 1 year ago.

Devise: Don't forget to lock users with soft delete

There are two ways to lock a user in Devise.

  1. Using the lockable module
  2. Customizing the user account status validation when logging in.

Which method works best depends on your requirements.

Locking a user on soft delete

We recommend option 2 when you want to couple the lock to the model's soft delete logic. Option 1 might also work if you set both the lock_strategy and unlock_strategy to none.

```ruby
class User < ApplicationRecord
  def active?
    !trashed?
  end

  def active_for_authentication?
    # You can also choose a different I18n key (default :inactive), if you
    # don't want to show the message "Your account is not activated yet."
    super && active?
  end
end
```

Your tests should at least cover:

  • Signed in users are logged out on the next request once they get trashed
  • Resetting the password will not allow the user to sign in again
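
The two cases above, exercised against a small plain-Ruby stand-in for the per-request account check. This is an added example, not makandra's or Devise's code: `SessionGate`, its methods and the two scenario functions are hypothetical names, and in a real application the same scenarios would be request specs against the Devise-backed `User`.

```ruby
# Constructed stand-in for the Devise/Warden flow (assumption, not Devise code):
# the session holds a user id and the account status is re-checked per request.
User = Struct.new(:id, :trashed_at, :password_digest) do
  def trashed?
    !trashed_at.nil?
  end

  # Same rule as the card's model (no Devise superclass here, hence no `super`).
  def active_for_authentication?
    !trashed?
  end
end

class SessionGate
  def initialize(users)
    @users = users.to_h { |user| [user.id, user] }
  end

  # Called after credentials (password or reset token) were already verified.
  def sign_in(session, user)
    return false unless user.active_for_authentication?
    session[:user_id] = user.id
    true
  end

  # Called on every request: a trashed user's existing session is dropped.
  def current_user(session)
    user = @users[session[:user_id]]
    return user if user&.active_for_authentication?
    session.delete(:user_id)
    nil
  end
end

# Case 1: signed in, then trashed, then the next request arrives.
def logged_out_after_trash?
  user = User.new(1)
  gate, session = SessionGate.new([user]), {}
  gate.sign_in(session, user)
  user.trashed_at = Time.now
  gate.current_user(session).nil? && !session.key?(:user_id)
end

# Case 2: a trashed user completes a password reset; sign-in must still fail.
def sign_in_blocked_after_reset?
  user = User.new(2, Time.now) # already trashed
  user.password_digest = "constructed-new-digest" # reset changes credentials only
  !SessionGate.new([user]).sign_in({}, user)
end
```
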


Posted by Emanuel De to makandra dev