Devise: Don't forget to lock users with soft delete

Emanuel
November 06, 2018
Software engineer at makandra GmbH

There are two ways to lock a user in Devise:

  1. Using the lockable module
  2. Customizing the user account status validation when logging in.

Which method works best depends on your requirements.

Locking a user on soft delete

We recommend using option 2 when you want to couple the lock to the model's soft delete logic. Option 1 might also work when setting both the lock_strategy and unlock_strategy to :none.

class User < ApplicationRecord
  def active?
    !trashed?
  end
  
  def active_for_authentication?
    # To show a message other than "Your account is not activated yet.",
    # override inactive_message to return a different I18n key (default :inactive).
    super && active?
  end  
end

Your tests should at least cover:

  • Signed in users are logged out on the next request once they get trashed
  • Resetting the password will not allow the user to sign in again
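
The two cases above, modelled in plain Ruby as an added example that is not part of the original card and is not Devise code. SessionStore is a hypothetical stand-in for the session layer which, like Devise, asks the record for active_for_authentication? at sign-in and again on every later request; the e-mail addresses and passwords are constructed sample values.

```ruby
require "securerandom"

# Stand-in for the card's User model, without Rails or Devise.
class User
  attr_reader :email
  attr_accessor :password # assigning a new value models a password reset
  def initialize(email, password); @email, @password, @trashed = email, password, false; end
  def trash!; @trashed = true; end
  def trashed?; @trashed; end
  def active?; !trashed?; end
  def active_for_authentication?; active?; end # the card uses `super && active?`
end

# Hypothetical session layer: checks the account status on sign-in and on
# every session lookup, not only when the session is created.
class SessionStore
  def initialize(users); @users, @sessions = users, {}; end
  def sign_in(email, password)
    # Plain comparison only because the status check is what is modelled here.
    user = @users.find { |u| u.email == email && u.password == password }
    return nil unless user&.active_for_authentication?
    SecureRandom.hex(16).tap { |token| @sessions[token] = user }
  end
  def current_user(token)
    user = @sessions[token]
    return user if user&.active_for_authentication?
    @sessions.delete(token) # drop the session of a trashed user
    nil
  end
end

# Case 1: a signed-in user loses the session on the next request after trashing.
def trashed_user_logged_out_on_next_request?
  user = User.new("a@example.test", "old-secret")
  store = SessionStore.new([user])
  token = store.sign_in("a@example.test", "old-secret")
  signed_in_before = store.current_user(token).equal?(user)
  user.trash!
  signed_in_before && store.current_user(token).nil?
end

# Case 2: resetting the password of a trashed user does not restore access.
def password_reset_restores_access?
  user = User.new("b@example.test", "old-secret")
  store = SessionStore.new([user])
  user.trash!
  user.password = "new-secret"
  !store.sign_in("b@example.test", "new-secret").nil?
end
```

In an application, the same two assertions belong in tests that go through the real sign-in and password-reset requests.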
Posted by Emanuel to makandra dev (2018-11-06 11:12)