Devise: Don't forget to lock users with soft delete

Updated . Posted . Visible to the public. Repeats.

There are two ways to lock a user in devise Show archive.org snapshot .

  1. Using the lockable module Show archive.org snapshot
  2. Customizing Show archive.org snapshot the user account status validation when logging in.

It depends on your requirements which methods works best.

Locking a user on soft delete

We recommend to use option 2 when you want to couple the lock to the model's soft delete logic. Option 1 might also work when setting both the lock_strategy and unlock_strategy to none.

class User < ApplicationRecord
  def active?
    !trashed?
  end
  
  def active_for_authentication?
    # You can also choose a different I18n key (default :inactive), if you don't want to show the message "Your account is not activated yet."
    super && active?
  end  
end

Your tests should at least cover:

  • Signed in users are logged out on the next request once they get trashed
  • Resetting the password will not allow the user to sign in again
github.com
Emanuel
makandra.com
Say thanks2
Last edit
Michael Leimstädtner
License
Source code in this card is licensed under the MIT License.
Posted by Emanuel to makandra dev (2018-11-06 10:12)
This website uses short-lived cookies to improve usability.
or learn more