Mind Dump, Tech And Life Blog
written by Ivan Alenko
published under license Attribution-ShareAlike 4.0 International (CC BY-SA 4.0)
posted at 18. Jun '20

Unconfirmed Access in Devise Confirmable Doesn’t Work Properly

So recently I had a problem with the confirmable module in Devise. According to the documentation, “allow_unconfirmed_access_for: the time you want to allow the user to access their account before confirming it”. But hell, it didn’t work. I was very confused and questioning my sanity.

The code is the usual Devise setup:

devise :database_authenticatable, :recoverable, :rememberable, :timeoutable, :trackable, :validatable, :confirmable, :lockable, :registerable

Long story short, on the User model there was a state called active from the aasm state machine gem, which also creates a User#active? method. And that is bad, because Devise also uses a User#active? method.

Confirmable really does allow access for an unconfirmed user. You don’t need a fancy failure_app, hacks in controller actions, authenticate_user! or warden hacks.

But if User#active? is overridden by aasm, everything is messed up and confirmable doesn’t work. You’ll see the message “You have to confirm your email address before continuing.” even when an account should be allowed unconfirmed access. I tried to change the active? method to handle aasm and Devise at the same time, and while it sort of worked, it was fragile as hell and the confirmation mailer didn’t work properly. Overriding mailer checks is a really long rabbit hole and actually not worth it. Just rename the aasm state.

And then everything works as it should.
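
The collision described above, reduced to plain Ruby as an added example (not code from this post, Devise or aasm). AuthStandIn, StateMacro, may_sign_in? and shadowed_predicates are hypothetical stand-ins, and the two-day grace period is a constructed value.

```ruby
# Stand-in for the auth library's mixin (hypothetical, not Devise's code).
# Per the post, the access decision goes through #active?.
module AuthStandIn
  GRACE = 2 * 24 * 60 * 60 # constructed grace period: 2 days in seconds

  def active?
    !confirmed_at.nil? || (Time.now - confirmation_sent_at) < GRACE
  end

  def may_sign_in?
    active?
  end
end

# Stand-in for a state-machine macro that generates a "<state>?" predicate
# per state, the way the post describes aasm creating User#active?.
module StateMacro
  def define_states(*names)
    names.each { |name| define_method("#{name}?") { state == name } }
  end

  # Defensive check: state names whose predicate would shadow an existing method.
  def shadowed_predicates(*names)
    names.select { |name| method_defined?("#{name}?") }
  end
end

Base = Struct.new(:state, :confirmed_at, :confirmation_sent_at)

class CollidingUser < Base
  include AuthStandIn
  extend StateMacro
  define_states :pending, :active # generated active? replaces the auth check
end

class RenamedUser < Base
  include AuthStandIn
  extend StateMacro
  define_states :pending, :enabled # renamed state leaves active? alone
end

def demo
  sent = Time.now - 3600 # constructed: confirmation mail sent an hour ago
  probe = Class.new(Base) { include AuthStandIn; extend StateMacro }
  { colliding: CollidingUser.new(:pending, nil, sent).may_sign_in?,
    renamed: RenamedUser.new(:pending, nil, sent).may_sign_in?,
    shadowed: probe.shadowed_predicates(:pending, :active) }
end
```

Running a check like shadowed_predicates before declaring states surfaces the clash at boot instead of as a confusing sign-in refusal.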
