Disabling devise recoverable, if invitation was not accepted

gitt edited this page Dec 23, 2011 · 1 revision

Invited users are just standard user records. This means that an invited user who has not accepted the invitation can still click the "forgot password" link and retrieve a password reset token. This may be okay for some situations, but in most situations I've found, you need to prevent this.

You can add the following to your Devise resource model (in my case user.rb). It checks whether invitation_token has been reset (which is done by accepting the invitation). If the user still has an invitation_token, the password reset token will not be sent, or even generated. You could extend this further and respond with an error or raise an exception as well.

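# Overrides Devise's Recoverable instance method: only generate and send a
# reset token once the invitation has been accepted (invitation_token is nil).
def send_reset_password_instructions
  super if invitation_token.nil?
end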
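
The guard above, extended to record an error as the last sentence suggests. This is an added example, not code from the original page or from Devise; `RecoverableStandIn`, the `User` class, the error text and `demo` are hypothetical stand-ins so that it runs without Rails.

```ruby
require "securerandom"

# Stand-in for Devise's Recoverable (assumption: simplified so this runs
# without Rails; it only sets a token and records a "sent" mail).
module RecoverableStandIn
  def send_reset_password_instructions
    self.reset_password_token = SecureRandom.hex(16)
    deliveries << [:reset_password_instructions, email]
    reset_password_token
  end
end

# Constructed model; invitation_token and reset_password_token mirror the
# column names used by devise_invitable and Devise.
class User
  include RecoverableStandIn
  attr_accessor :email, :invitation_token, :reset_password_token
  attr_reader :errors, :deliveries

  def initialize(email:, invitation_token: nil)
    @email = email
    @invitation_token = invitation_token
    @errors = []
    @deliveries = [] # stand-in for the mailer
  end

  # The page's guard, extended to record an error instead of returning nil.
  def send_reset_password_instructions
    unless invitation_token.nil?
      errors << "invitation has not been accepted"
      return false
    end
    super
  end

  # Stand-in for accepting the invitation, which resets invitation_token.
  def accept_invitation!
    self.invitation_token = nil
  end
end

# Runs both cases on one constructed user and returns what happened.
def demo
  invitee = User.new(email: "invitee@example.test", invitation_token: "constructed")
  blocked = invitee.send_reset_password_instructions
  before = [blocked, invitee.reset_password_token, invitee.deliveries.size, invitee.errors.dup]
  invitee.accept_invitation!
  token = invitee.send_reset_password_instructions
  { before: before, token: token, deliveries: invitee.deliveries.size }
end
```

Showing this error on the public "forgot password" form tells the requester that the address has a pending invitation, so consider logging it server-side and keeping the visible response the same for every address.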