Resend confirmation instructions seems to reset the window for allow_unconfirmed_access_for


Jonathan Mason

May 29, 2014, 5:50:41 PM
to plataforma...@googlegroups.com
Hello,

It seems like resending confirmation instructions updates the timestamp that Devise uses to decide if your user's confirmation allowed unconfirmed access period has expired.

resend_confirmation_instructions:

resend_confirmation_instructions just calls send_confirmation_instructions, which eventually calls generate_confirmation_token

generate_confirmation_token:

generate_confirmation_token sets self.confirmation_sent_at = Time.now.utc and that is the field that it uses to determine if the user is past the allowed unconfirmed access period.


It seems to me this allows the user to just resend the confirmation instructions, and keep signing in indefinitely without actually confirming. Is this a bug in confirmable? Or am I missing something? My application appears to be demonstrating this behaviour, but we're on a really old version of devise, so I don't want to immediately leap to filing a bug report.

Does anyone else have any thoughts on this?

thanks,
Jon
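
The behaviour described in the post above, modelled in plain Ruby as an added example (not Devise's source and not code from this thread). `ModelUser`, `ALLOW_UNCONFIRMED_FOR`, the two `grace_open_*` methods and the timeline are assumptions made for illustration; the second check sketches one possible mitigation, measuring the window from a timestamp that a resend does not change.

```ruby
require "securerandom"

# Simplified stand-in for a confirmable user record (hypothetical class, not Devise source).
# ALLOW_UNCONFIRMED_FOR plays the role of allow_unconfirmed_access_for.
class ModelUser
  ALLOW_UNCONFIRMED_FOR = 2 * 24 * 3600 # two days in seconds (constructed value)

  attr_reader :confirmation_sent_at, :created_at, :confirmed_at

  def initialize(now)
    @created_at = now
    @confirmed_at = nil
    generate_confirmation_token(now)
  end

  # As described in the post: issuing a token also stamps confirmation_sent_at.
  def generate_confirmation_token(now)
    @confirmation_token = SecureRandom.hex(16)
    @confirmation_sent_at = now
  end

  def resend_confirmation_instructions(now)
    generate_confirmation_token(now) unless @confirmed_at
  end

  # Reported behaviour: the window is measured from confirmation_sent_at.
  def grace_open_from_sent_at?(now)
    !@confirmed_at.nil? || now <= @confirmation_sent_at + ALLOW_UNCONFIRMED_FOR
  end

  # Mitigation sketch (assumption): measure from a timestamp a resend cannot move.
  def grace_open_from_created_at?(now)
    !@confirmed_at.nil? || now <= @created_at + ALLOW_UNCONFIRMED_FOR
  end
end

# Constructed timeline: sign up, resend on day 1.5, evaluate both checks on day 3.
def demo
  day = 24 * 3600
  t0 = Time.utc(2014, 5, 29)
  user = ModelUser.new(t0)
  user.resend_confirmation_instructions(t0 + 1.5 * day)
  at_day_3 = t0 + 3 * day
  { sent_at_window: user.grace_open_from_sent_at?(at_day_3),
    created_at_window: user.grace_open_from_created_at?(at_day_3) }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```
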

Christiano

Jul 31, 2014, 10:25:21 AM
to plataforma...@googlegroups.com, jonathan...@gmail.com
Hi,

Same problem here. Did you find any solution?

Thanks in advance
Christiano