Do not automatically login after password reset, as it would circumvent two-factor auth (if enabled)

Do not require e-mail address changes to be re-confirmed, it's only trouble for no real benefit
7 years ago · 76e970c856
parent ba192f12e3
commit 76e970c856
1 changed files with 2 additions and 2 deletions
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@ -126,7 +126,7 @@ Devise.setup do |config|
  # initial account confirmation) to be applied. Requires additional unconfirmed_email
  # db field (see migrations). Until confirmed, new email is stored in
  # unconfirmed_email column, and copied to email column on successful confirmation.
-  config.reconfirmable = true
+  config.reconfirmable = false

  # Defines which key will be used when confirming an account
  # config.confirmation_keys = [:email]
@ -197,7 +197,7 @@ Devise.setup do |config|

  # When set to false, does not sign a user in automatically after their password is
  # reset. Defaults to true, so a user is signed in automatically after a reset.
-  # config.sign_in_after_reset_password = true
+  config.sign_in_after_reset_password = false

  # ==> Configuration for :encryptable
  # Allow you to use another encryption algorithm besides bcrypt (default). You can use