From 0bf8c1b5d873aa00b31810f3ac02d49690ce38da Mon Sep 17 00:00:00 2001 From: Eugen Rochko Date: Fri, 27 Jan 2017 20:34:22 +0100 Subject: [PATCH] Do not automatically login after password reset, as it would circumvent two-factor auth (if enabled) Do not require e-mail address changes to be re-confirmed, it's only trouble for no real benefit --- config/initializers/devise.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb index 5eba34aa57..ede6640bb8 100644 --- a/config/initializers/devise.rb +++ b/config/initializers/devise.rb @@ -126,7 +126,7 @@ Devise.setup do |config| # initial account confirmation) to be applied. Requires additional unconfirmed_email # db field (see migrations). Until confirmed, new email is stored in # unconfirmed_email column, and copied to email column on successful confirmation. - config.reconfirmable = true + config.reconfirmable = false # Defines which key will be used when confirming an account # config.confirmation_keys = [:email] @@ -197,7 +197,7 @@ Devise.setup do |config| # When set to false, does not sign a user in automatically after their password is # reset. Defaults to true, so a user is signed in automatically after a reset. - # config.sign_in_after_reset_password = true + config.sign_in_after_reset_password = false # ==> Configuration for :encryptable # Allow you to use another encryption algorithm besides bcrypt (default). You can use