Password reset allows user to bypass confirmable

[dchersey]

In passwords_controller.rb, the following code:

        # ensure that user is confirmed
        @resource.skip_confirmation! if @resource.devise_modules.include?(:confirmable) && !@resource.confirmed_at

actually sets the confirmed_at property of a resource if the resource has not been confirmed.

This effectively allows the user to bypass email confirmation by resetting their password.

I'd like to remove this line, so that the user IS able to change their password with the reset link but will not be able to log in until they confirm the email.

Thoughts?

[cars10]

Why would you? There is no security issure there. If the user can change the password then he can access his email account and that means that he is able to confirm the account.

[dchersey]

But the email is passed as a parameter for reset; it could be different
than the one used for userid.

On Thu, Mar 31, 2016 at 4:07 PM Carsten [email protected] wrote:

Why would you? There is no security issure there. If the user can change
the password then he can access his email account and that means that he is
able to confirm the account.

—
You are receiving this because you authored the thread.
Reply to this email directly or view it on GitHub
#590 (comment)

[dchersey]

Also, the comment seems to communicate the correct intention but the code actually does the opposite.

[midnight-wonderer]

But in which case the email for password resetting is different than the user id?

[zachfeldman]

Seems like a nonissue from the discussion so far, so I'm closing for now.