Do not automatically login after password reset, as it would circumvent two-factor auth (if enabled)

Do not require e-mail address changes to be re-confirmed, it's only trouble for no real benefit
author: Eugen Rochko <eugen@zeonfederated.com> 2017-01-27 20:34:22 +0100
committer: Eugen Rochko <eugen@zeonfederated.com> 2017-01-27 20:35:16 +0100
commit: 76e970c856da5a04ada00ce2c540e5eed57aed50 (patch)
tree: c0edfb3bc5df320094af7ebab437a339bcf5a1e6 /config/initializers/devise.rb
parent: ba192f12e381842c90df0fab2fcb1a23cae97fc4 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index 5eba34aa5..ede6640bb 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -126,7 +126,7 @@ Devise.setup do |config|
   # initial account confirmation) to be applied. Requires additional unconfirmed_email
   # db field (see migrations). Until confirmed, new email is stored in
   # unconfirmed_email column, and copied to email column on successful confirmation.
-  config.reconfirmable = true
+  config.reconfirmable = false
 
   # Defines which key will be used when confirming an account
   # config.confirmation_keys = [:email]
@@ -197,7 +197,7 @@ Devise.setup do |config|
 
   # When set to false, does not sign a user in automatically after their password is
   # reset. Defaults to true, so a user is signed in automatically after a reset.
-  # config.sign_in_after_reset_password = true
+  config.sign_in_after_reset_password = false
 
   # ==> Configuration for :encryptable
   # Allow you to use another encryption algorithm besides bcrypt (default). You can use
author	Eugen Rochko <eugen@zeonfederated.com>	2017-01-27 20:34:22 +0100
committer	Eugen Rochko <eugen@zeonfederated.com>	2017-01-27 20:35:16 +0100
commit	76e970c856da5a04ada00ce2c540e5eed57aed50 (patch)
tree	c0edfb3bc5df320094af7ebab437a339bcf5a1e6 /config/initializers/devise.rb
parent	ba192f12e381842c90df0fab2fcb1a23cae97fc4 (diff)