Devise Soft Email Confirmation

Question

I have a rails 3 application that uses Devise and the confirmable module. However, preventing newly registered users from accessing the the site until they confirm their email is causing retention problems. Instead, we would like to instantly grant access to the user and still send them a confirmation email. We would then run a background task to lock out user's who have not confirmed their email within a fixed period of time.

Is this possible with the confirmable module? Is there a way to still create an active resource (user) who hasn't confirmed their email with the confirmable module? Any general advice on implementing this?

Answer 1

I believe you can use confirm_within to specify a lockout constraint. You can enable this when you call devise_for.

http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Confirmable

Also, you can choose to constrain certain behaviors "only" to confirmed users by checking the confirmed? status of your user model. You could do this in the controller, or using CanCan, or whatever. Some tasks on your site probably don't require confirmation; you probably need this more when the user interacts with other people or can use your site to send certain notifications/emails, etc.

Answer 2

To add a litte more detail to the accepted answer. Yes, you can use confirm_within but you need to do this when you call devise not devise_for .

class User
  devise :database_authenticatable, :encryptable, :confirmable, :rememberable,      :timeoutable, :lockable,
     :stretches => 15, :pepper => 'abcdef', :confirm_within => 5.days,
     :remember_for => 7.days, :timeout_in => 15.minutes, :unlock_in => 10.days
end

The above code comes from the models test for devise

You can also set the setting in the config/initializers/devise.rb file with config.confirm_within = 10.days

Answer 3

Hmm, I think the correct flag would be allow_unconfirmed_access_for :

config.allow_unconfirmed_access_for = 5.days

confirm_within just specifies how long the emailed token is good for.

More from config/initializers/devise.rb :

# ==> Configuration for :confirmable
# A period that the user is allowed to access the website even without
# confirming his account. For instance, if set to 2.days, the user will be
# able to access the website for two days without confirming his account,
# access will be blocked just in the third day. Default is 0.days, meaning
# the user cannot access the website without confirming his account.
# config.allow_unconfirmed_access_for = 2.days

# A period that the user is allowed to confirm their account before their
# token becomes invalid. For example, if set to 3.days, the user can confirm
# their account within 3 days after the mail was sent, but on the fourth day
# their account can't be confirmed with the token any more.
# Default is nil, meaning there is no restriction on how long a user can take
# before confirming their account.
# config.confirm_within = 3.days