Wednesday, December 31, 2014

How does disabling sign in upon confirmation make devise any more secure?

Referencing reasons given in this question

http://ift.tt/1B9QBbA

Devise does not allow the immediate sign-in of a user that has clicked their confirmation email, the idea being that maybe a malicious user has access to their email, or that they mistyped their email address.

If a user has access to the email that is authorized to use the account, then what prevents them from using the reset password function to completely hijack the account? Why would we bother trying to protect a user's email account when it is entirely beyond our control?

Are there any ways in which this actually makes the Devise authentication framework safer, and not just less convenient for an already unlikely malicious user?
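To make the flows the question contrasts concrete, here is a toy model added as an editorial example. It is not Devise's code and not part of the original post; the class and method names are assumptions, and the plain SHA-256 digest stands in for the bcrypt hashing a real application would use. Confirming a token proves control of the mailbox and marks the e-mail confirmed, but it does not create a session; a session still requires the password. The reset flow also proves mailbox control, but it replaces the password, so the old credential stops working rather than the account being silently shared.

```ruby
require 'securerandom'
require 'digest'

# Toy "confirmable" account store (added example, not Devise's implementation).
# Hashing is plain SHA-256 only to keep the example self-contained.
class AccountStore
  Account = Struct.new(:email, :password_digest, :confirmed,
                       :confirmation_token, :reset_token)

  def initialize
    @accounts = {}   # email => Account
    @sessions = {}   # session id => email
  end

  def digest(password)
    Digest::SHA256.hexdigest(password)
  end

  # Registration creates an unconfirmed account and returns the token that
  # would be e-mailed to the given address (which may have been mistyped).
  def register(email, password)
    token = SecureRandom.hex(16)
    @accounts[email] = Account.new(email, digest(password), false, token, nil)
    token
  end

  # Confirmation marks the address as reachable. It deliberately creates no
  # session: whoever clicked the link is not signed in as the registrant.
  def confirm(token)
    account = @accounts.values.find { |a| a.confirmation_token == token }
    return false unless account
    account.confirmed = true
    account.confirmation_token = nil   # single use
    true
  end

  # Signing in requires a confirmed address AND the password.
  def sign_in(email, password)
    account = @accounts[email]
    return nil unless account && account.confirmed &&
                      account.password_digest == digest(password)
    session_id = SecureRandom.hex(16)
    @sessions[session_id] = email
    session_id
  end

  # Reset also proves mailbox control, but it changes the password instead
  # of granting a session, so the previous password stops working.
  def request_reset(email)
    account = @accounts[email]
    return nil unless account
    account.reset_token = SecureRandom.hex(16)
  end

  def reset_password(token, new_password)
    account = @accounts.values.find { |a| a.reset_token && a.reset_token == token }
    return false unless account
    account.password_digest = digest(new_password)
    account.reset_token = nil   # single use
    true
  end

  def session_owner(session_id)
    @sessions[session_id]
  end
end
```

Running through it: register, confirm, and note that confirmation alone yields no session; then reset the password and observe that the original password no longer signs in.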