3

By default devise sends confirmation email to old email if an email is changed. In my case where a user is allowed to create an account via Twitter login, his initial email is blank since Twitter API does not give user's email. Later if user wants to update his email id, i want to send him confirmation email on new email id since his old email id is blank.

How can I achieve this in devise with confirmation email going to new email. I know its a security hole to send confirmation email to new email, but for now we can live with this issue .

furiabhavesh
  • 416
  • 3
  • 17
  • Rightly said, a security hole. If you end up coding it manually you could at least ensure that this only happens when the old email is blank/nil. If not, stick with sending an email address to the old email. – Kostas Rousis May 19 '14 at 07:31
  • Yes @rkon, we will ensure that it only happens when old email is blank. Any help with devise config for sending confirmation email to new email ? – furiabhavesh May 19 '14 at 07:34
  • Thoughts on asking a user for their email, when I they login via Twitter. I have the code if you want it. –  May 19 '14 at 13:57
  • Thats a good suggestion @AndrewCharlesPotterKelley. We are asking user to enter his email, but the issue is : User record has already been created in database with email => nil & unconfirmed_email => nil. When we ask for email, the confirmation email was being sent to blank email id. I have posted my implemented solution in 3rd comment of 1st answer of this question. – furiabhavesh May 20 '14 at 07:31

2 Answers2

1

I am manually calling 

@user.send_confirmation_instructions

and changed the following line in mailer :

mail(:to => user.email, :subject => "Confirm your email id")

to 

mail(:to => user.unconfirmed_email, :subject => "Confirm your email id")

There was no need to remove the confirmable module from User model

furiabhavesh
  • 416
  • 3
  • 17
0

I do not think that this is something you can achieve via configuration.

To avoid altering the source code directly (not so maintainable) I would have an observer or a before_save on my User model.

If I detected an e-mail change I would take appropriate action (taking care of what I mentioned in my comment - not sending to the new email unless the old one is blank).

On a related note, have also a look in this SO question: Devise, how to override send_confirmation_instructions. Maybe it provides a cleaner way to do what you want.

Community
  • 1
  • 1
Kostas Rousis
  • 5,918
  • 1
  • 33
  • 38
  • even if I add observer,devise does not allow me to send_confirmation_instructions to new email. When I do @user.send_confirmation_instructions(:email =>@user.unconfirmed_email), it results in "wrong number of arguments (1 for 0)" error :( – furiabhavesh May 19 '14 at 08:09
  • what about disabling devise's auto confirmation sending and trigger it yourself once the new email has been saved in your User model? – Kostas Rousis May 19 '14 at 08:11
  • I think I did it. Manually calling the @user.send_confirmation_instructions method and changing the line mail(:to => user.email, :subject => "Confirm your email id") to mail(:to => user.unconfirmed_email, :subject => "Confirm your email id") in mailer worked. I will test it once more. There was no need to remove the confirmable module from User model. – furiabhavesh May 19 '14 at 09:21