How to stop soft deleted user's login with Devise

小鲜肉 2021-01-12 16:54

I currently use Devise for user registration/authentication in a Rails project. When a user wants to cancel their account, the user object is soft deleted in a way like the

3 Answers
  • 2021-01-12 17:04

    I haven't tried anything like that but it seems if you want to catch the user before authentication you'll either have to write a Devise authentication strategy or a before_filter to be run before authenticate_user!. Something like:

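    # Runs before authenticate_user! (named before_action on Rails 4 and later).
    before_filter :no_deleted_users

    def no_deleted_users
      # Devise posts the sign-in form as params[:user][:email]; look up by email, not by id.
      user = User.find_by(email: params[:user] && params[:user][:email])
      if user && user.deleted?
        redirect_to root_path, :flash => { :error => "Your user was deleted.  You cannot log in." }
      end
    end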
    

    Although it might be more complex to get the user than that. I haven't played with Devise pre-authentication.

  • 2021-01-12 17:08

    To stop a user that has been 'soft deleted', the best way is to overwrite the find_for_authentication class method on the user model. Such as:

    class User < ActiveRecord::Base
      # Devise calls this to look up the record at sign-in; soft-deleted rows are filtered out.
      def self.find_for_authentication(conditions)
        super(conditions.merge(:deleted_flag => false))
      end
    end


    This will generate an invalid email or password flash message by Devise (because it cannot find the user to authenticate).

    As far as your second question though, you'll need some form of method in your controller to add a particular flash message. However, in my opinion you should treat users that are 'soft' deleted the same as if they didn't exist in the database at all. Thus if they tried to log in, they should just get an invalid email or password message.

  • 2021-01-12 17:19

    See my solution here: https://stackoverflow.com/a/24365051/556388 Basically you need to override the active_for_authentication? method on the devise model (User).

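An added example (not taken from any of the answers or from Devise's source) of the `active_for_authentication?` override the last answer names, paired with `inactive_message`. The `AuthenticatableDefaults` module and `sign_in` function are constructed stand-ins so the code runs without Rails; the `deleted_at` column and the `:deleted_account` message key are assumptions.

```ruby
# Stand-in for the two hooks Devise defines on an authenticatable model.
# Constructed for this example so it runs without Rails or Devise.
module AuthenticatableDefaults
  def active_for_authentication?
    true
  end

  def inactive_message
    :inactive
  end
end

# Hypothetical model: deleted_at is an assumed soft-delete column.
User = Struct.new(:email, :password, :deleted_at) do
  include AuthenticatableDefaults

  # Refuse sign-in once the row is soft deleted; Devise re-checks this
  # hook on later requests too, so existing sessions are ended as well.
  def active_for_authentication?
    super && deleted_at.nil?
  end

  # Devise looks this symbol up under devise.failure.* in the locale file.
  def inactive_message
    deleted_at.nil? ? super : :deleted_account
  end
end

# Simplified sign-in, in the order Devise applies its checks:
# lookup, then password, then active_for_authentication?.
def sign_in(users, email, password)
  user = users.find { |u| u.email == email }
  return :invalid if user.nil? || user.password != password
  return user.inactive_message unless user.active_for_authentication?
  :ok
end

# Constructed sample records (plaintext passwords only to keep this short).
USERS = [
  User.new("active@example.test", "s3cret", nil),
  User.new("gone@example.test", "hunter2", Time.at(0))
].freeze
```

Because the active check runs after the password check, the account-specific message is returned only to a caller who supplied the correct password; a wrong password on a soft-deleted account yields the same `:invalid` as an unknown address.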