
Allow devise password reset only after email confirmation

I have a pretty standard devise installation with both recoverable and confirmable enabled.

The thing is I need to disable password resetting if the user has not confirmed their email yet.

For example:

  • user signs up with email [email protected]
  • confirmation mail is sent
  • user goes to and resets password before confirming his email
  • reset password email should not be sent
beugisma asked Feb 04 '26 19:02


1 Answer

I know it's an old issue, but I had the same use case and solved it by overriding Devise's send_reset_password_instructions method for a User model. Here's the final version of my method:

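def self.send_reset_password_instructions(attributes = {})
  # Look the user up by the configured reset keys; an unknown address
  # yields a new, unsaved record carrying a :not_found error.
  recoverable = find_or_initialize_with_errors(reset_password_keys, attributes, :not_found)

  if recoverable.persisted? && !recoverable.confirmed?
    # Known but unconfirmed account: add an error and send no reset email.
    recoverable.errors.add(:email, I18n.t('devise.failure.not_verified'))
  elsif recoverable.persisted?
    # Confirmed account: send the reset instructions as usual.
    # (A record that was not found is never saved or mailed.)
    recoverable.send_reset_password_instructions
  end

  recoverable
end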

To be more specific: if a User is persisted in the database but not verified by email, add an error and omit sending the reset password email.

Arsen answered Feb 06 '26 12:02
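A plain-Ruby model of the three cases this override has to handle (unknown address, unconfirmed account, confirmed account), added here as an example and not part of the original answer or of Devise. `FakeUser`, `STORE`, `OUTBOX` and `demo` are hypothetical stand-ins so it runs without Rails; the sample addresses are constructed.

```ruby
# Constructed stand-in for a Devise model: FakeUser, STORE, OUTBOX and demo are
# hypothetical; only the method names mirror the ones used in the answer.
class FakeUser
  STORE  = {} # email => FakeUser, plays the role of the users table
  OUTBOX = [] # addresses that were sent a reset mail
  attr_reader :email, :errors

  def initialize(email, confirmed: false)
    @email, @confirmed, @errors = email, confirmed, []
  end

  def confirmed?
    @confirmed
  end

  def persisted?
    STORE[email].equal?(self)
  end

  def save
    STORE[email] = self
  end

  # Devise's instance method stores the reset token on the record, then mails.
  def send_reset_password_instructions
    save
    OUTBOX << email
  end

  # Class-level gate: mail only users that exist AND are confirmed.
  def self.send_reset_password_instructions(attributes = {})
    user = STORE[attributes[:email]] || new(attributes[:email])
    if !user.persisted?
      user.errors << :not_found    # unknown address: write nothing, send nothing
    elsif !user.confirmed?
      user.errors << :not_verified # known but unconfirmed: no reset mail
    else
      user.send_reset_password_instructions
    end
    user
  end
end

# Constructed sample data: one confirmed account, one unconfirmed account.
def demo
  FakeUser.new("confirmed@example.test", confirmed: true).save
  FakeUser.new("pending@example.test").save
  %w[unknown@example.test pending@example.test confirmed@example.test]
    .map { |e| [e, FakeUser.send_reset_password_instructions(email: e).errors] }
end
```

In a real app the same three cases belong in a model or request spec, asserting on the delivered mail count and on the user count so that a reset request for an unknown address never creates a row.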