Remove registerable strategy from our generated Devise User model #360

Open
joshmcarthur opened this issue Sep 15, 2022 · 5 comments

@joshmcarthur
Contributor

In nearly all of our apps, we don't have open registrations the way Devise adds by default. This means that unless a developer specifically disables or removes this strategy, we risk leaving registrations open when we do not intend to.

A safer default would be to disable this strategy by commenting it out. Those apps that need registration can simply re-add it, as they would for any other disabled-by-default strategy. The bulk of our apps that do not need it will not have it enabled.

@eoinkelly
Contributor

I also think the comment should mention that if you do turn on :registerable then you should also turn on :confirmable

@eoinkelly
Contributor

If we disable the :registerable module, we lose the UI that allows users to edit their email and password i.e.

[Screenshot: CleanShot 2022-09-18 at 14 34 13]

The options I see are

  1. Disable the module and create that view ourselves in the devise variant.
  2. Just disable the registration routes e.g.
    # config/routes.rb
    devise_for :users, skip: [:registrations] 

Thoughts? cc @joshmcarthur

@joshmcarthur
Contributor Author

@eoinkelly for a client project where this came up, I disabled the registration routes and removed the registerable strategy from the model, then added my own routes wrapped in as :user that pointed to Devise::RegistrationsController#edit, update (actually I added my own controller that inherited from that, but same thing essentially).

That feels like something we could quite easily make the default?

@eoinkelly
Contributor

@joshmcarthur What does that buy us over just disabling the routes?

@eoinkelly
Contributor

We want to use devise code to handle password changing etc.

We have decided to implement this using @joshmcarthur's suggestion above:

> I disabled the registration routes and removed the registerable strategy from the model, then added my own routes wrapped in as :user that pointed to Devise::RegistrationsController#edit, update
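
A static check for the risk discussed in this thread, as an added example that is not part of the issue or the project's code: it reads a model and a routes file and reports when Devise sign-up is reachable, and when it is reachable without :confirmable. The helper names and sample sources are constructed for illustration, and the check relies on Devise only drawing registration routes when the model includes :registerable.

```ruby
# Added example. Sample sources are constructed, not taken from a real app.
DEFAULT_MODEL = <<~'RUBY'
  class User < ApplicationRecord
    # Others available are: :confirmable, :lockable
    devise :database_authenticatable, :registerable,
           :recoverable, :rememberable, :validatable
  end
RUBY
HARDENED_MODEL = <<~'RUBY'
  class User < ApplicationRecord
    devise :database_authenticatable, # :registerable,
           :recoverable, :rememberable, :validatable
  end
RUBY
DEFAULT_ROUTES = "devise_for :users\n"
SKIPPED_ROUTES = "devise_for :users, skip: [:registrations]\n"

# Naive comment stripping ('#' to end of line), enough for these two files.
def strip_comments(src)
  src.lines.map { |line| line.sub(/#.*/, "") }.join
end

# Module symbols passed to the `devise` macro in a model file.
def devise_modules(model_src)
  list = strip_comments(model_src)[/^\s*devise\s+((?::\w+\s*,\s*)*:\w+)/, 1]
  list.to_s.scan(/:(\w+)/).flatten.map(&:to_sym)
end

# True when devise_for is present for the scope and does not skip registrations.
def registration_routes?(routes_src, scope = :users)
  call = strip_comments(routes_src)[/devise_for\s+:#{scope}\b(.*)$/, 1]
  return false if call.nil? # no devise_for, so no Devise routes at all
  skipped = call[/skip:\s*(\[[^\]]*\]|:\w+)/, 1].to_s.scan(/:(\w+)/).flatten
  !skipped.include?("registrations")
end

# Findings for one model/routes pair.
def audit(model_src, routes_src)
  mods = devise_modules(model_src)
  return [] unless mods.include?(:registerable) && registration_routes?(routes_src)
  findings = [:open_registration]
  findings << :registerable_without_confirmable unless mods.include?(:confirmable)
  findings
end

puts audit(DEFAULT_MODEL, DEFAULT_ROUTES).inspect
puts audit(DEFAULT_MODEL, SKIPPED_ROUTES).inspect
puts audit(HARDENED_MODEL, DEFAULT_ROUTES).inspect
```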
