Invited users are just standard user records. This means that after a user has been invited, that user can, without accepting the invitation, click the "forgot password" link and still retrieve a password reset token. This may be okay for some situations, but in most situations I've found, you need to prevent this.
You can add the following to your Devise resource model (in my case user.rb). It checks whether invitation_token has been reset (which happens when the invitation is accepted). If the user still has an invitation_token, the password reset token will not be sent, or even generated. You could extend this further and respond with an error, or raise an exception as well.
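The check described above, as an added example that is not the original author's snippet: StubRecoverable is a constructed stand-in for Devise's :recoverable module so the code runs without Rails, and the User class, the plain errors array and the error message are assumptions. In a real model only the overriding method is needed, defined in the class after the devise call.

```ruby
require "securerandom"

# Constructed stand-in for Devise's :recoverable instance method.
# Real Devise also stores a digest and emails the token; here we only
# generate and return it so the guard's effect is observable.
module StubRecoverable
  def send_reset_password_instructions
    self.reset_password_token = SecureRandom.hex(16)
    reset_password_token
  end
end

# The guard: override the recoverable method and only call super once
# the invitation has been accepted (invitation_token cleared to nil).
module BlockResetUntilInvitationAccepted
  def send_reset_password_instructions
    return super if invitation_token.nil?

    # Optional extension mentioned in the text: report an error instead
    # of silently doing nothing. A Rails model would use errors.add.
    errors << "invitation has not been accepted"
    nil
  end
end

# Hypothetical resource model with just the attributes the guard reads.
class User
  attr_accessor :invitation_token, :reset_password_token
  attr_reader :errors

  include StubRecoverable
  include BlockResetUntilInvitationAccepted # later include wins, super reaches the stub

  def initialize(invitation_token: nil)
    @invitation_token = invitation_token
    @reset_password_token = nil
    @errors = []
  end
end

if __FILE__ == $PROGRAM_NAME
  pending  = User.new(invitation_token: "constructed-invite-token")
  accepted = User.new
  puts "pending invite  -> #{pending.send_reset_password_instructions.inspect}"
  puts "accepted invite -> #{accepted.send_reset_password_instructions.inspect}"
end
```

Whatever the guard returns, the controller response to the "forgot password" form should stay the same for blocked and allowed accounts, otherwise the form reveals which addresses have pending invitations.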