Why can I access a rodauth protected route with an unverified account? #262

pboling · 2023-12-29T18:22:23Z

pboling
Dec 29, 2023

I added this to my controller:

  before_action -> { rodauth.require_authentication }

I am logged in as a new account that hasn't been verified yet. Verification is working, but I haven't done it for this user. I am able to access the route protected by the above before action. Is this expected?

Answered by janko

Dec 29, 2023

Yes, if you're logged in, then you're able to access protected routes. You can either set create_account_autologin? to false to prevent login, or not enable the verify_account_grace_period feature.

View full answer

janko · 2023-12-29T18:54:05Z

janko
Dec 29, 2023
Maintainer

Yes, if you're logged in, then you're able to access protected routes. You can either set create_account_autologin? to false to prevent login, or not enable the verify_account_grace_period feature.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Why can I access a rodauth protected route with an unverified account? #262

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Why can I access a rodauth protected route with an unverified account? #262

pboling Dec 29, 2023

Replies: 1 comment

janko Dec 29, 2023 Maintainer

pboling
Dec 29, 2023

janko
Dec 29, 2023
Maintainer