aardvarkk

Reputation: 15996

Don't allow a user to change email address using devise with Rails

I'm using devise to allow users to log in to a site. The authentication key is set to a username, which is to be unique. Also to be unique is the email address provided. It seems that somehow devise has already figured out that the email address should be unique. So that's good.

Now I want to let people change their passwords. I link over to my edit_user_registration_path, but notice that the user is allowed to change their email address. One option is to set reconfirmable to false... but I don't think I want to allow users to change their email addresses at all.

I think I could just remove the field from the devise view, but theoretically a carefully crafted PUT method could still let them change their email address. Is there a way to stop this field from being mutable? Or is it better to just let the email address be reconfirmable?

Upvotes: 1

Views: 1551

Answers (2)

aardvarkk

Reputation: 15996

In my case, the "answer" was to simply allow people to edit their email addresses. There are enough use cases in which somebody could legitimately want to change their email address that I figured there was no harm in trying to stop it.

Upvotes: 1

varatis

Reputation: 14750

See http://trak3r.blogspot.com/2007/03/immutable-activerecord-attributes.html

So

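# Goes inside the application's existing User model.
class User
  # Override the attribute writer so email can be set only before the first save.
  def email=(address)
    if new_record?
      write_attribute(:email, address)
    else
      # Any later assignment, including a hand-crafted update request, raises.
      raise 'email is immutable!'
    end
  end
end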

Upvotes: 1
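The concern in the question (a crafted PUT that still carries an email field after the input is removed from the view) can be handled at two layers, shown here as an added example that is not part of the original answers. It is a plain-Ruby stand-in that runs without Rails or Devise; `Account`, `update_account`, `UPDATABLE_KEYS` and `ImmutableAttributeError` are hypothetical names, and the request data is constructed.

```ruby
# Plain-Ruby stand-in for the model and the account-update action
# (assumption: all class, method and constant names here are hypothetical).
class ImmutableAttributeError < StandardError; end

class Account
  attr_reader :email
  attr_accessor :password

  def initialize(email:, password:)
    @persisted = false
    self.email = email
    self.password = password
  end

  def new_record?
    !@persisted
  end

  def save
    @persisted = true
    self
  end

  # Model-level guard: writable until the first save. Afterwards the same
  # value is accepted as a no-op (forms often re-submit it); a change raises.
  def email=(address)
    return if address == @email
    raise ImmutableAttributeError, 'email is immutable!' unless new_record?

    @email = address
  end
end

# Request-level guard: only allowlisted keys ever reach a setter.
UPDATABLE_KEYS = %w[password].freeze

# Applies the allowed keys and returns the rejected ones so they can be logged.
def update_account(account, raw_params)
  allowed, rejected = raw_params.partition { |key, _| UPDATABLE_KEYS.include?(key.to_s) }
  allowed.each { |key, value| account.public_send("#{key}=", value) }
  rejected.map { |key, _| key.to_s }
end

# Constructed sample: a hand-crafted update body that smuggles in an email field.
account = Account.new(email: 'owner@example.test', password: 'old-secret').save
crafted = { 'email' => 'other@example.test', 'password' => 'new-secret' }
puts "rejected keys: #{update_account(account, crafted).inspect}"
puts "email is still #{account.email}"
```

The allowlist drops the field before it reaches the model, and the setter is the backstop if some other code path assigns email directly.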
