Ensure inactive user cannot sign in.

lib/devise.rb

@@ -26,8 +26,19 @@ module Devise
     autoload :MongoMapper, 'devise/orm/mongo_mapper'
   end
 
-  ALL = [:authenticatable, :activatable, :confirmable, :recoverable,
-         :rememberable, :validatable, :trackable, :timeoutable, :lockable, :token_authenticatable]
+  ALL = []
+
+  # Authentication ones first
+  ALL.push :authenticatable, :token_authenticatable, :rememberable
+
+  # Misc after
+  ALL.push :recoverable, :validatable
+
+  # The ones which can sign out after
+  ALL.push :activatable, :confirmable, :lockable, :timeoutable
+
+  # Stats for last, so we make sure the user is really signed in
+  ALL.push :trackable
 
   # Maps controller names to devise modules
   CONTROLLERS = {

test/integration/recoverable_test.rb

@@ -128,4 +128,14 @@ class PasswordTest < ActionController::IntegrationTest
 
     assert warden.authenticated?(:user)
   end
+
+  test 'does not sign in user automatically after changing it\'s password if it\'s not active' do
+    user = create_user(:confirm => false)
+    request_forgot_password
+    reset_password :reset_password_token => user.reload.reset_password_token
+
+    assert_redirected_to new_user_session_path(:unconfirmed => true)
+    assert !warden.authenticated?(:user)
+  end
+
 end