Devise allows user email lookups.
This is a certain privacy issue. The problem is that if you ask for a new confirmation e-mail, you can type in any email address you want, and if it's not found in the database you get a "not found", thus enabling anyone to check if a certain email is registered.
What could be a good way to fix this? I haven't posted this to the Devise group, but I'm not sure if this is "wanted" behavior.
Offending route: /users/confirmation
It's not an option for me to disable the confirmations module of Devise. Does anyone have a good workaround to fix this?
Devise has a paranoid mode that helps you to avoid user enumeration. You can get more information on the Devise wiki:
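
Added example, not part of the original answer and not Devise's own code: paranoid mode is switched on with `config.paranoid = true` in `config/initializers/devise.rb`, and the plain-Ruby model below shows what changes for a resend-confirmation request, plus a regression check for it. The class, method names, message strings, status codes and addresses are constructed for illustration.

```ruby
require "set"

# Only what the client can observe: status code, body and flash notice.
Response = Struct.new(:status, :body, :flash)

# Constructed model of a "resend confirmation" handler (not Devise internals).
class ConfirmationResender
  UNIFORM_NOTICE = "If that address is registered, confirmation instructions will arrive shortly."

  attr_reader :outbox

  def initialize(registered_emails, paranoid:)
    @registered = registered_emails.map { |e| normalize(e) }.to_set
    @paranoid = paranoid
    @outbox = [] # stands in for the mailer queue
  end

  def call(email)
    known = @registered.include?(normalize(email))
    @outbox << normalize(email) if known # mail only goes to real accounts

    if @paranoid
      # Same status, body and notice whatever the lookup returned.
      Response.new(302, "", UNIFORM_NOTICE)
    elsif known
      Response.new(302, "", "Confirmation instructions sent.")
    else
      # Leaky branch: the error tells the caller the address is not registered.
      Response.new(422, "Email not found", nil)
    end
  end

  private

  def normalize(email)
    email.to_s.strip.downcase
  end
end

# Regression check: true when the response differs between a registered and
# an unregistered address, i.e. the endpoint can be used for lookups.
def enumerable?(resender, known_email, unknown_email)
  resender.call(known_email) != resender.call(unknown_email)
end

USERS = ["alice@example.test"].freeze # constructed sample data
```

The same comparison can be written as an integration test against the real `/users/confirmation` route, so a later configuration change that reintroduces the "not found" response fails the build.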