argh...
I set the wrong configuration in devise.rb
# ==> Configuration for :confirmable # The time you want to give your user to confirm his account. During this time # he will be able to access your application without confirming. The default is nil. # When confirm_within is zero, the user won't be able to sign in without confirming. # You can use this to let your user access some features of your application # without confirming the account, but blocking it after a certain period # (ie 2 days). config.confirm_within = 2.days # I didn't read that the user has access at this time