Using rails, devise and cancan, a signed in user can access the sign in and sign up paths
28-10-2019
Question
I'm not sure what I did, but a signed in user can access the new_user_session_path and new_user_registration_path. Usually in Devise, a user should not be allowed to access those paths. I'm using CanCan if that makes a difference. I created a new Rails application and copied over the routes and extended the registrations and sessions controller and cannot replicate the problem.
If someone could even point me in the direction of where the redirecting is done in Devise, I would appreciate it.
In the initializers/devise.rb config file, the only line added to the default file is:
config.scoped_views = true
Let me know if I can supply any other useful information. I'm using Devise (1.5.3), CanCan (1.6.7), and Rails (3.1.1).
Routes File:
    MyApp::Application.routes.draw do
      # :skip must name the Devise route modules exactly; a misspelled entry
      # (the original had :registations) is silently ignored and the default
      # routes for that module are still generated alongside the custom ones.
      devise_for :users, :controllers => { :sessions => "sessions", :registrations => "registrations" },
                         :skip => [ :sessions, :registrations ] do
        # Custom sign in / sign out routes, kept under the :user Devise scope by the block
        get    '/signin'  => 'sessions#new',     :as => :new_user_session
        post   '/signin'  => 'sessions#create',  :as => :user_session
        delete '/signout' => 'sessions#destroy', :as => :destroy_user_session

        # Custom registration routes
        get    '/signup'       => 'registrations#new',     :as => :new_user_registration
        post   '/users'        => 'registrations#create',  :as => :user_registration
        get    '/users/cancel' => 'registrations#cancel',  :as => :cancel_user_registration
        get    '/settings'     => 'registrations#edit',    :as => :edit_user_registration
        put    '/account'      => 'registrations#update'
        delete '/users'        => 'registrations#destroy'
      end

      resources :users

      match '/contact', :to => 'pages#contact'
      root :to => 'pages#contact'
    end
Extended Devise Registrations Controller
    class RegistrationsController < Devise::RegistrationsController
      # POST /resource
      def create
        build_resource
        # Application-specific attributes assigned on top of the submitted params
        resource.company = Company.find_by_code(params[:company_code])
        resource.role    = Role.find_by_name("Basic")

        if resource.save
          if resource.active_for_authentication?
            set_flash_message :notice, :signed_up if is_navigational_format?
            sign_in(resource_name, resource)
            respond_with resource, :location => after_sign_up_path_for(resource)
          else
            set_flash_message :notice, :inactive_signed_up, :reason => inactive_reason(resource) if is_navigational_format?
            expire_session_data_after_sign_in!
            respond_with resource, :location => after_inactive_sign_up_path_for(resource)
          end
        else
          clean_up_passwords resource
          respond_with resource
        end
      end
    end
Extended Devise Sessions Controller:
    class SessionsController < Devise::SessionsController
      layout "sessions"
    end
I realize that I can add some code to the controller actions or in a before filter to check for a logged in user and redirect them. Devise, however, offers the functionality and I shouldn't have to do that. I'm afraid that by doing so I may be ignoring a larger problem, perhaps with Devise's configuration.
I appreciate any help! Thank you!
Solution 2
After a lot of searching and trying, I decided to re-implement devise and it did the trick. I'm still not sure how I managed to break the functionality in the first place.
OTHER TIPS
For Devise 1.5.3; not really an answer but some pointers as to what's going on under the hood.
The filter that is used to redirect when a user is signed in is require_no_authentication.
It is already called in Devise's sessions and registrations controllers.
Since you extend these controllers and filters are inherited, you should have the behavior applied.
Some possible actions:
- add breakpoints to see if the filter is called or not
- introspect the controllers in console to see if filters get registered
- check the filter's control flow; have you tinkered with Devise.navigational_formats?
- double check the Devise version
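To make the two pointers above concrete (filters are inherited by subclassed controllers, and require_no_authentication only acts on navigational formats), here is an added, self-contained Ruby model of that behaviour. It is not Devise's code and loads no Rails: the warden object, the request format, the redirect and the filter chain are constructed stand-ins that mirror the shape of the real ones, and NAVIGATIONAL_FORMATS plays the role of Devise.navigational_formats.

```ruby
# Constructed stand-in for the part of Warden the filter consults:
# does the session already hold a user for the given scope?
class FakeWarden
  def initialize(users = {})
    @users = users
  end

  def authenticate?(scope:)
    @users.key?(scope)
  end

  def user(scope)
    @users[scope]
  end
end

# Minimal before-filter machinery with inheritance. Each class starts from a
# copy of its superclass's filter list, which is what lets a subclass inherit
# (or skip) a filter declared in Devise's own controller.
class BaseController
  def self.before_filters
    @before_filters ||= (superclass.respond_to?(:before_filters) ? superclass.before_filters.dup : [])
  end

  def self.before_filter(name)
    before_filters << name
  end

  def self.skip_before_filter(name)
    before_filters.delete(name)
  end

  attr_reader :redirected_to, :flash, :warden, :format

  def initialize(warden:, format: :html)
    @warden = warden
    @format = format
    @flash = {}
  end

  # Run the inherited filters in order; stop and report if one of them redirected.
  def process(action)
    self.class.before_filters.each do |filter|
      send(filter)
      return :redirected if redirected_to
    end
    send(action)
  end

  def redirect_to(path)
    @redirected_to = path
  end
end

# Stand-in for Devise.navigational_formats: only browser-style requests count.
NAVIGATIONAL_FORMATS = [:html].freeze

# Modelled on Devise's require_no_authentication: a navigational request from a
# user who is already signed in is redirected away from the sign in / sign up form.
# Non-navigational formats (an API call, say) are deliberately left alone.
module NoAuthenticationFilter
  def require_no_authentication
    return unless NAVIGATIONAL_FORMATS.include?(format)
    return unless warden.authenticate?(scope: :user)

    flash[:alert] = "You are already signed in."
    redirect_to "/"
  end
end

# Plays the role of Devise::SessionsController, which declares the filter itself.
class DeviseSessionsController < BaseController
  include NoAuthenticationFilter
  before_filter :require_no_authentication

  def new
    :render_sign_in_form
  end
end

# The application's subclass (like the one in the question) inherits the filter.
class SessionsController < DeviseSessionsController
end

# A subclass that skips the filter loses the redirect; this is the kind of
# accidental change worth looking for when the behaviour disappears.
class LeakySessionsController < DeviseSessionsController
  skip_before_filter :require_no_authentication
end

# Drive one request through a controller and report what happened.
def outcome(controller_class, signed_in:, format: :html)
  warden = FakeWarden.new(signed_in ? { user: "alice" } : {})
  controller_class.new(warden: warden, format: format).process(:new)
end

if __FILE__ == $0
  puts "inherited filters: #{SessionsController.before_filters.inspect}"
  puts "signed in, html:   #{outcome(SessionsController, signed_in: true)}"
  puts "signed in, json:   #{outcome(SessionsController, signed_in: true, format: :json)}"
  puts "skipped filter:    #{outcome(LeakySessionsController, signed_in: true)}"
end
```

The same introspection idea applies to the real controllers: in a Rails 3.x console, `RegistrationsController._process_action_callbacks.map(&:filter)` should (assuming the standard ActionController callback API) list `:require_no_authentication` among the registered filters; if it is absent, something between Devise's controller and the subclass has skipped it. A request whose format is not in Devise.navigational_formats is not redirected by design, which is why that setting is worth checking as well.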