Disallow new users from Oauth signup if `allow_single_sign_on` is disabled

Because devise will trigger a save, allowing unsaved users to login, behaviour had changed. The current implementation returns a pre-build user, which can be saved without errors. Reported in #1677

Disallow new users from Oauth signup if `allow_single_sign_on` is disabled
Because devise will trigger a save, allowing unsaved users to login, behaviour had changed. The current implementation returns a pre-build user, which can be saved without errors. Reported in #1677
92c184a5 · Jan-Willem van der Meer · 05922e71 · 92c184a5
Commit 92c184a5 authored Oct 16, 2014 by Jan-Willem van der Meer
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 2 deletions

app/controllers/omniauth_callbacks_controller.rb app/controllers/omniauth_callbacks_controller.rb +6 -2

No files found.
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -54,11 +54,15 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
        @user.save
      end

-      if @user.valid?
+      # Only allow properly saved users to login.
+      if @user.persisted? && @user.valid?
        sign_in_and_redirect(@user.gl_user)
-      else
+      elsif @user.gl_user.errors.any?
        error_message = @user.gl_user.errors.map{ |attribute, message| "#{attribute} #{message}" }.join(", ")
        redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return
+      else
+        flash[:notice] = "There's no such user!"
+        redirect_to new_user_session_path
      end
    end
  end