Disallow new users from OAuth signup if `allow_single_sign_on` is disabled

Because Devise will trigger a save, allowing unsaved users to log in, behaviour had changed.
The current implementation returns a pre-built user, which can be saved without errors.

Reported in #1677
parent 05922e71
...@@ -54,11 +54,15 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController ...@@ -54,11 +54,15 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
@user.save @user.save
end end
if @user.valid? # Only allow properly saved users to login.
if @user.persisted? && @user.valid?
sign_in_and_redirect(@user.gl_user) sign_in_and_redirect(@user.gl_user)
else elsif @user.gl_user.errors.any?
error_message = @user.gl_user.errors.map{ |attribute, message| "#{attribute} #{message}" }.join(", ") error_message = @user.gl_user.errors.map{ |attribute, message| "#{attribute} #{message}" }.join(", ")
redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return
else
flash[:notice] = "There's no such user!"
redirect_to new_user_session_path
end end
end end
end end
......
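Review bot: The new final `else` branch ends with `redirect_to new_user_session_path` without the `and return` that the `elsif` branch uses on its redirect, so the two rejection paths behave differently if any code follows this conditional in the action; make them consistent. The rejection now depends only on `@user.persisted?` being false, and the comment "Only allow properly saved users to login." does not say why a user would be unsaved at this point, so it is worth naming the `allow_single_sign_on` setting there. The branches also call `@user.valid?` but read errors from `@user.gl_user.errors`; if those can disagree, an invalid user with no `gl_user` errors falls through to "There's no such user!", which would be misleading. A controller spec covering an unknown OAuth identity with the setting disabled, asserting that no session is created and the redirect goes to the sign-in page, would keep this from regressing.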