Devise prevent auto sign-in after registration


TL;DR : I am trying to create a new Devise user from an admin account, but after the registration completes, the admin gets disconnected and logged in as the new user.

Here's my scenario :

Users can register on my website by entering their university login. My app checks this login against the university LDAP, and if it exists, it will duplicate the university LDAP entry on my own LDAP + create a database entry for the user on the Rails app. So far this is good, and works:

I do this by overriding Devise Registration Controller

class Student::RegistrationsController < Devise::RegistrationsController

  skip_before_filter :access_denied

  def create
    login = sign_up_params[:login]
    if already_in_our_ldap?(login) 
      redirect_to root_path and return
    else
      # Ask our university LDAP
      university_ldap_entry = get_university_student(login)
      # If the entry was found on the LDAP
      if university_ldap_entry
        add_to_our_ldap(university_ldap_entry)
        # resume controller action
      else
        redirect_to new_user_registration_path and return
      end
    end

    # Rest is more or less copy paste from Devise RegistrationController
    build_resource(sign_up_params)
    resource_saved = resource.save
    yield resource if block_given?
    if resource_saved
      if resource.active_for_authentication?
        set_flash_message :notice, :signed_up if is_flashing_format?
        sign_up(resource_name, resource)
        respond_with resource, location: after_sign_up_path_for(resource)
      else
        set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_flashing_format?
        expire_data_after_sign_in!
        respond_with resource, location: after_inactive_sign_up_path_for(resource)
      end
    else
      clean_up_passwords resource
      set_minimum_password_length
      respond_with resource
    end
  end
end

In my case

An administrator must be able to register students while already connected on my website.

So, I have a view which will spawn a modal where it's possible to query the university LDAP for names, and a form which will POST the login to the above Student::RegistrationsController...

USING AJAX

My Problem

The AJAX form works well: it successfully duplicates the university LDAP entry in our LDAP + creates the database entry

BUT

It also creates a session corresponding to that of the new user (without even asking for the password). So the admin who used the modal to register a student is disconnected from his session (and on top of that, this is done via AJAX and he won't notice he's been disconnected/reconnected as another user unless he reloads the page)

Of course, the intended behavior is that using the modal should just create the LDAP+DB entry, without changing the session.

EDIT

Actually, it also connects the user after an HTML/POST registration. My code is sending the password by email to the user that just registered, so I don't want a new user to be able to connect automatically just by entering a valid login =_= !

Cyril Duchon-Doris On BEST ANSWER

My apologies, I did not really understand the sign_up function of Devise. I thought this method was finalizing the creation of a new user record, but instead it just tries to sign_in as the newly created user.

So it was enough to comment out the sign_up line.

I'm not a native English speaker, but I thought sign_in meant to actually connect with one's credentials while sign_up was the act of subscribing to a website (not necessarily connecting just afterwards). Am I wrong?
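
The behaviour described in this answer, as an added example that is not part of the original post and is not Devise's code: a plain-Ruby model of a registration flow whose sign_up hook signs the new account into the session, next to a subclass that overrides the hook so the session is left alone. The class names, the session hash and the helper session_user_after_registration are assumptions made for this example. In a real application the same override would go in Student::RegistrationsController.

```ruby
# Plain-Ruby model, constructed for this example. It reproduces only the piece
# of the flow at issue: after saving the record, #create calls #sign_up, and
# #sign_up signs the new account in, replacing whoever was in the session.
class ModelRegistrationsController
  attr_reader :session, :created

  def initialize(session)
    @session = session # stands in for the authenticated session
    @created = []      # stands in for the users table
  end

  def current_user
    session[:user]
  end

  def sign_in(_scope, resource)
    session[:user] = resource
  end

  # Registration hook: by default, log in as the account just created.
  def sign_up(scope, resource)
    sign_in(scope, resource)
  end

  def create(login)
    created << login
    sign_up(:user, login)
    current_user
  end
end

# Hardened variant: override the hook rather than editing a copied #create.
class StudentRegistrations < ModelRegistrationsController
  # The record is still created, but no session is opened for it. An admin
  # keeps their own session; a visitor must log in with the e-mailed password.
  def sign_up(_scope, _resource)
    nil
  end
end

# Returns [user left in the session, logins created] after one registration.
def session_user_after_registration(controller_class, signed_in_as, new_login)
  session = { user: signed_in_as }
  controller = controller_class.new(session)
  controller.create(new_login)
  [session[:user], controller.created]
end
```

The three cases worth keeping as regression checks are: an admin registering a student, the same request with the hook overridden, and an anonymous visitor registering with the hook overridden.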