TL;DR : I am trying to create a new Devise user from an admin account, but after the registration completes, the admin gets disconnected and logged in as the new user.
Here's my scenario :
Users can register on my website by entering their university login. My app checks this login against the university LDAP, and if it exists, it will duplicate the university LDAP entry on my own LDAP + create a database entry for the user on the rails app. So far this is good, and works :
I do this by overriding Devise Registration Controller
    class Student::RegistrationsController < Devise::RegistrationsController
      skip_before_filter :access_denied

      def create
        login = sign_up_params[:login]
        if already_in_our_ldap?(login)
          redirect_to root_path and return
        else
          # Ask our university LDAP
          university_ldap_entry = get_university_student(login)
          # If the entry was found on the LDAP
          if university_ldap_entry
            add_to_our_ldap(university_ldap_entry)
            # resume controller action
          else
            redirect_to new_user_registration_path and return
          end
        end

        # Rest is more or less copy paste from Devise RegistrationController
        build_resource(sign_up_params)
        resource_saved = resource.save
        yield resource if block_given?
        if resource_saved
          if resource.active_for_authentication?
            set_flash_message :notice, :signed_up if is_flashing_format?
            sign_up(resource_name, resource)
            respond_with resource, location: after_sign_up_path_for(resource)
          else
            set_flash_message :notice, :"signed_up_but_#{resource.inactive_message}" if is_flashing_format?
            expire_data_after_sign_in!
            respond_with resource, location: after_inactive_sign_up_path_for(resource)
          end
        else
          clean_up_passwords resource
          set_minimum_password_length
          respond_with resource
        end
      end
    end
In my case
An administrator must be able to register students while already connected on my website.
So, I have a view which will spawn a modal where it's possible to query the university LDAP for names, and a form which will POST the login to the above Student::RegistrationsController
...
USING AJAX
My Problem
The AJAX form works well, it successfully duplicates the university LDAP entry in our LDAP + creates the database entry
BUT
It also creates a session corresponding to that of the new user (without even asking for the password). So the admin who used the modal to register a student is disconnected from his session (and on top of that, this is done via AJAX and he won't notice he's been disconnected/reconnected as another user unless he reloads the page)
Of course, the intended behavior is that using the modal should just create the LDAP+DB entry, without changing the session.
EDIT
Actually, it also connects the user after an html/POST registration. My code is sending the password by email to the user that just registered, so I don't want the new user to be able to connect automatically just by entering a valid login =_= !
My apologies, I did not really understand the sign_up function of Devise. I thought this method was finalizing the creation of a new user record, but instead it just tries to sign_in as the newly created user. So it was enough to comment the line sign_up
I'm not a native English speaker, but I thought sign_in meant to actually connect with one's credentials while sign_up was the act of subscribing to a website (not necessarily connecting just afterwards). Am I wrong ?
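An added example, not part of the original post: the behaviour described above, modelled with a constructed stand-in for the Devise base controller so it runs without Rails. The names FakeRegistrationsController, StudentRegistrationsController and register are hypothetical; in a real app the same no-op sign_up override would go in Student::RegistrationsController, which avoids copy-pasting create.

```ruby
# Stand-in (constructed for this example) for the part of
# Devise::RegistrationsController#create that touches the session.
class FakeRegistrationsController
  attr_reader :session

  def initialize(session)
    @session = session # plain Hash standing in for the real session
  end

  # Same order as the create action in the post: build the record,
  # then call the sign_up hook.
  def create(login)
    user = { login: login }
    sign_up(:user, user)
    user
  end

  protected

  # As the post found out, sign_up simply signs the new record in.
  def sign_up(_scope, resource)
    sign_in(resource)
  end

  def sign_in(resource)
    session[:current_user] = resource[:login]
  end
end

# Hardened variant: the account is created, the caller's session is untouched.
class StudentRegistrationsController < FakeRegistrationsController
  protected

  def sign_up(_scope, _resource)
    # Intentionally empty: the student receives a password by e-mail
    # and signs in later with it.
  end
end

# Returns who the session belongs to after the registration request.
def register(controller_class, session, login)
  controller_class.new(session).create(login)
  session[:current_user]
end
```

With the base behaviour an admin session ends up belonging to the new student; with the override it still belongs to the admin, and an anonymous visitor stays anonymous.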