Question

I m not sure what I did, but a signed in user can access the new_user_session_path and new_user_registration_path. Usually in devise, a user should not be allowed to access those paths. I m using cancan if the makes a difference. I created a new rails application and copied over the routes and extended the registrations and sessions controller and cannot replicate the problem.

如果有人甚至可以向我指出在Devise进行改道的方向,我将不胜感激。

在最初的准备者/开发者.rb config档案中,在缺省档案中增加的唯一线是:

config.scoped_views = true

Let me know if I can supply any other useful information. I m using Devise (1.5.3), CanCan (1.6.7), and Rails (3.1.1)

航道:

MyApp::Application.routes.draw do

  devise_for :users, :controllers => { :sessions => "sessions", :registrations => "registrations" }, :skip => [ :sessions, :registations ] do

    get     /signin    =>  sessions#new ,     :as => :new_user_session
    post    /signin    =>  sessions#create ,  :as => :user_session
    delete  /signout   =>  sessions#destroy , :as => :destroy_user_session

    get     /signup        =>  registrations#new ,    :as => :new_user_registration
    post    /users         =>  registrations#create , :as => :user_registration
    get     /users/cancel  =>  registrations#cancel , :as => :cancel_user_registration
    get     /settings      =>  registrations#edit ,   :as => :edit_user_registration

    put     /account       =>  registrations#update 
    delete  /users         =>  registrations#destroy 
  end

  resources :users

  match  /contact ,   :to =>  pages#contact 

  root :to =>  pages#contact 

end

扩大的Devise登记主计长

class RegistrationsController < Devise::RegistrationsController

  # POST /resource
  def create
    build_resource

    resource.company = Company.find_by_code(params[:company_code])
    resource.role = Role.find_by_name("Basic")

    if resource.save
      if resource.active_for_authentication?
        set_flash_message :notice, :signed_up if is_navigational_format?
        sign_in(resource_name, resource)
        respond_with resource, :location => after_sign_up_path_for(resource)
      else
        set_flash_message :notice, :inactive_signed_up, :reason => inactive_reason(resource) if is_navigational_format?
        expire_session_data_after_sign_in!
        respond_with resource, :location => after_inactive_sign_up_path_for(resource)
      end
    else
      clean_up_passwords resource
      respond_with resource
    end
  end

end

助理会计

class SessionsController < Devise::SessionsController
  layout "sessions"
end

我认识到,我可以给控制人员的行动增加一些代码,或在过滤前添加一些代码,以检查安装在使用者身上的 lo,并将其改用。然而,发展提供了这一功能,我不必这样做。我担心,通过这样做,我可能会忽视一个更大的问题,或许是Devise的组合。

我欣赏任何帮助! 谢谢!

Answer 1

在进行了大量搜捕和尝试之后,我决定重新实施设计,并做了trick。我仍然无法确定我如何首先打破这一功能。

Answer 2

For devise 1.5.3; not really an answer but some pointers as to what s going on under the hood.
The filter that is used to redirect when user is signed in is require_no_authentication.
It is already called in devises s sessions and registrations controllers.
Since you extend these controllers and filters are inherited, you should have the behavior applied.

Some possible actions:

add breakpoints to see if the filter is called or not
introspect the controllers in console to see if filters get registered
check the filter s control flow; have you tinkered with Devise.navigational_formats
double check devise version

友情链接