I'm using Devise and devise_ldap_authenticatable to allow users to log in. I'm using only the sessions controller:

    class Users::SessionsController < Devise::SessionsController
      layout 'landing'
      before_action :configure_sign_in_params, only: [:new]

      # GET /resource/sign_in
      def new
        super
      end

      def destroy
        super
      end

      protected

      def configure_sign_in_params
        devise_parameter_sanitizer.permit(:sign_in, keys: [:username])
      end
    end

I want only the administrator to be able to search the domain and add a new user. Now, any user in the domain can log in to the application, even though they do not have access to any resources without a role assigned. This doesn't change the fact that such a user's data is automatically saved in the model and is included in the list of all users. I want only previously added users to be able to log in to the application. I thought that if I threw out the create method from the controller I would get this effect. Nevertheless, I see in the logs that it is being invoked anyway.
How can I block the possibility of logging in if the user is not in the database?
I found the solution. In devise.rb you just need to set ldap_create_user to false:

    Devise.setup do |config|
      # some other config
      config.ldap_create_user = false
    end

This is part of the devise_ldap_authenticatable configuration.
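
An added example, not part of the original post and not the gem's own code: a simplified stand-alone model of the sign-in gate, showing that a successful LDAP bind alone creates a local account when auto-creation is on and is refused when it is off. The directory contents, method names and result symbols are constructed for illustration.

```ruby
# Simplified, constructed model of the sign-in gate. Not the gem's code.
DIRECTORY = { "alice" => "s3cret", "bob" => "hunter2" }.freeze # constructed LDAP accounts

# Stand-in for an LDAP bind: true only for a matching, non-blank password.
# Blank passwords are rejected up front because some directories accept an
# empty-password simple bind as an unauthenticated bind.
def ldap_bind_ok?(username, password)
  return false if username.to_s.empty? || password.to_s.empty?

  DIRECTORY[username] == password
end

# local_users: array standing in for the users table.
# create_user: plays the role of config.ldap_create_user.
def sign_in(username, password, local_users:, create_user:)
  return :invalid_credentials unless ldap_bind_ok?(username, password)
  return :signed_in if local_users.include?(username)
  return :not_provisioned unless create_user

  local_users << username # auto-provisioning: the behaviour the question wants gone
  :signed_in
end

# Runs the same login (bob, valid directory credentials, no local row)
# under both settings and returns the outcome plus the resulting table.
def demo
  results = {}
  [true, false].each do |create_user|
    table = ["alice"] # only alice was added by the administrator
    outcome = sign_in("bob", "hunter2", local_users: table, create_user: create_user)
    results[create_user] = [outcome, table.dup]
  end
  results
end

demo.each do |flag, (outcome, table)|
  puts "create_user=#{flag}: bob -> #{outcome}, users table = #{table.inspect}"
end
```

In a real application the equivalent check is a request spec that signs in with a directory account that has no local row and asserts the user count is unchanged.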