From 92c184a57f7698e79288b380cebc68b839afb4f5 Mon Sep 17 00:00:00 2001
From: Jan-Willem van der Meer
Date: Thu, 16 Oct 2014 11:46:40 +0200
Subject: [PATCH] Disallow new users from Oauth signup if `allow_single_sign_on` is disabled
Because devise will trigger a save, allowing unsaved users to login, behaviour had changed. The current implementation returns a pre-build user, which can be saved without errors. Reported in #1677
---
 app/controllers/omniauth_callbacks_controller.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/app/controllers/omniauth_callbacks_controller.rb b/app/controllers/omniauth_callbacks_controller.rb
index f46b36568f3..589f8387b03 100644
--- a/app/controllers/omniauth_callbacks_controller.rb
+++ b/app/controllers/omniauth_callbacks_controller.rb
@@ -54,11 +54,15 @@ class OmniauthCallbacksController < Devise::OmniauthCallbacksController
 @user.save
 end
- if @user.valid?
+ # Only allow properly saved users to login.
+ if @user.persisted? && @user.valid?
 sign_in_and_redirect(@user.gl_user)
- else
+ elsif @user.gl_user.errors.any?
 error_message = @user.gl_user.errors.map{ |attribute, message| "#{attribute} #{message}" }.join(", ")
 redirect_to omniauth_error_path(oauth['provider'], error: error_message) and return
+ else
+ flash[:notice] = "There's no such user!"
+ redirect_to new_user_session_path
 end
 end
 end
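Review bot: The new `else` branch refuses the sign-in without leaving any server-side record, so repeated OAuth attempts by identities that have no account are invisible to whoever monitors authentication; a line such as `Rails.logger.info "OAuth sign-in refused for provider #{oauth['provider']}: no persisted user"` before the redirect would give that trail. The `persisted?` guard presumably only holds while the `@user.save` above the hunk is skipped when `allow_single_sign_on` is off, and that condition is outside the visible lines, so a controller spec asserting that an unknown identity ends up on the sign-in page without a session would pin the behaviour this commit restores. The branch also reports the refusal as `flash[:notice]` and omits the `and return` that the `elsif` branch uses; `flash[:alert]` and a consistent return would make the failure path read the same way in both branches. The enclosing action starts before the hunk.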