I’m not sure what I did, but a signed in user can access the new_user_session_path and new_user_registration_path. Usually in devise, a user should not be allowed to access those paths. I’m using cancan if the makes a difference. I created a new rails application and copied over the routes and extended the registrations and sessions controller and cannot replicate the problem.

If someone could even point me in the direction of where the redirecting is done in Devise, I would appreciate it.

In the initializers/devise.rb config file, the only line added to the default file is:

config.scoped_views = true

Let me know if I can supply any other useful information.
I’m using Devise (1.5.3), CanCan (1.6.7), and Rails (3.1.1)

Routes File:

MyApp::Application.routes.draw do

  devise_for :users, :controllers => { :sessions => "sessions", :registrations => "registrations" }, :skip => [ :sessions, :registations ] do

    get    '/signin'   => 'sessions#new',     :as => :new_user_session
    post   '/signin'   => 'sessions#create',  :as => :user_session
    delete '/signout'  => 'sessions#destroy', :as => :destroy_user_session

    get    '/signup'       => 'registrations#new',    :as => :new_user_registration
    post   '/users'        => 'registrations#create', :as => :user_registration
    get    '/users/cancel' => 'registrations#cancel', :as => :cancel_user_registration
    get    '/settings'     => 'registrations#edit',   :as => :edit_user_registration

    put    '/account'      => 'registrations#update'
    delete '/users'        => 'registrations#destroy'
  end

  resources :users

  match '/contact',   :to => 'pages#contact'

  root :to => 'pages#contact'

end

Extended Devise Registrations Controller

class RegistrationsController < Devise::RegistrationsController

  # POST /resource
  def create
    build_resource

    resource.company = Company.find_by_code(params[:company_code])
    resource.role = Role.find_by_name("Basic")

    if resource.save
      if resource.active_for_authentication?
        set_flash_message :notice, :signed_up if is_navigational_format?
        sign_in(resource_name, resource)
        respond_with resource, :location => after_sign_up_path_for(resource)
      else
        set_flash_message :notice, :inactive_signed_up, :reason => inactive_reason(resource) if is_navigational_format?
        expire_session_data_after_sign_in!
        respond_with resource, :location => after_inactive_sign_up_path_for(resource)
      end
    else
      clean_up_passwords resource
      respond_with resource
    end
  end

end

Extended Devise Sessions Controller:

class SessionsController < Devise::SessionsController
  layout "sessions"
end

I realize that I can add some code to the controller actions or in a before filter to check for a logged in user and redirect them. Devise, however, offers the functionality and I shouldn’t have to do that. I’m afraid that by doing so I may be ignoring a larger problem, perhaps with Devise’s configuration.

I appreciate any help! Thank you!