I’ve added devise invitable and then my own completely separate controller that handles everything with the class method User.invite! etc. –> That all works fine.
Just wondering what is the best method to disable the route users/invitation/new
–> If someone looked at the app and figured out it was Rails, and then guessed it was using Devise, and then saw it had invites, they might try to post to the users/invitation controller to create invites outside of the code I’ve written. Edge case for sure, but a security hole.
But I’m not seeing what is a sensible way of destroying that route? Thought I could override in routes.rb with:
match '/users/invitation/new', :to => 'home#cp'
But that’s not working. Do I have to add the controller for invitations and then redefine it (I tried it, but crashed my app on Heroku in the process) – is there no simple way of just killing that route from within my app?
Check the documentation. You will find that you can modify and configure routes for Devise on your own. I am using Devise in my project and there is only a little modification we have made.
Here’s a snippet:
Railscasts episode – part 2 on devise.
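A check to run once the routes have been changed, as an added example that is not part of the thread: it scans `rails routes` output for anything that still dispatches to the gem's invite-creating actions, including the POST route the question worries about. The route rows and the `invites#create` controller are constructed, and the use of Devise's `skip:` option to produce the second listing is an assumption.

```ruby
# Added example, not from the thread. Route rows below are constructed
# sample data in the column layout printed by `rails routes`.

# Actions on the gem's controller that create invitations. edit/update
# only let an invitee accept an existing invitation, so they are not flagged.
INVITE_CREATING = %w[devise/invitations#new devise/invitations#create].freeze
VERB = /\A(GET|POST|PUT|PATCH|DELETE)(\|[A-Z]+)*\z/

# The prefix column may be blank, so find the verb column first and read
# the path and controller#action relative to it.
def parse_routes(text)
  text.each_line.map do |line|
    cols = line.split
    at = cols.index { |c| c.match?(VERB) }
    next unless at && cols[at + 2]
    { verb: cols[at], path: cols[at + 1].sub('(.:format)', ''), target: cols[at + 2] }
  end.compact
end

# Routes that still reach the gem's invite-creating actions.
def exposed_invite_routes(text)
  parse_routes(text).select { |r| INVITE_CREATING.include?(r[:target]) }
end

# Constructed: default gem routes plus a hypothetical custom invites controller.
BEFORE = <<~ROUTES
  accept_user_invitation GET    /users/invitation/accept(.:format) devise/invitations#edit
  new_user_invitation    GET    /users/invitation/new(.:format)    devise/invitations#new
  user_invitation        PATCH  /users/invitation(.:format)        devise/invitations#update
                         PUT    /users/invitation(.:format)        devise/invitations#update
                         POST   /users/invitation(.:format)        devise/invitations#create
  invites                POST   /invites(.:format)                 invites#create
ROUTES

# Constructed: the same app once the gem's new/create routes are no longer
# drawn (assumed: Devise's `skip:` option on devise_for, with the accept
# routes re-declared by hand).
AFTER = <<~ROUTES
  accept_user_invitation GET    /users/invitation/accept(.:format) devise/invitations#edit
  user_invitation        PUT    /users/invitation(.:format)        devise/invitations#update
  invites                POST   /invites(.:format)                 invites#create
ROUTES

if __FILE__ == $PROGRAM_NAME
  exposed_invite_routes(BEFORE).each { |r| puts "EXPOSED #{r[:verb]} #{r[:path]} -> #{r[:target]}" }
  puts "after: #{exposed_invite_routes(AFTER).size} exposed"
end
```

Hiding only `users/invitation/new` would leave the `POST /users/invitation` row flagged, which is the route that actually creates an invitation.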