I wanna send mail to user confirms it, but it's not interesting by now to block users access, although would be amazing to have the control about who confirmed and who did not, and in the future make confirmation required.
Added the block below on my User model, but it makes devise not sending even a mail
protected
def confirmation_required?
false
end
Any suggestions?
You have to set config.allow_unconfirmed_access_for = nil on your devise.rb to allow unconfirmed access.
Related
I am using Rails 3.2.15 and Devise 2.2.8. I want to have different email confirmation behaviour for same model depending on certain conditions.
Case 1: User signs up on his own using an email and password, gets Mail Template 1 (the mail only asks for email confirmation, he has already set the password)
Case 2: A new user is added in model explicitly by another registered user. The new user gets Mail Template 2, which asks him to reset the password (reset should by default confirm his account as well)
Is this possible to achieve?
I was going through Devise page where we can override confirmation process to let user set the password and auto-confirm the account during this process. But I think this will happen for all users added in model. I want to customize this.
You probably found your answer; but for future ref, if the answer is needed, I just wanted to say that YES, this is possible...
As usual with Rails, you can override anything so this is also true for the confirmation process in Devise.
I'm working on a project where we have different ways of accepting/confirming new users.
If you/somebody needs details, feel free to ask...
Cheers
I don't mean sending a confirmation email, I mean checking to make sure they entered the same email twice. I'm using the has_secure_password functionality which automatically checks to make sure the password and password_confirmation fields match up. Just not sure how to do it with the email.
This is the purpose of the Confirmation validation.
By default, WebSecurity.Login method returns false when the user is not confirmed.
How can I make it work regardless of the user confirmation status?
If confirmation is not important to you then when you call CreateUserAndAccount() or CreateAccount() make sure you pass requireConfirmationToken as false.
That way once the account is created it will not require confirmation and Login() should work with the right credentials.
EDIT: The general need for confirmation is to make sure you have a reliable means of communication with the user (like an email address) if the user has forgotten their password. Without confirmation you will not have this "confirmed" means of communication.
You can also try flipping bits in the webpages_Membership database (IsConfirmed == 1) but I wouldn't recommend that either.
In my application I have one case when I must create a user to save a message.
This case occurs when a visitor creates something by clicking a button for example. Other users who don't click the button can save a message without their email.
I was thinking to set a session variable so that other parts of the application can adapt.
something like:
session[:require_email] = true
In the controller for the message.
def create
Update
More detail.
A visitor creates a book. Then they add information to the book. To save their changes they must leave an email as they are the creator of the book and manage it. I use this email to create an account so I validate the email.
This new user then invites friends to participate in two ways. A: They fill out a form supplying their emails. B: They send a message via facebook with a link. I already have their emails so they can leave a message and edit it or delete it.
The friends who receive the email link have accounts as I create them as soon as I have their email.
The friends who click the link from facebook do not have accounts. They can visit the book and leave a message but do not have to leave their email. Its up to them. If they leave their email I create a user account and then they can edit their message or delete it etc. If they don't leave their email the cannot edit or delete their message.
So its this third group I have to manage. I was thinking that if they click the link I can set a session variable session[:guest] = true.
Then in the controller I could do the following
unless session[:guest] && params[:user][:email].blank?
#user = User.new(params[:user])
end
Is this ok to do?
Should this be done somehow in the model?
You should never include any logic like that in the controller. Remember, one of the basic principle of MVC is tiny controller, fat models. This validation sounds, to me, to be needed in the user model.
validates_presence_of :email, :if => :should_validate_email?
def should_validate_email?
# your logic that says if the email should be validated.
end
Hope that helps!
Here's my scenario.
First, I log in as Alice:
http://localhost:3000/?auth_token=eMXBk8cuJMA1ETZfMIgB
Then, without logging out, I log in as Bob:
http://localhost:3000?auth_token=Z9Ui7Cw_xCnOmGWOEUEH
What happens is, after the second GET request, I'm still logged in as Alice, not Bob.
If I do a http://localhost:3000/users/sign_out in between the two auth_token logins, everything's OK.
Without the sign_out, Bob can't login using his token.
Is this a bug, or the way things should be due to some security issues I'm ignorant of?
Can this behavior be overriden through hooks?
I've run into this with restful_authentication and devise. Here is what I use to handle it (put in application_controller.rb) and call it where needed. Note that I use :ak for the auth token. Change to whatever you're using.
def switch_session(api_key_passed)
if api_key_passed != current_user.authentication_token
logger.info("******Switching session as token is different.*******")
user = User.find_by_authentication_token(api_key_passed)
sign_out(user)
if #api_login_enabled.present?
redirect_to(new_user_session_path(:ak => api_key_passed))
else
logger.info("***API Login Setting is Disabled.***")
end
end
end
Devise's token_authenticatable strategy is a login path. Sending a User's authentication_token to Devise will log in that user and set a session, just as logging in via the web would. It is not supposed to act as an API Key, which would be required to be sent on every request and knowledge of that request disappears once the server responds.
Take a look at this issue here for more information: https://github.com/plataformatec/devise/issues/300
#jschorr's answer will work if you wish to use it more like an API key, but you should be aware that the original issue will not actually persist the previous user's session between different clients, this is not a security issue of sessions leaking between clients, and this is exactly how the authors of Devise intended. Just as you would need to log out of your Significant Other's webmail account in order to check your own if they just checked their mail from the same computer, you would need to send a logout message to your Rails app before you can switch accounts.
You are missing a setting on devise.rb initializer:
# By default Devise will store the user in session. You can skip storage for
# :http_auth and :token_auth by adding those symbols to the array below.
# Notice that if you are skipping storage for all authentication paths, you
# may want to disable generating routes to Devise's sessions controller by
# passing :skip => :sessions to `devise_for` in your config/routes.rb
config.skip_session_storage = [:token_auth]
So no session is used when a user authenticates with an auth_token.