Why does my Rails app think I'm CSRF? - ruby-on-rails-3

Definition of strange:
My app's session model seems to work fine. The cookie (user.remember_token = SecureRandom.urlsafe_base64) is stored, the signin persists. Life is good.
Yet, when a user edits their profile and clicks submit, they are logged out.
This SO Question makes me think that Rails is ending the session because of XSRF.
But why?
Instead of posting all my code here, one link gets it all: https://github.com/chiperific/arcwmi_reports
Help!

Your problem is in the User model:
before_save :create_remember_token

def create_remember_token
  self.remember_token = SecureRandom.urlsafe_base64
end
This will modify the remember_token whenever the user is saved - that is, when the user is created or updated. And when a user updates his/her profile, the remember_token is changed. This causes the login system to notice that the cookie no longer matches the user - and logs the user out.
The fix - use before_create instead of before_save.
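To see the difference the answer describes without a database, here is an added example (not the app's code) that fakes ActiveRecord's callback chain, signs a user in, edits the profile, and checks whether the remember-token cookie still matches; FakeRecord and the hook names are constructed for this illustration.

```ruby
require 'securerandom'

# Constructed stand-in for ActiveRecord's callback chain: before_create fires
# only on the first save, before_save on every save, including a profile edit.
class FakeRecord
  attr_accessor :name, :remember_token

  def self.hooks
    @hooks ||= Hash.new { |h, k| h[k] = [] }
  end
  def self.before_create(m); hooks[:before_create] << m; end
  def self.before_save(m);   hooks[:before_save]   << m; end

  def initialize(name)
    @name = name
    @new_record = true
  end

  def save
    self.class.hooks[:before_create].each { |m| send(m) } if @new_record
    self.class.hooks[:before_save].each { |m| send(m) }
    @new_record = false
    self
  end

  def create_remember_token
    self.remember_token = SecureRandom.urlsafe_base64
  end
end

# Build a User class whose create_remember_token hangs off the given hook.
def user_class_with(hook)
  Class.new(FakeRecord) { public_send(hook, :create_remember_token) }
end

# Sign in (the cookie stores the token), edit the profile, then check whether
# the cookie still matches the stored token, which is what keeps the session.
def cookie_survives_profile_update?(hook)
  user = user_class_with(hook).new('alice').save
  cookie_token = user.remember_token
  user.name = 'Alice Smith'
  user.save
  cookie_token == user.remember_token
end

puts "before_save:   #{cookie_survives_profile_update?(:before_save)}"   # false
puts "before_create: #{cookie_survives_profile_update?(:before_create)}" # true
```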

Related

how do I forget the last user using facebook js sdk

When I use FB.logout() the user gets logged out fine, but then the next time I do FB.login() it logs in the last user without the option to enter in new credentials. I can't find any information on how to forget the previously signed on user. Is there a parameter I can pass into logout or login that would forget the previous user?
I found out that the behavior I wanted could be achieved by deleting the user's permissions with the following snippet before logging the user out.
FB.api(`/${fbUserId}/permissions`,
       'delete',
       {access_token: fbUserAccessToken})

How to manually create reset password token using devise

I am developing a Rails 3.2 app. When a user signs up or when I create a user account in my admin panel, a welcome email is sent to them. I want to include a link on which the user can click to get to the password reset page (where they can set/change their password).
So what I want to do basically is to manually create a reset password token, create a link to the reset password page (where they select a new password) and include it in the welcome email. I do not want to send two emails (welcome and reset password).
I guess some of this code could be used but I do not know how.
https://github.com/plataformatec/devise/blob/master/lib/devise/models/recoverable.rb
How can I do this?
Thankful for all help!
Just had to do something similar to this and thought I'd post an answer if someone stumbles on this. Assuming you have devise correctly set up, all you need to do is make sure the user exists in the database and then redirect to the devise route. I leveraged their code here: goo.gl/cE5USm.
def password_reset_controller
  user = User.find_by_email(params[:email])
  if user
    redirect_to password_path(:user, email: user.email)
  else
    # do something different
  end
end
In the console, calling password_path(:user, email: user.email) returns "/users/password?email='email'".
Edit:
Alternatively, you can just use user.send_reset_password_instructions from goo.gl/aPQ8MU
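For anyone who does want to mint the token for the welcome email by hand, here is an added example (not Devise's code or API) of the pattern Devise's Recoverable module follows: the link carries the raw token, only a digest and timestamp are stored, and the token is accepted once and only while fresh. ResetTokenStore, its secret, and the link shape are assumptions.

```ruby
require 'securerandom'
require 'openssl'

# Constructed stand-in for the token handling in Devise's Recoverable module:
# the email link carries the raw token, the database keeps only a digest plus a
# timestamp, and the reset page redeems the raw token once, while it is fresh.
class ResetTokenStore
  RESET_WITHIN = 6 * 60 * 60  # seconds; the reset_password_within default Devise generates

  def initialize(secret)
    @secret = secret
    @users  = {}              # email => { digest:, sent_at: }
  end

  # Called while building the welcome email: returns the raw token for the link.
  def issue_for(email, now: Time.now)
    raw = SecureRandom.urlsafe_base64(32)
    @users[email] = { digest: digest(raw), sent_at: now }
    raw
  end

  # Assumed link shape: Devise's edit-password page reads reset_password_token.
  def reset_link(base_url, raw)
    "#{base_url}/users/password/edit?reset_password_token=#{raw}"
  end

  # Called by the reset page: returns the email, or nil when the token is
  # unknown, altered, or older than RESET_WITHIN.
  def redeem(raw, now: Time.now)
    d = digest(raw)
    email, rec = @users.find { |_, r| secure_equal?(r[:digest], d) }
    return nil if rec.nil? || now - rec[:sent_at] > RESET_WITHIN
    @users.delete(email)      # single use: a leaked link cannot be replayed
    email
  end

  private

  def digest(raw)
    OpenSSL::HMAC.hexdigest('SHA256', @secret, raw)
  end

  # Constant-time comparison so timing does not leak how much of a guess matched.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```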

using devise how do i keep a user logged in past closing the browser

I have a Rails app using Devise, and even with the "remember me" button clicked, when I close the browser and reopen it, it loses all history of the user ever being logged in.
The session should persist well beyond that. How do I change this?
I am not using timeoutable or anything that auto logs the user out.
Thanks!
Did you look at the 'Rememberable' module in Devise?
http://rubydoc.info/github/plataformatec/devise/master/Devise/Models/Rememberable
On the User model:
  :rememberable

Accessing a url directly without login

I am considering doing this -
Any URL (except those I disallow specifically) can be accessed directly without signing in; however, if you click on any of the links on the page, it will redirect you to the sign-up page.
I am thinking of several ways of doing it, but none of them is flexible enough to work with Devise:
Create a new link_to_not_registered helper which I will use on every link_to, and which will check if the user is logged in or not.
Create a before_filter to check if the user is logged in. This is a bit problematic, as I don't know how to create a filter only when linking and not when directly accessing a page.
Have an external flag to test if the user is logged in and change the page accordingly.
None of these ways helps me redirect the user after sign-in/sign-up (the new helper links to sign-up, the before filter becomes too complex, flags are too simple).
Is there a way to create a functionality of direct access to show actions while clicking on links requires login?
I think the best approach is a before_filter. You can check the previous page via request.referrer, so if it's a page inside your app, you redirect the user to the signin path.
def to_signin
  # request.referrer is nil on direct access (typed URL, bookmark), so convert it
  # to a string before matching; start_with? avoids matching the app URL when it
  # merely appears somewhere inside a foreign referrer.
  redirect_to signin_path if request.referrer.to_s.start_with?("http://myapp.com")
end
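Because Referer is supplied by the browser, often stripped, and trivially spoofed, a filter like the one above is a navigation convenience rather than an access control; the added example below (not the answer's code) shows the check done by parsing the URL and comparing the host, so that a foreign page whose URL merely contains "http://myapp.com" is not treated as internal. APP_HOST, internal_referrer? and filter_decision are constructed names.

```ruby
require 'uri'

APP_HOST = 'myapp.com'   # assumed value for this example

# True only when the referrer parses as an http(s) URL whose host is exactly
# APP_HOST. A missing or unparsable referrer counts as direct access, which the
# question wants to allow, so it returns false rather than raising.
def internal_referrer?(referrer, app_host = APP_HOST)
  return false if referrer.nil? || referrer.empty?
  uri = URI.parse(referrer)
  return false unless uri.is_a?(URI::HTTP)   # URI::HTTPS is a subclass
  uri.host.to_s.casecmp?(app_host)
rescue URI::InvalidURIError
  false
end

# What the before_filter would decide for a given request (constructed).
def filter_decision(referrer, signed_in)
  if internal_referrer?(referrer) && !signed_in
    :redirect_to_signin
  else
    :render_page
  end
end

# Sample referrers, constructed for the example.
[nil,
 'http://myapp.com/reports/1',
 'http://evil.example/?next=http://myapp.com/',
 'http://myapp.com.evil.example/'].each do |ref|
  puts "#{ref.inspect} -> #{filter_decision(ref, false)}"
end
```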

rails_admin: control on admin users signup

I installed rails_admin first with model name as rails_admin_user.
The first time I logged in, I clicked 'sign up' and created admin user account.
Now every time I want to log in, there is still a 'sign up' link there.
It seems that anyone can create an account for the admin interface of rails_admin.
If this is true, please let me know how to restrict the admin user creation process.
Hey, here is how you do it. Go to your user or member model, depending on how you set up devise, and remove registerable from devise attributes. This way the sign up link will disappear.
Late, but still good to share, I think. You could do this to show signup for the first user only, which will hopefully be you.
# evaluated once, when the User class is loaded, not on every request
devise :registerable if User.count.zero?