Devise showing user already logged in on password reset - ruby-on-rails

I am using the devise plugin for resetting the user password, and I have this problem. The scenario is: when I send a link for resetting the password, it lands on a custom reset page which has the view for resetting the password, but the weird thing is that the user is already logged in when they land on that page. If I click on the main tab without resetting the password, I can navigate as if I am already logged in.
How can I make sure that the user is not already logged in? Once I reset the password, they should have to log in again to use the account.

Maybe you are missing this line in your controller:
before_action :authenticate_user!, except: :change_password
This will not log the user in for that particular controller action.
Note that change_password will be the name of your controller action for changing the password.

Unexpected logins sometimes happen if routes.rb allows two different sign-in paths when different user models are used.
Run rake routes and check whether there is a new_user_session_path along with, for example, a new_buyer_session_path.
If there is, fixing your routes might solve your problem.

Related

Devise If logged in automatically send to home page

I have a base installation of Devise with everything setup and working correctly. I have a 'welcome' page and a 'dashboard' page which only logged in users can get to.
What I'm trying to achieve is to make all logged in users automatically skip the landing page and land straight on the dashboard when they come back to the site.
e.g.
I sign up from the landing page
I'm logged in
I close off chrome and go for food
I open chrome and go to the root url (example.com)
I get presented with my dashboard instead of the welcome page as I am logged in.
Any help is greatly appreciated
You should be able to do a simple check in the controller for whether the session is active and, if so, redirect_to dashboard_path.
I haven't used devise in forever so I don't remember if they have a built-in current_user method or not (see the current_user setup here), but checking if that is nil would be a good check.
You need to define Devise's after-sign-in hook in your application controller:
def after_sign_in_path_for(resource)
  your_after_sign_in_path
end
That should redirect all users to your_after_sign_in_path after they sign in.

Rails: Persist params through an Unauthorized request?

This Rails project has an API side to send data to the iOS version of the app. It uses Devise::Lockable to lock user accounts when they fail login 3 times.
This is a strange edge case, but maybe not that uncommon. The situation begins with being already logged in to the desktop version. If I then fail login in the iOS app 3 times, but then click the reset password link in my email from the desktop version, because I'm already logged in, the request for the edit_password_url gets unauthorized (because the account is locked) and I get redirected to the login page.
What are some ways I could have it still go to the edit_password_url while keeping the params (specifically the password reset token)? I'm thinking either:
Skip authenticating the password edit page (seems bad, but I still haven't seen how to do this)
Create some series of filters that check requests and then redirect back to the edit_password_url ... but how do I keep that reset password token?
Alternatively, I could somehow force sign out of the user in the main app somewhere in the process of that user failing login through the API. But these are namespaced and under different controllers and I haven't found a way to force a sign out that way.
There are several actions in devise where it redirects if there's an active session. I never liked this behavior and usually override it. If I hit a link, it's because I want to perform that action, after all.
For example, when visiting the sign-in link you might want to sign in as a different user, so you could override that action to sign out if it's hit directly, rather than redirecting. So for my example you would subclass Devise::SessionsController:
class SessionsController < Devise::SessionsController
  # Devise redirects an already signed-in user away from :new; skip that so a
  # direct hit on the sign-in page can sign the current user out instead.
  # (Rails 5+ spells this skip_before_action.)
  skip_before_filter :require_no_authentication, only: [:new]

  def new
    sign_out_current_session if warden.authenticated?(resource_name)
    super
  end

  private

  # Same logic as Devise::SessionsController#destroy. The helper gets its own
  # name: defining it as sign_out would shadow Devise's sign_out helper and
  # then call itself recursively on the sign_out_all_scopes branch.
  def sign_out_current_session
    Devise.sign_out_all_scopes ? sign_out : sign_out(resource_name)
  end
end
and override it in routes:
devise_for :users, controllers: { sessions: 'sessions' }
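The following is an added example, not code from the two questions above or from their answers. It models in plain Ruby, without Rails, what the edit-password page should do when its link is opened in a browser that is still logged in (the first question), and why a reset token and a live session should be tied together the way Devise ties them (the "Persist params through an Unauthorized request?" question). Two points mirror what Devise actually does: Devise stores only a digest of the reset token, and its session contains [id, authenticatable_salt] where the salt is encrypted_password[0, 29], so a password change invalidates every other session. Everything else (the User, Sessions, find_by_reset_token and visit_edit_password names, the Hash used as the session, and PBKDF2 standing in for bcrypt) is an assumption made for this example.

```ruby
require "securerandom"
require "digest"
require "openssl"

class User
  RESET_PASSWORD_WITHIN = 6 * 3600 # Devise's config.reset_password_within default

  attr_reader :id, :email, :encrypted_password, :reset_password_token, :reset_password_sent_at

  def initialize(id, email, password)
    @id = id
    @email = email
    self.password = password
  end

  # Stored as "hexsalt$hexdigest". A fresh random salt on every change means the
  # stored string, and so authenticatable_salt, never matches the previous one.
  # PBKDF2 stands in for the bcrypt hash Devise would use (assumption).
  def password=(plain)
    salt = SecureRandom.hex(8)
    @encrypted_password = "#{salt}$#{pbkdf2(plain, salt)}"
  end

  def valid_password?(plain)
    salt, digest = @encrypted_password.split("$", 2)
    secure_equal?(pbkdf2(plain, salt), digest)
  end

  # As in Devise: this slice lives in the session next to the id and is compared
  # on every request, which is what ends old sessions after a password change.
  def authenticatable_salt
    @encrypted_password[0, 29]
  end

  # Returns the raw token for the e-mail link; only its digest is persisted.
  def send_reset_password_instructions(now: Time.now)
    raw = SecureRandom.urlsafe_base64(32)
    @reset_password_token = Digest::SHA256.hexdigest(raw)
    @reset_password_sent_at = now
    raw
  end

  def reset_period_valid?(now: Time.now)
    !@reset_password_sent_at.nil? && (now - @reset_password_sent_at) <= RESET_PASSWORD_WITHIN
  end

  # Single use: the token is cleared once the password has been changed.
  def reset_password(new_password)
    self.password = new_password
    @reset_password_token = nil
    @reset_password_sent_at = nil
  end

  private

  def pbkdf2(plain, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(plain, salt, 10_000, 32, "sha256").unpack1("H*")
  end

  def secure_equal?(a, b) # constant-time comparison of two hex strings
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# The session is a plain Hash here; the key is the one Warden uses for Devise's
# :user scope and the value mirrors Devise's serialize_into_session.
module Sessions
  KEY = "warden.user.user.key"

  def self.sign_in(session, user)
    session[KEY] = [[user.id], user.authenticatable_salt]
    session
  end

  def self.sign_out(session)
    session.delete(KEY)
    session
  end

  # Like Devise's serialize_from_session: the id alone is not enough, the salt
  # slice must still match, otherwise the session predates a password change.
  def self.current_user(session, users)
    ids, salt = session[KEY]
    return nil if ids.nil?
    user = users[ids.first]
    return nil if user.nil? || user.authenticatable_salt != salt
    user
  end
end

# Hash the raw token from the link, look the digest up, reject it once expired.
def find_by_reset_token(raw, users, now: Time.now)
  digest = Digest::SHA256.hexdigest(raw)
  user = users.values.find { |u| u.reset_password_token == digest }
  return nil if user.nil? || !user.reset_period_valid?(now: now)
  user
end

# Edit-password action opened in a browser that is still logged in: sign that
# session out instead of redirecting away, then resolve the token.
def visit_edit_password(session, raw, users, now: Time.now)
  Sessions.sign_out(session) if Sessions.current_user(session, users)
  find_by_reset_token(raw, users, now: now)
end
```

The check that matters for the threads above is the last branch of Sessions.current_user: a session created before the reset carries the old salt slice, so after reset_password it resolves to nobody, on every browser and tab, without the server having to track sessions.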

When I click on login the URL gets updated with parameters, but the session is not created?

I am using devise for authentication. Recently, when I integrated bootstrap into my rails app, the devise login system stopped working.
When I enter the email and password, the URL gets updated with the parameters of the user, but I am not getting redirected to the homepage and the session is not getting created.
As I am using the logged-in condition to display the options in the navbar and the logout option is not showing, I think the session is not getting created.
The normal URL of the signin page is
https://example.com/users/sign_in
and after I click on the login button after entering my details, the URL changes to this and I stay at the login page:
https://example.com/users/sign_in?utf8=%E2%9C%93&authenticity_token=OeR8e3thZu4SnUQeNO8zYpHJ4vWMxiIaWcHkEbRDb9o%3D&user[email]=na.nishantarora%40gmail.com&user[password]=hashfloat&user[remember_me]=0&commit=Log+in
I am not able to figure out where the problem is. I have tried adding a method in my application controller for redirection, but it didn't work. Here is the method I tried using:
def after_sign_in_path_for(resource)
  # Must return a path or URL for redirect_to; resource is the user who just signed in.
  user_path(resource)
end
On top of that, I also want the user to get redirected to his own profile after he logs in to the website.
And here is what my routes file looks like:
Rails.application.routes.draw do
  get 'static_pages/home'
  get 'static_pages/help'
  devise_for :users
  resources :users
  root 'static_pages#home'
end

Rails/Devise: Force sign out & redirect on all pages when user session destroyed

I have a persistent error that keeps on popping up. Here's the use case:
User is logged in & has multiple tabs/windows of the app open.
User logs out (session is successfully destroyed) & is redirected back to home page (root_path).
User reloads or takes action on any of the other already open tabs.
User encounters error and must manually navigate to root_path via address bar.
Is there a best practice to prevent this altogether? Is it better to have an error page that has a link to the root path where they can log back in?
I appreciate any help at all. Thanks!
According to the documentation, if a user cannot be authenticated you can redirect to a specific page:
https://github.com/plataformatec/devise/wiki/How-To:-Redirect-to-a-specific-page-when-the-user-can-not-be-authenticated
Maybe this is also helpful:
Redirect to log in page if user is not authenticated with Devise

Rails: sign out logged in user on event

I'm using Rails 3 with the Devise gem. It does a great job when you need to lock a user from signing in.
But it works just for new login attempts.
If he is already logged in, it won't sign him out immediately.
Here is the typical use case:
Given an admin user,
when he detects suspicious activity of a certain user he locks it with malicious_user.lock('locking-reason')
config/initializers/session_store.rb:
AppFoo::Application.config.session_store :cookie_store, :key => '_foo_session'
Given HTTP's statelessness, you can't immediately log out a user, because you will need to wait until they make another request to your server. You could get around this via a push service, I suppose, but that would be overkill.
My solution would be to add that person to a blacklist and then check whether they're on the blacklist whenever they try to access a section intended for logged-on users only. This will render them unable to log on until you decide whether or not their activity is suspicious.
Example:
User is suspected of intolerable activity.
Admin wants to check this out, so they temporarily add the user to the blacklist.
User clicks on an area of the page they were on when added to the blacklist.
Code checks for login status and blacklisted users.
Since the user is blacklisted, they are informed that they need to sign in to access the content.
Once the user tries to sign in again you can inform them that their account has been temporarily disabled (or you can do this in the previous step).
Perhaps the easiest way would be to redirect the user to the logout action when you lock them, so:
malicious_user.lock('locking-reason')
redirect_to '/logout' and return
I'm not familiar with Devise, so this may not be the best solution or even possible, but it's how I would approach the problem.
Use a before_filter in the ApplicationController that will do the following:
before_filter :kick_out_blocked_user

protected

def kick_out_blocked_user
  # Guests have nothing to kick; redirecting them would loop on the sign-in page.
  return if current_user.nil?
  # active_for_authentication? is the Devise hook that Lockable turns false while locked.
  return if current_user.active_for_authentication?
  # Clear the session here: destroy_user_session_path expects a DELETE, and a redirect sends a GET.
  sign_out current_user
  redirect_to new_user_session_path, alert: "Your account has been locked."
end
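The following is an added example, not the asker's or the answerers' code: a plain-Ruby model of the per-request check described in the answers above, runnable without Rails. It goes a little beyond the filter shown there by exercising the two ways such a filter commonly misbehaves, a guest being redirected in a loop and the session being left intact after the redirect. The Request, Response and App structures, the locked_at attribute and the path list are assumptions made for this example; active_for_authentication? is the name of the hook Devise::Models::Lockable overrides.

```ruby
# One user record; a lock is just a timestamp, as with Devise's locked_at column.
User = Struct.new(:id, :email, :locked_at) do
  def lock!(now: Time.now)
    self.locked_at = now
  end

  # The hook Devise::Models::Lockable overrides; false while the account is locked.
  def active_for_authentication?
    locked_at.nil?
  end
end

Request  = Struct.new(:path, :session)          # session is a plain Hash (assumption)
Response = Struct.new(:status, :location, :body)

class App
  SESSION_KEY  = "warden.user.user.key"         # key Warden uses for Devise's :user scope
  PUBLIC_PATHS = ["/", "/users/sign_in"].freeze # pages that must stay reachable when logged out

  def initialize(users)
    @users = users # id => User, standing in for the users table
  end

  def sign_in(session, user)
    session[SESSION_KEY] = user.id
  end

  def current_user(session)
    @users[session[SESSION_KEY]]
  end

  # Runs on every request, so a lock takes effect on the locked user's next
  # request rather than at their next login attempt.
  def call(request)
    user = current_user(request.session)

    # before_filter :kick_out_blocked_user
    if user && !user.active_for_authentication?
      # sign_out: drop the session here; a redirect to the DELETE-only destroy
      # action arrives as a GET and would not do it.
      request.session.delete(SESSION_KEY)
      return Response.new(302, "/users/sign_in", "Your account has been locked.")
    end

    # before_filter :authenticate_user! on everything but the public pages. A
    # guest is redirected once here, never by the filter above, so no loop.
    if user.nil? && !PUBLIC_PATHS.include?(request.path)
      return Response.new(302, "/users/sign_in", "You need to sign in.")
    end

    Response.new(200, nil, "#{request.path} as #{user ? user.email : 'guest'}")
  end
end
```

The order of the two filters is the point: the lock check runs first and clears the session, so the very next request from that browser is an ordinary guest request, and the sign-in page itself is reachable for the "your account is locked" message.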
