Email based interaction with rails app - ruby-on-rails

I need some gem that will allow users to interact with rails app through email, without need to register. For example: I publish something for sale, accompanied with email, and all of controls (CRUD, and submitting) I get on my email as links (delete, update, and so on). I'll like to, somehow connect it to devise, with opportunity of further registration using the same email with shopping history.
To publish something(services or products) for sale User has to fill:
name, email (validates unique), phone. That may or may not be used for future registration using devise.
in the same form may be: pictures, description, and other fields of product.........
the idea is to store: id, name, email, phone in user db without password, or be somehow pending for registration

Just create your own CRUD controller with authorization based on some hash that you will add to the URL. Store those hashes in the database and verify if user is legitimate to perform action.
Warning: anyone with the valid URL will be able to perform these actions.
Well, in comment you wrote that you want it to integrate with Devise. Devise supports login tokens but for existing users. You should then somehow virtually register them. Easiest approach would be to:
Include user email in the URL with some tolen
Check if we already have such user - add token verification here
user = User.find_by_email(params[:email])
if user.nil?
user = User.create(field_1: value1, field_2: value2)
end
sign_in(user)
redirect_to after_sign_in_path(user)
Done. User is authenticated based on the email and token included in the URL.

Related

How to conditionally ignore that a user is not confirmed in Rails, Devise?

Basically what I have is that a user is created upon a booking (from their booking details), but they have to tick an option to actually have an account on the website. The latter type of user needs confirmation of email, but the previous - does not.
How do I ignore that a user is not confirmed dynamically based on some model attribute?
You can use skip_confirmation_notification! from the Confirmable module.
This would create the user but wouldn't send them a confirmation email. It would still require being confirmed for the user to become a devise user, but you can still retrieve the user using either the user.confirmation_token which would eq a unique token (NULL for confirmed users), or the user.confirmed_at would be NULL for non confirms, as a date is added when confirmed.

Invite system design for Ruby on Rails application

I have a requirement for an authenticated user to be able to send an invite to someones email address. On clicking this invite, the user would be prompted to sign up, and on completion, would be associated with the same account as the originator.
I am struggling to design a secure mechanism for ensuring the invited user is associated with the intended account, and no other.
(If it's of help, I am using Ruby 2, Rails 4, and the sorcery gem for authentication)
The following works:
Use Sorcery User Activation submodule
On 'invite' action create User (non-active) and attach her to the account. Send invitation email with activation link, e.g. http://example.com/users/:token/activate.
In your users_controller#activate:
user = User.load_from_activation_token(params[:token])
... # update user fields, e.g. set password
user.activate!

Multi-tenant, is this process safe for adding users?

I am building a multi-tenant app. When a user creates an account they are required to enter an email + password. Once signed in, that user (the "Admin") can add additional users to their account. I'd like the ability to add users to be simple - requiring only an email address. Is the following process safe for adding users?
Admin goes to Add User form
Admin enters user's email address and clicks submit
Email + unique registration_key + registration_expiration gets entered into Users model
New user is sent an email with link to registration (like: http://account.myapp.com/registration/o4iwerl23msl424keree)
New user opens registration form and enters required password + password_confirmation fields
If registration_key in URL matches the one in the DB and it is before the registration expiration, then the user can register
Would you recommend an alternative? If this is safe, how do I get around the required password + password_confirmation fields in steps 2 & 3 of this process?
Seems reasonable enough to me.
I would add a state column to the User model. When you invite someone their stated would be invited until they've clicked the registration link and done all that stuff.
Then you can set the validations on password (or anything else that is not relevant at this stage) to not apply in this case
validates_presence_of :blah, :if => confirmed?
def confirmed?
state == 'confirmed'
end
This might also come in handy if the use wants to see which invited users successfully registered. If your users are going to have lots of states you might want to look at the aasm gem but that would be overkill for this.

How to restrict user action from email link without login?

As part of my app, users get to approve certain "requests" via email. Requests have their own model and therefore each has a unique id.
Users get an email with a named route in a link: 'approve/:id' where :id is the id of the request. The approve method then handles the approval logic, etc.
How can I prevent a user from approving requests made to other users without having the user login beforehand? Since the ids are freely displayed in the URL, I guess a GUID would be needed or?
If you really want to do that, then yes, you'd need a GUID of some sort. Perhaps a cryptographic hash of the user_id or email address(?). so you end up using /approve/:id/:GUID.
I'm surprised you don't want the user to login though, remember that if they login you can redirect them on to the approval automatically. Also if the cookie is still valid a user may already be logged in.

Send custom confirmation email in Devise depending on role defined in the database

I am using Devise for registration of a site with confirmable. However, I have two different roles for this site. The first role is the "main" role that uses the regular Devise signup procedure. Accounts in a second role are supposed to be created after the original user confirms their account, logs in for the first time and saves a certain model. For example, if a user signs up for the site (as role type 1) the get a confirmation email from Devise as normal. Next, they visit the confirmation link, verify their account and then fill out a form where they specify some friends that should also get accounts. The friends are role type 2 and they should get a different confirmation email than the original person who signed up their friends for the account. The accounts for the friends are created when the form filled out by the original user is saved. In addition, a person can edit and add more friends later so accounts might also need to be created on the update method of the relevant form/object and those new users will need to be sent the correct email. To be clear, I do not want to skip confirmation - I just want to send different confirmation emails to the user depending on their roles. I cannot figure out how to handle this properly. If I try to create the friends accounts in code when the form is saved with User.new, calling user.skip_confirmation! will automatically confirm them. However, I do not want anyone automatically confirmed - I just want to select a different customizable confirmation email to send depending on various conditions. Can someone point me in the right direction?
Check out send_on_create_confirmation_instructions method and comments for it in your /gems/devise-x.x.x/lib/devise/models/confirmable.rb

Resources