After a user is registered on a rails 3 + devise app. If the user wants to change their email, how can you only allow the change once their confirm the new email via a validation link?
User Story:
User signs into app (already a user)
User changes their email address
User receives an email at the new address, with a link to click and validate the email
Once the user clicks the link, the new email is saved into the db
Anyone tackel this before? Or is this 100% custom?
Same question here
It's 100% custom, you (and I) have to wait for the Devise team to implement it.
Related
I have devise invitable gem
Hooked up in my app as well as devise.
Everything working fine. When I create new user, they are saved in database and mailer sends email an email address. User clicks on email, sets password and then is logged in.
But sometimes these users lose their email or rather can’t find it in their email inbox. I’d like to have a resend invite button on the users index page.
When user clicks resend, I want the invites user to get another email sent to them.
Had anyone successfully accomplished this with devise invitable? If so, can you share how?
The gem adds a resend_invitation configuration parameter on your invitable-enabled model. From the docs:
resend_invitation: resend invitation if user with invited status is invited again. Enabled by default.
So, calling .invite! again on a record that's marked as invited will do the trick for you.
I have a requirement for an authenticated user to be able to send an invite to someones email address. On clicking this invite, the user would be prompted to sign up, and on completion, would be associated with the same account as the originator.
I am struggling to design a secure mechanism for ensuring the invited user is associated with the intended account, and no other.
(If it's of help, I am using Ruby 2, Rails 4, and the sorcery gem for authentication)
The following works:
Use Sorcery User Activation submodule
On 'invite' action create User (non-active) and attach her to the account. Send invitation email with activation link, e.g. http://example.com/users/:token/activate.
In your users_controller#activate:
user = User.load_from_activation_token(params[:token])
... # update user fields, e.g. set password
user.activate!
Users can register an account on my site via the default authentication method that requires a username, email and password.
To allow users to login via facebook, I am using the facebook gem with Omniauth gem.
Existing guides shows me how to authenticate the users up to the point where they can confirm their details ("is your first and last name correct?") before successfully tying the uid and provider to the user record.
However, it does not check if the email is the same.
Does anyone know how to check if the email is the same and if it is, request the user to provide their password to the account already registered on my site either on the same screen for confirming user details or a new screen with just a password field and a message indicating that he needs to confirm he owns an account on my site with the same email facebook provides.
Should this be done on the model or controller layer? How would you go about doing this?
I am building a multi-tenant app. When a user creates an account they are required to enter an email + password. Once signed in, that user (the "Admin") can add additional users to their account. I'd like the ability to add users to be simple - requiring only an email address. Is the following process safe for adding users?
Admin goes to Add User form
Admin enters user's email address and clicks submit
Email + unique registration_key + registration_expiration gets entered into Users model
New user is sent an email with link to registration (like: http://account.myapp.com/registration/o4iwerl23msl424keree)
New user opens registration form and enters required password + password_confirmation fields
If registration_key in URL matches the one in the DB and it is before the registration expiration, then the user can register
Would you recommend an alternative? If this is safe, how do I get around the required password + password_confirmation fields in steps 2 & 3 of this process?
Seems reasonable enough to me.
I would add a state column to the User model. When you invite someone their stated would be invited until they've clicked the registration link and done all that stuff.
Then you can set the validations on password (or anything else that is not relevant at this stage) to not apply in this case
validates_presence_of :blah, :if => confirmed?
def confirmed?
state == 'confirmed'
end
This might also come in handy if the use wants to see which invited users successfully registered. If your users are going to have lots of states you might want to look at the aasm gem but that would be overkill for this.
I would like to implement the following registration system :
User signs up and is redirected
to a thank you for signing up page
(is NOT sent an email and cannot yet log in)
Admin logs in and sees list of newly registered (but as yet unapproved) users
Admin edits user details and clicks 'Approved' which then sends email with password to new user
How can I do this with Devise?
This is answered in a page on the Devise wiki.