I have a form that users can fill out, and hitting the "Create" button will issue a POST request to create a new entry in the database with the form data.
Now, only logged in users should be allowed to create the database entry, but I want all users to be able to fill out the form. Only when clicking "Create" do I want my application to redirect users who are not logged in to the login page. Once logged in, I want to continue processing the POST request and create the database entry, without the user having to enter all the form data again.
What's the best way of handling that? Putting the POST data in the session? But then, after successful login, I want to create the database entry in the original controller/action (so as to not duplicate code), and issuing a POST request from within my application (in the after-successful-login-method) seems strange. Any better ideas?
Thanks!
You're not mentioning how you do your authentication, so i suspect that you do it manually. If you use(and i would strongly recommend you do), a gem like Devise for registration, you just need to add Devise's authentication helper to your controllers, to do that.
To do it manually, every time the user registers, you set a session id variable that is tied to him/her. Then, you just check that to see whether he/she is registered. If not, you just do not allow the action and redirect.
Related
I have a Post model, and anyone can create a post. But before it is saved, the user must be logged in.
I am using Devise. How do I force them to login/register before it is saved, and then just complete the operation once they do that?
I was initially thinking of doing a before_save on my Post model. The issue with that approach is that I don't have access to the current_user object in my model.
I am also unsure about how to save the record, and just continue the operation once they successfully login.
Edit 1
Another hacky way to do this is to simply change my f.submit to be a regular button that redirects them to the login page. The issue with that approach is that it doesn't save their info and allow them to just hit "submit" upon successful login. They have to go through the entire post/_form again - which is what I am trying to avoid.
Sounds to me like all problems could be avoided if you forbid people to access post-creating if they aren't logged in. If there are no cases where a user can create a post without being logged in, then make them log in first.
One way to do that would be to make the link that leads to post-creating (if there is such a thing) check if the user is logged in, and if they aren't send them to login form.
For an application, I've users which have a profile. This application is only "with invitation", and I need that the user fills its profile before doing anything else.
I've a "IsCompleted" boolean attribute on its profile, so I've no problem to know if the user has to finish its inscription or not.
But how can I create something which check, on all page that the user has to be authenticated, that the user must be completed?
I thought to create an custom AuthorizeAttribute(in fact I've already one custom, which check some roles), but I don't know if it's the right place to make this kind of controls, and how can I distinct in the HandleUnauthorizedRequest if the request has been rejected because the login wasn't valid or because the user didn't fullfilled it's informations?
You could either:
a) Put them into a 'limited' role until they enter their profile, and let the base authorisation code handle it, then add them to a 'full' role on entry of details.
b) Override the OnActionExecuting method in your controllers (or better on base controller that you use), to check to see if the user has entered their profile, before processing the rest of the action.
IF I understood what you mean then you have that, simply use the standard authentication method. Do not forget you can use groups and roles so even if a user is authenticated it can be excluded from some pages.
I'm trying to build the backend for a subscription-only area for a website.
When the customer first pays for the subscription, he is going to be registered automatically by a callback from an external app confirming the user has paid.
I want to create the user automatically with several blank attributes. Once the user tries to login for the first time, he has to change or update all of these attributes. Then I want to run the validation routine for the attributes.
Assume the user knows his username and first password as he completes the payment.
The authentication is currently being done with Devise, but it is subject to change.
How would you go about implementing this on Rails?
You could use :on => :update after the relevant validations to bypass them on registration. Then, create a before_filter that redirects logged in users to their profile edit page throughout your application if at least one required attribute is missing.
You can just .save(false) on creation to prevent the validation completely
Not as good of a solution for your problem, but for others like me who got here through Google...
http://guides.rubyonrails.org/v2.3.11/activerecord_validations_callbacks.html#skipping-validations
How do miscellaneous account management pages fit into a RESTful design in Rails 3?
For example, a user registers (create action) and is then forwarded to a registration success page (? action) where they are asked to now verify their email address via a url with a token (emailed to them).
When they click the link in the email, technically they are "updating" their account as part of the verification process right? So I'm thinking that would somehow map to the "update" action but the update action is expecting a PUT request. Is that correct? How do you make that work via the email?
I'm also wondering how forgot password, reset password, etc also fit into a RESTful design? Just trying to wrap my head around this.
Just because you have a result design, doesn't mean you HAVE to restrict yourself to only CRUD verbs that map 1:1 to Get/Post/Put/Delete. That said, if you want to get really RESTful, you can start to think of some of these things in terms of being their own resources. For example user verification:
User signs up, and gets sent a verification email, you already have that all squared away RESTfully it looks like
Verification url looks like: http://app.com/user_verifications/new?token=foobar (GET)
They follow the url and maybe are presented with a "Hello Dan, welcome back! Click here to verify your account" at that point you submit a form to http://app.com/user_verifications to trigger the create action there. Now on the backend, you can perform whatever actions you want, updating the user, setting them to active, or actually creating a "UserVerification" model.
Not a perfect example, but the idea is that the RESTful interface you are providing has an additional resource, in this case "user_verifications" and a user is acting upon it via HTTP methods in order to achieve the user's goals. You can apply similar logic to reset/forgot password either with a "UserSession" type resource or even as specific as a specific "ForgotPassword" resource.
Success page is just create.html.erb file. Usually you are redirecting from create action, but here you can just render success template.
Verifying. If you want to stay REST you should add one more step: GET verify, where is the form with your token present, which will lead to PUT update action. User recieves a link to this page.
But I prefer to use simple GET request here, which will update information without any additional clicks.
The same way you work with restoring passwords and other functionality. You add a page to with form that gets email, then you send a letter with link to a page with form filled with tokens and so on.
I am working on an application where users can post different kind of requirements. And each requirement is tied with a user. For posting a requirement, users are first redirected to a page("/select_requirement_type"). And on that page, user selects the type of requirement he wants and then he is redirected to the respective form. I basically use current_user.id to link it with a user.
Now also i have an admin user who can post requirements on behalf of other users. So the flow is still kind of the same. I list users on a page("/manage/users") and there the admin selects a user for which he want to post the requirement for and the page redirects to ("/select_requirement_type") and then the page redirects to the form. In the form instead of current_user.id I have to add the selected_user.id.
There are 2 redirects through which I have to pass the selected_user's id, how can accomplish this. And this cannot be passed as params along the url.
Im stuck with this. Thanks.
Save the param to their session before the first redirect.