I want to generate a unique url for each user that signs up for my app. The urls should all lead to the same sign up page but each one will be associated with the one user that received it when signing up. Then every time a new user signs up through the unique url, the number of signups associated with that url will increment by one. Therefore, I can track the number of signups generated by each user. How do I build such a system?
This is for a Ruby on Rails app.
i am not exactly sure what your requirement is. But if you thinking of a use case like: User A invites Not_yet_a_user_B. And B gets a unique signup url. B clicks that and register him self in the site and the site records in its db that B was invited by A.
You could implement something like this.
Have a model (and a underlying table) called Invitations with fields (invitation code:string, inviter_user_id:integer). A User can have one (one to one mapping.. oh you can just keep the invitation code in the User table) Invitations. And in the User model have a field called invited_by_user_id:integer).
When A send a sign up request to B, it will look like: www.site.com/signup?invitation_code=ABC. So in your sign up action you can check for the invitation_code parameter and then check it against the Invitations table to find out who invited B. Then record that User ID in B's invited_by_user_id.
Then you can tell who was invited by who. And how many people (and who they are) were invited by a given user.
Related
I'm writing an ASP.NET MVC application, which uses the Membership database to store user registrations. I use email addresses as usernames. When a user registers in my app, I send out an email-confirmation to the address they have used during registration. i.e. I send out an email with a link, which the user is supposed to click, to verify that the address belongs to him.
Until that link is clicked, the account remains 'Unconfirmed' (i.e. EmailConfirmed column equals False). Which means, the account is created, just not active.
How do I deal with a hacker who brute-force creates accounts? I see two big problems here:
Ever-increasing size of the Membership database. A single user, from
a single computer is not a threat, but what if he has 'zombie'
computers?
If User1 creates account with User2#example.com email and
User2 ignores the activation email, the account will essentially
remain locked (unconfirmed), but existing. If User2 decides later to
actually create an account, they can't use their email to register
(account already exists) and they can't Reset Password either -
because even if they reset the password, that does not necessarily
Activate the account.
As for 2) I see a couple of options:
Set expiration date on unconfirmed accounts - i.e. allow the username/email to be claimed again, if the email is not confirmed with 24hrs
Modify my Reset Password method to also activate the account, if it has not been activated. Is that a good idea? I mean, the person would receive an email for that, which is essentially a confirmation, if they click the reset password link in it.
Anything else?
What about 1)? How do I protect myself against bulk create of accounts? Aside from limiting 1 account per IP, per day, using code.
One simple way to deal with this kind of problem is crude but effective.
I usually add an additional field to the form that doesn't form part of what I need - but has a legitmate sounding name like 'Company' - and then I hide it from screen view using CSS. Real user's will never see this on screen, but a bot crawling through the HTML will find it.
Then, when the form is submitted, first I check to see if that form field has a value. If it has - I stop the page from executing any further or just return an HTTP Error as in 99.9% of times only a bot would have filled out that field - not a real user.
//anti-bot measure
if (!String.IsNullOrEmpty(Company.Text))
{
HttpContext.Current.Response.StatusCode = 400;
HttpContext.Current.Response.Status = "400 Bad Request";
HttpContext.Current.Response.End();
}
//carry on processing the form...
I've been using this technique on forms for several years and it's been extremely effective!
The idea is not to use email addresses for uniquely identifying users for a contest submission form I need to build. Since emails are not unique and google allows emails with periods in them which makes it difficult to say if email is unique or not.
My requirement is the user is able to submit 2 ballots against an entry which gives them two spots. When the user lands on the page, I ask them if they are a new user or a returning user. If they are new user I generate a unique guid on server side and give it to them. If they are returning user I ask them to enter the guid provided and then I check this on my db to make sure its there and then show them the thank you page if they have casted all 3 votes or take them back to the page where they vote on facebook or twitter.
any thoughts? I think using guids I can guarantee noone would cheat the contest unlike emails which are not truly unique.
I have a form where user can submit a review to a product without having to log in first. When user clicks the submit button, ReviewsController calls auth_user method which creates a new Review object with the review content updated. But, I want to associate this Review object with the user who is going to sign up. Right now, I'm simply retrieving the last Review object like this, Review.last. However, I know that this is vulnerable to multiple users creating reviews and signing up at the same time. Suppose that User A submits a review, User B submits a review, and User A signs up. In this scenario, it will retrieve the Review object created by the User B instead of the one created by the User A and associate the record with the User A. But, I want the one created by the User A and associate it with the User A regardless of how many users are creating the records simultaneously. Does anybody have an idea of how to go about doing this?
You could store the IP of the request when storing the reviews and then when the user logs in, match the IP's and associate the user. You can get the IP as below
remote_ip = request.env["HTTP_X_FORWARDED_FOR"]
Also you could use user agents and cookies apart from IP address. Also check this question
Currently we are using devise for our users to login into our site, but we have two devise models. One for users and one for landlords. Right now our users are created atomically when a user opens our iOS app for the first time. When a user goes to create a listing they create another user account called landlords. I need a way to make those into one but keep the current functionality for our iOS app and add the ability to sign in via facebook. Any thoughts or input on how to solve this problem?
Perhaps when a User makes a Landlord account, pass in the user_id, and then transfer all fields to the Landlord user type, then delete the user, or something like that. Alternatively you could set a boolean determining if the user is a landlord.
For facebook, use omniauthable with Devise. The example is for facebook https://github.com/plataformatec/devise/wiki/OmniAuth:-Overview
I am using Devise for registration of a site with confirmable. However, I have two different roles for this site. The first role is the "main" role that uses the regular Devise signup procedure. Accounts in a second role are supposed to be created after the original user confirms their account, logs in for the first time and saves a certain model. For example, if a user signs up for the site (as role type 1) the get a confirmation email from Devise as normal. Next, they visit the confirmation link, verify their account and then fill out a form where they specify some friends that should also get accounts. The friends are role type 2 and they should get a different confirmation email than the original person who signed up their friends for the account. The accounts for the friends are created when the form filled out by the original user is saved. In addition, a person can edit and add more friends later so accounts might also need to be created on the update method of the relevant form/object and those new users will need to be sent the correct email. To be clear, I do not want to skip confirmation - I just want to send different confirmation emails to the user depending on their roles. I cannot figure out how to handle this properly. If I try to create the friends accounts in code when the form is saved with User.new, calling user.skip_confirmation! will automatically confirm them. However, I do not want anyone automatically confirmed - I just want to select a different customizable confirmation email to send depending on various conditions. Can someone point me in the right direction?
Check out send_on_create_confirmation_instructions method and comments for it in your /gems/devise-x.x.x/lib/devise/models/confirmable.rb