I'm using Devise in a Rails 3 app, and I successfully configured it so that it uses a username as its authentication method instead of an email. The problem is that in the default registrations controller for devise, it calls an "update_with_password" method on the params passed in, which effectively allows users to change their username, and password. This behaviour makes sense if you're using email as an authentication method, since it's reasonable to expect people to be able to change their email. However, with using usernames, I'd rather users not be able to change them; I only want them to be able to change their password. Would this best way to do this be to override the RegistrationsController, and prevent the mass-assignment of params so that only the password can be changed?
Hope this is clear. Thanks!
Ok, I solved it. I added attr_readonly to the username variable, so that it cannot be changed with mass assignment.
Related
I am trying to override update method from PasswordsController from Devise to work for an api rest application (so from the client only come values for password and password_confirmation, without the value for reset_password_token). My question is: how to override update method to not require reset_password_token.
It is not possible, because without the token, you cannot find the existing user record.
And then it's not clear for the app, for which user the password should be updated.
I'm using Authlogic to password protect particular routes. The user is able to share certain pages, and can protect them with a password. I have this working fine for one password, but want to be able to let users have multiple passwords for the same pages.
I want to keep it simple, and not resort to a full username and password. The goal is for simple protection of content via a password.
I know I can override the login method, but it is expecting one object to be returned, and the verify password method is expecting to evaluate one value.
Any thoughts?
Im trying to customize Devise registration process to generate a random password and sends it with the confirmation mail.
What I have already done is to override the default Devise's :validtable and to generate a new random password if needed.
before_validation :password_generation
def password_generation
password_confirmation = password = Devise.friendly_token.first(7) if password.nil? || password.blank?
end
Now my problem is to include the newly generated random password with the original confirmation mail.
Is there any possibility to keep up with the original usability of Devise while customizing it's new user process or should I build the authentication process from scratch ?
Thanks,
Hadar.
(four months too late, but perhaps someone else can use this)
Mostly what you need to do is copy the default Devise mailer and views to your project and in the config/initializers/devise.rb specify your local class in config.mailer. At that point, you can customize the email as you like. (note that Devise uses the term resource as an abstraction, but mostly it means an instance of User).
The only trick will be to find a way to remember the generated password between the time that the new user account is created and when the email is generated and sent. What Devise will store, when saving the user record is an encrypted version of the password. I would have to follow the path of logic in Devise to be sure, but I'll bet you could store it in an instance variable on User, perhaps params or maybe the flash. Be very careful about this; you want this value to be as short-lived as possible -- presumably just the lifetime of the request.
I want users to interact with my site without having to create an account and then later create an account (supply password, name info..etc) if they want more.
This works fine but if user thought they've created an account and then tried to login (likely using a password they use all the time) Devise will through an Exception:
BCrypt::Errors::InvalidHash in Devise/sessionsController#create
Because password is nil. If they go through the signup and then signin again, it works.
I'm using devise (1.2.0), Rails (3.0.4) and Ruby 1.9.2
I mean I can go around it by creating a dummy password and have a field to say if the user has signed up (or check if other mandatory fields have been provided) then resetting the password on actual sign up but I think in all cases it shouldn't through the above exception.
Is there anything I can do/set to go around the problem?
The easiest way is probably to just generate a random one, using something like Devise.friendly_token[0..20] but you could also override the Devise controller and method for logging in, rescue the exception, and just redirect.
As the title says: how can I use the Restful Authentication Plugin with Ruby on Rails. When I want to create a new user, it requires me to set the (wrong-named, confusing field) login (= username), email address and password. However, I want, like Facebook does, to require the user to enter only an email address and password, not a username. People will also login with this email address.
Can anyone help me?
Can you hash the email to a unique user-name and just never expose the field to the user?
Restful Authentication includes generators that set up your models and migrations. You're free to edit those as you see fit.
You would just need to edit the validations in the User model for the login field. I'm not sure if the default users table migration include :null=>false for the login field, but that's a simple fix as well.
Set the username and email to the same value?
What BlueRaja says, or use authlogic, which can easily be modified to support what you are trying to achieve.
Also, if you're going to do this, why not go the next step and support OpenId? It's available as an addon to authlogic.
I forked a version of restful auth and modified it to not use usernames. Not thouroughly tested with all options but it passes the tests. Check it out if you want: https://github.com/jamiequint/restful-authentication