Design Question for multiple user models and cross creation of users
Daniel
I am writing a rails 3 app, which uses 2 different devise models.
Basically Customers and Employees. I want the employees to be able to
create accounts for customers. Based on a switch, a customer should
get a random password via e-mail or not. If not (aka the password is
empty) the customer should not be able to log into his account. I'm
not sure, what would be the best way to achieve that using devise.
What I tried is to not touch the generated devise methods, so the
customer can sign up on its own. Furthermore I created custom actions
for the form a employee should use to create a customer. But what
happens now is, that an employee can't create a customer unless he
supplies a passphrase, which should be, as I mentioned before
optional. Do I need to overwrite/extend the devise Controller actions
to achieve that or is there a built in way?
I tried to look through the existing discussions for a post related to
my problem. I didn't find anything, but if this kind of question has
already been answered, I'm sorry for asking again and it would be
nice, if you could point out the discussion for me.
Thanks,
Daniel
Andrés Mejía
I think this is hard to do in Devise, and I wouldn't suggest it anyway. What's wrong with setting up a random password in both cases?
Daniel
question, how I can create a user without a password, who would be
deactivated by the definition of not having a password. Which leads me
to the question: Is it possible to disable a user account in a way
that the user is not able to log in? Because in this case i could
generate a random password, which won't get used anyway.
I thought about just using random paswords, too. I would use this
solution if there isn't a better one available, because, at least in
theory this creates a vulnerability if someone obtaines and cracks the
encryptes password, he could logon as this user and access all data
related to that user.
Andrés Mejía
John McGrath
Andrea Campi
solution is not to include :validatable in your Customer model, and
add your own validations instead.
You would copy most validations to be the same, but make you custom
ones conditional, like this:
with_options :if => Proc.new { |user| !Authorization.current_user ||
!Authorization.current_user.role_symbols.include?(:admin) } do |v|
v.validates_inclusion_of :accepted_tos, :in => [true, false]
v.validates_acceptance_of :accepted_tos, :accept => true
end
In this case however, since it's just the password, you only need to
override #password_required? in your model.
Devise has:
def password_required?
new_record? || !password.nil? || !password_confirmation.nil?
end
You just need to add your custom conditions and you're set. Something like:
class User
attr_accessor :password_required
def password_required?
if called_by_employee && unspecified_password
false
else
password_required?
end
end
def called_by_employee
current_employee # this will need tweaking based on how you do
authorization
end
end
This way, your controller only needs to pass :password_required from
your checkbox.
Hope this helps,
Andrea
Andrés Mejía
It's just one line of code.
Andrea Campi
> I still think it's simpler, cleaner and safer to just set a random password.
>
> It's just one line of code.
Whatever floats your boat :)
But do note that "safer" depends on your context: whether your
application authorizes users for commenting on some blog or firing
nukes.
I can easily argue my solution is safer than using a random password,
since that has a small but non-zero likelihood of being cracked,
whereas a nil password is guaranteed to never allow login.
Also, a random password doesn't help you if, a year from now, you'll
need to find all users who don't have a real password.
But again, whatever works for you.
Andrea