devise : simple log in system


Roelof Wobben

Aug 29, 2014, 4:24:21 PM
to rubyonra...@googlegroups.com
Hello,

I want to use Devise for authentication.
The only thing I need is that I as admin can register a user with a password.
If the user loses her/his password then I get a mail and I as admin can make a new one.

Which modules can I best use?

Roelof


Walter Lee Davis

Aug 30, 2014, 1:18:55 AM
to rubyonra...@googlegroups.com
Take a look at devise_invitable. That lets you invite a new user to your site (and if you close off the registration module, then you can't just sign up yourself). The user gets to set her own password when she accepts the invitation mail, and then use the password reset system if she forgets it later.

Walter


Roelof Wobben

Aug 30, 2014, 3:22:16 AM
to rubyonra...@googlegroups.com


 



My app does not invite people.

I am trying to make a financial app.
The problem is that I have customers who are also staff members.

Staff members need a password which I will provide, but customers will and must not log into my app.

Roelof
 
 

Walter Lee Davis

Aug 30, 2014, 10:52:26 AM
to rubyonra...@googlegroups.com
I'm not aware of any authentication design pattern where the user does not get to set their own password, either through initial registration or through automated reset later. Why do you want to know their password at all, even initially? If the word invitation sets you off, think of it as sending someone their initial account credentials. The first thing they will do is set their own password, and from then on, it's just another account. It doesn't matter if that account is for a customer or a staff person.

I've used invitable in several applications that had multiple user levels (authorization) but that's getting outside of Devise's wheelhouse (authentication). Can you widen the frame a little and explain why you need to set the password for the staff members?

Walter


Roelof Wobben

Aug 30, 2014, 11:05:11 AM
to rubyonra...@googlegroups.com





What I have in mind is an app for a toy library.
So the customers choose a plan and get a yearly invoice.
But some customers work for the toy library.

Later on I will try to implement payments by cash or by bank.
Also later on I will try to implement that we know which customer has borrowed which toy and when he/she has to bring it bac

Why I need a password for staff members: so they can only see which invoice is not paid or add a payment.
I do not want customers to be able to see the financial things of their own or from another person.
All the data in my "accounting" system is private for staff members.
 

Roelof Wobben

Aug 30, 2014, 11:56:16 AM
to rubyonra...@googlegroups.com
@Walter:

Maybe your suggestion about invite can work.
Do you have a project where I can look at how things are working then?

Roelof



Hassan Schroeder

Aug 30, 2014, 12:22:14 PM
to rubyonrails-talk
On Sat, Aug 30, 2014 at 8:05 AM, Roelof Wobben <rwo...@hotmail.com> wrote:

>> > > The only thing I need is that I as admin can register user with a
>> > > password.
>> > > If the user loses her/his password then I get a mail and I as admin
>> > > can make a new one.

> Why I need a password for staff members so they can only see which invoice
> is not paid or add a payment.

Requiring staff to authenticate makes sense.

Having *you set the password* for each staff member does not.

For one thing, it doesn't scale. More importantly, how do you plan
to communicate this password to the person? By email? Extremely
insecure. By phone? In person? Not always convenient.

Enabling each staff member to *set/reset their own password* is a
far more efficient (and common) pattern.

--
Hassan Schroeder ------------------------ hassan.s...@gmail.com
http://about.me/hassanschroeder
twitter: @hassan

Roelof Wobben

Aug 30, 2014, 12:28:20 PM
to rubyonra...@googlegroups.com


Okay, so I'm on the wrong path. That is why I could not make it work.


Any suggestions on how I can make it work with invites or another way?

Roelof
 

Hassan Schroeder

Aug 30, 2014, 12:43:38 PM
to rubyonrails-talk
On Sat, Aug 30, 2014 at 9:28 AM, Roelof Wobben <rwo...@hotmail.com> wrote:

> Anyone suggestions how I can make it work with invites or another way ?

There are a ton of resources available for using devise. Besides
the README, I'd recommend spending some time here:

https://github.com/plataformatec/devise/wiki

Good luck,

Jason Fleetwood-Boldt

Sep 2, 2014, 12:25:24 PM
to rubyonra...@googlegroups.com

I agree generally with the sentiment that self-directed password resetting (involving email) is generally best practice.

However, I would defend the user experience convenience of having another way to have their password reset. For example, a company I worked for had a call center where you could reach customer support agents. Although there was a password reset on the site, the customer support agents could also reset someone's password on the phone (Yes, I know -- this makes them responsible for verifying that the person calling is really the person whose account it is, and could be abused).

On the back-end, I'm pretty sure the code was as simple as

@user.update_attributes(:password => @new_password, :password_confirmation => @new_password)

Of course, this was called from an Admin controller that only the customer support agents themselves had access to.

Did you try that in the latest version of Devise? I'm pretty sure it works technically speaking (leaving aside the question of whether it's a good idea).

-Jason
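
An added example, not part of any post in this thread and not Devise's own code: a plain-Ruby sketch of the set/reset-your-own-password pattern the replies recommend, where the admin creates or resets an account by issuing a one-time link token and never learns the password. The class, method names and `TOKEN_TTL` value are hypothetical, and PBKDF2 from the standard library stands in for whatever password hash a real app uses.

```ruby
require "securerandom"
require "openssl"

# Hypothetical in-memory account store (illustrative names, not Devise's API).
# PBKDF2 is used only because it ships with Ruby's standard library.
class StaffAccounts
  TOKEN_TTL = 6 * 60 * 60 # seconds a setup/reset link stays valid (assumed value)

  def initialize(server_key)
    @server_key = server_key
    @accounts = {} # email => { token_digest:, token_sent_at:, password_hash: }
  end

  # Admin action: create or reset an account. Returns the raw token for the
  # e-mailed link; only its keyed digest is stored, and no password is chosen.
  def issue_token(email, now: Time.now)
    raw = SecureRandom.urlsafe_base64(32)
    account = (@accounts[email] ||= {})
    account[:token_digest] = digest(raw)
    account[:token_sent_at] = now
    raw
  end

  # User action: redeem the link once, inside the validity window.
  def set_password(email, raw_token, new_password, now: Time.now)
    account = @accounts[email]
    return :invalid unless account && account[:token_digest]
    return :invalid unless OpenSSL.secure_compare(account[:token_digest], digest(raw_token))
    return :expired if now - account[:token_sent_at] > TOKEN_TTL
    salt = SecureRandom.random_bytes(16)
    account[:password_hash] = [salt, kdf(new_password, salt)]
    account[:token_digest] = nil # single use: the link is dead after this
    :ok
  end

  def authenticate?(email, password)
    salt, stored = @accounts.dig(email, :password_hash)
    !stored.nil? && OpenSSL.secure_compare(stored, kdf(password, salt))
  end

  private

  def digest(raw)
    OpenSSL::HMAC.hexdigest("SHA256", @server_key, raw)
  end

  def kdf(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, OpenSSL::Digest.new("SHA256"))
  end
end
```

Unlike an e-mailed password, an intercepted link token expires, works once, and is useless to anyone reading the database because only its digest is stored.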