强制用户在第一次使用 Devise 登录时重置密码 [英] Force user to reset password on first login with Devise

问题描述

[ETA 以我当前的解决方案结尾更新]

[ETA updated at end with my current solution]

我希望能够为高价值用户手动创建帐户，这意味着我们必须为他们生成密码并让他们在首次登录时更改密码.我在这里找到了解决方案，但是它似乎可以解决设计问题，而不是使用它.

I want to be able to manually create accounts for high value users, which means we have to generate a password for them and get them to change it on first login. I found a solution to doing this here, but it seems to work around Devise rather than with it.

我目前的工作是覆盖 Devise ConfirmationsController 中的 #after_confirmation_path_for 方法，使其包含以下代码段:

My current effort is to overwrite the #after_confirmation_path_for method in the Devise ConfirmationsController so that it includes this snippet:

if resource.sign_in_count == 1
  resource.send(:set_reset_password_token)
  edit_password_path(resource, reset_password_token: @token)
else
  # etc
end

但是当它遵循路径时，它重定向远离密码更改，似乎是因为 Devise::PasswordsController 中的这一行:

But when it follows the path, it redirects away from the password change, seemingly because of this line in the Devise::PasswordsController:

# Render the #edit only if coming from a reset password email link
append_before_filter :assert_reset_token_passed, only: :edit

所以我可以覆盖那个调用，但我很担心它为什么会出现在那里，以及这是否会导致其他问题 - 即使没有，感觉就像我在做很多黑客攻击来启用我想象的场景是比较常见的.有没有更像 Devise-y 的方法来解决这个问题?

So I could overwrite that call, but I'm wary about why it was there in the first place and whether that could cause other problems - even if not, it feels like I'm doing a lot of hacking to enable a scenario that I would imagine is relatively common. Is there a more Devise-y way to approach this?

ETA:我使用以下代码成功地跳过了过滤器:

ETA: I've made this successfully skip the filters with the following code:

class PasswordsController < Devise::PasswordsController
  skip_before_filter :require_no_authentication,
                     :assert_reset_token_passed, 
                     only: :edit
end

这适用于相关的用户旅程，但这是一个验收测试相对较少的应用程序，所以我有点担心这会在其他地方产生连锁反应 - 比如意外要求用户更改其他用户的密码旅程.

This is working in the relevant user journey, but this is an app with relatively few acceptance tests, so I'm slightly wary this will have knock-on effects elsewhere - like unexpectedly requiring users to change their password in some other user journey.

任何人都可以建议使用这种方法是否正常，或者是否有更安全的替代方法?

Can anyone advise whether it's normal to use this approach, or is there a safer alternative?

推荐答案

在您的应用程序控制器上，覆盖after_sign_in_path"方法.使用 sign_in_count 来测试它是否是第一次登录:

On your application controller, override the "after_sign_in_path" method. use the sign_in_count to test if it's a first login :

def after_sign_in_path_for(resource)
 if current_user.sign_in_count == 1
  edit_passwords_path
 else
  root_path
 end
end

这篇关于强制用户在第一次使用 Devise 登录时重置密码的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！