强制用户在第一次使用 Devise 登录时重置密码 [英] Force user to reset password on first login with Devise
问题描述
[ETA 以我当前的解决方案结尾更新]
[ETA updated at end with my current solution]
我希望能够为高价值用户手动创建帐户,这意味着我们必须为他们生成密码并让他们在首次登录时更改密码.我在这里找到了解决方案,但是它似乎可以解决设计问题,而不是使用它.
I want to be able to manually create accounts for high value users, which means we have to generate a password for them and get them to change it on first login. I found a solution to doing this here, but it seems to work around Devise rather than with it.
我目前的工作是覆盖 Devise ConfirmationsController 中的 #after_confirmation_path_for 方法,使其包含以下代码段:
My current effort is to overwrite the #after_confirmation_path_for method in the Devise ConfirmationsController so that it includes this snippet:
if resource.sign_in_count == 1
resource.send(:set_reset_password_token)
edit_password_path(resource, reset_password_token: @token)
else
# etc
end
但是当它遵循路径时,它重定向远离密码更改,似乎是因为 Devise::PasswordsController 中的这一行:
But when it follows the path, it redirects away from the password change, seemingly because of this line in the Devise::PasswordsController:
# Render the #edit only if coming from a reset password email link
append_before_filter :assert_reset_token_passed, only: :edit
所以我可以覆盖那个调用,但我很担心它为什么会出现在那里,以及这是否会导致其他问题 - 即使没有,感觉就像我在做很多黑客攻击来启用我想象的场景是比较常见的.有没有更像 Devise-y 的方法来解决这个问题?
So I could overwrite that call, but I'm wary about why it was there in the first place and whether that could cause other problems - even if not, it feels like I'm doing a lot of hacking to enable a scenario that I would imagine is relatively common. Is there a more Devise-y way to approach this?
ETA:我使用以下代码成功地跳过了过滤器:
ETA: I've made this successfully skip the filters with the following code:
class PasswordsController < Devise::PasswordsController
skip_before_filter :require_no_authentication,
:assert_reset_token_passed,
only: :edit
end
这适用于相关的用户旅程,但这是一个验收测试相对较少的应用程序,所以我有点担心这会在其他地方产生连锁反应 - 比如意外要求用户更改其他用户的密码旅程.
This is working in the relevant user journey, but this is an app with relatively few acceptance tests, so I'm slightly wary this will have knock-on effects elsewhere - like unexpectedly requiring users to change their password in some other user journey.
任何人都可以建议使用这种方法是否正常,或者是否有更安全的替代方法?
Can anyone advise whether it's normal to use this approach, or is there a safer alternative?
推荐答案
在您的应用程序控制器上,覆盖after_sign_in_path"方法.使用 sign_in_count 来测试它是否是第一次登录:
On your application controller, override the "after_sign_in_path" method. use the sign_in_count to test if it's a first login :
def after_sign_in_path_for(resource)
if current_user.sign_in_count == 1
edit_passwords_path
else
root_path
end
end
这篇关于强制用户在第一次使用 Devise 登录时重置密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!