I have the following situation:
Users can sign up in my web application with single sign-on. In that case there is no password set. I mark this in the users table with the boolean column no_password_set.
In the settings page when I see the boolean is true, instead of giving the users the option to choose a new password, I have put a button which sends them a mail with a link to set a password.
For this I use Devise: send_reset_password_instructions, and in the email template I change the text a bit so "Forgot password" is changed to "Set a password".
So far so good, however when a user clicks the link they get a message saying: "You are already signed in." How can I avoid this? I want the users to only be able to choose a password after they confirm this through their mail. Otherwise an attacker could open the browser on somebody's PC, set a password and use that.
Logging the user out when he clicks on the link to set a password would be acceptable too...
I have found a working solution for this.
Create this controller:
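    class PasswordsController < Devise::PasswordsController
      # Re-declaring the inherited callback restricts Devise's "already signed in"
      # guard to :cancel, so it no longer runs for the password reset actions.
      prepend_before_action :require_no_authentication, only: [:cancel]
    end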
And alter routes file like this:
    devise_for :user, controllers: { passwords: 'passwords' }
Hopefully that'll work...
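    class Devise::PasswordsController < DeviseController
      # Prepended callbacks run in reverse order of declaration, so the guard is
      # declared first and remove_session last: the sign-out then runs before
      # require_no_authentication on :edit.
      prepend_before_action :require_no_authentication
      prepend_before_action :remove_session, only: [:edit]

      private

      # Sign the current user out before the reset form is shown.
      def remove_session
        sign_out resource if user_signed_in?
      end
    end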
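Both answers depend on where Devise's require_no_authentication guard sits in the callback chain when the reset link is opened. The following is an added example, not code from either answer or from Devise: a plain-Ruby model of how prepended before_action callbacks are ordered, in which FilterChain, its methods, the three builder functions and the sample session are hypothetical names made up for the illustration.

```ruby
# Plain-Ruby model (hypothetical FilterChain, not Rails or Devise code) of
# prepended before_action ordering: prepending drops an earlier entry with the
# same name and puts the callback in front, so the LAST declared runs FIRST.
class FilterChain
  def initialize
    @chain = []
  end

  def prepend_before_action(name, only: nil)
    @chain.reject! { |c| c[:name] == name }
    @chain.unshift({ name: name, only: only })
    self
  end

  # Runs the callbacks for one action; returns [outcome, session afterwards].
  def run(action, session)
    session = session.dup
    @chain.each do |c|
      next if c[:only] && !c[:only].include?(action)
      case c[:name]
      when :require_no_authentication
        # Devise's guard: halts with "You are already signed in."
        return [:already_signed_in, session] if session[:user_id]
      when :remove_session
        session.delete(:user_id)
      end
    end
    [:"render_#{action}", session]
  end
end

SIGNED_IN = { user_id: 42 }.freeze # constructed sample session

# remove_session declared first, guard last: the guard runs first.
def guard_first
  FilterChain.new.prepend_before_action(:remove_session, only: [:edit])
             .prepend_before_action(:require_no_authentication)
end

# Guard declared first, remove_session last: the sign-out runs first.
def sign_out_first
  FilterChain.new.prepend_before_action(:require_no_authentication)
             .prepend_before_action(:remove_session, only: [:edit])
end

# Guard re-declared with only: [:cancel]: it never fires on :edit.
def guard_disabled
  FilterChain.new.prepend_before_action(:require_no_authentication)
             .prepend_before_action(:require_no_authentication, only: [:cancel])
end
```

For a signed-in session on :edit, guard_first halts at the guard with the session intact, sign_out_first renders the form with the session cleared, and guard_disabled renders the form while the user stays signed in.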