I'm trying to code a basic invitee-verification page in Ruby on Rails 3.
I'm trying to code a basic website page that has a text field for the user to enter their email address, and then the program verifies whether or not that email address has been invited. If it has been invited, they will be directed to the register page. If it hasn't, they'll be given a simple "haven't been invited" message and will not be taken to sign up.
I'm having a hard time figuring out how exactly to take this information back into the controller and run the check.
My current set-up is:
The user starts out at Manager/WelcomePage: Rails opens ManagerController and goes to the WelcomePage action. There's an Invite model and table, which has an invitee-email column. On WelcomePage, there's a form to take in the user's email address and then pass it back to ManagerController to see if the user's address has been invited.
<%= form_for(:invite, :url => {:action => 'authenticate'}) do |f| %>
  <div class="field">
    <p class="Invitee Verification">Enter your e-mail. If you've been invited, we'll take you to sign up</p>
    <%= f.text_field(:email) %>
    <div class="form-buttons">
      <%= submit_tag("enter") %>
    </div>
  </div>
<% end %>
Then back in the ManagerController code:
def authenticate
  # Read the submitted address and look for a matching Invite row
  invite_input_email = params[:email]
  if Invite.where(:email => invite_input_email).size > 0
    render('new_user_form')
  else
    render(:text => "nah")
  end
end
Any ideas about what needs to be changed?
Sorry, I am not aware of the Ruby on Rails syntax, but from a design point of view I think your approach to the problem is not right.
If a person has been invited, then he should get an email with the registration URL containing a hash that is uniquely generated for that email and stored in your database. The moment the user visits the URL and registers with the email, you disable that hash for further registration. The problem with your approach is that if a hacker knows some person who has been invited, he can easily use his email and register on your website.
You should keep the registration as intuitive as possible and not add extra pages.
What do you think of the above approach?
invite_input_email = params[:email]
I believe this is not correct, since form_for will generate parameter names in an array-like (nested) pattern.
Correct version:
invite_input_email = params[:invite][:email]
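The two answers above (the single-use invite hash sent by e-mail, and the nested `params[:invite][:email]` lookup) combined into one runnable sketch. This is an added example, not code from the question or the answers: `InviteStore` is a hypothetical in-memory stand-in for the Invite model, and the params hash is a plain Ruby Hash rather than Rails' ActionController::Parameters.

```ruby
require 'securerandom'
require 'digest'

# Hypothetical stand-in for the Invite table. Only the SHA-256 digest of the
# token is stored, so a leaked database does not yield working registration URLs.
class InviteStore
  def initialize
    @invites = {} # token_digest => { email: String, used: Boolean }
  end

  # Issue an invitation. The raw token goes only into the e-mail sent to the
  # invitee (e.g. /register?token=...); the store keeps just its digest.
  def issue(email)
    token = SecureRandom.urlsafe_base64(32)
    @invites[digest(token)] = { email: normalize(email), used: false }
    token
  end

  # Redeem the token from the registration URL together with the email the
  # user typed. Single use: a successful redemption marks the record used.
  def redeem(token, email)
    record = @invites[digest(token)]
    return :invalid_token unless record
    return :already_used if record[:used]
    return :email_mismatch unless record[:email] == normalize(email)
    record[:used] = true
    :ok
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token.to_s)
  end

  def normalize(email)
    email.to_s.strip.downcase
  end
end

# form_for(:invite, ...) nests the field, so the value lives at
# params[:invite][:email]; a bare params[:email] is nil, as the answer notes.
def invite_email_from(params)
  params.fetch(:invite, {})[:email]
end
```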
I agree with @user350374 and would add to the message by saying that you could add some validation to your user model to check for an invitation record.
If you've not done so already, check out the Devise gem and get that working; then, when you've got that up and running, add in your validation.