Hi everyone,

I am using Devise for authentication in my app. Is there any way an admin user can view other users' passwords as normal strings, without storing their passwords as strings in the database? Please advise.
on 2013-01-07 07:40
on 2013-01-07 08:33
Hi,

With the vanilla Devise config it's not possible. You should look at a custom encryptor (https://github.com/plataformatec/devise/wiki/How-T...) with reversible encryption. But you really shouldn't do that; it's a security breach and a violation of the client's private life. As a sysadmin for many years now, I've never seen a good reason to keep passwords readable.
on 2013-01-07 08:54
Ok thanks Jérémie Horhant :)

--
Regards by Saravanan.P
on 2013-01-07 08:55
On 7 January 2013 06:39, Saravanan P <saravanan.p@shriramits.com> wrote:
> Hi Everyone
>
> i am using devise for authentication for my app.
> Is there any way, Admin user can view other users password as normal string.

Why would you want to do that?

Colin
on 2013-01-07 09:00
In my case, the admin user can create many different sub-users. And he can view their passwords too.. :(

--
Regards by Saravanan.P
on 2013-01-07 10:25
On 7 January 2013 07:59, Saravanan P <saravanan.p@shriramits.com> wrote:
> In my case, Admin user can create many different sub-users. And he can view
> their password too.. :(

That does not explain /why/ he needs to be able to view the passwords.

Colin
on 2013-01-07 10:37
As an admin he can create many sub-users, and he will email the user details to the person who is going to use them with the application.

--
Regards by Saravanan.P
on 2013-01-07 11:29
Here it is, the huge security hole... Mails are sent in clear text and virtually anyone can read them. I suggest you generate a random password when an admin creates a sub-user, then at the same time send it by mail with an obligation to change it when the user logs in.

Or the simplest solution: generate a random password and don't send it. The password is then "lost", and when the user wants to log in he can use the "Forgotten password" link. Simple (everything is ready in Devise) and secure.
on 2013-01-07 18:15
I recommend you never set a password for a user. Instead, use the very flexible Devise Invitable module to create a user without any password set, and the requirement that s/he create a password before logging in. The only thing sent to the new user is a cryptic token link (and these time-bomb out after a definable time). As an admin, I do not want to be in the business of knowing (or having to remind my users of) their passwords -- that's what the "I forgot..." link is for! Walter
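The flow recommended in the two replies above (an account created with no password, a single-use emailed token that expires, and the user choosing the password), sketched as an added example that is not part of the thread and is not Devise or devise_invitable code. `SubUser`, `invite`, `accept_invite` and `INVITE_TTL` are hypothetical names, and PBKDF2 from Ruby's standard library stands in for the bcrypt hashing Devise uses by default.

```ruby
require "securerandom"
require "openssl"

# Added illustration with hypothetical names; not Devise or devise_invitable code.
INVITE_TTL = 3 * 24 * 3600 # seconds an invitation stays valid (assumed value)

SubUser = Struct.new(:email, :invite_digest, :invite_sent_at,
                     :password_salt, :password_hash)

def token_digest(raw_token)
  OpenSSL::Digest::SHA256.hexdigest(raw_token)
end

# The admin creates the account with no password at all. The raw token goes
# only into the emailed link; the stored record keeps just its SHA-256 digest.
def invite(email, now: Time.now)
  raw = SecureRandom.urlsafe_base64(32)
  [SubUser.new(email, token_digest(raw), now, nil, nil), raw]
end

# Standard-library stand-in for the bcrypt hashing Devise uses by default.
def hash_password(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 200_000, 32,
                             OpenSSL::Digest.new("SHA256"))
end

# The invited person chooses the password. Returns false for a wrong, expired
# or already used token; nothing an admin could read back is ever stored.
def accept_invite(user, raw_token, new_password, now: Time.now)
  return false if user.invite_digest.nil?
  return false if now - user.invite_sent_at > INVITE_TTL
  return false unless OpenSSL.secure_compare(user.invite_digest,
                                             token_digest(raw_token))

  user.password_salt = SecureRandom.random_bytes(16)
  user.password_hash = hash_password(new_password, user.password_salt)
  user.invite_digest = nil # the token is single use
  true
end
```

Because only the token digest and the password hash are stored, neither a database read nor the admin interface can show a usable credential, and a leaked invitation mail stops working once the token is used or expires.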
on 2013-01-08 06:40
Ok, thank you Walter.

--
Regards by Saravanan.P