In this conclusion to a four-part series covering security for a Ruby on Rails ecommerce application, you'll learn how to protect the application against SQL injection, cross-site request forgery, and more. This article is excerpted from chapter eight of the book Practical Rails Projects, written by Eldon Alameda (Apress; ISBN: 1590597818).
Protecting Your Rails Ecommerce Application (Page 1 of 5)
Creating the Form Templates
We need form templates for both the request and password resetting actions. Let’s start by creating app/views/account/forgot_password.rhtml and adding the following code to it:

<p>Give your email address and we'll send you instructions on how to create a new one.</p>
<%= form_tag %>
  <label for="email">Email</label><br />
  <%= text_field_tag "email" %><br />
  <%= submit_tag "Submit" %>
<%= end_form_tag %>
The form is extremely simple, consisting of one text field for the e-mail address and a Submit button, as shown in Figure 8-4.
Figure 8-4. Forgot password? form
Notice that since we’re posting the form back to the current action, we don’t even need to specify an address for form_tag.
The reset form in app/views/account/reset_password.rhtml is almost as simple as the request form:
Here, we just show two password fields: one for the actual password and one for a confirmation. Since the User class has a validates_confirmation_of validation specified for the password attribute, the password confirmation is automatically checked against the password. After that, it is stripped from the new User object before saving. If the two passwords don’t match, @user can’t be saved, and the form is shown with an error notification by using the error_messages_for call, as shown in Figure 8-5.
Figure 8-5. Error message when passwords do not match
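The confirmation-then-strip behaviour described above, as an added plain-Ruby illustration that is not code from the book or from the acts_as_authenticated plugin. The User class, its errors array and the salted SHA-256 digest are stand-ins for the Rails model and validation machinery, chosen to show why the stored password is one-way and why a mismatched confirmation blocks the save.

```ruby
# Added example, not from the book: a stand-in for the User model behaviour
# the chapter describes (confirmation check, then clear-text stripped before save).
require 'digest'
require 'securerandom'

class User
  attr_accessor :password, :password_confirmation
  attr_reader :errors, :crypted_password, :salt

  def initialize
    @errors = []
  end

  # Mirrors validates_confirmation_of :password. As in Rails, the check only
  # runs when a confirmation was supplied; a blank password always fails.
  def valid?
    @errors = []
    @errors << "Password can't be blank" if password.nil? || password.empty?
    if !password_confirmation.nil? && password != password_confirmation
      @errors << "Password doesn't match confirmation"
    end
    @errors.empty?
  end

  # Refuses to save when validation fails (errors stay available for display,
  # as error_messages_for would show them). On success the password is hashed
  # with a fresh random salt and both clear-text attributes are discarded, so
  # nothing reversible is ever stored.
  def save
    return false unless valid?
    @salt = SecureRandom.hex(16)
    @crypted_password = self.class.digest(password, @salt)
    @password = @password_confirmation = nil
    true
  end

  # Login check: re-derive the digest from the candidate and compare.
  def authenticated?(candidate)
    !crypted_password.nil? && self.class.digest(candidate, salt) == crypted_password
  end

  # Hypothetical one-way digest (assumption, not the plugin's exact scheme).
  def self.digest(password, salt)
    Digest::SHA256.hexdigest("--#{salt}--#{password}--")
  end
end
```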
We now have a working authentication system in our application. It could be easily extended to support open user registration, role-based authentication, reversible encrypted passwords, and “remember me” functionality. For instructions on how to implement these functions, refer to the plugin’s homepage at http://technoweenie.stikipad.com/plugins/show/Acts+as+Authenticated.
Note: In the implementation described in this chapter, the current password of a user is not reversible. When a user forgets her password, she must create a new one. The system will not mail her the old one.