
Passwords and More Security for a Rails Ecommerce Application

In this third part to a four-part series on building the security into a Ruby-on-Rails ecommerce application, we'll focus on the changes we need to make to the program so that users can change their passwords. This article is excerpted from chapter eight of the book Practical Rails Projects, written by Eldon Alameda (Apress; ISBN: 1590597818).

Author Info:
By: Apress Publishing
June 18, 2010

Updating the User Model (Page 2 of 4)

To accommodate resetting a password, we need to add a new field to the User model. This field will hold the generated random token that the system e-mails to George when he forgets his password. Only with this token can he reach the page where he can set a new password. Run the following command to generate the migration file:

$ script/generate migration add_pw_reset_code_to_users
      exists  db/migrate
      create  db/migrate/010_add_pw_reset_code_to_users.rb
Loaded suite script/generate

Now open the new file (db/migrate/010_add_pw_reset_code_to_users.rb) and change it to add the new column, as follows:

class AddPwResetCodeToUsers < ActiveRecord::Migration
  def self.up
    # 40 characters: the length of a hex-encoded SHA-1 digest
    add_column :users, :pw_reset_code, :string, :limit => 40
  end

  def self.down
    remove_column :users, :pw_reset_code
  end
end

Run rake db:migrate for the changes to take effect.

Next, we need to change the User model in app/models/user.rb so that we can create a new reset code when needed:

require 'digest/sha1'
class User < ActiveRecord::Base
  # Virtual attributes for the unencrypted password and the reset request
  attr_accessor :password, :password_forgotten

  # ... scroll 'til the end of the file

  # Record that a reset was requested and generate the token to e-mail
  def forgot_password
    self.password_forgotten = true
    create_pw_reset_code
  end

  # Called once the new password has been saved; invalidates the token
  def reset_password
    update_attributes(:pw_reset_code => nil)
  end

  protected
    # 40-character hex token stored in the pw_reset_code column
    def create_pw_reset_code
      self.pw_reset_code = Digest::SHA1.hexdigest("secret-#{Time.now}")
    end

    # before filter
    def encrypt_password
      return if password.blank?
      self.salt = Digest::SHA1.hexdigest("--#{Time.now.to_s}--#{login}--") if new_record?
      self.crypted_password = encrypt(password)
    end

    def password_required?
      crypted_password.blank? || !password.blank?
    end
end

At the beginning of the file, we declare an instance variable called @password_forgotten and accessor methods for it. Then we create a new method, forgot_password, which uses this variable to record that a password reset has been requested. This method sets @password_forgotten to true through its accessor and then calls the protected method create_pw_reset_code to create a random, unique 40-character token for this reset. reset_password is called when George has successfully completed the process. All it does is set the pw_reset_code attribute to nil, awaiting the next time George's memory shows signs of deterioration.
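The chapter's create_pw_reset_code derives the token from a fixed string and the current second, so anyone who knows or can guess when the reset was requested has a small space to search. The following is an added example, not the book's code: a plain-Ruby stand-in for the User record (no ActiveRecord) whose create_pw_reset_code draws the 40 characters from SecureRandom, stores only a digest of the token, and adds an expiry window (pw_reset_expires_at and RESET_TTL are assumptions) with a constant-time check for the controller to call.

```ruby
require 'securerandom'
require 'digest'

# Constructed stand-in for the chapter's User record (no ActiveRecord):
# only the fields the reset flow touches, plus an expiry the book lacks.
class User
  RESET_TTL = 2 * 60 * 60 # seconds a reset link stays valid (assumption)

  attr_accessor :login, :pw_reset_code, :pw_reset_expires_at

  def initialize(login)
    @login = login
  end

  # Replaces Digest::SHA1.hexdigest("secret-#{Time.now}"): the token comes
  # from the OS CSPRNG, and only its digest is stored, so a leaked column
  # cannot be pasted into a reset URL. Returns the token for the e-mail.
  def create_pw_reset_code(now = Time.now)
    token = SecureRandom.hex(20) # 40 hex chars, 160 bits of entropy
    self.pw_reset_code = Digest::SHA256.hexdigest(token)
    self.pw_reset_expires_at = now + RESET_TTL
    token
  end

  # For the controller's reset action: true only when a reset is pending,
  # the window has not passed, and the presented token matches in
  # constant time (no early exit on the first differing byte).
  def valid_reset_code?(token, now = Time.now)
    return false if pw_reset_code.nil? || pw_reset_expires_at.nil?
    return false if now > pw_reset_expires_at
    secure_compare(Digest::SHA256.hexdigest(token.to_s), pw_reset_code)
  end

  # The chapter's reset_password, clearing the expiry as well.
  def reset_password
    self.pw_reset_code = nil
    self.pw_reset_expires_at = nil
  end

  private

  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) } == 0
  end
end
```

In the real model the two columns would come from a migration like the one above, and the e-mail would carry the returned token, never the stored digest.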
