Ruby on Rails Tuesday, September 2, 2014

I agree generally with the sentiment that self-directed password resetting (involving email) is generally best practice.

However, I would defend the user experience convenience of having another way to have their password reset. For example, a company I worked for had a call center where you could reach customer support agents. Although there was a password reset on the site, the customer support agents could also reset someone's password on the phone (Yes, I know -- this makes them responsible for verifying that the person calling is really the person whose account it is, and could be abused).

On the back-end, I'm pretty sure the code was as simple as

@user.update_attributes(:password => @new_password, :password_confirmation => @new_password)

Of course, this was called from an Admin controller that only the customer support agents themselves had access to.

Did you try that in the latest version of Devise? I'm pretty sure it works technically speaking (leaving aside the question of whether it's a good idea).

-Jason
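The admin-side reset described above, as an added Ruby example that is not part of the original thread, of Devise, or of any project mentioned here. It stands in for the Devise user model with a small self-contained `User` class (PBKDF2 via the OpenSSL stdlib instead of Devise's bcrypt, so it runs without Rails) and makes explicit the checks the post says the support agent is responsible for: only an agent may trigger the reset, the temporary password is random and must be changed at next login, every existing session is invalidated, and the action is written to an audit log without the password. The names `User`, `AdminPasswordReset`, `NotAuthorized` and the role symbols are assumptions for this example.

```ruby
require 'openssl'
require 'securerandom'
require 'time'

# Minimal stand-in for a Devise user record (constructed for this example,
# not Devise's own model). Roles are :staff or :support_agent.
class User
  attr_reader :email, :role, :password_digest, :password_salt, :session_token
  attr_accessor :must_change_password

  PBKDF2_ITERATIONS = 100_000

  def initialize(email:, role: :staff)
    @email = email
    @role = role
    @must_change_password = false
    @session_token = SecureRandom.hex(16)
  end

  # Mirrors Devise's :password / :password_confirmation pair: refuse a
  # mismatch, then store a fresh salt and a PBKDF2-HMAC-SHA256 digest.
  # Rotating the session token logs out every existing session.
  def set_password(password, confirmation)
    raise ArgumentError, 'password confirmation does not match' unless password == confirmation
    raise ArgumentError, 'password too short' if password.length < 12
    @password_salt = SecureRandom.random_bytes(16)
    @password_digest = User.digest(password, @password_salt)
    @session_token = SecureRandom.hex(16)
    true
  end

  def authenticate(password)
    return false if @password_digest.nil?
    User.secure_compare(User.digest(password, @password_salt), @password_digest)
  end

  def self.digest(password, salt)
    OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                             length: 32, hash: 'sha256')
  end

  # Byte-wise comparison that does not stop at the first differing byte,
  # so response timing does not reveal how much of the digest matched.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

class NotAuthorized < StandardError; end

# The call-centre reset: the equivalent of the one-line update_attributes
# call, wrapped in the authorisation, single-use-password and audit steps
# that the admin controller should be enforcing around it.
module AdminPasswordReset
  def self.call(actor:, target:, audit_log:, now: Time.now.utc)
    raise NotAuthorized, "#{actor.email} is not a support agent" unless actor.role == :support_agent

    temp_password = SecureRandom.alphanumeric(16)
    target.set_password(temp_password, temp_password)
    target.must_change_password = true # force a user-chosen password at next login
    audit_log << { at: now.iso8601, actor: actor.email, target: target.email,
                   action: 'admin_password_reset' } # never the password itself
    temp_password # read to the caller once; not stored or emailed
  end
end
```

The audit entry is what lets the "could be abused" risk be investigated later: it ties each reset to the agent who performed it and the account it touched, while the temporary password itself never reaches the log or a mailbox.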


On Aug 30, 2014, at 12:21 PM, Hassan Schroeder <hassan.schroeder@gmail.com> wrote:

> On Sat, Aug 30, 2014 at 8:05 AM, Roelof Wobben <rwobben@hotmail.com> wrote:
>
>>>>> The only thing I need is that I as admin can register user with a
>>>>> password.
>>>>> If the user loses her/his password then I get a mail and I as admin
>>>>> can make a new one.
>
>> Why I need a password for staff members so they can only see which invoice
>> is not paid or add a payment.
>
> Requiring staff to authenticate makes sense.
>
> Having *you set the password* for each staff member does not.
>
> For one thing, it doesn't scale. More importantly, how do you plan
> to communicate this password to the person? By email? Extremely
> insecure. By phone? In person? Not always convenient.
>
> Enabling each staff member to *set/reset their own password* is a
> far more efficient (and common) pattern.
>
> --
> Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
> http://about.me/hassanschroeder
> twitter: @hassan
>
> --
> You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rubyonrails-talk+unsubscribe@googlegroups.com.
> To post to this group, send email to rubyonrails-talk@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/rubyonrails-talk/CACmC4yA9RZMSiDGDoEbXkmDVVC_OdARC301fEYM25Qqu3p9Ryg%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.
>

