chewmanfoo
2010-Jun-25 14:01 UTC
best practices for putting rails site out on the internet with authentication
I'm using Devise for authentication on a corporate website which is now only in our intranet. I need to build an interface (controllers and views) for our customers to access the site out on the internet, on a publicly addressable url. Right now, you can sign up for an account on the site simply by furnishing a valid email address (you need a valid email address, since Devise sends you a confirmation email which you must click through to gain access). If I make this site publicly available I'll have all sorts of Tom, Dick and Harry nefarious users and bots joining in and posting porn links in text fields and deleting sensitive. I do log all activity, so I'd know who did the dirty deed, but recovering from vandalism won't be fun.

Does Devise support protection from bots creating accounts?

Is there a best practice for giving access to only a few people on the internet (our customers) without allowing everyone to create an account?
Anand Ramanathan
2010-Jun-25 19:11 UTC
Re: best practices for putting rails site out on the internet with authentication
You could do one or more of the following:

1. Isolate all content by user, if possible: if your design permits it, allow users only to view and edit content under their own user id, and that way, they cannot damage other users' content.
2. Don't use the registerable and confirmable options in devise - have a mail account where people send requests to register, and validate the request and add the user yourself (you can do that from the rails console, or by adding an admin form for this purpose).
3. I know you can customize the views generated by devise, so it may be possible to validate the registration email field with any custom validations you require (say, if you want only people from specific domain email accounts to be allowed to register).

HTH,
Anand
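An added example (not from the thread or from Devise itself) of the domain allow-list check Anand describes in point 3: plain Ruby so it runs without Rails, with the Devise model wiring shown only as a hypothetical comment. The domain names in ALLOWED_DOMAINS are constructed placeholders.

```ruby
# Constructed allow-list of customer email domains (placeholders, not real).
ALLOWED_DOMAINS = %w[customer-one.example customer-two.example].freeze

# Normalise and split an email address. Returns [local, domain], or nil when
# the value is not a single well-formed user@domain pair.
def parse_email(email)
  return nil unless email.is_a?(String)
  addr = email.strip.downcase
  # exactly one '@' and no embedded whitespace
  return nil unless addr.count('@') == 1 && addr !~ /\s/
  local, domain = addr.split('@', 2)
  return nil if local.empty? || domain.empty?
  [local, domain]
end

# True only when the domain is exactly one of the allowed domains.
# Substring and suffix matches are rejected on purpose, so neither
# "evil-customer-one.example" nor "customer-one.example.attacker.example"
# gets through.
def allowed_email?(email)
  parsed = parse_email(email)
  return false if parsed.nil?
  ALLOWED_DOMAINS.include?(parsed[1])
end

# Hypothetical Devise wiring (assumed, not run here): call the check from a
# model validation so sign-up fails before a confirmation mail is ever sent.
#
#   class User < ActiveRecord::Base
#     devise :database_authenticatable, :registerable, :confirmable
#     validate :email_domain_allowed, on: :create
#
#     def email_domain_allowed
#       return if allowed_email?(email)
#       errors.add(:email, "is not an approved customer domain")
#     end
#   end
```

Because the check runs as a model validation rather than in the view, it also covers sign-ups that bypass the HTML form and post directly to the registration endpoint.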
Jason Michael
2010-Jun-25 19:24 UTC
Re: best practices for putting rails site out on the internet with authentication
I found a gem devise_invitable which allows you to initiate the confirmable sequence from inside the app only after you've been authenticated. You can tweak this to allow only certain users to invite other users. In addition to what you've suggested, I'm adding this functionality.

Thanks for your help!
Lecky
2010-Jun-26 08:26 UTC
Re: best practices for putting rails site out on the internet with authentication
I have a similar case here. My project is also using Devise and we are trying to restrict access to users, even robots, to the public site. What we have done is use Devise http_authenticatable to authenticate users in our database, which is working quite well.

Cheers,
Lecky