Registration
Users can be registered for your site in three ways:
- By the administrator.
- Via self-registration.
- By a trusted user with limited permissions to set up and edit other users.
Self-Registration
Self-registration allows users to enter and edit their own details. For security reasons this feature is strictly limited: self-registered users can't change their own role, and obviously they can't see or edit the details of other users.
Self-registration needs to be enabled in System Settings.
| Option | Choice | Description |
|---|---|---|
| Self-registration enabled | true/false | Whether the self-registration system is enabled. If not enabled, none of the following options apply. |
| Self-registration Role | Role | This role is applied to any self-registered users by default. Self-registered users can't change their own role, but an administrator can edit it later if necessary. |
| Self-registration confirmation required | true/false | Whether self-registered users need to be confirmed before they can start using the site. |
| Self-registration confirmation error page | Page | The content page to be displayed if a self-registered user tries logging into the site before their registration has been confirmed (refer to the setting above). |
| Self-registration confirmation email | true/false | Whether a confirmation email is sent to self-registered users, enabling them to confirm their own registration. |
Confirmation
If confirmation is required, self-registered users can't start using the site straight away: their registration has to be confirmed either by an administrator or via self-confirmation. If a self-registered user who is not yet confirmed tries logging into the site, an error page is displayed, possibly containing further instructions on how their registration is to be completed.
If self-registration confirmation by email is enabled, the user receives an email with a hyperlink. The URL contains a confirmation key - a long string of digits. When the user clicks on the link, they are taken to a page where they can enter their username and password. If the confirmation key, username and password all match, the user's registration is confirmed and they can start using the site.
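As an added illustration of the three-way check described above (this is example code, not Goldberg's own implementation), the following Ruby models a pending registration: a random confirmation key is issued for the emailed link, and confirmation succeeds only when key, username and password all match. The key expiry, the single-use rule and the PBKDF2 password digest are assumptions made for the example, not settings Goldberg documents.

```ruby
require "securerandom"
require "openssl"

# Added example (not Goldberg's own code): a minimal model of the
# email-confirmation step. The confirmation key is random and single-use,
# and all three values (key, username, password) must match.
class PendingRegistration
  KEY_BYTES = 32
  KEY_TTL   = 24 * 60 * 60 # assumption: keys expire after one day

  attr_reader :username, :confirmed

  def initialize(username, password, now: Time.now)
    @username  = username
    @salt      = SecureRandom.bytes(16)
    @pw_digest = digest_password(password, @salt)
    @key       = SecureRandom.hex(KEY_BYTES) # goes into the emailed link
    @issued_at = now
    @confirmed = false
  end

  # Only the mailer should need this; exposed so a caller can build the link.
  def confirmation_key
    @key
  end

  # Returns true and marks the registration confirmed when everything matches;
  # false for a wrong key, wrong credentials, an expired key or a reused key.
  def confirm(key, username, password, now: Time.now)
    return false if @confirmed || @key.nil?
    return false if now - @issued_at > KEY_TTL

    ok  = secure_equal(key.to_s, @key)
    ok &= secure_equal(username.to_s, @username)
    ok &= secure_equal(digest_password(password.to_s, @salt), @pw_digest)
    return false unless ok

    @key = nil # single use: the link is dead after a successful confirmation
    @confirmed = true
  end

  private

  # Salted, iterated digest so the stored value is not the password itself.
  def digest_password(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, OpenSSL::Digest.new("sha256"))
  end

  # Constant-time comparison so response timing does not leak how many
  # leading bytes of a guessed key were correct.
  def secure_equal(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

A real controller would look the registration up by username, call `confirm` with the key from the link and the submitted credentials, and send the user to the error page on `false`; the example keeps only the decision logic.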
Email confirmation requires the correct configuration of Rails' ActionMailer, which means that you need to put your SMTP server's settings in your RAILS_ROOT/config/environment.rb file. Setting up ActionMailer is beyond the scope of this guide.
Password Reset
Self-registered users have the option of resetting their password by email (provided their registration was confirmed via email). There is a link on the login page for users who have forgotten their password. The procedure is quite similar to self-confirmation: the user receives an email with a hyperlink containing a confirmation key. When they use that link they are sent a second email message with an automatically-generated password, which they can change.
Actions and Security
Self-registration and self-editing involve a number of methods from Goldberg::UsersController. Some of these methods are actually aliases of equivalent methods pertaining to the administrator, but with various security restrictions.
| Self-registration method | Equivalent administrator method | Description |
|---|---|---|
| self_register | new | Display new user form. |
| self_create | create | On POST: create new user. |
| self_show | show | Show user details. |
| self_edit | edit | Display edit form. |
| self_update | update | On POST: update user details. |
| confirm_registration | | The action in the email hyperlink for a user to confirm their registration. |
| confirm_registration_submit | | On POST: confirm the user's registration. |
| forgot_password | | Display a form for the user to request a password reset. |
| forgot_password_submit | | On POST: an email is sent to the user with a password reset hyperlink. |
| reset_password | | The action in the email hyperlink for a user to reset their password. |
| reset_password_submit | | On POST: send a new password to the user. |
An important part of setting up self-registration is assigning appropriate permissions to these actions. The following actions will need to be performed by users who are not logged in (either because they are not yet registered, or they have forgotten their password):
- self_register
- self_create
- confirm_registration, confirm_registration_submit
- forgot_password, forgot_password_submit
- reset_password, reset_password_submit
The other actions - self_show, self_edit and self_update - should have permissions belonging to the self-registered role, so that self-registered users can log in and use them.
Delegate Registration
Delegate registration is an arrangement whereby trusted users can maintain an organisation's users on behalf of the administrator. A delegate is therefore a user with some administrative functions, but without full administrative privileges.
Delegate registration is a superset of self-registration: delegates can add, edit or delete any users who have a role equal to or less than the role of the delegates themselves (where a role "less than" a delegate's role is defined as one of the roles from which the delegate's role inherits). This is to prevent privilege escalation (where a delegate might assign herself an inappropriate role) or lockout (where a delegate demotes the administrator by assigning her a lower role).
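The rule above is easy to get subtly wrong, so here is an added Ruby example (not Goldberg's code) that models it: a role "less than" another is any role in the ancestor chain it inherits from, and a delegate may touch a user only if both the user's current role and any role being assigned are covered by the delegate's own role. The sample hierarchy (administrator inheriting from delegate inheriting from member) is constructed for the example and is not Goldberg's default set of roles.

```ruby
# Added example (not Goldberg's own code): the delegate authorisation rule.
# A role covers itself and every role it inherits from; a delegate may only
# act within the set of roles its own role covers.
Role = Struct.new(:name, :parent) do
  # Roles from which this role inherits, nearest first.
  def ancestors
    chain = []
    r = parent
    while r
      chain << r
      r = r.parent
    end
    chain
  end

  # true when +other+ is this role or one of its ancestors
  def covers?(other)
    other == self || ancestors.include?(other)
  end
end

User = Struct.new(:login, :role)

class DelegateAuthorizer
  def initialize(delegate)
    @delegate = delegate
  end

  # Check on an existing record: blocks lockout, since a user whose role is
  # above the delegate's (e.g. the administrator) is out of reach.
  def may_edit?(target_user)
    @delegate.role.covers?(target_user.role)
  end

  # Check on a role being handed out: blocks escalation, since the delegate
  # can only assign roles at or below her own (covers both create and update).
  def may_assign?(role)
    @delegate.role.covers?(role)
  end

  # An update must pass both checks: the current role and the proposed one.
  def may_update?(target_user, new_role)
    may_edit?(target_user) && may_assign?(new_role)
  end
end

# Constructed sample hierarchy (assumption, not Goldberg's defaults).
MEMBER        = Role.new("member", nil)
DELEGATE      = Role.new("delegate", MEMBER)
ADMINISTRATOR = Role.new("administrator", DELEGATE)
```

The `may_update?` check is the one that matters most: checking only the target's current role would still let a delegate promote a member to administrator, and checking only the new role would still let her demote the administrator to member.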
As with self-registration, a number of Goldberg::UsersController methods are aliased to provide methods for delegates, but with various security restrictions.
| Delegate method | Equivalent administrator method | Description |
|---|---|---|
| delegate_register | new | Display new user form. |
| delegate_create | create | On POST: create new user. |
| delegate_show | show | Show user details. |
| delegate_edit | edit | Display edit form. |
| delegate_update | update | On POST: update user details. |
| delegate_destroy | destroy | Destroy a user record. |
| delegate_list | list | List all users for which the delegate has edit rights. |
Enabling delegate registration involves setting up a role (or roles) that will apply to delegates, then assigning permissions to those roles so they can perform the actions listed above.
