-
Notifications
You must be signed in to change notification settings - Fork 5.5k
How To: Create a guest user
In some applications, it's useful to have a guest User
object to pass around even before the (human) user has registered or logged in. Normally, you want this guest user to persist as long as the browser session persists.
Our approach is to create a guest user object in the database and store its id in session[:guest_user_id]
. When (and if) the user registers or logs in, we delete the guest user and clear the session variable. A helper function, current_or_guest_user
, returns guest_user
if the user is not logged in and current_user
if the user is logged in.
class ApplicationController < ActionController::Base
protect_from_forgery
# if user is logged in, return current_user, else return guest_user
def current_or_guest_user
if current_user
if session[:guest_user_id]
logging_in
guest_user.destroy
session[:guest_user_id] = nil
end
current_user
else
guest_user
end
end
# find guest_user object associated with the current session,
# creating one as needed
def guest_user
# Cache the value the first time it's gotten.
@cached_guest_user ||= User.find(session[:guest_user_id] ||= create_guest_user.id)
rescue ActiveRecord::RecordNotFound # if session[:guest_user_id] invalid
session[:guest_user_id] = nil
guest_user
end
private
# called (once) when the user logs in, insert any code your application needs
# to hand off from guest_user to current_user.
def logging_in
# For example:
# guest_comments = guest_user.comments.all
# guest_comments.each do |comment|
# comment.user_id = current_user.id
# comment.save!
# end
end
def create_guest_user
u = User.create(:name => "guest", :email => "guest_#{Time.now.to_i}#{rand(99)}@example.com")
u.save!(:validate => false)
session[:guest_user_id] = u.id
u
end
end
Finally in order to fix the problem with ajax requests you have to turn off protect_from_forgery for the controller action with the ajax request:
skip_before_filter :verify_authenticity_token, :only => [:name_of_your_action]
Another option is to remove protect_from_forgery from application_controller.rb and put in each of your controllers and use :except on the ajax ones:
protect_from_forgery :except => :receive_guest
Last but not least, don't forget to add helper_method :current_or_guest_user
to the controller to make the method accessible in views.
If you wish to continue using before_filter :authenticate_user!
and have it apply to the guest user, you will need to add a new Warden strategy. For example:
In initializers/some_initializer.rb
Warden::Strategies.add(:guest_user) do
def valid?
session[:guest_user_id].present?
end
def authenticate!
u = User.find(session[:guest_user_id])
success!(u) if u.present?
end
end
And in initializers/devise.rb
Devise.setup do |config|
# ...
config.warden do |manager|
manager.default_strategies(scope: :user).unshift :guest_user
end
end