What's the correct way to complete a Rails create action?

Question

I have a User.create action that provisionally registers a new user and sends an email with a generated password. What is the most Rails-like way to complete that action? I want to do everything exactly right from now on. No more nonsense. This time I'm serious.

I'm thinking these are the options...

1. Create a view called login_email_sent.html.haml and render it. (It would have a message like "thanks, an email has been sent with your login.")

2. Create a view called create.html.haml and let Rails render that by default.

3. Redirect the user to the same page as the form they just submitted with a message in the flash.

Or something else...?

Answer 1

Definitely option 3, redirecting to the show action. When you do this the user will be redirected when the action completes, and thus can't accidentally repost by going back in the history. Also, this ensures the rendered pages can be bookmarked/saved.

Answer 2

This is more of a user experience question.

Leave the create action as something that just creates and has no output (or just a simple 201 Created header if created by an API call). Do a redirect_to to either:

1. A thanks page telling them how to wait and what will happen next
2. The homepage with a very visible flash message letting them know what just happened.

In 99.9% of cases you shouldn't ever need a template for create.

def create
  User.create(...)
  respond_to do |format|
    format.html { redirect_to signup_complete_url }
    format.xml  { render :head => :created }
  end
end

For instance.

Answer 3

Redirect them to the login page, with a flash message telling them to check their email for further instructions on validating and logging into their account. Many people suggest logging the user in automatically on user validation, but in my opinion, this is a security problem for any sensitive sites.

Answer 4

It depends on if there is anything they can usefully do on your site without registering. If there is then redirect them to the home page and use the flash to display a message explaining that an email was sent and inviting them to look around in the meantime.

If there is nothing they can do then you could redirect them to a welcoming page with information/faqs to help them get a head start and make them feel like they have signed up to something worthwhile.

Also instead of sending them a password in the email, consider sending them a link to the user account set up page where they can set up their password and other details. The link would contain a back door access code associated with the new user account. When this page is submitted and validated the back door code can be deleted.

The same approach can be used for forgotten passwords, as soon as the user sets a new password or if they remember it and sign in normally the back door code is deleted.

The only problem with this approach is that they can end up with two browser windows or tabs open on your site. But it does give you a chance to ask for any other information you might require - address, DOB or whatever - without scaring people away by putting too many questions on your initial sign up form.