Wingysam / Christmas-Community

Christmas lists for families
GNU Affero General Public License v3.0

Guest mode with pledging #8

Open HunterKingNola opened 2 years ago

HunterKingNola commented 2 years ago

So my family hasn't been playing ball with using this. My wife is onboard, but just about everybody else seems to find it a little obnoxious that they have to create an account and that I won't just give them an Amazon wishlist (the whole point of this for me was to move away from that).

I've been trying to think of a more friendly way for people to do this and feel like there's less effort involved. I've switched my instance to public, which I don't love but it'll have to do for now. But I think I've thought of a way that might be a little more friendly.

Login page either accepts users or a universal guest password that I could provide along with the URL to family members.

Guest password allows everybody to see everything -- so users with an account might not want to use it!

Pledging still works, but opens a text field where people need to write their names in. Assuming this is still shared within a small community of people, none of these names should be a surprise.

I realize this is a pretty big feature, but I thought I would float it. I still like and appreciate this and will continue to use it whether everybody else likes it or not :)

Wingysam commented 2 years ago

What would work better? Guest password in a form when your family logs in, or include a secret token in the url? Maybe have ?pw=... as an option?

Then when someone wants to pledge something, they are prompted for a name? And it should allow anyone to unpledge anything?

HunterKingNola commented 2 years ago

My first thought was guest password on a form. I thought about passing it in the URL and decided against it, but I think most of my concerns are unfounded. I think it would be best if it were optional, just because I have mine at a pretty memorizable URL and I think having to pass along an argument would mess that up. But that's not exactly a huge dealbreaker.

That's a good point about unpledging. Part of me says if it's a small community like a family anybody that would unpledge would be acting in good faith, part of me says only let admins remove it and leave anything else for the family to remove. To be honest I'm fine with either approach.

Wingysam commented 2 years ago

Maybe allow unpledging while you're still logged into a session id? So you can unpledge something if you decide against it a minute later.

I think I'll add ?pw=... but not encourage using it because it's a bit unsafe

I'll look into adding this after a few other issues, thanks!

koeberlue commented 2 years ago

I would love to see some feature like this, because too many people just won't take the time to create an account, which is very unfortunate.

Borrowing some ideas from other projects with shareable and editable content like Nextcloud or doodle, here is how I imagine this problem could be solved.

When I created a list, I see a button to share this list. A popup appears, where I can configure some options. Something like this:

[  ] Allow pledging
[  ] Allow editing
[  ] Expires at <date>

This would then create a shareable link like https://wishlist.example.com/share?token=some-autogenerated-uuid

I can then share this link via email, messenger, etc. Basically just like an Amazon wishlist.

So when e.g. my mother visits this link, she will be greeted by a simple choice dialog:

* Log In
* Create account
* Continue as guest

When she chooses the guest option, she will be asked for a name. After entering her name, a guest account will be created for her automatically. It will have her name as username and a very long autogenerated password.

She will then be shown a dialog like this:

Hello mum,

please save this link if you ever want to revisit this list:

https://wishlist.example.com/login?user=mum&token=<the-randomly-generated-password>

(if we could configure an smtp server, we could even ask for her mail and send her this link)

Additionally a cookie is set so she will already be logged in when she visits the site from the same browser.

From this moment onwards she could be treated just like every other user. If she would change her password, she would have a normal account.

This mechanism would probably be pretty time consuming to implement and I'm sure I forgot some cases (on mobile). Also note that I just discovered this project a few hours ago, so maybe it doesn't even make sense what I'm proposing.

I would love to hear what you think of this idea :)
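The share-link proposal in the comment above, sketched as an added example (not part of the thread and not Christmas-Community code): a random token with per-link permissions and an expiry, stored only as a hash. The function names and the in-memory `shares` map are assumptions made for illustration.

```javascript
const { randomBytes, createHash } = require('crypto');

// In-memory stand-in for the database (assumption; a real app would persist this).
// Key: SHA-256 of the token. Value: what the link grants.
const shares = new Map();

const hashToken = (token) => createHash('sha256').update(token).digest('hex');

// Create a share token for one list. Only the hash is stored, so a leaked
// database dump does not contain working links.
function createShare(listId, { allowPledging = false, allowEditing = false, expiresAt = null } = {}) {
  const token = randomBytes(32).toString('base64url'); // 256 bits from the CSPRNG
  shares.set(hashToken(token), { listId, allowPledging, allowEditing, expiresAt });
  return token;
}

// Resolve a presented token to its grant, or null if unknown or expired.
function resolveShare(token, now = Date.now()) {
  if (typeof token !== 'string' || token.length === 0) return null;
  const grant = shares.get(hashToken(token));
  if (!grant) return null;
  if (grant.expiresAt !== null && now >= grant.expiresAt) return null;
  return grant;
}

// Authorization check for a guest action. The grant is bound to one list,
// and anything not explicitly allowed is denied.
function guestMay(token, listId, action, now = Date.now()) {
  const grant = resolveShare(token, now);
  if (!grant || grant.listId !== listId) return false;
  if (action === 'view') return true;
  if (action === 'pledge') return grant.allowPledging;
  if (action === 'edit') return grant.allowEditing;
  return false;
}

// Revoking a link is deleting its record; the token stops working at once.
function revokeShare(token) {
  return shares.delete(hashToken(token));
}
```

Because each link is its own record, one relative's link can be revoked or left to expire without changing anything for the others, which a single shared guest password cannot do.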

Wingysam commented 2 years ago

This could work, maybe the account confirmation links should be permanent and the user that visits them will be immediately logged in without having to set a password, but is prompted to?

eroc1990 commented 2 years ago

I've been watching this over the holidays and was wondering if it would become a thing. Out of curiosity, were you able to get something working that would allow this capability? I know my family wouldn't want to bother creating an account just to mark a gift as claimed.

Wingysam commented 2 years ago

I haven't yet, but I likely will be able to get to this late this year. I tend to be active on this project in the months before Christmas.

eroc1990 commented 2 years ago

That would be awesome. And thanks again for the work you've done on this project.

PeteS4 commented 2 years ago

@Wingysam Would you accept code contributions for this one? (Hypothetically, I have not yet looked into how long that would take me and whether I've got the spare time)

Wingysam commented 2 years ago

Yes, thank you!

You can ask any questions or ask for help here. If it doesn't work out, I'll hopefully be able to do this late this year.

wjbeckett commented 1 year ago

With Christmas of 2022 inbound in the next few months, is there any chance of this happening?

Wingysam commented 1 year ago

I've been busy with school for the past few weeks, but I should be able to find time to implement at least a basic guest password system before November.

Wingysam commented 1 year ago

Basic implementation has landed on master!

Better implementation depends on #25

ohare93 commented 1 year ago

To help others out, here's how you currently use this feature:

Test it out in a private browser before sending :+1:

Wingysam commented 1 year ago

This should be added to the README. I'll add that if nobody makes a PR for it before Hacktoberfest is over.

HunterKingNola commented 1 year ago

Thanks so much for this feature!

I'll add that you should set lists_public to false if you had it set to true

Wingysam commented 1 year ago

That should be done automatically, I'll add that now.

toastie89 commented 1 year ago

> To help others out, here's how you currently use this feature:
>
> * Add in GUEST_PASSWORD: 'test' into the compose file
> * Send a link to your family/friend like so: [christmas-planning-url]?pw=test

Thanks for the example, very helpful!

I've set in addition DEFAULT_FAILURE_REDIRECT=?pw=test so relatives only need to remember the base url, e.g. https://wishes.example.com

Concerning security, I've put HTTP basic auth in front, which will at least stop scripts poking around to find easy targets.

Eschguy commented 8 months ago

Has there been any movement on better guest access?

Wingysam commented 8 months ago

There hasn't really. What implementation do you think would be ideal? How should pledging/unpledging work for non-users?

Eschguy commented 8 months ago

The biggest thing for my non-user family members would be password based guest access that doesn't require the password baked into the URL. They go to gift.domain.com and can click an "I'm a guest" or "I'm buying a gift" and enter the password we've provided them.
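An added example (not from the thread and not Christmas-Community code) of the form-based guest entry requested above, next to the `?pw=` link: the password is compared in constant time, and a password that arrived in the query string is stripped by a redirect so it does not stay in the address bar, browser history or Referer headers. `guestEntry` and its return shape are hypothetical; `GUEST_PASSWORD` and `pw` are the names used on this page.

```javascript
const { createHash, timingSafeEqual } = require('crypto');

// Constant-time comparison. Hashing both sides first yields equal-length
// buffers, which timingSafeEqual requires.
function passwordMatches(supplied, expected) {
  // An unset or empty GUEST_PASSWORD must never match anything.
  if (typeof supplied !== 'string' || typeof expected !== 'string' || expected === '') {
    return false;
  }
  const a = createHash('sha256').update(supplied).digest();
  const b = createHash('sha256').update(expected).digest();
  return timingSafeEqual(a, b);
}

// Decide how to treat a request for guest access.
//   rawUrl        path and query of the request, e.g. '/wishlist/mum?pw=test'
//   formPassword  value from a POSTed "I'm a guest" form, or undefined
//   guestPassword the configured GUEST_PASSWORD
// Returns { guest, redirect }: whether to mark the session as guest, and a
// clean URL to redirect to when the password came in via ?pw=.
function guestEntry(rawUrl, formPassword, guestPassword) {
  // The base is only needed so URL can parse a relative path.
  const url = new URL(rawUrl, 'http://placeholder.invalid');
  const fromQuery = url.searchParams.get('pw');
  const supplied = formPassword !== undefined ? formPassword : fromQuery;

  if (!passwordMatches(supplied, guestPassword)) {
    return { guest: false, redirect: null };
  }

  // The redirect removes the secret from the browser side only; the first
  // request, password included, is still written to server and proxy
  // access logs, which is why the form is the safer path.
  let redirect = null;
  if (fromQuery !== null) {
    url.searchParams.delete('pw');
    redirect = url.pathname + url.search;
  }
  return { guest: true, redirect };
}
```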