OffAxis

Seed Migrations for Ruby on Rails

Tue, 03 Nov 2009 16:21:46 +0000

Seed Migrations provides migration-like support for seed data. Ruby on Rails versions 3 and 2.3.4 introduced the db:seed Rake task that executes a db/seeds.rb file containing normal ruby code. There's nothing special about the code that goes in this file, and no other special features for managing seed data are provided. Depending on how you write your code, running rake db:seed multiple times yields duplicate data inserts.

The main features provided:

a seedings table in your database to track which seeds have been previously loaded
support for Rails versions before 2.3.4 which lack the db:seed Rake task
db/seeds/seed_order.yaml controls the seed load order
script/generate seed descriptive-name generates an empty, timestamped seed file and appends an appropriate entry to db/seeds/seed_order.yaml

Installation is simply:

  script/plugin git://github.com/n3bulous/seed_migrations.git
  cp vendor/plugins/n3bulous-seed_migrations/db/seeds.rb db/

ASCIIcasts Summary #178: Seven Rails Security Tips

Sun, 13 Sep 2009 04:24:16 +0000

ASCIIcasts rock. There's a place for screencasts and video demonstrations, but conveying something like the points in Seven Security Tips isn't one of them. The only thing better is just giving a summary, so here it goes.

1. Use attr_accessible in your model to avoid side effects with mass assignment.

When assigning object values with something like User.new(params[:user]) or update_attributes(params[:user]), unintended fields, like allow_admin or has_many relations, may be set with a tool like curl. To prevent this, use attr_accessible in the model to whitelist the fields mass assignment may use.

2. Use `validates_attachment_content_type` to whitelist upload content types.

You do not want users to upload PHP scripts and whatnot to an accessible portion of your site.

3. Enable `filter_parameter_logging` for fields that should not be saved in the log files.

It's bad enough when developers fail to encrypt passwords in a database. The next worse blunder is logging the unencrypted passwords. Use this in your application_controller.rb to filter occurrences of parameters. See the Rails API entry for more info. API summary: the filter operates on case-insensitive substrings of all parameters defined.

4. Protect against CSRF by adding `protect_from_forgery` to your ApplicationController.

Simple yet effective.

5. Scope your Active Record finds to the current user.

This is an easy one to overlook. The first trick is making sure your relationships are defined in your models. Once they are in place you can leverage the association magic: current_user.orders.find(params[:id]).

6. Fer cryin' out loud, parameterize your SQL already!

This should be self-explanatory. In fact, it shouldn't even need mentioning. OK, here's a snippet stolen from the ASCIIcast which borrowed from the Railscast:

@projects = current_user.projects.all(
    :conditions => ["name like ?", "%#{params[:search]}%"])

7. Sanitize user provided values when displaying HTML.

The Railscast instructs you to use the h method (e.g. <%= h comment.naughty_value =>), but since Rails 3 will do this automatically, you might be better off using xss_terminate which is a handy "install and forget" plugin.

ActiveScaffold and FCKeditor

Mon, 07 Sep 2009 04:24:25 +0000

To paraphrase a common saying, "open source software is only free if your time has no value." Such was the last day of work while trying to integrate ActiveScaffold and FCKeditor. The sad thing is that it really shouldn't have been this way.

For starters, people really need to update their project's documentation (see most of the README files on github). Secondly, the documentation should include a somewhat logical example. Each code snippet should meaningfully pertain to the other, related code snippets. Thirdly, the example code should actually work. Fourthly, the previous three rules go doubly if you are dealing with JavaScript.

OK, I'm finished venting. Let's get to the meat and potatoes. I'm assuming you have a model working with ActiveScaffold, which is generally pretty simple to get up and running.

The two primary resources for installing were the (a) github page for the github fckeditor plugin and the most useful, but slightly incomplete, FCK Editor Plugin in ActiveScaffold. Without further commentary, here are the steps, minus the premature balding inducing frustration.

Install the FCKeditor plugin from within your Rails application:

script/plugin install git://github.com/davividal/fckeditor.git
rake fckeditor:install

The following steps relate to a simple admin controller for an equally simple About model.

script/generate model about content:text published:boolean
rake db:migrate
mkdir app/controllers/admin
mkdir app/helpers/admin/
mkdir -p app/views/admin/about
touch app/controllers/admin/about_controller.rb
touch app/helpers/admin/about_helper.rb
touch app/views/layouts/admin.html.erb
cp vendor/plugins/active_scaffold/frontends/default/views/_create_form.html.erb app/views/admin/about/
cp vendor/plugins/active_scaffold/frontends/default/views/_update_form.html.erb app/views/admin/about/

The Admin::About controller:

class Admin::AboutController < ApplicationController
  layout 'admin'
  active_scaffold :about
end

The following lines need to be included in your admin layout:

<%= javascript_include_tag :defaults, "builder", "scriptaculous", "fckeditor/fckeditor" %>
<%= active_scaffold_includes %>

Here's the about helper:

module Admin::AboutHelper
  def content_form_column(record, input_name)
    fckeditor_textarea(:record, :content, :ajax => true, :width => '800px', :height => '200px')
  end

  def content_column(record)
    sanitize(record.content)
  end
end

In the two admin/about partials, you need to replace submit button code with the following:

&lt;input type="submit" value="Update" class="submit"
       onClick="var oEditor = FCKeditorAPI.GetInstance('record_<%=@record.id%>_<%='content'%>_editor');
       $('record_<%=@record.id%>_<%='content' %>_editor_hidden').value = oEditor.GetXHTML();" /&gt;

Substitute Update for Create as appropriate. This last bit is very important, and not mentioned pretty much anywhere except Ganesh's post. You'll notice one important difference from his code though: when assigning the hidden variable you need to actually add the "_hidden" part to the id.

Hopefully this helps someone roll with FCKeditor and ActiveScaffold (or Ajax in general) without wasting their Labor Day Sunday as I did. Let me know if something doesn't work. I know that input statement needs real angle brackets, but I'm too tired to debug that display issue just this minute.

UPDATE: Since all my new projects use jQuery, I'll be switching to this jQuery.wysiwyg.

Identically Named Methods in a Rails Controller

Tue, 26 May 2009 18:17:07 +0000

First off, never do this. Of course, you wouldn't. Except by accident. I'm only admitting to it in the hopes someone else out there doesn't waste too much time with something so simple.

I was RESTifying a controller by whitelisting methods and then testing. For #show I forgot to delete the private version before testing. Hilarity ensued. Neither Mongrel or Thin would tell me there was a problem, but, even though I had a show method, I was told it didn't exist. On a whim, I scrolled to the bottom of the file and noticed that show existed as a private method, and removing it promptly solved my problem.

While playing with routes to figure out the problem, I also encountered #show rendering show.rhtml, (it's old code) -- the server appeared to be running the private method instead of the public version. This is probably a bug, but in Ruby or Rails?

Careful with that config.gem, Eugene

Fri, 10 Apr 2009 18:02:11 +0000

With the advent of Github as the Ruby Gem hosting platform of choice, you have to be specific when you use config.gem in you config/environment.rb file.

Recently, I noticed that my Rails application generated from a You've Got Rails template was choking on the rubyist-aasm library. Given the following configuration in config/environment.rb:

  config.gem "rubyist-aasm"

Which would yield the following errors initially discovered when running Rake:

  no such file to load -- rubyist-aasm
  ...
  Missing these required gems:
    rubyist-aasm

The problem appears due to Github namespacing gems by prefixing the username to the Gem name. The solution is to specify the actual library name:

  config.gem "rubyist-aasm", :lib => "aasm", :source => "http://gems.github.com"