
Rails Lessons Learned the Hard Way

Things I've learned the hard way in Rails:
  • Layouts run inside views, not the other way round. Set an instance variable in app/views/monkeys/show.html.erb and it will be defined in app/views/layouts/monkey.html.erb but not vice versa.
    • set instance vars in view
      @foo_val = find_foo_val
    • pass variables to partials using
      <%= render :partial => "root/license", :locals => { :foo => @foo_val } -%>
    • use the instance var freely in the layout; it will take the value defined in the view
  • Dump an object for bobo debugging through the console or log:
    $stderr.puts tag_list.to_yaml
  • In a migration, if you define a unique index on an attribute, make sure both the index AND attribute are :unique => true, or else you'll get no uniqueness validation from Rails:

       create_table :monkeys do |t|
         # set :unique here
         t.string :name, :default => "", :null => false, :unique => true
       end
       # if you have :unique here (the index must target the same table and column as above)
       add_index :monkeys, [:name], :name => :name, :unique => true

  • If you scaffold a User or other object with private data, MAKE SURE you strip out fields you don't want a user setting or viewing:
    • Set attr_accessible, which controls data coming *in* -- prevents someone setting an attribute by stuffing in a form value.
    • In each view (.html.erb &c) and render method (to_xml), strip out fields you don't want anyone to see using the :only => [:ok_to_see, :this_too] parameter.
    • Set filter_parameter_logging, which controls what goes into your logs. (Logs should of course be outside the public purview, but 'Defense in Depth' is ever our creed.)
    Using the restful-authentication generator as an example:
    • In the model, whitelist fields the user is allowed to set (this excludes things like confirmation code or usergroup):
      attr_accessible :login, :email, :password, :password_confirmation
    • In the controller file, whitelist only the fields you wish to xml serialize:
      format.xml { render :xml => @user.to_xml(:only => [:first_name, :last_name]) }
    • Obviously, in show.html.erb and edit.html.erb, strip out fields that shouldn't be seen.
    • In the model file, blacklist fields from the logs:
      filter_parameter_logging :password, :salt, "activation-code"
  • I won't even tell you how often this happens to me: If you edit or install code in a plugin, restart the server.
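The first lesson above (views render before layouts, so an instance variable set in the view is visible in the layout but not the reverse) is easy to see with plain ERB from the Ruby standard library. The following is an added illustration, not Rails code and not from this post: a tiny stand-in for the Rails render cycle in which the view template is evaluated first and the layout second, both against the same object. The two template strings are constructed here and stand in for app/views/monkeys/show.html.erb and app/views/layouts/monkey.html.erb; the class and method names are this sketch's own.

```ruby
require 'erb'

# Added example (not Rails' implementation): reproduce the render order Rails uses,
# view first, then layout, both evaluated against the same object, so that an
# instance variable assigned in the view is already set when the layout runs,
# while one assigned in the layout is never seen by the view.
class MiniRenderer
  # Constructed stand-ins for show.html.erb and the layout that wraps it.
  VIEW   = "<% @foo_val = 'set in view' %><p>saw from layout: <%= @from_layout.inspect %></p>"
  LAYOUT = "<% @from_layout = 'set in layout' %><title><%= @foo_val.inspect %></title><%= body %>"

  def initialize
    @foo_val = nil
    @from_layout = nil
  end

  # Render the view, then hand its output to the layout as the local `body`
  # (the role yield plays inside a real Rails layout).
  def render
    body = ERB.new(VIEW).result(binding)   # assigns @foo_val on this object
    ERB.new(LAYOUT).result(binding)        # reads @foo_val; `body` is a local here
  end
end

# Returns the final page: the title carries the value set in the view, while the
# view itself saw @from_layout as nil because the layout had not run yet.
def demo_render_order
  MiniRenderer.new.render
end

puts demo_render_order if $PROGRAM_NAME == __FILE__
```

Swap the two `ERB.new(...).result` lines and the title becomes `nil`, which is exactly the failure mode the lesson describes.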
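The three controls listed for the scaffolded User (an attr_accessible whitelist for data coming in, an :only whitelist for data going out, and filter_parameter_logging for the logs) can be shown together without a Rails install. The following is an added example, not Rails' own implementation and not code from this post: a plain-Ruby model that applies the same three controls. The field names follow the restful-authentication example above; the sample parameter hashes are constructed, and the method names (`assign`, `to_hash`, `filter_params_for_log`) are this sketch's own.

```ruby
# Added example (not Rails' implementation): a plain-Ruby User that enforces the three
# controls from the list above. Only the mechanics are shown; Rails itself wires them
# into mass assignment, render(:xml/:json) and the request logger.
class User
  ATTRIBUTES   = %i[login email password password_confirmation salt activation_code usergroup].freeze
  ACCESSIBLE   = %i[login email password password_confirmation].freeze   # attr_accessible
  FILTERED_LOG = %w[password salt activation_code].freeze                # filter_parameter_logging

  attr_reader(*ATTRIBUTES)

  def initialize
    # Server-controlled attributes get server-chosen values (constructed placeholders).
    @usergroup       = 'member'
    @activation_code = 'constructed-activation-code'
    @salt            = 'constructed-salt'
  end

  # Data coming in: keys outside the whitelist are dropped, so a form that stuffs in
  # usergroup=admin or activation_code=... has no effect on the record.
  def assign(params)
    params.each do |key, value|
      sym = key.to_sym
      next unless ACCESSIBLE.include?(sym)
      instance_variable_set("@#{sym}", value)
    end
    self
  end

  # Data going out: only the named fields are serialized (the :only => [...] idea).
  def to_hash(only:)
    only.each_with_object({}) { |field, h| h[field] = public_send(field) }
  end

  # Logs: redact sensitive parameters before they reach a log line.
  def self.filter_params_for_log(params)
    params.each_with_object({}) do |(key, value), h|
      h[key] = FILTERED_LOG.include?(key.to_s) ? '[FILTERED]' : value
    end
  end
end

# Constructed request: a signup form that also tries to set a privileged field.
def demo_user_controls
  params = { 'login' => 'alice', 'email' => 'alice@example.com',
             'password' => 'hunter2', 'usergroup' => 'admin' }
  user = User.new.assign(params)
  {
    stored_usergroup: user.usergroup,                  # still 'member'
    serialized:       user.to_hash(only: [:login, :email]),
    logged:           User.filter_params_for_log(params)
  }
end

p demo_user_controls if $PROGRAM_NAME == __FILE__
```

Note that Rails 4 and later removed attr_accessible from core in favour of strong parameters (`params.require(:user).permit(:login, :email, ...)` in the controller); the principle of whitelisting incoming fields is unchanged.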


For someone who thinks "unicorns kick ass" this blog has a definite lack of "unicorniness". Where are the cute bunnies, where are the balloons, where are the dancing elephants? I beg of you, grant the viewers of this blog the relief that is animated cuteness.

Sean
