I suggest doing a screencast on Captcha. http://ruby-toolbox.com/categories/rails_captcha.html
I see that you have added one just as I'm posting this.
That's just what I needed for an application. Thanks!
Obviously the form can be hacked quite easily, i.e. a user can crop another user's avatar/image by playing with the HTML source,
so I added an extra field to the model:

    photo.security_code

On creation, assign security_code to:

    Digest::SHA1.hexdigest("--#{Time.now.to_s}--#{rand(50000)}--")[0,18]

In the model:

    attr_accessor :crop_left, :crop_top, :crop_width, :crop_height, :security_code

    def reprocess_image
      # only reprocess when the code submitted with the form matches the stored column
      photo.reprocess! if security_code == self[:security_code]
    end

In the crop image form:

    <%= form.hidden_field :security_code, :value => @current_user.photo.security_code %>

I'm sure you get the idea of the above code; it stops anyone from cropping/hacking the source for an image that they don't own :-)
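The same check in Rails-free Ruby, as an added example rather than the commenter's code: the Photo struct, the owner id and the submitted code are constructed stand-ins for the app's model, current_user and hidden field. It adds the two pieces a reviewer would ask for, an ownership check (which is what really stops cropping someone else's image) and a constant-time comparison of the code.

```ruby
require 'securerandom'

# Constructed stand-in for the Photo model: id, owning user, stored code.
Photo = Struct.new(:id, :owner_id, :security_code)

# Per-photo code generated at creation. SecureRandom replaces the
# SHA1(Time.now + rand) recipe; 9 random bytes give the same 18 hex chars.
def new_security_code
  SecureRandom.hex(9)
end

# Constant-time comparison: the time taken does not depend on how many
# leading bytes of the guess are right, so the code cannot be guessed from timing.
def secure_compare(a, b)
  return false unless a && b && a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side decision for the crop action: the photo must belong to the
# signed-in user, and the value posted from the hidden field must match the
# stored code. Ownership is the real authorization; the code is a second check.
def crop_allowed?(photo, current_user_id, submitted_code)
  return false unless photo.owner_id == current_user_id
  secure_compare(photo.security_code, submitted_code)
end
```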
I got it to work with Rails 3.

    def coderay(text)
      # replace each <code lang="..."> block with CodeRay's highlighted div,
      # wrapped in <notextile> so RedCloth leaves the markup alone
      text.gsub!(/\<code(?: lang="(.+?)")?\>(.+?)\<\/code\>/m) do
        code = CodeRay.scan($2, $1).div(:css => :class)
        "<notextile>#{code}</notextile>"
      end
      return text.html_safe
    end

And to override the scaffold pre style, I added background-color: black:

    .CodeRay pre {
      margin: 0px;
      padding: 0px;
      background-color: black;
    }
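An added example (not the commenter's helper and not CodeRay's code) of why calling html_safe on the whole gsub result matters: everything outside the <code> tags reaches the page unescaped. The highlight function below is a constructed stand-in for CodeRay.scan(code, lang).div(:css => :class); the safe variant escapes the non-code segments itself so the result can be marked html_safe.

```ruby
require 'cgi'

# Constructed stand-in for CodeRay.scan(code, lang).div(:css => :class): it
# escapes the snippet and wraps it the way CodeRay's div output is wrapped.
def highlight(code, lang)
  "<div class=\"CodeRay\"><pre class=\"#{lang || 'text'}\">#{CGI.escapeHTML(code)}</pre></div>"
end

# Same pattern as the helper above.
CODE_TAG = /\<code(?: lang="(.+?)")?\>(.+?)\<\/code\>/m

# The helper as posted: text outside <code> passes through untouched, so a
# <script> tag in a comment body survives the html_safe call in the view.
def coderay_unsafe(text)
  text.gsub(CODE_TAG) { highlight($2, $1) }
end

# Escape-then-highlight: HTML-escape every segment that is not a <code> block
# and trust only the highlighter's own output. This result is the one that
# may be marked html_safe.
def coderay_safe(text)
  out  = String.new
  last = 0
  text.scan(CODE_TAG) do
    m = Regexp.last_match
    out << CGI.escapeHTML(text[last...m.begin(0)])
    out << highlight(m[2], m[1])
    last = m.end(0)
  end
  out << CGI.escapeHTML(text[last..-1])
end

# Constructed comment body: a script tag sitting next to a legitimate snippet.
SAMPLE = 'Hi <script>alert(1)</script> <code lang="ruby">puts "<b>"</code> bye'
```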
I have not been able to make it work with Rails 3.
I tried using your suggestions from the XSS screencast with combinations of html_safe and raw, but so far no luck. I can get it to output it escaped once or twice, but never unescaped!
Anyone made it work for Rails 3?
You rock! Thank You!
Thanks for covering CodeRay - you did an outstanding job of explaining its strengths, weaknesses, and how to use it.
Only one addition: There's a built-in option to combine called (require) "coderay/for_redcloth" which enables the textile-style @[lang]...@ and bc[lang] shortcuts for syntax highlighting.
another +1 for OAuth/Twitter/Facebook/Google integration!
Great cast as always. Devise seems to be a great all around solution for our application, so far, but we are now getting into the customization aspect of it so we will see!
Forgot... this is the "this" in my post:

    request.format = :html if request.format == "image/jpeg"
Great screencast, but having an issue.
Using this setup, ALL major browsers work just fine, switching between mobile and full without issue, except IE8, which shows the full site on the home page but switches to the mobile site for all other pages; clicking the "fullsite" button does not help.
Debugging shows IE was passing the following as the request.format:

    #<Mime::Type:0x103699f48 @synonyms=[], @symbol=nil, @string="image/jpeg">

I added this to a before filter that runs before prepare_for_mobile and all is good... but it feels lame.
Anyone else have this issue with IE8 and this setup?
Great tutorial! One question - If I wanted to always have one question per survey and one answer per question by default that the user can't remove, how would I do that?
Great Railscast. Is delete automatically understood as the destroy action? And will the post method also be understood as the create action? How is that possible? Super noob here, or should I just trust that that works?
I was having trouble creating a pdf.table with Ruby 1.8.6 on Rails 2.3.5; I kept getting a NoMethodError: undefined method 'table'. It turns out the prawnto plugin only requires prawn in the prawnto/lib/prawnto.rb file. You need to also require 'prawn/console' and 'prawn/layout'. Hopefully this will save someone some heartache.
Oh and BTW, another +1 for Twitter/Facebook/Google integration!
Very useful code
Hi,
Maybe it is better to modify the js file with something like this:

    # file.js.erb
    $('#paginate').html("<%= escape_javascript(will_paginate(@pets)) -%>");

and in the view:

    <div id='paginate'>
      <div id='pagination'>

where paginate is a div or span that includes the pagination, because updating the page with jQuery produces a nested side effect:

    <div id='paginate'>
      <div id='paginate'>
        <div id='paginate'>

Regards
Ryan, thanks for another awesome screencast.
I'd like to suggest something for the next episode on devise:
- How to add roles to the user model, and then assign a role in the user signup form, (in order to then use cancan or declarative_auth) - I think this will be clear when you'll try to modify the views.
- How to override some of the gem's methods
Thanks and really looking forward to it!
Ryan,
Can something like this be used for protecting files as well?
For example, a protected document @ site.com/directory/protected.doc.
Can this intercept the request and verify the user's identity?
My initial thought is no, as this might be something for Apache, but I would love to hear what you have to say, thanks!
Hi Brian! Thanks a lot for the last 3 years. Your work is amazing and keeps me loving rails. You are my Rails Hero #1!
I should add that I am only looking at the View component in terms of backward compatibility; I don't see that the other improvements/revisions will have a substantive impact.
@Fabiano
Ok, I understand your point and I apologise for my assumptions of what you meant.
However, I still feel that backward compatibility would be appropriate for at least 18 months after the final Rails 3.0.
Also, the file.pdf.prawn needs to end with an empty line, otherwise there will be a compile error. Running Rails 2.3.5, Ruby 1.8.6 on WinXP. I had trouble downloading the plugin also. The simple way is to download the zip file and unzip it into the vendor/plugin/prawnto folder of your Rails application. http://github.com/thorny-sun/prawnto/zipball/v2.0
Awesome Rails! I have fallen in love one more time with Rails :)
Maybe customize with using twitter/facebook/google/yahoo connect.
+1 is facebooker Rails3 ready?
I've been trying to get this working as well. The .js.erb will always get HTML entity escaping done on it, as if it were a regular HTML file. The problem is that I am returning the script as content to an iframe to handle file submissions using Ajax, and basically the injected content winds up not working.

    $("<div>...");

and so on winds up not parsing into DOM elements.
Ryan, great podcast there! Look fwd to many more.:D
Sorry, I probably expressed myself in the wrong manner; English is not my mother language.
Correcting, my point was that in order to keep backwards compatibility, the framework/language/core must keep it open to the old format, and when you think about just 1 or 2 functions it doesn't really matter, but if it becomes a policy and everything is backwards compatible, when you take the time to analyse, every page request takes hundreds of IFs more than the non-compatible way.
I'm not saying that backwards c. is all bad, not wholly! But if your app uses an old function too much and you decide you *must* upgrade, just add your own path to that function.
@Bijan, unfortunately the previous video encoding I was using had buggy playback in Snow Leopard so I'm forced to switch. I'm still experimenting with different compression settings.
@Chris, attr_accessible is not part of Devise at all, it's just best practice. If you don't have the attr_accessible line then all database columns would be settable by the user. This is a major security problem especially with the User model, so you should always use attr_accessible there. See Railscasts episode #26 for details.
Awesome, thank you very much for the cast!
@Joes
I'm not sure what you mean. Are you saying Devise does not require you to use attr_accessible in order to access your attributes?
@Riccardo Devise uses Warden which has the concept of strategies.
Each role (like User and Admin) can have several strategies for authentication and you specify when they are triggered.
Devise ships with both :database_authenticatable (which validates the password given with one stored in the database, both using encryption) and a :token_authenticatable (where users can sign in using a token).
It's easy to add a new strategy. For instance, this guy developed one to authenticate through Imap:
http://github.com/joshk/devise_imapable
There are other extensions around.
@Chris using attr_accessible is a good practice. Your issue would easily be caught if you had written tests before deploying. Anyway, Devise does not push that, it's up to you to use it or not.
@Soleone Devise still has most of its logic in the model and not in the Rack middleware. Take a look at Warden, you will find it interesting to know how it works. :)
I'm a little late to this party, but a couple of weeks ago I put together a post discussing some interesting things about the kinds of values that are accepted by Relation#where.
In particular, you can feed Arel predicates to #where directly, or for that matter, anything that responds to #to_sql. Kind of neat I think. It's at http://bit.ly/dhSjPJ if you're interested. :)
I hate that you have to define all your model attributes with attr_accessible. This could easily lead to cockups where you add a column to your table and forget to add it to the attr_accessible list.
I recently wrote an application with the Clearance authentication gem, which uses the same attr_accessible technique as Devise. Just before deployment I added a new column to my db and forgot to add it to the attr_accessible list for the user model. I only noticed the problem a month later, and so did my client. This caused a lot of useful data to be lost forever.
It seems silly to have to define the columns, and it's against the ActiveRecord standard.
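An added example serving both the attr_accessible reply above and this forgotten-column report; it is a constructed Rails-free sketch of the whitelist semantics, not ActiveRecord's, Devise's or Clearance's code. COLUMNS and ACCESSIBLE stand in for the table schema and the attr_accessible list, and TAMPERED_PARAMS is a constructed request. It shows the admin flag arriving from a tampered signup form, the unlisted phone column being dropped silently, and the one-line test that would have caught the missing column before deployment.

```ruby
# Rails-free sketch of attr_accessible's whitelist semantics (constructed
# stand-in, not ActiveRecord's code). COLUMNS plays the role of the table's
# columns; ACCESSIBLE is what attr_accessible lists.
class User
  COLUMNS    = %w[id name email phone admin created_at]
  ACCESSIBLE = %w[name email]   # phone was added to the table but never listed

  attr_reader :attributes, :dropped

  def initialize
    @attributes = { "admin" => false }
    @dropped    = []
  end

  # No attr_accessible: every posted key lands in a column, admin included.
  def assign_without_whitelist(params)
    params.each { |k, v| @attributes[k.to_s] = v }
    self
  end

  # attr_accessible-style assignment: unlisted keys never reach a column.
  # Rails only logs a warning for them, which is why a forgotten column loses
  # data silently; recording them lets a test or a log line catch it.
  def assign_with_whitelist(params)
    params.each do |k, v|
      if ACCESSIBLE.include?(k.to_s)
        @attributes[k.to_s] = v
      else
        @dropped << k.to_s
      end
    end
    self
  end

  def admin?
    @attributes["admin"] == true
  end

  # Guard for the forgotten-column trap: every column a form is meant to set
  # must be whitelisted. Run this in a test; ignore lists the columns that
  # must never come from a form.
  def self.unlisted_columns(ignore: %w[id admin created_at])
    COLUMNS - ACCESSIBLE - ignore
  end
end

# Constructed request: a signup form edited to add an "admin" field.
TAMPERED_PARAMS = { "name" => "mallory", "email" => "m@example.com",
                    "phone" => "555-0100", "admin" => true }
```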
I didn't understand why *names is used instead of names.
Is it possible to use devise with LDAP (Active Directory)?
Does devise use an adapter pattern to switch from one auth type to another?
... seems this routine is outdated - spent a day in silent sweat only to realize that Ruby 1.9.2 is where the music plays. An update would have been nice.
Ryan,
I had already decided to use Devise with my new Rails 3 app so your screencast was perfect. Thanks and I'm looking forward to the next one!
Doug
Fantastic tutorial, explaining exactly what I was looking for... kudos Ryan.
and indeed, I cry a little when I see this JS soup....
Using Rails 3 beta2, here's the routing code that works for me:

    resources :faqs do
      collection do
        post :sort
      end
    end
Hi Ryan,
thx for another great screencast. One thing I wanted to mention is that your older screencasts were somehow sharper and had more authentic colors. You changed the screencapture tool?
KR
Bijan
Just a minor suggestion:

    # config/application.rb
    config.filter_parameters << :password << :password_confirmation
Ryan,
One of the things I like about having gems packaged up in the project is the ability to look at the source code of the gems. This has come in handy on several occasions for debugging as well as extending gems. Do you have any pointers on how I would go about doing that when I start working on a Rails 3 project?
Thanks!
Nick
@Ryan Bates, Thanks for your detailed answer!
Gotchas:

If you already have a

    resources :users

you must remove it or put it after

    devise_for :users

I found some of the documentation thin - it would have been nice if more comments were added to the code that was generated.

Bug (I will be submitting it):

If your app is not at the root, e.g.

    http://myhost/my_app/

Devise will not get the right URLs for the sign_in/out paths.
@Soleone, I'd be interested in reading a more detailed article on the practical reasons against handling authentication in Rack middleware. MVC is a great principle, but it should not be followed blindly.
@BradM, subdomain handling has changed a little in Rails 3 so I'll likely be covering it in a future episode. However I don't consider it to be specific to a given authentication solution. You can apply my existing subdomain screencast (episode 123) to the Basecamp style. Just replace blogs there with projects.
Amazing, I just tried to get this working yesterday :P
Hi, Ryan.
I think on this page the migration code has been pasted twice, right?
BTW, just curious: why don't you like confirmation emails for registration?
I just so happened to find Devise last week and I was particularly interested in the Subdomain tutorial (Linked above).
I understand that you will be getting into manipulating Devise such as changing the views etc, but I think it may be beneficial to the community (and Devise) if there was a tutorial based on 'Basecamp-style-Account-Subdomains'
Where is User under a specific account/subdomain security type model.
BTW, great work! My Monday mornings have become Railscasts and Tim Horton (Best Coffee in Canada) type of mornings.