Extremely useful!
Hi!
First of all, congratulations.
And second, I have a suggestion: why not use a ul/li list? We can write CSS to display it as columns and MVC will be respected.
Fantastic! I stumbled upon your Railscasts site whilst trying to work out how to handle HABTM checkboxes and bam, there's the solution right there! I found other stuff on the net but it was confusing or not quite what I wanted. Your Railscast on this topic was exactly the solution I was looking for, plus it was quick, easy and straight to the point. I'm very impressed. I'll be subscribing in iTunes and I'll be looking back over your previous Railscasts now. Many thanks!!
Very useful issue!
Hey Ryan,
I was JUST about to whine about the iPod version. :) Thanks for another great tute and for reading my mind!
For those interested, the iPod format should be working now. Sorry about the incompatible file format.
Thanks Ryan for these excellent screencasts.
Keep it up
congrats from México.
Ah, I just realized it as I hit the click... a thumbnail wouldn't do much for screencasts, hahaha.
Yeah, you would have to use rmovie, ffmpeg... to do what I described. It can be quite a load on the server CPUs.
keep up the good work!
Thanks Ryan. I'll probably start downloading the iPod versions though... that way I can take the casts with me on trips (Sadly, I don't have a laptop yet). As much as I like the higher quality, I find no reason to download the videos twice (and I might as well save you a little bandwidth). Thanks and keep up the good work!
@jjk2, no magic going on here. I'm just typing in that information manually. I'm sure there are some smart ways to have Ruby fetch the movie metadata, but the movies are on a separate server so that makes things considerably more difficult. If I do automate it, I will probably fetch the metadata on my local machine, which has access to everything, then have it automatically upload that info. So far I'm okay with typing it in manually though.
As for the thumbnail image, I'm not sure how useful it will be since half of the time it will display code which you can't read. I'll consider doing it if I get more requests though.
Thanks for the suggestions.
Good question. It's 640x480 instead of 800x600 and the compression doesn't look as nice, so if you don't need to play it back on an iPod/Apple TV it's definitely better to stick with the higher quality version.
Ryan, I haven't yet tried the download for iPod option, but I was just curious: what's the difference between that version and the regular one? Is it just more compressed?
Please let me know if you are unable to transfer the iPod version to your iPod/Apple TV. I may have got the compression settings incorrect or something.
Good topic, Ryan. Cross-site scripting is such a common problem and really needs plenty of attention.
I knew some hackers' tricks, but not this one. Really good!!
Ah, yes. makes so much sense.
BTW, how are you able to display the running time for your .mov files? Have you considered displaying a snapshot of a random frame from a .mov file as a thumbnail? I'm just curious as to how you are able to access the metadata of .mov files such as length, title, etc.
Thanks. I missed this security hole in many places :).
Thanks for another great screencast tutorial!
Keep up the great work!
Please disregard my previous post, as I forgot about the routing.rb file. I modified it according to your tutorial and it now works! Thanks again for such a great service!
Ryan, I was wondering if you could explain to me how the variables you are using, such as 'home_path' and 'sessions_path', are set. Furthermore, I am trying to use these past 3 videos to create a simple auth system for a program I'm working on, but I can't seem to figure out 2 problems: 1 - how did you have your 'new.rhtml' load when you browsed to '/login', and 2 - how did you decide where to put the same file (I assumed it would be 'views\login')? I can explain in more detail if I can contact you via email, as I don't really want to make such a long comment on your website. Also, if you or anybody on this site feels like they can help, please do.
Finally, thank you for doing such a great favor to so many people by creating these wonderful screencasts.
Ryan,
I think this is perhaps the best screencast yet. I especially appreciated the curl examples showing what a malicious user might do. Now I'm off to add attr_accessible to my models.
@Daniel,
Yes, you can set someone as the owner of the comment that way. Or better you could build the comment through the user:
@comment = current_user.comments.build(params[:comment])
If you want to set the user admin attribute you could do it like this:
@user.admin = true
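As an added example (not code from the screencast or from Rails itself), the following stand-alone Ruby models a minimal ActiveRecord-style mass assignment so the forged-parameter attack and both fixes from this thread can be run without a Rails app. The Model base class, the attribute and attr_accessible helpers, and the params hashes are all constructed here; real ActiveRecord differs in detail, but the behaviour shown (no whitelist honours a forged admin field; a whitelist drops it; building through the owner overrides a forged user_id) is the point of the episode.

```ruby
# Added example, not code from the screencast: a minimal stand-in for
# ActiveRecord mass assignment, so the attack and both fixes from this thread
# can be run without Rails. Model, attribute, and the params are constructed here.

class Model
  # A nil whitelist means "every attribute is mass-assignable", which was the
  # default for ActiveRecord models that never declare attr_accessible.
  def self.attr_accessible(*names)
    @accessible = names.map(&:to_s)
  end

  def self.accessible
    @accessible
  end

  def self.attribute(*names)
    names.each { |name| attr_accessor name }
  end

  def initialize(params = {})
    self.attributes = params
  end

  # Mass assignment: one setter call per key in the hash. With a whitelist,
  # keys not on it are silently dropped, which is what attr_accessible does.
  def attributes=(params)
    params.each do |key, value|
      key = key.to_s
      next unless respond_to?("#{key}=")
      next if self.class.accessible && !self.class.accessible.include?(key)
      send("#{key}=", value)
    end
  end
end

# Vulnerable: no whitelist, so a forged admin parameter becomes admin = "1".
class UnsafeUser < Model
  attribute :id, :name, :admin
end

# Hardened: only name may come from the form; admin must be set in code.
class User < Model
  attribute :id, :name, :admin
  attr_accessible :name
end

class Comment < Model
  attribute :body, :user_id
  attr_accessible :body
end

# The controller-side way to grant admin: an explicit assignment, never params.
def promote_to_admin(user)
  user.admin = true
  user
end

# Stand-in for current_user.comments.build(params[:comment]): the owner is
# taken from the logged-in user, so a user_id sent in the form is ignored.
def build_comment_for(current_user, params)
  comment = Comment.new(params)
  comment.user_id = current_user.id
  comment
end

# Constructed parameters, the equivalent of
#   curl -d "user[name]=mallory&user[admin]=1" http://example.com/users
FORGED_USER_PARAMS    = { "name" => "mallory", "admin" => "1" }
FORGED_COMMENT_PARAMS = { "body" => "first!", "user_id" => "1" }

if __FILE__ == $0
  puts "UnsafeUser admin: #{UnsafeUser.new(FORGED_USER_PARAMS).admin.inspect}"  # "1"
  puts "User admin:       #{User.new(FORGED_USER_PARAMS).admin.inspect}"        # nil
  alice = User.new("name" => "alice")
  alice.id = 42
  puts "Comment user_id:  #{build_comment_for(alice, FORGED_COMMENT_PARAMS).user_id}"  # 42
end
```

The whitelist is deliberate: a blacklist (attr_protected) only covers the columns you remembered, and a later migration that adds a sensitive column reopens the hole. Note that the dropped keys are discarded silently, so a missing entry in attr_accessible shows up as a form field that "doesn't save" rather than as an error.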
This security series is excellent and this episode is the best of the bunch so far. I really like it that you showed how a hacker might abuse the site. I think it really helps developers see how easy it is to formulate attacks. That should make addressing security more of a concern. Well, I hope...
Thanks for visualizing http://www.rorsecurity.info/2007/03/20/do-not-create-records-directly-from-form-parameters/
So if it's not through mass assignment, and you need to declare someone an admin, or set someone as an owner of the comment - then would you place it manually in the controller?
@comment.user_id = current_user.id
What about the admin? How would that be set?
Very helpful. I had no idea ActiveRecord relationships could be hijacked like that. I guess it's better to use a white-list than a black-list since you never really know what attributes are available in your models.
Amazing! I imagine this may and actually WILL be overlooked on many rails sites.
Thanks again Ryan for this screencast. That one was very interesting and the solution is so easy to set up... Nice!
Nice 'cast, as always :)
There's a blog about securing RoR applications, http://www.rorsecurity.info/ which covers a wide range of topics (from security within Rails to securing a MySQL installation). HTH :)
@Robort, good point! Thanks for bringing that up.
To clarify, in the screencast I was referring to the data inside the session, not the authenticity of it. Friday I'll be posting about cross site scripting which kind of goes along with this.
Great tips.
Although it's not directly relevant to what you're talking about in this video, I'd be a little careful about telling folks they can trust sessions blindly, as those can be hijacked in a variety of ways.
See: http://en.wikipedia.org/wiki/Session_hijacking
Yeah, that's a little confusing. The "category_ids" method accepts an array of ids, so:
product.category_ids = [1, 2, 3]
Will set categories with ids 1, 2 and 3 to that product. Normally in Rails forms you put the name of the attribute in square brackets and use that as the name of the field:
product[category_ids]
This way Rails knows it's an attribute of product. But if you just did this, it would take only one check box value and set that:
product.category_ids = 1
But here the category_ids method expects an array, so you need those empty square brackets in the name of the check box. Rails will then gather up all values with this same name and place them in an array. This is what the empty square brackets do:
product[category_ids][]
I hope that made some sense.
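As an added example (not Rails' own parser, which delegates this to CGI/Rack), here is a small Ruby parser for the bracketed field names discussed above, together with a stand-in for the HABTM category_ids= setter. The parser covers only what the thread uses: plain keys, one level of "parent[child]" nesting and a trailing "[]". The sample query strings are constructed here; the URL-encoded one is what a browser or curl actually sends on the wire.

```ruby
# Added example, not Rails' own code: a small parser for the bracketed field
# names discussed above, plus a stand-in for the category_ids= setter. Rails
# delegates this parsing to CGI/Rack; this version covers only plain keys,
# "parent[child]" nesting and a trailing "[]", which is all the thread uses.
require "cgi"

# "product[category_ids][]" => ["product", "category_ids", ""]
# The trailing "" is the empty-bracket marker that means "collect into an array".
def split_key(key)
  head  = key[/\A[^\[]*/]
  parts = key.scan(/\[([^\]]*)\]/).flatten
  [head] + parts
end

def assign(params, path, value)
  key, *rest = path
  if rest.empty?
    params[key] = value                      # plain key: last value wins
  elsif rest == [""]
    (params[key] ||= []) << value            # "[]": gather same-named values
  else
    assign(params[key] ||= {}, rest, value)  # "[child]": nest one level down
  end
end

def parse_nested_query(query)
  params = {}
  query.split("&").each do |pair|
    next if pair.empty?
    key, value = pair.split("=", 2)
    assign(params, split_key(CGI.unescape(key)), CGI.unescape(value.to_s))
  end
  params
end

# Stand-in for the HABTM category_ids= setter: accepts a single id or an
# array, and drops blank entries so a hidden field with an empty value
# (sent so that "no boxes checked" still reaches the server) clears the list.
def category_ids_from(value)
  Array(value).reject { |id| id.to_s.strip.empty? }.map(&:to_i)
end

if __FILE__ == $0
  checked = "product[category_ids][]=1&product[category_ids][]=2&product[category_ids][]=3"
  single  = "product[category_ids]=1"
  none    = "product%5Bcategory_ids%5D%5B%5D="   # URL-encoded, as sent on the wire
  [checked, single, none].each do |q|
    ids = parse_nested_query(q)["product"]["category_ids"]
    puts "#{q.ljust(80)} -> #{ids.inspect} -> #{category_ids_from(ids).inspect}"
  end
end
```

Two practical points follow from this. First, when no box is checked the browser sends nothing at all for category_ids, so the update never touches the categories; a hidden field with the same name and an empty value makes "none selected" explicit, and the setter above discards the blank entry. Second, category_ids= is reached through mass assignment like any other attribute, so if a model whitelists attributes with attr_accessible, category_ids has to be on that list or the check boxes will silently stop saving.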
One thing that's still not obvious to me is the product[category_ids][] you wrote in the view.
Does this mean product.category_ids => []?
What does the category_ids method do by itself, without the []?
@Nathan,
True, it can make caching a little more difficult. A solution that I like is to create an "admin" subdomain for the site (admin.example.com) then just have the "admin?" method return true for this subdomain. This way you can easily cache pages without this subdomain.
Of course, Ryan; the idea is to do some screencasts tagged as 'TextMate'. You can explain some basic issues in them.
Regards.
@Vicent, I try to squeeze in TextMate tips when I can, but I don't want to make it a focus of the episode because not every viewer is using it. Unless I make a few separate screencasts which is a possibility.
@Jack, I don't think SEO is related enough to Rails to create an episode about it. SEO is all client-side and Rails is server side. You can have Rails spit out any HTML you want in order to improve the SEO.
However, there are a few things like permalink titles in the URL which can improve SEO and are Rails specific. I'll consider creating an episode on this. Thanks for the suggestion!
@Corina, check your "~/Library/Application Support/TextMate/Bundles" folder to see if you have a custom Rails bundle in there. If you do it will override the one provided by TextMate. Try moving it out of that folder and relaunching TextMate.
Also, this is just a normal Rails plugin so there's no need to install it through TextMate; you can just check it out of the repository and place it in the "vendor/plugins" directory. See this article for details:
http://blog.inquirylabs.com/2006/09/28/textmate-footnotes-v16-released/
@Ian,
Correct, it doesn't work the same way with has_many :through because this association doesn't have the "category_ids=" setter method. You need to create this on your own. See this thread for details:
http://railsforum.com/viewtopic.php?id=803
Thanks for the screencasts. They're great.
I am wondering why this approach is better than simply using length instead of size?
Another great screencast as always! Definitely my favorite place for RoR info. Would really love to see a screencast one day about SEO, seeing as almost every client I get these days screams on and on about it for every project. Many are skeptical about RoR with respect to SEO; I think this should be something to be squashed sooner rather than later.
Hi Ryan,
Congratulations, these screencasts are excellent.
Please, can you consider making a new one about TextMate and Rails?
Ryan, I'm using TM 1.5.5 and can't find "Install Bundled Plugin" or "Install Plugin" either. Googling around, it turns out textmate_footnotes is included in the SyncPEOPLE bundle. But after installing that, I'm not seeing it or the above two commands anywhere. The rest of the SyncPEOPLE bundle works; the footnoting feature just doesn't seem to be there. I wonder if there's a compatibility issue with recent versions of TM...?
Am I right in saying this isn't quite as straightforward when we try to implement with a has_many :through association?
I can get my checkboxes displaying (and checking) properly, but struggle to update - I think it's something to do with the ids being passed being those of the 'join' table.
Anyone cracked this, or am I going about it the wrong way?
I forgot to say that i am using plugins:
acts_as_tree
acts_as_list :scope => :parent_id
Good tip! I'm always waiting for new tips from Railscasts too!
Great tip! I'm also always waiting for new tips from Railscasts.
Hi Ryan, I enjoy your casts as much as this tremendous framework. I'm still learning the basics of building an app in Rails for my company, and there are so many useful things you show in your episodes.
I hope you keep on going with this stuff -
not only because of the high quality of your casts but of your style keeping things easy and neat!
Great work!
@InMan,
Are you using some form of pagination here? I can't tell why it is querying with just that code. I suggest starting a thread on http://railsforum.com instead of discussing it here. That way you can post more code. I'll try to respond there if I know the answer.
@Victor,
Oy, I was using an older version of the Rails bundle. Looks like the newer one has a command called "Install Plugin", is that showing up for you?
The interface is a bit different too, you need to type in textmate_footnotes in the search field then click the arrow button to download and install it. Pretty slick.
I can't find the "Install Bundled plugin" in Textmate. I tried to find it using the included default Rails bundle and the one in the svn repository. Is there another Rails Bundle floating around I should know about? Thanks.
I have code in helper:
def page_methods(page)
  str = " "
  str += ( link_to blabla ) unless page.first?
  str += ( link_to blublu ) unless page.last?
  str
end
I found that first? and last? makes new query to database. How can i tell to use already made page query where i fetch all data.