railties 3.1.0.rc4 → 3.1.0.rc5
- data/CHANGELOG +7 -9
- data/bin/rails +2 -0
- data/guides/assets/images/rails_welcome.png +0 -0
- data/guides/rails_guides/generator.rb +1 -1
- data/guides/rails_guides/textile_extensions.rb +18 -17
- data/guides/source/3_0_release_notes.textile +21 -21
- data/guides/source/action_controller_overview.textile +1 -1
- data/guides/source/action_mailer_basics.textile +27 -6
- data/guides/source/action_view_overview.textile +6 -6
- data/guides/source/active_record_querying.textile +77 -7
- data/guides/source/active_record_validations_callbacks.textile +78 -81
- data/guides/source/active_support_core_extensions.textile +87 -31
- data/guides/source/ajax_on_rails.textile +1 -1
- data/guides/source/api_documentation_guidelines.textile +12 -8
- data/guides/source/asset_pipeline.textile +416 -0
- data/guides/source/association_basics.textile +2 -4
- data/guides/source/caching_with_rails.textile +7 -6
- data/guides/source/command_line.textile +78 -116
- data/guides/source/configuring.textile +34 -17
- data/guides/source/contribute.textile +1 -1
- data/guides/source/contributing_to_ruby_on_rails.textile +3 -3
- data/guides/source/debugging_rails_applications.textile +2 -2
- data/guides/source/form_helpers.textile +40 -51
- data/guides/source/getting_started.textile +641 -197
- data/guides/source/initialization.textile +4 -4
- data/guides/source/layouts_and_rendering.textile +2 -2
- data/guides/source/migrations.textile +114 -32
- data/guides/source/nested_model_forms.textile +6 -6
- data/guides/source/performance_testing.textile +6 -6
- data/guides/source/plugins.textile +23 -22
- data/guides/source/rails_application_templates.textile +8 -14
- data/guides/source/routing.textile +57 -51
- data/guides/source/ruby_on_rails_guides_guidelines.textile +3 -3
- data/guides/source/security.textile +10 -10
- data/guides/source/testing.textile +1 -1
- data/lib/rails.rb +27 -1
- data/lib/rails/all.rb +1 -0
- data/lib/rails/application.rb +4 -10
- data/lib/rails/application/configuration.rb +3 -12
- data/lib/rails/application/railties.rb +1 -1
- data/lib/rails/engine.rb +53 -42
- data/lib/rails/generators.rb +1 -1
- data/lib/rails/generators/app_base.rb +36 -15
- data/lib/rails/generators/generated_attribute.rb +1 -1
- data/lib/rails/generators/js/assets/assets_generator.rb +13 -0
- data/lib/rails/generators/js/assets/templates/javascript.js +2 -0
- data/lib/rails/generators/rails/app/app_generator.rb +3 -1
- data/lib/rails/generators/rails/app/templates/Gemfile +11 -7
- data/lib/rails/generators/rails/app/templates/config/application.rb +7 -3
- data/lib/rails/generators/rails/app/templates/config/databases/jdbc.yml +62 -0
- data/lib/rails/generators/rails/app/templates/config/databases/jdbcmysql.yml +3 -3
- data/lib/rails/generators/rails/app/templates/config/databases/jdbcpostgresql.yml +3 -12
- data/lib/rails/generators/rails/app/templates/config/databases/jdbcsqlite3.yml +3 -3
- data/lib/rails/generators/rails/app/templates/config/environments/production.rb.tt +0 -3
- data/lib/rails/generators/rails/assets/assets_generator.rb +2 -9
- data/lib/rails/generators/rails/plugin_new/plugin_new_generator.rb +12 -10
- data/lib/rails/generators/rails/plugin_new/templates/%name%.gemspec +5 -2
- data/lib/rails/generators/rails/plugin_new/templates/Gemfile +6 -3
- data/lib/rails/generators/rails/plugin_new/templates/Rakefile +5 -1
- data/lib/rails/generators/rails/plugin_new/templates/app/views/layouts/application.html.erb.tt +14 -0
- data/lib/rails/generators/rails/plugin_new/templates/rails/application.rb +5 -3
- data/lib/rails/info.rb +4 -0
- data/lib/rails/paths.rb +5 -5
- data/lib/rails/railtie.rb +4 -4
- data/lib/rails/tasks.rb +0 -1
- data/lib/rails/tasks/documentation.rake +3 -3
- data/lib/rails/tasks/engine.rake +2 -0
- data/lib/rails/tasks/framework.rake +3 -3
- data/lib/rails/tasks/tmp.rake +1 -1
- data/lib/rails/test_unit/testing.rake +2 -2
- data/lib/rails/version.rb +1 -1
- metadata +19 -33
- data/lib/rails/generators/rails/assets/templates/javascript.js.coffee +0 -3
- data/lib/rails/tasks/assets.rake +0 -21
@@ -1,6 +1,6 @@
|
|
1
1
|
h2. Rails Application Templates
|
2
2
|
|
3
|
-
Application templates are simple
|
3
|
+
Application templates are simple Ruby files containing DSL for adding plugins/gems/initializers etc. to your freshly created Rails project or an existing Rails project.
|
4
4
|
|
5
5
|
By referring to this guide, you will be able to:
|
6
6
|
|
@@ -11,22 +11,18 @@ endprologue.
|
|
11
11
|
|
12
12
|
h3. Usage
|
13
13
|
|
14
|
-
To apply a template, you need to provide the Rails generator with the location of the template you wish to apply, using -m option
|
14
|
+
To apply a template, you need to provide the Rails generator with the location of the template you wish to apply, using -m option. This can either be path to a file or a URL.
|
15
15
|
|
16
16
|
<shell>
|
17
17
|
$ rails new blog -m ~/template.rb
|
18
|
+
$ rails new blog -m http://example.com/template.rb
|
18
19
|
</shell>
|
19
20
|
|
20
|
-
|
21
|
-
|
22
|
-
<shell>
|
23
|
-
$ rails new blog -m https://gist.github.com/755496.txt
|
24
|
-
</shell>
|
25
|
-
|
26
|
-
Alternatively, you can use the rake task +rails:template+ to apply a template to an existing Rails application:
|
21
|
+
You can use the rake task +rails:template+ to apply templates to an existing Rails application. The location of the template needs to be passed in to an environment variable named LOCATION. Again, this can either be path to a file or a URL.
|
27
22
|
|
28
23
|
<shell>
|
29
24
|
$ rake rails:template LOCATION=~/template.rb
|
25
|
+
$ rake rails:template LOCATION=http://example.com/template.rb
|
30
26
|
</shell>
|
31
27
|
|
32
28
|
h3. Template API
|
@@ -58,14 +54,12 @@ gem "bj"
|
|
58
54
|
gem "nokogiri"
|
59
55
|
</ruby>
|
60
56
|
|
61
|
-
Please note that this will NOT install the gems for you
|
57
|
+
Please note that this will NOT install the gems for you and you will have to run +bundle install+ to do that.
|
62
58
|
|
63
59
|
<ruby>
|
64
|
-
|
60
|
+
bundle install
|
65
61
|
</ruby>
|
66
62
|
|
67
|
-
And let Rails take care of installing the required gems if they’re not already installed.
|
68
|
-
|
69
63
|
h4. add_source(source, options = {})
|
70
64
|
|
71
65
|
Adds the given source to the generated application's +Gemfile+.
|
@@ -229,7 +223,7 @@ rake("rails:freeze:gems") if yes?("Freeze rails gems ?")
|
|
229
223
|
no?(question) acts just the opposite.
|
230
224
|
</ruby>
|
231
225
|
|
232
|
-
h4. git(:
|
226
|
+
h4. git(:command)
|
233
227
|
|
234
228
|
Rails templates let you run any git command:
|
235
229
|
|
@@ -68,7 +68,7 @@ Rails would dispatch that request to the +destroy+ method on the +photos+ contro
|
|
68
68
|
|
69
69
|
h4. CRUD, Verbs, and Actions
|
70
70
|
|
71
|
-
In Rails, a resourceful route provides a mapping between HTTP verbs and URLs
|
71
|
+
In Rails, a resourceful route provides a mapping between HTTP verbs and URLs to controller actions. By convention, each action also maps to particular CRUD operations in a database. A single entry in the routing file, such as
|
72
72
|
|
73
73
|
<ruby>
|
74
74
|
resources :photos
|
@@ -94,8 +94,8 @@ Creating a resourceful route will also expose a number of helpers to the control
|
|
94
94
|
|
95
95
|
* +photos_path+ returns +/photos+
|
96
96
|
* +new_photo_path+ returns +/photos/new+
|
97
|
-
* +edit_photo_path(id)+ returns +/photos/:id/edit+ (for instance, +edit_photo_path(10)+ returns +/photos/10/edit+)
|
98
|
-
* +photo_path(id)+ returns +/photos/:id+ (for instance, +photo_path(10)+ returns +/photos/10+)
|
97
|
+
* +edit_photo_path(:id)+ returns +/photos/:id/edit+ (for instance, +edit_photo_path(10)+ returns +/photos/10/edit+)
|
98
|
+
* +photo_path(:id)+ returns +/photos/:id+ (for instance, +photo_path(10)+ returns +/photos/10+)
|
99
99
|
|
100
100
|
Each of these helpers has a corresponding +_url+ helper (such as +photos_url+) which returns the same path prefixed with the current host, port and path prefix.
|
101
101
|
|
@@ -163,14 +163,14 @@ end
|
|
163
163
|
|
164
164
|
This will create a number of routes for each of the +posts+ and +comments+ controller. For +Admin::PostsController+, Rails will create:
|
165
165
|
|
166
|
-
|_.HTTP Verb |_.Path
|
167
|
-
|GET |/admin/posts
|
168
|
-
|GET |/admin/posts/new
|
169
|
-
|POST |/admin/posts
|
170
|
-
|GET |/admin/posts
|
171
|
-
|GET |/admin/posts/
|
172
|
-
|PUT |/admin/posts
|
173
|
-
|DELETE |/admin/posts
|
166
|
+
|_.HTTP Verb |_.Path |_.action |_.named helper |
|
167
|
+
|GET |/admin/posts |index | admin_posts_path |
|
168
|
+
|GET |/admin/posts/new |new | new_admin_post_path |
|
169
|
+
|POST |/admin/posts |create | admin_posts_path |
|
170
|
+
|GET |/admin/posts/:id |show | admin_post_path(:id) |
|
171
|
+
|GET |/admin/posts/:id/edit |edit | edit_admin_post_path(:id) |
|
172
|
+
|PUT |/admin/posts/:id |update | admin_post_path(:id) |
|
173
|
+
|DELETE |/admin/posts/:id |destroy | admin_post_path(:id) |
|
174
174
|
|
175
175
|
If you want to route +/posts+ (without the prefix +/admin+) to +Admin::PostsController+, you could use
|
176
176
|
|
@@ -204,12 +204,12 @@ In each of these cases, the named routes remain the same as if you did not use +
|
|
204
204
|
|
205
205
|
|_.HTTP Verb |_.Path |_.action |_.named helper |
|
206
206
|
|GET |/admin/posts |index | posts_path |
|
207
|
-
|GET |/admin/posts/new |new |
|
207
|
+
|GET |/admin/posts/new |new | new_post_path |
|
208
208
|
|POST |/admin/posts |create | posts_path |
|
209
|
-
|GET |/admin/posts
|
210
|
-
|GET |/admin/posts/
|
211
|
-
|PUT |/admin/posts
|
212
|
-
|DELETE |/admin/posts
|
209
|
+
|GET |/admin/posts/:id |show | post_path(:id) |
|
210
|
+
|GET |/admin/posts/:id/edit|edit | edit_post_path(:id)|
|
211
|
+
|PUT |/admin/posts/:id |update | post_path(:id) |
|
212
|
+
|DELETE |/admin/posts/:id |destroy | post_path(:id) |
|
213
213
|
|
214
214
|
h4. Nested Resources
|
215
215
|
|
@@ -236,13 +236,13 @@ end
|
|
236
236
|
In addition to the routes for magazines, this declaration will also route ads to an +AdsController+. The ad URLs require a magazine:
|
237
237
|
|
238
238
|
|_.HTTP Verb |_.Path |_.action |_.used for |
|
239
|
-
|GET |/magazines/
|
240
|
-
|GET |/magazines/
|
241
|
-
|POST |/magazines/
|
242
|
-
|GET |/magazines/
|
243
|
-
|GET |/magazines/
|
244
|
-
|PUT |/magazines/
|
245
|
-
|DELETE |/magazines/
|
239
|
+
|GET |/magazines/:id/ads |index |display a list of all ads for a specific magazine |
|
240
|
+
|GET |/magazines/:id/ads/new |new |return an HTML form for creating a new ad belonging to a specific magazine |
|
241
|
+
|POST |/magazines/:id/ads |create |create a new ad belonging to a specific magazine |
|
242
|
+
|GET |/magazines/:id/ads/:id |show |display a specific ad belonging to a specific magazine |
|
243
|
+
|GET |/magazines/:id/ads/:id/edit |edit |return an HTML form for editing an ad belonging to a specific magazine |
|
244
|
+
|PUT |/magazines/:id/ads/:id |update |update a specific ad belonging to a specific magazine |
|
245
|
+
|DELETE |/magazines/:id/ads/:id |destroy |delete a specific ad belonging to a specific magazine |
|
246
246
|
|
247
247
|
|
248
248
|
This will also create routing helpers such as +magazine_ads_url+ and +edit_magazine_ad_path+. These helpers take an instance of Magazine as the first parameter (+magazine_ads_url(@magazine)+).
|
@@ -560,13 +560,19 @@ would match +zoo/woo/foo/bar/baz+ with +params[:a]+ equals +"zoo/woo"+, and +par
|
|
560
560
|
NOTE: Starting from Rails 3.1, wildcard routes will always match the optional format segment by default. For example if you have this route:
|
561
561
|
|
562
562
|
<ruby>
|
563
|
-
|
563
|
+
match '*pages' => 'pages#show'
|
564
564
|
</ruby>
|
565
565
|
|
566
566
|
NOTE: By requesting +"/foo/bar.json"+, your +params[:pages]+ will be equals to +"foo/bar"+ with the request format of JSON. If you want the old 3.0.x behavior back, you could supply +:format => false+ like this:
|
567
567
|
|
568
568
|
<ruby>
|
569
|
-
|
569
|
+
match '*pages' => 'pages#show', :format => false
|
570
|
+
</ruby>
|
571
|
+
|
572
|
+
NOTE: If you want to make the format segment mandatory, so it cannot be omitted, you can supply +:format => true+ like this:
|
573
|
+
|
574
|
+
<ruby>
|
575
|
+
match '*pages' => 'pages#show', :format => true
|
570
576
|
</ruby>
|
571
577
|
|
572
578
|
h4. Redirection
|
@@ -628,16 +634,16 @@ resources :photos, :controller => "images"
|
|
628
634
|
|
629
635
|
will recognize incoming paths beginning with +/photos+ but route to the +Images+ controller:
|
630
636
|
|
631
|
-
|_.HTTP Verb |_.Path
|
632
|
-
|GET |/photos
|
633
|
-
|GET |/photos/new
|
634
|
-
|POST |/photos
|
635
|
-
|GET |/photos
|
636
|
-
|GET |/photos/
|
637
|
-
|PUT |/photos
|
638
|
-
|DELETE |/photos
|
637
|
+
|_.HTTP Verb |_.Path |_.action |_.named helper |
|
638
|
+
|GET |/photos |index | photos_path |
|
639
|
+
|GET |/photos/new |new | new_photo_path |
|
640
|
+
|POST |/photos |create | photos_path |
|
641
|
+
|GET |/photos/:id |show | photo_path(:id) |
|
642
|
+
|GET |/photos/:id/edit |edit | edit_photo_path(:id) |
|
643
|
+
|PUT |/photos/:id |update | photo_path(:id) |
|
644
|
+
|DELETE |/photos/:id |destroy | photo_path(:id) |
|
639
645
|
|
640
|
-
NOTE: Use +photos_path+, +
|
646
|
+
NOTE: Use +photos_path+, +new_photo_path+, etc. to generate paths for this resource.
|
641
647
|
|
642
648
|
h4. Specifying Constraints
|
643
649
|
|
@@ -672,14 +678,14 @@ resources :photos, :as => "images"
|
|
672
678
|
|
673
679
|
will recognize incoming paths beginning with +/photos+ and route the requests to +PhotosController+, but use the value of the :as option to name the helpers.
|
674
680
|
|
675
|
-
|_.HTTP verb|_.Path
|
676
|
-
|GET |/photos
|
677
|
-
|GET |/photos/new
|
678
|
-
|POST |/photos
|
679
|
-
|GET |/photos
|
680
|
-
|GET |/photos/
|
681
|
-
|PUT |/photos
|
682
|
-
|DELETE |/photos
|
681
|
+
|_.HTTP verb|_.Path |_.action |_.named helper |
|
682
|
+
|GET |/photos |index | images_path |
|
683
|
+
|GET |/photos/new |new | new_image_path |
|
684
|
+
|POST |/photos |create | images_path |
|
685
|
+
|GET |/photos/:id |show | image_path(:id) |
|
686
|
+
|GET |/photos/:id/edit |edit | edit_image_path(:id) |
|
687
|
+
|PUT |/photos/:id |update | image_path(:id) |
|
688
|
+
|DELETE |/photos/:id |destroy | image_path(:id) |
|
683
689
|
|
684
690
|
h4. Overriding the +new+ and +edit+ Segments
|
685
691
|
|
@@ -776,14 +782,14 @@ end
|
|
776
782
|
|
777
783
|
Rails now creates routes to the +CategoriesController+.
|
778
784
|
|
779
|
-
|_.HTTP verb|_.Path
|
780
|
-
|GET |/kategorien
|
781
|
-
|GET |/kategorien/neu
|
782
|
-
|POST |/kategorien
|
783
|
-
|GET |/kategorien
|
784
|
-
|GET |/kategorien/
|
785
|
-
|PUT |/kategorien
|
786
|
-
|DELETE |/kategorien
|
785
|
+
|_.HTTP verb|_.Path |_.action |_.named helper |
|
786
|
+
|GET |/kategorien |index | categories_path |
|
787
|
+
|GET |/kategorien/neu |new | new_category_path |
|
788
|
+
|POST |/kategorien |create | categories_path |
|
789
|
+
|GET |/kategorien/:id |show | category_path(:id) |
|
790
|
+
|GET |/kategorien/:id/bearbeiten |edit | edit_category_path(:id) |
|
791
|
+
|PUT |/kategorien/:id |update | category_path(:id) |
|
792
|
+
|DELETE |/kategorien/:id |destroy | category_path(:id) |
|
787
793
|
|
788
794
|
h4. Overriding the Singular Form
|
789
795
|
|
@@ -880,7 +886,7 @@ h3. Changelog
|
|
880
886
|
|
881
887
|
* April 10, 2010: Updated guide to remove outdated and superfluous information, and to provide information about new features, by "Yehuda Katz":http://www.yehudakatz.com
|
882
888
|
* April 2, 2010: Updated guide to match new Routing DSL in Rails 3, by "Rizwan Reza":http://www.rizwanreza.com/
|
883
|
-
*
|
889
|
+
* February 1, 2010: Modifies the routing documentation to match new routing DSL in Rails 3, by Prem Sichanugrist
|
884
890
|
* October 4, 2008: Added additional detail on specifying verbs for resource member/collection routes, by "Mike Gunderloy":credits.html#mgunderloy
|
885
891
|
* September 23, 2008: Added section on namespaced controllers and routing, by "Mike Gunderloy":credits.html#mgunderloy
|
886
892
|
* September 10, 2008: initial version by "Mike Gunderloy":credits.html#mgunderloy
|
@@ -62,10 +62,10 @@ To force process of all the guides, pass +ALL=1+.
|
|
62
62
|
|
63
63
|
It is also recommended that you work with +WARNINGS=1+. This detects duplicate IDs and warns about broken internal links.
|
64
64
|
|
65
|
-
If you want to generate guides in languages other than English, you can keep them in a separate directory under +source+ (eg. <tt>source/es</tt>) and use the +
|
65
|
+
If you want to generate guides in languages other than English, you can keep them in a separate directory under +source+ (eg. <tt>source/es</tt>) and use the +GUIDES_LANGUAGE+ environment variable:
|
66
66
|
|
67
67
|
<plain>
|
68
|
-
rake generate_guides
|
68
|
+
bundle exec rake generate_guides GUIDES_LANGUAGE=es
|
69
69
|
</plain>
|
70
70
|
|
71
71
|
h3. HTML Validation
|
@@ -73,7 +73,7 @@ h3. HTML Validation
|
|
73
73
|
Please validate the generated HTML with:
|
74
74
|
|
75
75
|
<plain>
|
76
|
-
rake validate_guides
|
76
|
+
bundle exec rake validate_guides
|
77
77
|
</plain>
|
78
78
|
|
79
79
|
Particularly, titles get an ID generated from their content and this often leads to duplicates. Please set +WARNINGS=1+ when generating guides to detect them. The warning messages suggest a way to fix them.
|
@@ -15,7 +15,7 @@ endprologue.
|
|
15
15
|
|
16
16
|
h3. Introduction
|
17
17
|
|
18
|
-
Web application frameworks are made to help developers building web applications. Some of them also help you with securing the web application. In fact one framework is not more secure than another: If you use it correctly, you will be able to build secure apps with many frameworks. Ruby on Rails has some clever helper methods, for example against SQL injection, so that this is hardly a problem. It
|
18
|
+
Web application frameworks are made to help developers building web applications. Some of them also help you with securing the web application. In fact one framework is not more secure than another: If you use it correctly, you will be able to build secure apps with many frameworks. Ruby on Rails has some clever helper methods, for example against SQL injection, so that this is hardly a problem. It's nice to see that all of the Rails applications I audited had a good level of security.
|
19
19
|
|
20
20
|
In general there is no such thing as plug-n-play security. Security depends on the people using the framework, and sometimes on the development method. And it depends on all layers of a web application environment: The back-end storage, the web server and the web application itself (and possibly other layers or applications).
|
21
21
|
|
@@ -23,7 +23,7 @@ The Gartner Group however estimates that 75% of attacks are at the web applicati
|
|
23
23
|
|
24
24
|
The threats against web applications include user account hijacking, bypass of access control, reading or modifying sensitive data, or presenting fraudulent content. Or an attacker might be able to install a Trojan horse program or unsolicited e-mail sending software, aim at financial enrichment or cause brand name damage by modifying company resources. In order to prevent attacks, minimize their impact and remove points of attack, first of all, you have to fully understand the attack methods in order to find the correct countermeasures. That is what this guide aims at.
|
25
25
|
|
26
|
-
In order to develop secure web applications you have to keep up to date on all layers and know your enemies. To keep up to date subscribe to security mailing lists, read security blogs and make updating and security checks a habit (check the <a href="#additional-resources">Additional Resources</a> chapter). I do it manually because that
|
26
|
+
In order to develop secure web applications you have to keep up to date on all layers and know your enemies. To keep up to date subscribe to security mailing lists, read security blogs and make updating and security checks a habit (check the <a href="#additional-resources">Additional Resources</a> chapter). I do it manually because that's how you find the nasty logical security problems.
|
27
27
|
|
28
28
|
h3. Sessions
|
29
29
|
|
@@ -209,7 +209,7 @@ The HTTP protocol basically provides two main types of requests - GET and POST (
|
|
209
209
|
* The interaction _(highlight)changes the state_ of the resource in a way that the user would perceive (e.g., a subscription to a service), or
|
210
210
|
* The user is _(highlight)held accountable for the results_ of the interaction.
|
211
211
|
|
212
|
-
If your web application is RESTful, you might be used to additional HTTP verbs, such as PUT or DELETE. Most of today
|
212
|
+
If your web application is RESTful, you might be used to additional HTTP verbs, such as PUT or DELETE. Most of today's web browsers, however do not support them - only GET and POST. Rails uses a hidden +_method+ field to handle this barrier.
|
213
213
|
|
214
214
|
_(highlight)POST requests can be sent automatically, too_. Here is an example for a link which displays www.harmless.com as destination in the browser's status bar. In fact it dynamically creates a new form that sends a POST request.
|
215
215
|
|
@@ -386,7 +386,7 @@ params[:user] # => {:name => “ow3ned”, :admin => true}
|
|
386
386
|
|
387
387
|
So if you create a new user using mass-assignment, it may be too easy to become an administrator.
|
388
388
|
|
389
|
-
Note that this vulnerability is not restricted to database columns.
|
389
|
+
Note that this vulnerability is not restricted to database columns. Any setter method, unless explicitly protected, is accessible via the <tt>attributes=</tt> method. In fact, this vulnerability is extended even further with the introduction of nested mass assignment (and nested object forms) in Rails 2.3+. The +accepts_nested_attributes_for+ declaration provides us the ability to extend mass assignment to model associations (+has_many+, +has_one+, +has_and_belongs_to_many+). For example:
|
390
390
|
|
391
391
|
<ruby>
|
392
392
|
class Person < ActiveRecord::Base
|
@@ -469,7 +469,7 @@ A more paranoid technique to protect your whole project would be to enforce that
|
|
469
469
|
config.active_record.whitelist_attributes = true
|
470
470
|
</ruby>
|
471
471
|
|
472
|
-
This will create an empty whitelist of attributes available for mass-assignment for all models in your app. As such, your models will need to explicitly whitelist or blacklist accessible parameters by using an +attr_accessible+ or +attr_protected+ declaration.
|
472
|
+
This will create an empty whitelist of attributes available for mass-assignment for all models in your app. As such, your models will need to explicitly whitelist or blacklist accessible parameters by using an +attr_accessible+ or +attr_protected+ declaration. This technique is best applied at the start of a new project. However, for an existing project with a thorough set of functional tests, it should be straightforward and relatively quick to use this application config option; run your tests, and expose each attribute (via +attr_accessible+ or +attr_protected+) as dictated by your failing tests.
|
473
473
|
|
474
474
|
h3. User Management
|
475
475
|
|
@@ -540,7 +540,7 @@ Most bots are really dumb, they crawl the web and put their spam into every form
|
|
540
540
|
Here are some ideas how to hide honeypot fields by JavaScript and/or CSS:
|
541
541
|
|
542
542
|
* position the fields off of the visible area of the page
|
543
|
-
* make the elements very small or
|
543
|
+
* make the elements very small or color them the same as the background of the page
|
544
544
|
* leave the fields displayed, but tell humans to leave them blank
|
545
545
|
|
546
546
|
The most simple negative CAPTCHA is one hidden honeypot field. On the server side, you will check the value of the field: If it contains any text, it must be a bot. Then, you can either ignore the post or return a positive result, but not saving the post to the database. This way the bot will be satisfied and moves on. You can do this with annoying users, too.
|
@@ -567,7 +567,7 @@ h4. Good Passwords
|
|
567
567
|
|
568
568
|
-- _Do you find it hard to remember all your passwords? Don't write them down, but use the initial letters of each word in an easy to remember sentence._
|
569
569
|
|
570
|
-
Bruce Schneier, a security technologist, "has
|
570
|
+
Bruce Schneier, a security technologist, "has analyzed":http://www.schneier.com/blog/archives/2006/12/realworld_passw.html 34,000 real-world user names and passwords from the MySpace phishing attack mentioned <a href="#examples-from-the-underground">below</a>. It turns out that most of the passwords are quite easy to crack. The 20 most common passwords are:
|
571
571
|
|
572
572
|
password1, abc123, myspace1, password, blink182, qwerty1, ****you, 123abc, baseball1, football1, 123456, soccer, monkey1, liverpool1, princess1, jordan23, slipknot1, superman1, iloveyou1, and monkey.
|
573
573
|
|
@@ -617,7 +617,7 @@ This is alright for some web applications, but certainly not if the user is not
|
|
617
617
|
|
618
618
|
Depending on your web application, there will be many more parameters the user can tamper with. As a rule of thumb, _(highlight)no user input data is secure, until proven otherwise, and every parameter from the user is potentially manipulated_.
|
619
619
|
|
620
|
-
Don
|
620
|
+
Don't be fooled by security by obfuscation and JavaScript security. The Web Developer Toolbar for Mozilla Firefox lets you review and change every form's hidden fields. _(highlight)JavaScript can be used to validate user input data, but certainly not to prevent attackers from sending malicious requests with unexpected values_. The Live Http Headers plugin for Mozilla Firefox logs every request and may repeat and change them. That is an easy way to bypass any JavaScript validations. And there are even client-side proxies that allow you to intercept any request and response from and to the Internet.
|
621
621
|
|
622
622
|
h3. Injection
|
623
623
|
|
@@ -825,7 +825,7 @@ Network traffic is mostly based on the limited Western alphabet, so new characte
|
|
825
825
|
&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>
|
826
826
|
</html>
|
827
827
|
|
828
|
-
This example pops up a message box. It will be recognized by the above sanitize() filter, though. A great tool to obfuscate and encode strings, and thus “get to know your enemy”, is the "Hackvertor":http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php. Rails
|
828
|
+
This example pops up a message box. It will be recognized by the above sanitize() filter, though. A great tool to obfuscate and encode strings, and thus “get to know your enemy”, is the "Hackvertor":http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php. Rails' sanitize() method does a good job to fend off encoding attacks.
|
829
829
|
|
830
830
|
h5. Examples from the Underground
|
831
831
|
|
@@ -885,7 +885,7 @@ The "moz-binding":http://www.securiteam.com/securitynews/5LP051FHPE.html CSS pro
|
|
885
885
|
|
886
886
|
h5(#css-injection-countermeasures). Countermeasures
|
887
887
|
|
888
|
-
This example, again, showed that a blacklist filter is never complete. However, as custom CSS in web applications is a quite rare feature, I am not aware of a whitelist CSS filter. _(highlight)If you want to allow custom
|
888
|
+
This example, again, showed that a blacklist filter is never complete. However, as custom CSS in web applications is a quite rare feature, I am not aware of a whitelist CSS filter. _(highlight)If you want to allow custom colors or images, you can allow the user to choose them and build the CSS in the web application_. Use Rails' +sanitize()+ method as a model for a whitelist CSS filter, if you really need one.
|
889
889
|
|
890
890
|
h4. Textile Injection
|
891
891
|
|
@@ -944,7 +944,7 @@ The built-in +test/unit+ based testing is not the only way to test Rails applica
|
|
944
944
|
* "Factory Girl":https://github.com/thoughtbot/factory_girl/tree/master, a replacement for fixtures.
|
945
945
|
* "Machinist":https://github.com/notahat/machinist/tree/master, another replacement for fixtures.
|
946
946
|
* "Shoulda":http://www.thoughtbot.com/projects/shoulda, an extension to +test/unit+ with additional helpers, macros, and assertions.
|
947
|
-
* "RSpec":http://rspec
|
947
|
+
* "RSpec":http://relishapp.com/rspec, a behavior-driven development framework
|
948
948
|
|
949
949
|
h3. Changelog
|
950
950
|
|
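--- a/data/lib/rails.rb
+++ b/data/lib/rails.rb
@@ -4,6 +4,7 @@ require 'pathname'
 
 require 'active_support'
 require 'active_support/core_ext/kernel/reporting'
+require 'active_support/core_ext/array/extract_options'
 require 'active_support/core_ext/logger'
 
 require 'rails/application'
@@ -14,7 +15,7 @@ require 'action_dispatch/railtie'
 
 # For Ruby 1.8, this initialization sets $KCODE to 'u' to enable the
 # multibyte safe operations. Plugin authors supporting other encodings
-# should override this
+# should override this behavior and set the relevant +default_charset+
 # on ActionController::Base.
 #
 # For Ruby 1.9, UTF-8 is the default internal and external encoding.
@@ -87,6 +88,31 @@ module Rails
 RAILS_CACHE
 end
 
+# Returns all rails groups for loading based on:
+#
+# * The Rails environment;
+# * The environment variable RAILS_GROUPS;
+# * The optional envs given as argument and the hash with group dependencies;
+#
+# == Examples
+#
+# groups :assets => [:development, :test]
+#
+# # Returns
+# # => [:default, :development, :assets] for Rails.env == "development"
+# # => [:default, :production] for Rails.env == "production"
+#
+def groups(*groups)
+hash = groups.extract_options!
+env = Rails.env
+groups.unshift(:default, env)
+groups.concat ENV["RAILS_GROUPS"].to_s.split(",")
+groups.concat hash.map { |k,v| k if v.map(&:to_s).include?(env) }
+groups.compact!
+groups.uniq!
+groups
+end
+
 def version
 VERSION::STRING
 end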
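Review bot: In `groups`, the `v.map(&:to_s)` on new line 110 assumes every hash value is an array, so a single-environment declaration such as `groups :assets => :development` raises NoMethodError on Symbol; coercing with `Array(v)` accepts both forms: `groups.concat hash.map { |k, v| k if Array(v).map(&:to_s).include?(env) }`. The doc example promises `[:default, :development, :assets]`, but `env` is taken from `Rails.env`, which the example itself compares against the string `"development"`, so the second element is actually the string `"development"` rather than a symbol, and `uniq!` will not collapse it with a `:development` a caller passes as an argument; the example should show the real value or the comment should state that the environment entry is a string. A short comment would also help on line 109, since `RAILS_GROUPS` is split on bare commas with no stripping, e.g. `# RAILS_GROUPS="assets, docs" yields a group named " docs"; values are not trimmed`.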
data/lib/rails/all.rb
CHANGED
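--- a/data/lib/rails/application.rb
+++ b/data/lib/rails/application.rb
@@ -11,7 +11,7 @@ module Rails
 # == Initialization
 #
 # Rails::Application is responsible for executing all railties, engines and plugin
-# initializers.
+# initializers. It also executes some bootstrap initializers (check
 # Rails::Application::Bootstrap) and finishing initializers, after all the others
 # are executed (check Rails::Application::Finisher).
 #
@@ -78,10 +78,6 @@ module Rails
 require environment if environment
 end
 
-def eager_load! #:nodoc:
-railties.all(&:eager_load!)
-super
-end
 
 def reload_routes!
 routes_reloader.reload!
@@ -100,22 +96,18 @@ module Rails
 
 def load_tasks(app=self)
 initialize_tasks
-railties.all { |r| r.load_tasks(app) }
 super
 self
 end
 
 def load_generators(app=self)
 initialize_generators
-railties.all { |r| r.load_generators(app) }
-
 super
 self
 end
 
 def load_console(app=self)
 initialize_console
-railties.all { |r| r.load_console(app) }
 super
 self
 end
@@ -168,7 +160,9 @@ module Rails
 middleware.use ::Rails::Rack::Logger # must come after Rack::MethodOverride to properly log overridden methods
 middleware.use ::ActionDispatch::ShowExceptions, config.consider_all_requests_local
 middleware.use ::ActionDispatch::RemoteIp, config.action_dispatch.ip_spoofing_check, config.action_dispatch.trusted_proxies
-
+if config.action_dispatch.x_sendfile_header.present?
+middleware.use ::Rack::Sendfile, config.action_dispatch.x_sendfile_header
+end
 middleware.use ::ActionDispatch::Reloader unless config.cache_classes
 middleware.use ::ActionDispatch::Callbacks
 middleware.use ::ActionDispatch::Cookies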
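Review bot: The `Rack::Sendfile` branch added at new lines 163-165 should carry a comment stating the operational contract, because as I read Rack::Sendfile it replaces a file-backed response body with a header that names a server filesystem path and relies on the front-end web server to consume that header; if `x_sendfile_header` is set but the server in front is not configured for it, file responses presumably go out with an empty body and the path in that header can reach the client. I would add above the `if`: `# Only delegate file bodies to the front-end server when an X-Sendfile-style header is configured;` and `# that server must be set up to honor and strip the header, or file responses will be empty and leak paths.` The `present?` guard also means the middleware is now absent unless an application sets `config.action_dispatch.x_sendfile_header`, which looks like a deliberate change in the default stack and deserves a CHANGELOG line, since deployments that relied on the middleware being there unconditionally will silently stop using sendfile. The enclosing method that builds the stack starts and ends outside this hunk.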