Due to a circular dependency issue. We needed deprecate and reserved a parameter foo. However, we also want to continue supplanting that parameter on older versions of our App for foo.
Instead of making a reserved parameter: Is it okay to return it as a google.protobuf.Any with no repercussions?
No you shouldn't. This is a breaking contract that compromised several platforms. The best way is to create new files subverting it.
Related
I am about to start implementing an API in my Rails application that will respond to the requests it receives from my mobile application. Whenever I check resources about creating an API with Rails, everyone seems to talk about versioning from the get go. I was wondering what could be the drawbacks of not versioning from the get go, besides I might regret it if I ever decide to go public with the API?
Versioning helps you deal with problems. If you have a product named Foo, you may start at 1. (Foo 1) That first version was perfect and you decide to make a change. Your next version will be Foo 2. You have found a bug in Foo 2, and you can't fix it. Therefore, you revert back to Foo 1.
If you didn't version your product, then how would you know which Foo is stable? You may look at modification times, but that's not good enough.
Also, what if you go public (as you mentioned), and you haven't versioned the product? Then you will have to adapt and get used to the idea of versioning.
Is there a reason why ActiveRecord's bang methods are public, but not documented nor mentioned anywhere?
For example, where!, order!, limit! and others are all public and used by their non-bang counterparts.
I understand that they change the query object instead of its clone (and caution is necessary), but so do other bang methods, which are usually very well-documented.
They want to keep the API to be immutable, see the comments on this commit:
https://github.com/rails/rails/commit/8c2c60511beaad05a218e73c4918ab89fb1804f0
And as for all undocumented methods (with # :nodoc:), they are part of the private API.
You should not use them as they could be removed without a warning.
hth
Disclaimer: I'm not a RoR contributor, so if there is some RoR specific reason to it, I don't know.
As you said, they are wrapped by their non-bang counterparts. The where method for example checks if the method has the correct number of arguments and applies a the current scope to it. Moreover it provides the polymorphic behavior outlined in the documentation.
Source: https://github.com/rails/rails/blob/4c0d6680ee011b822e6beaa1ee84f835e89550a1/activerecord/lib/active_record/relation/query_methods.rb#L550
My impression is that they are this way for abstraction reasons. The bang methods implement a lower level of functionality, while the non-bang methods provide a more user-friendly interface. As to why they are not documented but are public, I think the library authors wanted to provide the option to use them if you really know what you're doing.
I’m looking for the best approach to extend the Grails CRUD generation functionality. It should be a Grails plugin which provides additional generators for following functionality:
Any changes on extended domain instance should be saved (as a version
of it) for history
Only one version of an instance can be active
User should be able to activate a version of the instance (the
currently active instance should be deactivated) which is not created
by him (4 eyes principle)
A diff view is nice to have
The intervention into Grails out of the box scripts should be as small as possible.
I identified so far 3 design strategies for implementation:
Mirror table with the same schema, which contains versions (doubles
the count of domains/tables). The activated version will be copied
to the native domain and vice versa.
Using discriminator in the domain class. Some new columns will be added to the domain (like state [active,notActive], lastUpdatedBy,
lastUpdatedDate…)
(De-)Serializing instances to a special domain with BLOB (e.g domain.properties as JSON)
Any of the solutions has pros and cons. What is the best approach to implement it? Perhaps there is a more simple way.
I've been developing a system in Grails that makes intense use of the version concept (as you related above). My approach was the 2nd one listed in your question.
I've created two fields: internalVersion e disabled. Every class that needs to be Versionable, must implement an interface called Versionable.
I'll try explain here one of the scenarios which it's necessary to use the version functionality (forgive my english).
The system that uses this concept is a Commercial System where there is a class called Quote.
Every Quote can has one or more versions where only the last version is valid. Every Quote and its versions are generated based in negotiations with an specific client. This way, a client asks us a Quote and if for some reason he doesn't like the prices (for instance), we can generate a new version with some discount. Every Quote has a unique code following by the current version, example: QT-000022/0 (first version), QT-000022/1 (second version).
To generate a new Version I use a method that clones the current object (using a kind of complete and deep Save As). I copy everything (properties and collections) to a new object.
The clone method identifies that the class implements the Versionable interface and does the following:
oldQuote.disabled = true
newQuote.internalVersion = oldQuote.internalVersion + 1
This way it's possible assure that only one version will be enabled.
I hope you understand my approach.
I'm working on a project that has two different Rails apps. One is the web app, and another is the API app. They both use the same database. How, or what, is the proper way for them to use the same models and schema? Currently, it appears as though the model files are copied from one app to the other, and they seem woefully out of synch when checking the differences.
A few options come to mind:
Git submodules. Store your models in a separate repo (or repos), and then include it as a Git submodule in each app. This allows you to reuse them without having redundancy, though you’ll likely have to ensure that you keep which revision each app is using in-sync.
Make it one app, with two distinct parts. Maybe your API could be a simple Sinatra (or other microframework) app, and reside within the Rails app, and then mounted to a path/subdomain. This may be the least amount of work and the simplest, but it’s also probably the most cluttered.
Use your own API. You already have an API, why not use it? Your front-end app can just talk to that and doesn’t have to have any the model logic inside it. This also has the nice side-effect of ensuring that your API works and is full-featured, as you’re now a consumer of it instead of just third-parties.
Which one you pick is up to you, though I happen to prefer the last. While it’s probably more work, you’ll likely end up with an overall better design by making your business logic external (and making MVC violations harder, if not impossible).
I am a Java programmer mostly, and it's actually amazing that we don't have to worry about a lot of security concerns that php or even rails developers have to worry about. We have to worry about them, but I think our job is actually a lot easier. You just use Java (already big bonus points there) and use Spring with Spring security... and you're basically done. Java and servlets are actually really good in this respect.
Now that I'm working in Rails, I think the biggest security concerns that I am the most scared of are parameters - both in the ones that are coming from the controllers (since they dynamic hashes, unlike in SpringMVC) and having to include more hidden values in forms.
But that got me thinking - you really have to be careful what you accept when you create new models or even update models. If you just blindly pass in parameters to your models, bad things can happen. In fact, things like the user role and stuff could be changed if you're not too careful.
It's almost like I want to write the setter code by hand to make sure it's not overwriting something that it shouldn't. And even if there's a framework mechanism to handle this... I would still want to test every risky model attribute just to be extra sure that it won't get overwritten on a create and on an update.
As much as Java gets a bad rep about productivity, it feels like it handles this stuff a lot better.
Anyway, my question is - what is the best resource/tips/advice for dealing with common security pitfalls/concerns/gotchas using rails - especially geared towards a Java/Spring developer who got used to working in a more stateful environment.
Even better, what would be a good checklist to go through every once in awhile?
And last, what tests would you recommend to make sure things are solid?
At least for your concern about assigning data to your model objects without proper checking, look into the attr_accessible declaration; it allows only specified attributes to be assigned via the bulk assignment:
user = User.new(params[:user])
user.approved = params[:user][:approved]
user.role = params[:user][:role]
You might find the entire 27th chapter of the Ruby on Rails 3rd edition book useful. (I haven't updated my 4th Edition book yet, not sure which chapter to recommend from the newer book. :)
I don't use ActiveRecord (I use DataMapper), but as a rule, I never do mass-assignment and I always expressly pass only the attributes I want to change. Rails 3 defaults to escaping all content in your views, unless you expressly output that data raw into into the .erb.
Also, it really bugs me that ActiveRecord doesn't help you out very much if you need to drop down to using SQL for something. You have to escape input yourself, which can expose you to the risk of human error allowing arbitrary SQL to be executed in your queries. DataMapper's underlying DataObjects connection supports prepared statements out of the box and in fact, it would actually require more work to avoid using them.
Rails 3 does have CSRF protection turn on by default too. It also makes session cookies HTTP-only by default, which makes them harder to steal via JavaScript.
I actually think, aside from Rails encouraging the use of mass-assignment, you're pretty well-covered for security.