Say one is in need to create Ruby On Rails application using third party's database without the possibility to see/get the database credentials.
Above may seem pretty crazy, but I am in this exact situation right now. The application will run on my server (only I have physical/remote access), the database will be theirs (third party company) and I cannot have access to it.
Any way of encrypting the database.yml file is pointless since I can do the following:
config = Rails.configuration.database_configuration
username = config[Rails.env]["username"]
password = config[Rails.env]["password"]
I desperately need a way to achieve given goals, and I hope it is possible. Any idea will be greatly appreciated.
Well you can always run a rails console and do whatever you want on their database :/ I don't really see the point in this.
They can create a new user on the database and give you it's credentials and then limit what you can see and do on database level. You can read how to do it for PostgreSQL here.
Related
I am quite new at Ruby/Rails. I am building a service that make an API available to users and ends up with some files created in the local filesystem, without any need to connect to any database. Then, once every few hours, I want to run a piece of ruby code that takes these local files, uploads them to Amazon S3 and registers their location into a Postgres database.
Right now both codes live together in the same project. I am observing that every time a user does something the system connects to the database. I have seen this answer which recommends to eliminate all traces of ActiveRecord in my code, but given that I want to have my background bookkeeping process connect to the database I am stuck on what to do.
Is it possible to define two different profiles (one with database and one without) and specify which profile a certain function call should run on? would this work?
I'm a bit confused by this, the db does not magically connect to the database for kicks on every request, it does so because of a specific request requires it. Generally through ActiveRecord but not exclusively
If your system is connecting every time you make a request, then that implies you have some sort of user metric or authorisation based code in there. Just killing off the database will cause this to fail, and likely you'll have to find it anyways, to then get your system to work. I'd advise locating it.
Things to look for are before_filters in controllers, or database session management, for example, or look for what is in the logs - the query should appear - and that will tell you what is being loaded, modified or whatnot.
It might even work to stop your database, just before doing a user activity, and see where the error leads you. Rinse and repeat until the user activity works, without the database.
I need some advice on a Rails app where I want to have signing up to be private (or not have one at all with users pre-registered in the seeds.rb file). In other words, I do not want random people off of the internet to be able to sign up. I know that I could easily not making a signup form and tweak my app accordingly, but the problem lies with the seeds.rb file containing sensitive information (i.e., passwords). The passwords need to somehow be encrypted. Any advice would help. Thanks.
You have multiple options:
Disable sign up and do it manually using an admin user (thinking about ActiveAdmin gem).
Register that users at DB (without rails' knowledge). I don't know what DB you're using, but imagine you're using postgreSQL (for instance). Go to your DB and manually insert the users on DB using some kind of user interface (command-line or graphic/visual)
Use environment variables at deployment that contain passwords.
Give them a default password and make them change password once they log in.
... there are more options, but you need to be explicit about what you want to achieve. Do you want to start with X users and don't add more? Do you want to start with X users and be able to expand to more users?
I'm a fairly new developer and I've encountered my first project where it will be important to be able to store certain fields encrypted within the database.
I'm on the most current version of Ruby/Rails, hosted on Heroku and using Git for source control. I installed the symmetric-encryption gem and SORT of have it working. But, when it comes to security, I know "sort of" doesn't cut it.
So, I set up the env variable with a key inside Heroku and have created a column in my database called :encrypted_access_code. When I submit a form, passing an :access_code parameter, it stores an encrypted version inside the :encrypted_access_code column. If I call the .decrypt method on that string, the method properly decrypts it and returns the original value. That seems, by what I can tell, to all be working correctly.
The problem is that I am still able to call MyModel.access_code, both in console and in the view, and it returns the unencrypted value. That column is no longer present in my database but it's still letting me call it - not good and I'm not sure where I went wrong. I'm sure it has something to do with symmetric-encryption and my not understanding it fully, but I haven't been able to find a truly comprehensive guide on getting it up and running. Using the creator's site I used his example to add the bits I needed in my model but I must be missing something. Any help would be super, super appreciated.
Thanks!
What is the simplest way how to check if user is online and display list of online users?
The only way I can think of is some periodic polling server to update last action timestamp, and when last timestamp is more than xx ago, user is considered to be offline. But it doesn't seem like too eficient solution.
Authlogic can do this by default, and is a great authentication system that is very powerful. I would suggest migrating your current authentication system over to it (maybe a days worth of work, depending how customized your system is).
If you can't (or simply don't want to) move your application over to Authlogic, you can check out the source code at the link above, as well as an example project here.
You could potentially check the session time, if you use database session store. When the updated_at extends past a certain time, assume the user is no longer active. This could be problematic as well, however.
Being honest, it's a somewhat difficult scenario to tell the active number of users without some form of periodic server polling. Your thought is not a bad one.
We can list the online users using active record session store, please see this github app https://github.com/mohanraj-ramanujam/online-users
It's quite common in sites- you have a "demo" version with a guest account full of data/posts/comments that you can play with, and all the data is reset every few hours so users wont spam the demo site.
I thought to have another rails environment, "mysite_demo" and use a cron job to call rake to reset it's database every X hours, and populate the seed data.
Then it hit me that all over my app I'll have to check if I'm running in "demo-mode":
For example, if the demo site has a login/register page too, a user might register, insert some data and wonder why his account is deleted after he logged in again.. so demosite shouldn't have a register option at all.
So I thought I'll make a "demo" branch of the code.. with the difference and just merge changes as I go... sounds like an overkill.
ideas?
In my application I started with a fixed demo user with an account that resets every hour. Something about that model didn't quite sit right - if there were multiple users hitting the demo at the same time you could get into some weird concurrency issues. And what if a user is in the middle of a demo and your reset the demo account? What happens?
I don't know if this model works for you but I ended up creating a brand new user account with a demo flag set in the database - I also automatically log the user in. This way the user gets to play around for as long as they like and I don't have to worry about data getting deleted/changed while a user demos my app. I run a cron job every night that deletes users with the demo flag set that are older than 24 hours.
If the demo version is running from its own database, how is it any different from the real thing? The demo site is just an instance of your product.
Just clean up the DB and redeploy the demo as needed. Is it just this simple or am I missing something?
Then it hit me that all over my app I'll have to check if I'm running in "demo-mode" (e.g, you cant register a new user in the demo) and make the site behave accordingly.
If the site is in demo, why does it matter what the users do? Anything they do will be wiped in a few hours, so they won't be able to actually do work with it.
It sounds like you are trying to handicap the site so they will pay. I don't know what your site does, but if its a host based service(web page that stores & display information) then the limited life span of the data should deter squatters.
If you website does something that can be used elsewhere, then I can see limiting it. An example might be a service that transforms media formats, or writes resumes. If the user can do something useful in the 2 hour window and walk away with it, then you might consider branching.
Why not allow the user to make an account even if it is deleted in an hour?
That allows them to see how the registration process of the script works for at least an hour, maybe give a message on the signup page that the account is only valid for an hour.
Just my thoughts
Is there any other functionality that is different in the demo version than the production environment? If it is just an issue of making the user register, you could just create a registered demo account in production, and give out the user name/password for people. Although this may not be an option depending on other business requirements.
If you are willing to use Authlogic you can take a look at this, then every X hours you can look through the database for users that start with anonymous_ and delete records that are associated with them.
Just make a separate demo site that works exactly like the production one, but the DB gets reset once an hour to clean example data. The only change you need to make is a banner across the top of every page that says its a demo. There are several ways to do it, (modify your site theme, or maybe use frames) but basically you should only have to change the code in one place, instead of throughout the site.
You could setup a new environment demo on your database.yml, with read-only privileges for the User table, and an additional demo_database. Then place some checks on your code to see if your RAILS_ENV is on DEMO.
That way, you only need to work with the same codebase and just show whatever you feel like it.
You can deploy it as a separate app with its own database to a separate domain or subdomain and then check the domain to decide what options should be available. For instance if you put it on demo.example.com you would use:
if request.domain =~ /demo/
If you use Capistrano you can set it up to update both apps when you deploy so they are in sync.