i am using like
def to_param
"#{self.attr1}-#{self.attr2}"
end
and my urls look as I want to, though when I :edit,(editing) the url redirects/goes back to showing the :id.
Im letting guest users change some specific record without logging in sending them through a specific link and I want users to not be able to manually change the url or at least show them a large slug so they can't guess the id.
Thanks in advance for any help, theres many posts around this but can't find a solution to fit my needs.
credit to #Dipak for pointing me in the right direction.
I managed to do it with Friendly_ID gem,
though it gave me some trouble because i had some redirects before the actions and it didn't want to pick up the slugs.
I had my redirects as 'redirect_to mymodel_path'
I finally got it working passing 'redirect_to mymodel_path(mymodel)'
Thanks!
Related
I would like some advice on how could I ban a visitor, I created a board where you can post without having account and other user can report if you are abusing. After 50 report the post is deleted and the visitor should be ban (cannot post or comment anymore) with his IP address.
I took a look to the gem rack-attack but it doesn't seems to fit to my problem. If I understand well I have to add IP in the blocklist or allow2ban by myself and it's not what I'm looking for.
Also I was think about saving the Ip in a table like user_ban but I don't know how I could unban them automatically after few hours or days.
This is why I'm looking for advice or ideas.
Thank you
O.k. so based on what you said, I would recommend a before action in the application controller to just redirect out if the user's ip is in the banned list. Since IP is the only thing you are tracking it is the only thing we have to work with, which, as you mentioned, is not 100%, but it seems like it is the best we can do. In the code below banned_ip_list would include all your banned ips. since you do not specifically say what you would like to do to the banned user I left that open for you inside the method to fill in.
application_controller.rb
before_action :check_if_user_is_banned
...
private
def check_if_user_is_banned
if banned_ip_list.includes?(request.remote_ip)
# what do you want to do here? Keep redirecting to a page and display a message?
end
end
first off all please excuse me if i dont use all the right terminology. I have the URL issue with my rails app. Basically it works but I just find the url to be a bit too "obvious" and maybe a security issue.
example i have a user resource the users show page will go to websitename.com/users/user_id right ? This is probably convention but how do i go about changing that to display something random ? I tried using a secure token (not sure if it was the right thing to do) and sessions are saved in the token but the url is still quite obvious. Authorization works and non-signed in users cant just visit lets say user with id one lol. Please if this dosent make sense I will try and clarify just ask. Thanks.
Edit.
Also can some one explain to me what a token does then, my understanding was instead of saving a user session with the user id and the id hets displayed, a users session was saved in a secure token and the token (generally random string) got displayed. wrong??
You can overwrite the to_param method for your user object. You could then have i.e. a column in the database, where you store a hash that is your param for the object. See also the Rails guides section for that.
Try https://rubygems.org/gems/friendly_id
It allows to have permalinks in urls instead of plain IDs
I might be approaching this problem the wrong way ... so if you have a more elegant solution I'm all ears.
Imagine I'm making a system like Kickstarter. I want my users to be able to specify how much they want to pledge before I ask them to sign up.
Then, if they're not registered I need them to sign up before putting them back in the flow that they would have been on had they just signed in. Devise makes this easy by redirecting a user back to the after_sign_up_path_for which ends up being after_sign_in_path_for by default.
So this will always issue a GET request. But if I have data that I received from the POST with the amount they wanted to pledge, but that's lost.
Is the only way to do this to store that posted data in the session? Or is there a clever way to start creating the pledge record without the user (without needing to run jobs to destroy orphaned pledge records)?
I found the approach described in this blog post over at highgroove.com quite interesting in this regard:
http://highgroove.com/articles/2012/10/09/lazy-user-registration-for-rails-apps.html
The basic idea is to always have an anonymous user at hand, even if the current vistor is not registered. Like this you can create e.g. associations as usual and — once the visitor actually does sign–up — you edit the user rather than all associated objects.
If the user does not ever register, you can simply look for abandoned user accounts and delete them including their associations, rather than look for all kind of abandoned models.
I'm stuck figuring out the best practice...
I want to create a "following" system in a way that a user can follow a car (getting email updates when car price changes, etc). The part of implementation that's giving me headaches is when I want to introduce lazy registration by only using email.
Everything needs to work as AJAX requests.
In the interface, there will be a button to trigger the follow action, which will check if the user is registered or not. If a user is logged in, create a new CarSubscription item, otherwise display a form where he could type his email address. Once submitted, the form should create a user with no password (if email exists, ask for the password and log in) and then it should create the relationship item.
The challenge here is to use redirection after submission of the form to the CREATE action of the CarSubscriptionController. Since I can't redirect using POST I can't simulate the CREATE or DESTROY action.
The non-RESTful solution would be to create 2 actions under cars_controller: follow and unfollow and let them do the logic of creating entries and deleting them. That would enable me to just store the request path and use it after the user enters their email and logs in.
How can I achieve what I want using RESTful resources?
After trying to describe my problem here, it seems it's way too complicated and I am indeed very stuck... There are 3 different controllers and possibly 4 requests in this scenario.
Any help would be tremendously appreciated!
Please see my flow chart below:
Not an expert here, I don't know if it's the best solution, but what I have done in similar situation is :
In your controller, respond with javascript instead of redirecting the user
In your javascript file, use $.post(...) to issue a POST to your controller action
Et voilà!
You can also use ActiveResource to achieve this, but I actually never tried that solution : http://api.rubyonrails.org/classes/ActiveResource/Base.html#label-Custom+REST+methods
Person.new(:name => 'Ryan').post(:register)
Hope this helps
I had a very similar need and had trouble pulling the various bits of info on how to do this with Devise and Rails together into a working example. Here's a fully working example based on Rails 4, Ruby 2, and Devise 3.0:
https://github.com/mwlang/lazy_registration_demos
In my Rails 3 application, I list many items on the homepage. Some of them are obscure, and I would like to limit my list to only popular items unless the user clicks a specific link that basically "zeroes out" the limiter.
What I have now works, but when the user chooses to "Show all items", I end up with a ugly url:
http://myapp.com/?limiter=0
Is there any way that I can strip that out so that the user does not see the ugly attribute at the end of the url?
No, don't use POST. POST is only supposed to be used when you are making a state change on the server. Use an AJAX GET if you really need to do this.
Better yet, get used to seeing GET parameters like this. It's normal. And, it's like that for a reason: it allows bookmarking a resource, including whatever settings are needed to reproduce the request later.
Read up on REST. Learn it. Live it. Love it.
There's a number of approaches you could take. Probably the most obvious one is to have a separate page for your show_all. It sounds like you're trying to do too much with your homepage.
If you must have these on the homepage, and your link is also on the homepage, you could use an ajax call to load up your items without having to redirect to that url.
Finally I suppose you could try making a route just for this situation. I don't really have any experience with Rails3 routes, though, so I can't suggest any syntax.
Really, though, this smells like an application design problem, not a technical problem. I strongly encourage you to rethink how you are trying to do this. This doesn't sound like a feature that is appropriate to put on your homepage. Make a separate show_all action.