Does anyone know how to stop spam in rails? I've tried many solutions, which all has failed.
I have tried:
Captcha: I am currently not a fan of captcha since it interrupts when the user is signing up but upon putting captcha on signup page bots still managed to get passed it.
Honeypot: I've created a hidden field set the max character value to 0 and push the form -9999px off the screen and for some reason that does not stop the spam.
askimet: While this works well with wordpress it comes with a monthly fee so I am not interested in something like this.
Is there anyway to stop the spam bots in rails from signing up?
For a honeypot solution, you can use invisible_captcha.
It works pretty nice for small and medium sites, with a simple and configurable approach.
More or less:
In your form:
<%= form_tag(create_topic_path) %>
<%= invisible_captcha %>
...
<% end %>
In your controller:
class TopicsController < ApplicationController
invisible_captcha only: [:create, :update]
...
end
Aggressive Spam Bots are using (most of the times) the same tld or selected names, strings or numbers.
You can try Filters Spam to filter out Words etc. you don't like in your App.
And if you have a Really Big Problem with Spam just go with Rakismet (Ruby Akismet), for only 4.99/Month. I dont think this is to much to ask.
Try projecthoneypot gem https://github.com/cmaxw/project-honeypot. It uses Http:BL service which maintains a list of suspicious IP's.Check this out http://www.projecthoneypot.org/httpbl.php
Related
I am developing a crypto-related application and since those people who deal in crypto will always try some sort of scam or script kiddie "hack" I'd like to figure out the best way to clean up content in user-to-user chat boxes and comments fields.
I don't want any HTML/CSS/JS in there.
I want to leave email addresses, URLs, phone numbers and "normal" text untouched.
Right now I am doing a .gsub(/[^0-9a-zA-Z\#\;\:\-\_\,\.\ ]/i, '') before_save but it removes the newlines.
I tried adding .gsub(/[^0-9a-zA-Z\R\#\;\:\-\_\,\.\ ]/i, '') to make it leave newlines alone but it does not seem to work.
Would prefer not having to add any gems.
Rails has an excellent sanitizer built in, that I would recommend you use instead of trying to figure out your own regular expressions.
See:
http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html
Before you render any user's input out the page wrap it in santize
<%= sanitize #comment.body %>
If you want to sanitize before saving to the database, you can include the helper into your controller
class MyController < ApplicationController
include ActionView::Helpers::SanitizeHelper
def create
content = sanitize(params[:content])
Thing.save(content: content)
end
end
I am adding an issue button to my site. My intent is to allow the user to report an issue they have had in use of the site. This would be a usability issue, as I already trap and report actual failures. Currently, the button simply collects a textual response and writes an a SQL record in my XLog. I could show you that code, but it means nearly nothing in terms of the larger question.
What I really would like to do is collect as much as I can of the state that was current at the end of the last request/response cycle. I plan on emailing this state to my support team using Action Mailer. I know I can gather the standard ($...) global variables, at minimum. However, I would like more than that.
It would be very nice to go so far as to grab a screenshot of the screen where the button was clicked. At minimum, I'd like to know the URL, state of all the variables, etc. I'd go so far as to raise and trap an error to do this. However, even that would occur at the start of the next request.
I have considered creating an after_action for every controller action that would store the state. That may be heavy handed, but I don't know if I have another choice. Or, if even that would be enough but it likely would.
In any case, I often find that when I work on a particularly difficult question, there is a gem for that. Is there a gem for that? Or, can someone show me the starting point on this tangled ball of twine? Thanks!
Having heard no response, I decided to try this and see what happens. It gives me some basic information. I'd be happy to hear any suggestions.
In my application controller, I have:
before_action :gather_response
after_action :gather_request
helper_method :gather_request
helper_method :gather_response
...
private
def gather_request
session[:kac_debug] = Hash.new if session[:kac_debug].blank?
session[:kac_debug][:request_trace] = Array.new if session[:kac_debug][:request_trace].blank?
session[:kac_debug][:request_request] = request.env['HTTP_REFERER']
session[:kac_debug][:request_trace] =
session[:kac_debug][:request_trace].unshift("#{request["controller"]}, #{request["action"]}").take(12)
true
end
def gather_response
session[:kac_debug] = Hash.new if session[:kac_debug].blank?
session[:kac_debug][:response_request] = response.request.env['HTTP_REFERER']
session[:kac_debug][:response_status] = response.status
true
end
In the controller where I gather and report the information, I want to ensure that the information isn't overwritten, so I have:
before_action :gather_response, except: [:new, :create]
after_action :gather_request, except: [:new, :create]
First impression is that it seems to be doing what I want. I haven't done extensive debugging using it yet, however. I may need to add more information. But, I want to keep it to the minimal amount that I need to understand what was happening before the user issued the report. I may need more, or less...
Advice desired. Thanks.
ok, bear with me here, please.
i'm asking a question in which i'm not fully conversant of all the technical details, etc. (in other words, please take it easy on me for not being fully up on the par).
i've created a ROR application with Devise's gem ... it allows you to sign in, sign up, and log out.
it's very simple, and it just has a page in which you fill in your name, favorite hobby, & book. (hey, it's just an example)
i've also used their redirect code to go this page:
def after_sign_in_path_for(resource)
posts_path
end
the thing is that ... this page is public to everyone who logs in.
how do i redirect the user to their own page? and not see everyone's else "notes."
i've looked around ... and Devise has a link on sessions_controllers ...
do i use that? i don't fully understand the purpose of it.
if yes, how? still trying to figure out how all the puzzle pieces fit together, and it's hard to do that when you don't have full understanding of the topic itself.
or is there another way that's simpler?
if this question is too broad, please let me know ... but i'm not really quite sure how to break it down.
in essence, what i'm really asking is how do i have a user be directed to their own page and not see anyone else's page.
thanks in advance for any help/advice/pointers/etc.
First, let's assume your User model has_many :posts. In your PostsController index action (the default RESTful route would be posts_path) you can put something like this:
#posts = current_user.posts
and when visiting the index view you will only see the current user's posts.
That being said, you are not limited to the index view. You can customize any view you'd like and have a corresponding Controller action with declared instance variables which you can manipulate in your views.
Does that makes sense?
Try with:
def after_sign_in_path_for(user) # note: user or w/e your model is named
users_path(current_user)
end
I am currently building a Rails app, and trying to figure out the best way to authenticate that a user owns whatever data object they are trying to edit.
I already have an authentication system in place (restful-authentication), and I'm using a simple before_filter to make sure a user is logged in before they can reach certain areas of the website.
However, I'm not sure the best way to handle a user trying to edit a specific piece of data - for example lets say users on my site can own Books, and they can edit the properties of the book (title, author, pages, etc), but they should only be able to do this for Books that -they- own.
In my 'edit' method on the books controller I would have a find that only retrieved books owned by the current_user. However, if another user knew the id of the book, they could type in http://website.com/book/7/edit , and the controller would verify that they are logged in, then show the edit page for that book (seems to bypass the controller).
What is the best way to handle this? Is it more of a Rails convention routing issue that I don't understand (being able to go straight to the edit page), or should I be adding in a before_find, before_save, before_update, after_find etc callbacks to my model?
check out the following gems:
cancan
devise
authlogic
and don't miss Ryan's great railscasts on the above
this will give access to anyone who changes the value in the address bar
#book = Book.find(params[:id])
but if you go through the association of the logged on user rails (ActiveRecord) will automatically update the sql query
#book = current_user.books.find(params[:id])
of course this assumes that your books table has a user_id column
You may need an authorization plugin. I had some experience use this plugin a while back. This article also has an overview:
You might also take a look at Declarative Authorization
Hey I have recently done this myself. The easiest way to do this is to have the edit feature display on the page but incase it in a method such as the following:
<%if current_user %>
<% if current_user.id == wishlist.user_id %>
<div id="text3"><%= link_to 'Edit', edit_wishlist_path(#wishlist) %></div><br />
<%end%>
<%end%>
Is this what you were hoping for?
I have a live rails website and I want to have a form with a lot of fields on it. I have set up validations and allowed formatting for every field. I've tested it quite a bit and it seems to catch anything I throw at it.
I think it's almost ready to go live, but I want to quadruple check if there's anything else I should do to protect it. My site has a low volume of visitors, but I want it to be a safe as possible. I'd like to avoid using a captcha if I can. I've read that you can use a hidden field to protect forms against bots.
Do people recommend this instead of using a captcha, or even using it with a captcha?
my form is really standard:
<% form_for(#entry) do |f| %>
...
<%= f.submit 'Create' %>
<% end %>
Any suggestions or code samples would be greatly appreciated.
You should whitelist a list of attributes that the user is allowed to edit in your model using attr_accessible
Write tests/specs for your models/controllers/views?