I'm a beginner with ember.js, and i don't know the best way to do this:
my application has devise gem, and it's a server side mvc application until you log in. Then it's ingle page. So all my ember code is declared inside the "inner" layout. In this layout, obviously, i also have my current_user.name method. I would like to use this information, and not doing an http request to get it.
I think that if there could be a way to put it inside my applicationController... it would be perfect!
Any ideas? Or maybe i'm trying to do the wrong thing?
thanks,
Marco
You can embed your current_user's json in a data-current-user attribute on the body.
<body data-current-user="<%= current_user.to_json %>">
This way you can check if they are authenticated, and get their attributes without an HTTP call.
Ryan Bats goes into detail on this: http://railscasts.com/episodes/324-passing-data-to-javascript
Related
I am looking for a way to access a model via its :id.
My project looks like this:
First someone can register himself in a form. Then he gets forwarded to a page where he can edit the things he entered. Now I do not want that you can see something in the URL.
Edit:
I was maybe a little unclear:
There is a form, where you can enter some things. After you submitted those things, you will be forwarded to another page with an URL like 'www.example.com/entry'. There I want to show what the person entered. And I do not want an URL like 'www.example.com/entry?id=12'
I hope that clarified some things
Your answer is a bit lacking in details, so I'll do my best here. Essentially, if you do not want to display the url parameters, then you will have to use the post HTTP method to submit your forms (which you should be doing anyway).
In your routes.rb file, you'll need to define your route to look something like this:
post 'route', to: 'controller#action'
Data submitted via the post method is typically submitted via a form. I would recommend using rails conventions like:
the rails form_for helper --> more details
resources since they typically give you the routes you want. To modify your routes beyond the defaults, I'd advise looking at the rails routing guide.
I am using Ruby on Rails 4.1.1 and I am thinking to accept parameters (through URL query strings) that are passed directly to the url_for method, this way:
# URL in the browser
http://www.myapp.com?redirect_to[controller]=users&redirect_to[action]=show&redirect_to[id]=1
# Controller
...
redirect_to url_for(params[:redirect_to].merge(:only_path => true))
Adopting the above approach users can be redirected after performing an action. However, I think people can enter arbitraryparams that can lead to security issues...
Is it safe to accept URL parameters for populating the url_for method? What are pitfalls? What can happen in the worst case?
By logging params during requests to my application I noted Rails adds always :controller and action parameters. Maybe that confirms url_for can be used the above way since it is protected internally and works as-like Rails is intended to.
This it is safe internally as Ruby On Rails will only be issuing a HTTP redirect response.
As you are using only_path this will protect you from an Open redirect vulnerability. This is where an email is sent by an attacker containing a link in the following format (say your site is example.com).
https://example.com?foo=bar&bar=foo&redirect=http://evil.com
As the user checks the URL and sees it is on the example.com domain they beleive it is safe so click the link. However, if there's an open redirect then the user ends up on evil.com which could ask for their example.com password without the user noticing.
Redirecting to a relative path only on your site fixes any vulnerability.
In your case you are giving users control of your controller, action and parameters. As long as your GET methods are safe (i.e. no side-effects), an attacker could not use this by creating a crafted link that the user opens.
In summary, from the information provided I don't see any risk from phishing URLs to your application.
Rails redirect_to sets the HTTP status code to 302 Found which tells the browser to GET the new path as you defined it by url_for. GET is a considered a safe method in contrast to
... methods such as POST, PUT, DELETE and PATCH [which] are intended for
actions that may cause side effects either on the server, or external
side effects ...
The only problem would have been if someone could gain access to methods such as create and destroy. Since these methods use HTTP methods other than GET (respectively POST and DELETE) it should be no problem.
Another danger here is if you go beyond CRUD methods of REST and have a custom method which responses to GET and changes the database state:
routes.rb
resources something do
member do
get :my_action
end
end
SomethingController
def my_action
# delte some records
end
For future ref:
Rails has a number of security measurements which may also interest you.
It's not exactly an answer, just wanted to point out that you shouldn't use something like
url_for(params)
because one could pass host and port as params and thus the url could lead to another site and it can get worse if it gets cached or something.
Don't know if it threatens anything, but hey, it's worth pointing out
I'm adding an api to an existing application.
I created a controller "api" and am using rabl to handle my views and return json.
Ideally I want the routes to be something like this: (We have a User controller and model set up).
/api/users/show.json?id=1 etc...
I have the api/index.json working and returning my rabl template, but I can't seem to get the /api/users/show.json to do anything
I set this up:
scope "/api" do
resources :users
end
But that redirects from "/api/users" to "/users/new"
I'd like to keep everything in the api section to itself, and not have to mix up my rabl templates within the views/users or in the users controller.
Thanks for any light you might be able to shed on this.
Im not sure if i got your problem, but i think your route may be wrong.
It should be something like
/api/users/1.json
Sorry, I have a Rails newbie question. In my Rails application, how can I call a method defined in my controller from the view? For example, let's say I wrote a custom method that retrieves stock information. In my view, I want to have a regular HTML button, that upon clicking, will call my custom method and populate the stock results.
How is that done? I've looked around and couldn't find a straightforward way to do this. But I'm sure I'm missing something here.
Edit: I took the question by its title which wasn't what the question was. The answer to the title of your question is at the bottom
What you want is an ajax request, which is a separate controller action. You'll need:
javascript to request a route and populate its DOM object when the button is clicked
an action that returns whatever the ajax request was asking for
There are many ways to do this, but if you search for "howto rails ajax" you'll find a gazillion tutorials to help you on your way. One way that I like is called pjax: https://github.com/rails/pjax_rails
Old answer...
Declare a helper_method, like so:
In your controlller:
private
def find_stock
...
end
helper_method :find_stock
In your view:
<% find_stock.each do |stock| -%>
Documentation: http://api.rubyonrails.org/classes/AbstractController/Helpers/ClassMethods.html#method-i-helper_method
You can check the documentation for the button_to view helper
This is one way, of course, you could use the remote option to do this via an AJAX request.
I use require_admin! frequently in my controllers. It works great.
Now, I want to add named route like so:
# config/routes.rb
match "poniesandrainbows" => redirect("https://poniesandrainbows.com")
# ^sadly, not really a website, btw.^
How do I restrict access to that route? Is this possible? Obviously it redirects to a public URL, but I still want to keep the route private.
You cannot restrict access from routes.
The safest way to match "poniesandrainbows" with a controller where you can use require_admin! and then redirect them to the public url.
You can try to solve the problem on the front end. Maybe only show the link to admin users.
It won't stop other users to paste the link directly to their browser url though
That kind of functionality should be encapsulated in the controller. The router handles the plumbing of passing a request to the correct controller. It is the controller's job to correctly figure out how to process the request. In this cause, the controller would use the auth service (such as require_admin!) to determine if the user is allowed to be redirected or if they are doom to another fate.
It is actually possible although as the other posters mentioned very rarely a good idea. You can read about how in this blog post: (scroll down to the routes section)
http://collectiveidea.com/blog/archives/2011/05/31/user-centric-routing-in-rails-3/