session[:current_user] = @user => BAD!

I’m sure most of you already would know this, or use restful authentication that handles it for you. However, if you have some custom setup where you are loading a user object, and then storing it in session, slap to you! Basically what I am talking about is doing this in your login method:

session[:current_user] = @user

Instead you should do:

session[:current_user] =

And then in your application controller, setup a before filter like so:

def set_current_user
  @current_user = User.find(session[:current_user])

One main reason not to do that would be if you had to update some user information. If you had it stored in session, then the user would have to log out and log back in for the changes to take effect. This is of course a basic rough draft, but you get the idea.

Rails Security – SQL Injection – Sanitize User Input!

Even though rails makes every effort to help with security in your apps, you should still be proactive about it. Don’t just assume that your data will be safe no matter how you code. Here is a prime example. You have a login form and you process the request like this:

user = User.find(:first, :conditions=>["login = '#{params[:login]}'"])

You just essentially told every hacker to kill your data by doing something like “‘; delete from users;–“, or even worse a database drop. The appropriate way would be like this:

user = User.find(:first, :conditions=>['login = ?', params[:login]])

Other things you want to make sure you do is to sanitize your views as well:

<%= h @model.value %>

Assume the worse and check all your user input to make sure they can’t do anything you don’t want them to and you will have a happy APP!

Capistrano, CVS, and connection refused issue

If you ever find yourself using CVS as your repository, and are trying to deploy your projects via capistrano, you may run into a connection refused issue. The easiest way I found a solution around this was to modify the capistrano file: “/capistrano-2.1.0/lib/capistrano/recipes/deploy/scm/cvs.rb”. This of course is in your ruby gems folder.I could have added just the change to my project, but I am lazy, and need this for multiple CVS project deploying from this machine. The change I made was on line 145, which I added the CVS_RSH=ssh line:

"export CVS_RSH=ssh && mkdir -p #{ dest } && cd #{ dest }"

Simple & Clean Rails Date/Time Format

Here is a quick, clean and easy way to get use from strftime on your date/time fields. Create a file called date_format.rb in the config/initializers directory and add the following code:

  :datetime_military => '%Y-%m-%d %H:%M',
  :datetime          => '%Y-%m-%d %I:%M%P',
  :time              => '%I:%M%P',
  :time_military     => '%H:%M%P',
  :datetime_short    => '%m/%d %I:%M'

Then in your views, you can do the following:

@object.time_field.to_s(:datetime)     # Or any other format you created

Rails TypeError (can’t dump File)

For a while, I kept getting exceptions from my app in the form of "TypeError (can't dump File):". I finally found out that this was caused when I was using active_record_store with something like file_column, attachment_fu, or paperclip. Basically whenever you’re storing a file in session, that was too large for the session, you would experience this issue. Here is how to get around it: Say you have a model like so (This is using file_column):

class Model < ActiveRecord::Base
  file_column :filename

Then in your controller you would want to add a line before you redirect off to clear that session:

class Controller < ApplicationController
  def create
    @model = Model.find(params[:model])!
    params[:model][:filename] = nil rescue nil # Reset value here
    redirect_to models_path(@model)

As you can see, I am resetting the filename value on the model. Now it shouldn’t complain that it can’t dump the file. Happy RAILSING!

How are website with Ruby on Rails built?

RobbDogg asked: I’ve gone throu the Sitepoint book “Build Your Own Ruby on Rails Web Applications” by Patrick Lenz, and have a good understanding of how web applications are built, but I don’t understand how an entire website is built using RoR. Is every page gernerated by one or more Ruby scripts or are their static HTML or RHTML pages that use a small amount of Ruby code to pull content from a database? I’m working on a site that uses PHP, but would like to convert it to RoR. Most of the pages use PHP to generate some content from infomation fetched from a database, and are fairly static except for the small part of the page that gets it content form the database. Would you use Ruby the same way you use PHP? Where would I put my website page files in the Ruby directory structure? under rails_root/public ?

Learn Ruby on Rails or Python?

someoneoutthereishere asked: I have some experience with C, and am looking to learn a language that can do some web based stuff. I’ve done a bit of Perl, but don’t really want to learn it. PHP is there also, but again, seems like it may be a bit outdated(?)I’ve heard a lot about Ruby on Rails, but from the description on their website it seems to mainly be used for database driven sites. Python is also popular and seems to be learnable (for my level of experience). My web host supports both, so I’m mostly just looking for a direction on which would be more useful to learn. The projects I would like to use it for would not be strictly database driven things (which as mentioned seem to be Ruby’s specialty), just general web things like um for example a simple calculator or form processor or things like that. Any suggestions, and if so, why? Thank you!

Rails Unit Test multi-array params

While writing some tests the other day, I came across a little bit of a stump. I have an action that required the use of a multi-dimensional param such as:


This is exactly what I was doing, but you get the picture. I could have easily changed it to a single array, but that not the point. The solution in this example, would be to nest your hash in the test such as:

def test_should_do_something
  post :create, :some_object=>{
  }, :user=>{ :name=>'Something' }

Full message for error_messages_for

I found this somewhere while looking around for the easiest way to provide my own full message for the rails error_messages_for output. Basically what we are going to do here is provide a humanized string for a variable of the model, and when the error message is printed out, it will display that message. This give more control instead of just having “Email is required.”

class Person < ActiveRecord::Base

    :name => "Please provide a name for this person.",
    :email => "You must specify an email address."

  def self.human_attribute_name(attr)
    HUMANIZED_ATTRIBUTES[attr.to_sym] || super

  validates_presence_of :name,  :message=>''
  validates_presence_of :email, :message=>''


Override default find conditions for model

Here is a little trick I use when I want to override a find method for a model, instead of adding the conditions option to my association. While I don’t think you should avoid using the conditions options in your associations, this will provide an alternative:

class ModelName < ActiveRecord::Base
  def self.find(*args)
    with_scope(:find=>{ :conditions=>LIMIT_CONDITION }) do

Basically what is happening, is that you are overriding the default find function for a model, and wrapping its own find method with a with_scope call. So now every time you call Model.find(:all) or whatever options you want, it will execute it under that scope, with the conditions you specify.