
Some console commands on Linux.

netstat -lpn | grep :8080

-- This is two commands joined by a pipe: netstat lists listening sockets (-l) with their owning process (-p) in numeric form (-n), and grep keeps only the line for port 8080. It is very handy when you are chasing down what is sitting on a port on a Linux server. Two caveats: netstat only shows the PID/program name for sockets you own unless you run it as root, and on newer distributions netstat is deprecated in favour of ss -lpn, which takes the same pipe.


mv <current_name> <new_name> or mv <source_path> <destination_path>

-- mv moves a file or directory to the path given as the second argument; if that path is just a new name in the same directory, it is effectively a rename. (I've been using Linux for three years and did not know that until now 🙂)


gem list | cut -d" " -f1 | xargs gem uninstall -aIx

-- This is not a generic console command, but it is very useful for Rails developers who want to reinstall Rails and all gems from scratch. It lists the installed gems, keeps the name column (cut on the first space), and feeds each name to gem uninstall with -a (all versions), -I (ignore dependency checks) and -x (remove executables without asking). It removes every gem installed for the current Ruby, including bundler and rake, so expect to reinstall those too; the "*** LOCAL GEMS ***" header line is also passed through and just produces a harmless "gem not found" error.


Understand Rails Authenticity Token!

What happens:
When the user views a form to create, update, or destroy a resource, the Rails app generates a random authenticity_token, stores it in the session, and places it in a hidden field in the form (form_for does this for you; the same token is exposed through csrf_meta_tags so Ajax requests can send it in the X-CSRF-Token header). When the user submits the form, Rails looks for the authenticity_token in the request, compares it to the one stored in the session, and only if they match is the request allowed to continue.

Why this happens:
The token is tied to the user's session and is only ever delivered inside pages served by the Rails app itself, so another site cannot get hold of it: the browser's same-origin policy stops service B's JavaScript from reading service A's pages. Imagine that you are using service A, you logged into the service and everything is ok. Now imagine that you went to use service B, saw a picture you liked, and clicked on it to view a larger size. If some evil code was there at service B, it could make your browser send a request to service A (which you are logged into) asking to delete your account. The browser attaches your service A session cookie automatically, so without a further check the request looks legitimate. This is what is known as CSRF (Cross-Site Request Forgery).

If service A checks authenticity tokens, this attack no longer works: the request triggered from service B cannot carry the correct token, so it is rejected.

Notes: Keep in mind that Rails only checks requests that are meant to change state: POST, PUT, and DELETE (and PATCH in Rails 4 and later). GET and HEAD requests are not checked. Why? Because the HTTP specification states that GET must be safe (it should NOT create, alter, or destroy resources on the server) and idempotent (repeating the same request has the same effect as making it once). A GET that does change state is therefore exactly what a CSRF attacker wants, and no token will protect it. Also note that in Rails 3 the default reaction to a failed check is not to raise but to reset the session, so the forged request runs as an anonymous user; if the action does not require a logged-in user that is no protection at all (Rails 4 generates new apps with protect_from_forgery with: :exception instead).

Lessons: Leave protect_from_forgery enabled in ApplicationController so the authenticity_token protects your POST, PUT, and DELETE requests, and never write a GET request that can modify resources on the server.
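The mechanism described above, as an added example in plain Ruby (not Rails' own RequestForgeryProtection code): a small CsrfGuard that mints a per-session token, renders the hidden field, skips the check for GET/HEAD, and compares the submitted token against the session in constant time. The scenarios in csrf_demo (own form, forged cross-site POST, a token copied from another session, an unchecked GET) are constructed here; the session is a plain Hash and the request is represented by its verb and params.

```ruby
require "securerandom"

# Stand-in for Rails' authenticity_token check (added illustration, not Rails code).
class CsrfGuard
  # Rails treats these verbs as safe and does not check them (OPTIONS/TRACE too).
  SAFE_METHODS = %w[GET HEAD].freeze

  # Issue the per-session token, minting it on first use.
  def self.token_for(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # What form_for emits: a hidden field carrying the session's token.
  def self.hidden_field(session)
    %(<input type="hidden" name="authenticity_token" value="#{token_for(session)}">)
  end

  # Decide whether a request may proceed. `method` is the HTTP verb and
  # `params` the submitted form fields; both are constructed by the caller.
  def self.verified?(session, method, params)
    return true if SAFE_METHODS.include?(method.upcase)

    submitted = params["authenticity_token"]
    expected  = session[:_csrf_token]
    return false if submitted.nil? || expected.nil?

    secure_compare(submitted, expected)
  end

  # Constant-time comparison so response timing does not leak the token byte by byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize

    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Walk through the scenario from the post with a constructed victim session.
def csrf_demo
  victim_session = {}
  hidden = CsrfGuard.hidden_field(victim_session)
  token  = hidden[/value="([^"]+)"/, 1]  # what the victim's own browser would submit

  {
    # the victim submits the real form: token matches the session
    own_form: CsrfGuard.verified?(victim_session, "DELETE", { "authenticity_token" => token }),
    # service B forges a DELETE: the cookie rides along, the token cannot
    cross_site: CsrfGuard.verified?(victim_session, "DELETE", {}),
    # a token stolen from some other session does not match this one
    other_session_token: CsrfGuard.verified?({ _csrf_token: SecureRandom.base64(32) }, "POST",
                                             { "authenticity_token" => token }),
    # GET is never checked, which is why a state-changing GET is unprotected
    get_unchecked: CsrfGuard.verified?(victim_session, "GET", {})
  }
end

puts csrf_demo.inspect if $PROGRAM_NAME == __FILE__
```

Real Rails goes further than this sketch: it also accepts the token from the X-CSRF-Token header for Ajax, and since Rails 4.2 it masks the token differently in every response so that it cannot be recovered through a compression side channel (BREACH).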


Using active record (database) for session information storage

If you are hitting the cookie size limit (about 4 KB per cookie) with the default cookie store, you can keep the session in the database instead. With this change the cookie holds only the session id; everything else goes into a "sessions" table, and Rails loads the row by that id on every request. A side benefit is that the session contents never leave the server, whereas the cookie store sends them to the browser signed but (before Rails 4.1) not encrypted.

First: run the following (it generates the migration for the sessions table)

rake db:sessions:create

Second: run the migration to create the table

rake db:migrate

Third: in config/initializers/session_store.rb set the store

MyApp::Application.config.session_store :active_record_store

That's all, folks. Two things to keep in mind: nothing expires rows in the sessions table, so schedule a cleanup of rows whose updated_at is old, and on Rails 4 and later the store has moved out of Rails into the activerecord-session_store gem.
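To make the trade-off concrete, here is an added plain-Ruby model of the two stores (not Rails' CookieStore or ActiveRecord::SessionStore code): the cookie store serializes the whole session into the cookie and fails past 4 KB, while the database-backed store hands the browser only a random id and keeps the serialized data in a table, which then needs sweeping. The sessions table is a Hash, the big cart is constructed, and the cookie-store stand-in omits the signature real Rails adds.

```ruby
require "securerandom"
require "base64"

COOKIE_LIMIT = 4096 # browsers reject a single cookie much larger than 4 KB

# Cookie store: the entire serialized session travels in the cookie,
# so it hits the size limit as soon as you put real data in it.
class CookieSessionStore
  def cookie_for(session_hash)
    payload = Base64.strict_encode64(Marshal.dump(session_hash))
    if payload.bytesize > COOKIE_LIMIT
      raise ArgumentError, "session is #{payload.bytesize} bytes, over the #{COOKIE_LIMIT}-byte cookie limit"
    end
    payload
  end
end

# ActiveRecord-style store: the cookie carries only an opaque session id;
# the data sits in a table row that is looked up by that id on every request.
class DbSessionStore
  Row = Struct.new(:session_id, :data, :updated_at)

  def initialize
    @table = {} # stand-in for the `sessions` table, keyed by session_id
  end

  def cookie_for(session_hash, now: Time.now)
    id = SecureRandom.hex(16) # 32 hex chars: the only thing the browser holds
    @table[id] = Row.new(id, Marshal.dump(session_hash), now)
    id
  end

  def load(cookie_value, now: Time.now)
    row = @table[cookie_value]
    return nil unless row # unknown or already swept id: start a fresh session
    row.updated_at = now  # every hit touches updated_at, which the sweep relies on
    Marshal.load(row.data)
  end

  def row_count
    @table.size
  end

  # Nothing deletes rows for you; sweep stale ones or the table grows without bound.
  def sweep(older_than:, now: Time.now)
    cutoff = now - older_than
    @table.delete_if { |_, row| row.updated_at < cutoff }
    row_count
  end
end

# Constructed session: a user id plus a cart far too big for a cookie.
def session_store_demo
  big_session = { user_id: 42, cart: Array.new(1000) { |i| "sku-#{i}" } }

  cookie_store_error =
    begin
      CookieSessionStore.new.cookie_for(big_session)
      nil
    rescue ArgumentError => e
      e.message
    end

  db = DbSessionStore.new
  t0 = Time.now
  id = db.cookie_for(big_session, now: t0)
  roundtrip = db.load(id, now: t0)

  {
    cookie_store_error: cookie_store_error,          # the 4 KB failure mode
    db_cookie_bytes: id.bytesize,                    # 32, whatever the session holds
    db_roundtrip_ok: roundtrip == big_session,
    rows_before_sweep: db.row_count,
    rows_after_sweep: db.sweep(older_than: 60, now: t0 + 3600) # an hour later, 60 s cutoff
  }
end

puts session_store_demo.inspect if $PROGRAM_NAME == __FILE__
```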



Gem error while trying to execute Rails commands

to_specs': Could not find rails (>= 0) amongst [] (Gem::LoadError) from /usr/local/lib/site_ruby/1.8/rubygems/dependency.rb:256:in

If you get an error like this while running "rails new [project_name]", the rails command is being executed by a Ruby whose RubyGems sees no installed gems at all (that is the "amongst []" part): two Ruby/RubyGems installations are conflicting on your machine and you need to get rid of one of them.

I had just started using rvm instead of a plain Ruby installation when this error appeared. As a solution I deleted the "site_ruby" folder in the ~/opt/local/lib path, and then everything worked fine.


What I learnt about Ruby and Rails today?

Difference between attr_accessor and attr_accessible:

attr_accessor is a Ruby method that defines a getter and a setter. attr_accessible is a Rails (ActiveRecord, Rails 2 and 3) method that declares which attributes may be set through mass assignment: new(attrs), create(attrs) or update_attributes(attrs).

Here's a mass assignment: Order.new({ :type => 'Corn', :quantity => 6 })

You can imagine that the order might also have a discount code, say :price_off. If you do not list :price_off in attr_accessible, a crafted request cannot do this: Order.new({ :type => 'Corn', :quantity => 6, :price_off => 30 })

Even if your form has no field for :price_off, every column of the model is mass-assignable by default, so a hand-crafted POST can still set it. attr_accessible whitelists the attributes that may be mass assigned; anything else is silently dropped and logged (or raises, with config.active_record.mass_assignment_sanitizer = :strict in Rails 3.2). In Rails 4 and later attr_accessible is gone and the same whitelisting is done in the controller with strong parameters, e.g. params.require(:order).permit(:type, :quantity).
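The vulnerable and hardened versions side by side, as an added plain-Ruby example (no ActiveRecord; these classes are stand-ins, not Rails' implementation of attr_accessible or strong parameters): UnsafeOrder turns every key in the request hash into a setter call, Order keeps a whitelist the way attr_accessible does, and the hypothetical permit helper shows the Rails 4 controller-side filtering. CRAFTED_POST is a constructed request body in which the attacker added the price_off field the form never had.

```ruby
# Before: every key in the request hash becomes a setter call, so a crafted
# POST can set attributes the form never exposed (here :price_off).
class UnsafeOrder
  attr_accessor :type, :quantity, :price_off

  def initialize(attrs = {})
    attrs.each { |k, v| public_send("#{k}=", v) }
  end
end

# After: the model keeps a whitelist, which is what attr_accessible does in
# Rails 2/3. Keys not on the list are dropped (Rails logs them; with
# mass_assignment_sanitizer = :strict it raises instead).
class Order
  ACCESSIBLE = %i[type quantity].freeze
  attr_accessor :type, :quantity, :price_off # price_off is settable, just not mass-assignable

  def initialize(attrs = {})
    attrs.each do |k, v|
      next unless ACCESSIBLE.include?(k.to_sym)
      public_send("#{k}=", v)
    end
  end
end

# Rails 4+ moved the whitelist to the controller (strong parameters).
# Hypothetical helper that keeps only the named keys, as permit would.
def permit(params, *allowed)
  params.select { |k, _| allowed.include?(k.to_sym) }
end

# Constructed request body: the form only had type and quantity,
# the attacker added price_off by hand.
CRAFTED_POST = { "type" => "Corn", "quantity" => 6, "price_off" => 30 }.freeze

def mass_assignment_demo
  {
    unsafe_price_off: UnsafeOrder.new(CRAFTED_POST).price_off,      # 30: discount applied
    whitelisted_price_off: Order.new(CRAFTED_POST).price_off,       # nil: key dropped
    permitted_keys: permit(CRAFTED_POST, :type, :quantity).keys     # price_off filtered out
  }
end

puts mass_assignment_demo.inspect if $PROGRAM_NAME == __FILE__
```

The two defences are not interchangeable in one respect: the model whitelist applies everywhere the model is built, while strong parameters only filter what the controller passes on, so a model constructed from some other untrusted hash (a job payload, an import) needs its own check.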