author: Pratik Naik <pratiknaik@gmail.com> 2009-01-19 02:17:38 +0000
committer: Pratik Naik <pratiknaik@gmail.com> 2009-01-19 02:17:38 +0000
commit: 1e550ccd0d5827bf7cf8de4c5b92938a9fabc96f (patch)
tree: faceebb2051af8829a0f3e9215b1107574275cbb /railties
parent: 0de89f815083886c8c98f91972cc717c6b42602f (diff)
Regen guides
Diffstat (limited to 'railties')
-rw-r--r--  railties/doc/guides/html/form_helpers.html | 308
-rw-r--r--  railties/doc/guides/html/security.html     |   2
2 files changed, 147 insertions, 163 deletions
diff --git a/railties/doc/guides/html/form_helpers.html b/railties/doc/guides/html/form_helpers.html
index 1054aa8ff5..6169574d35 100644
--- a/railties/doc/guides/html/form_helpers.html
+++ b/railties/doc/guides/html/form_helpers.html
@@ -31,35 +31,29 @@
<h2>Chapters</h2>
<ol>
<li>
- <a href="#_basic_forms">Basic forms</a>
+ <a href="#_dealing_with_basic_forms">Dealing With Basic Forms</a>
<ul>
<li><a href="#_generic_search_form">Generic search form</a></li>
<li><a href="#_multiple_hashes_in_form_helper_attributes">Multiple hashes in form helper attributes</a></li>
- <li><a href="#_checkboxes_radio_buttons_and_other_controls">Checkboxes, radio buttons and other controls</a></li>
-
- <li><a href="#_how_do_forms_with_put_or_delete_methods_work">How do forms with PUT or DELETE methods work?</a></li>
+ <li><a href="#_helpers_for_generating_form_elements">Helpers for generating form elements</a></li>
</ul>
</li>
<li>
- <a href="#_different_families_of_helpers">Different Families of helpers</a>
+ <a href="#_dealing_with_model_objects">Dealing With Model Objects</a>
<ul>
- <li><a href="#_barebones_helpers">Barebones helpers</a></li>
-
<li><a href="#_model_object_helpers">Model object helpers</a></li>
- </ul>
- </li>
- <li>
- <a href="#_forms_that_deal_with_model_attributes">Forms that deal with model attributes</a>
- <ul>
+ <li><a href="#_binding_a_form_to_an_object">Binding a form to an object</a></li>
<li><a href="#_relying_on_record_identification">Relying on record identification</a></li>
+ <li><a href="#_how_do_forms_with_put_or_delete_methods_work">How do forms with PUT or DELETE methods work?</a></li>
+
</ul>
</li>
<li>
@@ -77,10 +71,10 @@
</ul>
</li>
<li>
- <a href="#_date_and_time_select_boxes">Date and time select boxes</a>
+ <a href="#_using_date_and_time_form_helpers">Using Date and Time Form Helpers</a>
<ul>
- <li><a href="#_barebones_helpers_2">Barebones helpers</a></li>
+ <li><a href="#_barebones_helpers">Barebones helpers</a></li>
<li><a href="#_model_object_helpers_2">Model object helpers</a></li>
@@ -89,27 +83,13 @@
</ul>
</li>
<li>
- <a href="#_form_builders">Form builders</a>
- <ul>
-
- <li><a href="#_scoping_out_form_controls_with_tt_fields_for_tt">Scoping out form controls with <tt>fields_for</tt></a></li>
-
- </ul>
- </li>
- <li>
- <a href="#_file_uploads">File Uploads</a>
+ <a href="#_uploading_files">Uploading Files</a>
<ul>
<li><a href="#_what_gets_uploaded">What gets uploaded</a></li>
<li><a href="#_dealing_with_ajax">Dealing with Ajax</a></li>
- </ul>
- </li>
- <li>
- <a href="#_parameter_names">Parameter Names</a>
- <ul>
-
<li><a href="#_basic_structures">Basic structures</a></li>
<li><a href="#_combining_them">Combining them</a></li>
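Review bot: the "Parameter Names" entry disappears from the table of contents here, yet its two subsections ("Basic structures", "Combining them") are now nested under "Uploading Files"; confirm that the AsciiDoc source really folded that chapter into the file-upload chapter rather than this being a regeneration artefact, because the body text still links to `#parameter_names` (see the sentence ending "You can read more about them in the <a href="#parameter_names">parameter names</a> section") and that target needs to survive wherever the section ends up.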
@@ -119,7 +99,7 @@
</ul>
</li>
<li>
- <a href="#_complex_forms">Complex forms</a>
+ <a href="#_building_complex_forms">Building Complex forms</a>
</li>
<li>
<a href="#_changelog">Changelog</a>
@@ -165,7 +145,7 @@ Learn what makes a file upload form different;
</div>
</div>
</div>
-<h2 id="_basic_forms">1. Basic forms</h2>
+<h2 id="_dealing_with_basic_forms">1. Dealing With Basic Forms</h2>
<div class="sectionbody">
<div class="paragraph"><p>The most basic form helper is <tt>form_tag</tt>.</p></div>
<div class="listingblock">
@@ -196,7 +176,7 @@ Learn what makes a file upload form different;
</div>
<h3 id="_generic_search_form">1.1. Generic search form</h3>
<div class="paragraph"><p>Probably the most minimal form often seen on the web is a search form with a single text input for search terms. This form consists of:</p></div>
-<div class="olist"><ol>
+<div class="olist arabic"><ol class="arabic">
<li>
<p>
a form element with "GET" method,
@@ -294,7 +274,19 @@ a submit element.
<td class="content">Do not delimit the second hash without doing so with the first hash, otherwise your method invocation will result in an <tt>expecting tASSOC</tt> syntax error.</td>
</tr></table>
</div>
-<h3 id="_checkboxes_radio_buttons_and_other_controls">1.3. Checkboxes, radio buttons and other controls</h3>
+<h3 id="_helpers_for_generating_form_elements">1.3. Helpers for generating form elements</h3>
+<div class="paragraph"><p>Rails provides a series of helpers for generating form elements such as checkboxes, text fields, radio buttons and so. These basic helpers, with names ending in _tag such as <tt>text_field_tag</tt>, <tt>check_box_tag</tt> just generate a single <tt>&lt;input&gt;</tt> element. The first parameter to these is always the name of the input. This is the name under which value will appear in the <tt>params</tt> hash in the controller. For example if the form contains</p></div>
+<div class="listingblock">
+<div class="content">
+<pre><tt>&lt;%= text_field_tag(:query) %&gt;</tt></pre>
+</div></div>
+<div class="paragraph"><p>then the controller code should use</p></div>
+<div class="listingblock">
+<div class="content">
+<pre><tt>params[:query]</tt></pre>
+</div></div>
+<div class="paragraph"><p>to retrieve the value entered by the user. When naming inputs be aware that Rails uses certain conventions that control whether values appear at the top level of the params hash, inside an array or a nested hash and so on. You can read more about them in the <a href="#parameter_names">parameter names</a> section. For details on the precise usage of these helpers, please refer to the <a href="http://api.rubyonrails.org/classes/ActionView/Helpers/FormTagHelper.html">API documentation</a>.</p></div>
+<h4 id="_checkboxes">1.3.1. Checkboxes</h4>
<div class="paragraph"><p>Checkboxes are form controls that give the user a set of options they can enable or disable:</p></div>
<div class="listingblock">
<div class="content">
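Review bot: the new intro paragraph for 1.3 has a dangling "and so." (should be "and so on."), formats `_tag` outside `<tt>` while the helper names are inside it, and links to `#parameter_names` although every generated heading id in this file carries a leading underscore (`#_basic_structures`, `#_combining_them`); unless the source declares an explicit `[[parameter_names]]` anchor that link is dead, so either fix the href or add the anchor in the AsciiDoc source.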
@@ -310,6 +302,8 @@ output:
&lt;input id="pet_cat" name="pet_cat" type="checkbox" value="1" /&gt;
&lt;label for="pet_cat"&gt;I own a cat&lt;/label&gt;</tt></pre>
</div></div>
+<div class="paragraph"><p>The second parameter to <tt>check_box_tag</tt> is the value of the input. This is the value that will be submitted by the browser if the checkbox is ticked (i.e. the value that will be present in the params hash). With the above form you would check the value of <tt>params[:pet_dog]</tt> and <tt>params[:pet_cat]</tt> to see which pets the user owns.</p></div>
+<h4 id="_radio_buttons">1.3.2. Radio buttons</h4>
<div class="paragraph"><p>Radio buttons, while similar to checkboxes, are controls that specify a set of options in which they are mutually exclusive (user can only pick one):</p></div>
<div class="listingblock">
<div class="content">
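Review bot: the added sentence "you would check the value of <tt>params[:pet_dog]</tt> and <tt>params[:pet_cat]</tt>" should say what an unticked box looks like: browsers do not submit unchecked checkboxes at all, so the key is simply absent from `params` (nil), not "0" or false. Readers who write `params[:pet_dog] == "0"` or compare against a string will get the logic wrong; a one-line caveat here (and a pointer to the model-object `check_box` helper, which adds its own hidden field to work around this) is what a practitioner needs.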
@@ -325,6 +319,7 @@ output:
&lt;input id="age_adult" name="age" type="radio" value="adult" /&gt;
&lt;label for="age_adult"&gt;I'm over 21&lt;/label&gt;</tt></pre>
</div></div>
+<div class="paragraph"><p>As with <tt>check_box_tag</tt> the second parameter to <tt>radio_button_tag</tt> is the value of the input. Because these two radio buttons share the same name (age) the user will only be able to select one and <tt>params[:age]</tt> will contain either <tt>child</tt> or <tt>adult</tt>.</p></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
@@ -333,7 +328,8 @@ output:
<td class="content">Always use labels for each checkbox and radio button. They associate text with a specific option and provide a larger clickable region.</td>
</tr></table>
</div>
-<div class="paragraph"><p>Other form controls worth mentioning are the text area, password input and hidden input:</p></div>
+<h4 id="_other_helpers_of_interest">1.3.3. Other helpers of interest</h4>
+<div class="paragraph"><p>Other form controls worth mentioning are the text area, password input and hidden input:</p></div>
<div class="listingblock">
<div class="content">
<pre><tt>&lt;%= text_area_tag(:message, "Hi, nice site", :size =&gt; "24x6") %&gt;
@@ -346,7 +342,7 @@ output:
&lt;input id="password" name="password" type="password" /&gt;
&lt;input id="parent_id" name="parent_id" type="hidden" value="5" /&gt;</tt></pre>
</div></div>
-<div class="paragraph"><p>Hidden inputs are not shown to the user, but they hold data same as any textual input. Values inside them can be changed with JavaScript.</p></div>
+<div class="paragraph"><p>Hidden inputs are not shown to the user, but they hold data like any textual input. Values inside them can be changed with JavaScript.</p></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
@@ -355,42 +351,12 @@ output:
<td class="content">If you&#8217;re using password input fields (for any purpose), you might want to prevent their values showing up in application logs by activating <tt>filter_parameter_logging(:password)</tt> in your ApplicationController.</td>
</tr></table>
</div>
-<h3 id="_how_do_forms_with_put_or_delete_methods_work">1.4. How do forms with PUT or DELETE methods work?</h3>
-<div class="paragraph"><p>Rails framework encourages RESTful design of your applications, which means you&#8217;ll be making a lot of "PUT" and "DELETE" requests (besides "GET" and "POST"). Still, most browsers <em>don&#8217;t support</em> methods other than "GET" and "POST" when it comes to submitting forms. How does this work, then?</p></div>
-<div class="paragraph"><p>Rails works around this issue by emulating other methods over POST with a hidden input named <tt>"_method"</tt> that is set to reflect the desired method:</p></div>
-<div class="listingblock">
-<div class="content">
-<pre><tt>form_tag(search_path, :method =&gt; "put")
-
-output:
-
-&lt;form action="/search" method="post"&gt;
- &lt;div style="margin:0;padding:0"&gt;
- &lt;input name="_method" type="hidden" value="put" /&gt;
- &lt;input name="authenticity_token" type="hidden" value="f755bb0ed134b76c432144748a6d4b7a7ddf2b71" /&gt;
- &lt;/div&gt;
- ...</tt></pre>
-</div></div>
-<div class="paragraph"><p>When parsing POSTed data, Rails will take into account the special <tt>_method</tt> parameter and act as if the HTTP method was the one specified inside it ("PUT" in this example).</p></div>
</div>
-<h2 id="_different_families_of_helpers">2. Different Families of helpers</h2>
+<h2 id="_dealing_with_model_objects">2. Dealing With Model Objects</h2>
<div class="sectionbody">
-<div class="paragraph"><p>Most of Rails' form helpers are available in two forms.</p></div>
-<h3 id="_barebones_helpers">2.1. Barebones helpers</h3>
-<div class="paragraph"><p>These just generate the appropriate markup. These have names ending in _tag such as <tt>text_field_tag</tt>, <tt>check_box_tag</tt>. The first parameter to these is always the name of the input. This is the name under which value will appear in the <tt>params</tt> hash in the controller. For example if the form contains</p></div>
-<div class="listingblock">
-<div class="content">
-<pre><tt>&lt;%= text_field_tag(:query) %&gt;</tt></pre>
-</div></div>
-<div class="paragraph"><p>then the controller code should use</p></div>
-<div class="listingblock">
-<div class="content">
-<pre><tt>params[:query]</tt></pre>
-</div></div>
-<div class="paragraph"><p>to retrieve the value entered by the user. When naming inputs be aware that Rails uses certain conventions that control whether values appear at the top level of the params hash, inside an array or a nested hash and so on. You can read more about them in the <a href="#parameter_names">parameter names</a> section. For details on the precise usage of these helpers, please refer to the <a href="http://api.rubyonrails.org/classes/ActionView/Helpers/FormTagHelper.html">API documentation</a>.</p></div>
-<h3 id="_model_object_helpers">2.2. Model object helpers</h3>
-<div class="paragraph"><p>These are designed to work with a model object (commonly an Active Record object but this need not be the case). These lack the _tag suffix, for example <tt>text_field</tt>, <tt>text_area</tt>.</p></div>
-<div class="paragraph"><p>For these helpers the first arguement is the name of an instance variable and the second is the name a method (usually an attribute) to call on that object. Rails will set the value of the input control to the return value of that method for the object and set an appropriate input name. If your controller has defined <tt>@person</tt> and that person&#8217;s name is Henry then a form containing:</p></div>
+<h3 id="_model_object_helpers">2.1. Model object helpers</h3>
+<div class="paragraph"><p>A particularly common task for a form is editing or creating a model object. While the <tt>*_tag</tt> helpers could certainly be used for this task they are somewhat verbose as for each tag you would have to ensure the correct parameter name is used and set the default value of the input appropriately. Rails provides helpers tailored to this task. These helpers lack the _tag suffix, for example <tt>text_field</tt>, <tt>text_area</tt>.</p></div>
+<div class="paragraph"><p>For these helpers the first argument is the name of an instance variable and the second is the name of a method (usually an attribute) to call on that object. Rails will set the value of the input control to the return value of that method for the object and set an appropriate input name. If your controller has defined <tt>@person</tt> and that person&#8217;s name is Henry then a form containing:</p></div>
<div class="listingblock">
<div class="content">
<pre><tt>&lt;%= text_field(:person, :name) %&gt;</tt></pre>
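Review bot: the relocated 2.1 intro is a run-on ("they are somewhat verbose as for each tag you would have to ensure the correct parameter name is used and set the default value of the input appropriately"); split it after "verbose" and, as in the previous note, put `_tag` inside `<tt>` so it matches `<tt>text_field</tt>`, `<tt>text_area</tt>` on the same line. The "arguement" to "argument" fix in the following paragraph is good.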
@@ -411,10 +377,10 @@ output:
</td>
</tr></table>
</div>
-</div>
-<h2 id="_forms_that_deal_with_model_attributes">3. Forms that deal with model attributes</h2>
-<div class="sectionbody">
-<div class="paragraph"><p>While the helpers seen so far are handy Rails can save you some work. For example typically a form is used to edit multiple attributes of a single object, so having to repeat the name of the object being edited is clumsy. The following examples will handle an Article model. First, have the controller create one:</p></div>
+<div class="paragraph"><p>Rails provides helpers for displaying the validation errors associated with a model object. These are covered in detail by the <a href="./activerecord_validations_callbacks.html#_using_the_tt_errors_tt_collection_in_your_view_templates">Active Record Validations and Callbacks</a> guide.</p></div>
+<h3 id="_binding_a_form_to_an_object">2.2. Binding a form to an object</h3>
+<div class="paragraph"><p>While this is an increase in comfort it is far from perfect. If Person has many attributes to edit then we would be repeating the name of the edited object many times. What we want to do is somehow bind a form to a model object which is exactly what <tt>form_for</tt> does.</p></div>
+<div class="paragraph"><p>Assume we have a controller for dealing with articles:</p></div>
<div class="listingblock">
<div class="title">articles_controller.rb</div>
<div class="content">
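Review bot: "While this is an increase in comfort it is far from perfect." now opens section 2.2 immediately after the paragraph about validation-error helpers, so "this" no longer has a clear referent. Suggest naming it: "While the model object helpers are more convenient than the <tt>*_tag</tt> helpers, they are far from perfect." The `./activerecord_validations_callbacks.html#...` link uses the same `./` relative form as the routing-guide link fixed further down, which is consistent.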
@@ -422,7 +388,7 @@ output:
@article = Article.new
end</tt></pre>
</div></div>
-<div class="paragraph"><p>Now switch to the view. The first thing to remember is to use the <tt>form_for</tt> helper instead of <tt>form_tag</tt>, and that you should pass the model name and object as arguments:</p></div>
+<div class="paragraph"><p>The corresponding view using <tt>form_for</tt> looks like this</p></div>
<div class="listingblock">
<div class="title">articles/new.html.erb</div>
<div class="content">
@@ -433,10 +399,10 @@ end</tt></pre>
&lt;% end %&gt;</tt></pre>
</div></div>
<div class="paragraph"><p>There are a few things to note here:</p></div>
-<div class="olist"><ol>
+<div class="olist arabic"><ol class="arabic">
<li>
<p>
-<tt>:article</tt> is the name of the model and <tt>@article</tt> is the record.
+<tt>:article</tt> is the name of the model and <tt>@article</tt> is the actual object being edited.
</p>
</li>
<li>
@@ -446,7 +412,7 @@ There is a single hash of options. Routing options are passed inside <tt>:url</t
</li>
<li>
<p>
-The <tt>form_for</tt> method yields <strong>a form builder</strong> object (the <tt>f</tt> variable).
+The <tt>form_for</tt> method yields a <strong>form builder</strong> object (the <tt>f</tt> variable).
</p>
</li>
<li>
@@ -466,8 +432,27 @@ Methods to create form controls are called <strong>on</strong> the form builder
</div></div>
<div class="paragraph"><p>The name passed to <tt>form_for</tt> controls where in the params hash the form values will appear. Here the name is <tt>article</tt> and so all the inputs have names of the form <tt>article[attribute_name]</tt>. Accordingly, in the <tt>create</tt> action <tt>params[:article]</tt> will be a hash with keys <tt>:title</tt> and <tt>:body</tt>. You can read more about the significance of input names in the <a href="#parameter_names">parameter names</a> section.</p></div>
<div class="paragraph"><p>The helper methods called on the form builder are identical to the model object helpers except that it is not necessary to specify which object is being edited since this is already managed by the form builder.</p></div>
-<h3 id="_relying_on_record_identification">3.1. Relying on record identification</h3>
-<div class="paragraph"><p>In the previous chapter you handled the Article model. This model is directly available to users of our application, so&#8201;&#8212;&#8201;following the best practices for developing with Rails&#8201;&#8212;&#8201;you should declare it <strong>a resource</strong>.</p></div>
+<div class="paragraph"><p>You can create a similar binding without actually creating <tt>&lt;form&gt;</tt> tags with the <tt>fields_for</tt> helper. This is useful for editing additional model objects with the same form. For example if you had a Person model with an associated ContactDetail model you could create a form for editing both like so:</p></div>
+<div class="listingblock">
+<div class="content">
+<pre><tt>&lt;% form_for @person do |person_form| %&gt;
+ &lt;%= person_form.text_field :name %&gt;
+ &lt;% fields_for @person.contact_detail do |contact_details_form| %&gt;
+ &lt;%= contact_details_form.text_field :phone_number %&gt;
+ &lt;% end %&gt;
+&lt;% end %&gt;</tt></pre>
+</div></div>
+<div class="paragraph"><p>which produces the following output:</p></div>
+<div class="listingblock">
+<div class="content">
+<pre><tt>&lt;form action="/people/1" class="edit_person" id="edit_person_1" method="post"&gt;
+ &lt;input id="person_name" name="person[name]" size="30" type="text" /&gt;
+ &lt;input id="contact_detail_phone_number" name="contact_detail[phone_number]" size="30" type="text" /&gt;
+&lt;/form&gt;</tt></pre>
+</div></div>
+<div class="paragraph"><p>The object yielded by <tt>fields_for</tt> is a form builder like the one yielded by <tt>form_for</tt> (in fact <tt>form_for</tt> calls <tt>fields_for</tt> internally).</p></div>
+<h3 id="_relying_on_record_identification">2.3. Relying on record identification</h3>
+<div class="paragraph"><p>The Article model is directly available to users of our application, so&#8201;&#8212;&#8201;following the best practices for developing with Rails&#8201;&#8212;&#8201;you should declare it <strong>a resource</strong>.</p></div>
<div class="paragraph"><p>When dealing with RESTful resources, calls to <tt>form_for</tt> can get significantly easier if you rely on <strong>record identification</strong>. In short, you can just pass the model instance and have Rails figure out model name and the rest:</p></div>
<div class="listingblock">
<div class="content">
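Review bot: the rendered output for the `fields_for` example (`<form action="/people/1" class="edit_person" id="edit_person_1" method="post">` followed directly by the two text inputs) omits the hidden `_method` and `authenticity_token` inputs that section 2.4 says `form_for` emits for a persisted record. Either show them, or elide them with `...` as the `form_tag(search_path, :method => "put")` example does, so a reader does not conclude that an edit form for an existing record is a plain POST with no CSRF token.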
@@ -493,7 +478,7 @@ form_for(@article)</tt></pre>
<td class="content">When you&#8217;re using STI (single-table inheritance) with your models, you can&#8217;t rely on record identification on a subclass if only their parent class is declared a resource. You will have to specify the model name, <tt>:url</tt> and <tt>:method</tt> explicitly.</td>
</tr></table>
</div>
-<h4 id="_dealing_with_namespaces">3.1.1. Dealing with namespaces</h4>
+<h4 id="_dealing_with_namespaces">2.3.1. Dealing with namespaces</h4>
<div class="paragraph"><p>If you have created namespaced routes <tt>form_for</tt> has a nifty shorthand for that too. If your application has an admin namespace then</p></div>
<div class="listingblock">
<div class="content">
@@ -504,12 +489,29 @@ form_for(@article)</tt></pre>
<div class="content">
<pre><tt>form_for [:admin, :management, @article]</tt></pre>
</div></div>
-<div class="paragraph"><p>For more information on Rails' routing system and the associated conventions, please see the <a href="../routing_outside_in.html">routing guide</a>.</p></div>
+<div class="paragraph"><p>For more information on Rails' routing system and the associated conventions, please see the <a href="./routing_outside_in.html">routing guide</a>.</p></div>
+<h3 id="_how_do_forms_with_put_or_delete_methods_work">2.4. How do forms with PUT or DELETE methods work?</h3>
+<div class="paragraph"><p>Rails framework encourages RESTful design of your applications, which means you&#8217;ll be making a lot of "PUT" and "DELETE" requests (besides "GET" and "POST"). Still, most browsers <em>don&#8217;t support</em> methods other than "GET" and "POST" when it comes to submitting forms. How does this work, then?</p></div>
+<div class="paragraph"><p>Rails works around this issue by emulating other methods over POST with a hidden input named <tt>"_method"</tt> that is set to reflect the desired method:</p></div>
+<div class="listingblock">
+<div class="content">
+<pre><tt>form_tag(search_path, :method =&gt; "put")
+
+output:
+
+&lt;form action="/search" method="post"&gt;
+ &lt;div style="margin:0;padding:0"&gt;
+ &lt;input name="_method" type="hidden" value="put" /&gt;
+ &lt;input name="authenticity_token" type="hidden" value="f755bb0ed134b76c432144748a6d4b7a7ddf2b71" /&gt;
+ &lt;/div&gt;
+ ...</tt></pre>
+</div></div>
+<div class="paragraph"><p>When parsing POSTed data, Rails will take into account the special <tt>_method</tt> parameter and act as if the HTTP method was the one specified inside it ("PUT" in this example).</p></div>
</div>
-<h2 id="_making_select_boxes_with_ease">4. Making select boxes with ease</h2>
+<h2 id="_making_select_boxes_with_ease">3. Making select boxes with ease</h2>
<div class="sectionbody">
-<div class="paragraph"><p>Select boxes in HTML require a significant amount of markup (one <tt>OPTION</tt> element for each option to choose from), therefore it makes the most sense for them to be dynamically generated from data stored in arrays or hashes.</p></div>
-<div class="paragraph"><p>Here is what our wanted markup might look like:</p></div>
+<div class="paragraph"><p>Select boxes in HTML require a significant amount of markup (one <tt>OPTION</tt> element for each option to choose from), therefore it makes the most sense for them to be dynamically generated.</p></div>
+<div class="paragraph"><p>Here is what the markup might look like:</p></div>
<div class="listingblock">
<div class="content">
<pre><tt>&lt;select name="city_id" id="city_id"&gt;
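Review bot: the moved PUT/DELETE section says Rails will "act as if the HTTP method was the one specified", but this is the CSRF-relevant part of the guide and it should state the condition under which the `_method` override is honoured (whether it applies only to a POST body or also to a `_method` in a GET query string), since that determines whether a link can ever masquerade as a PUT or DELETE. Two smaller points: the example uses `search_path` with `:method => "put"`, which is an odd resource to update, so a resource path such as the article used elsewhere in this chapter would read better; and the literal `authenticity_token` value should be marked as a sample so nobody copies it.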
@@ -519,8 +521,8 @@ form_for(@article)</tt></pre>
&lt;option value="12"&gt;Berlin&lt;/option&gt;
&lt;/select&gt;</tt></pre>
</div></div>
-<div class="paragraph"><p>Here you have a list of cities where their names are presented to the user, but internally the application only wants to handle their IDs so they are used as the options' value attributes. Let&#8217;s see how Rails can help out here.</p></div>
-<h3 id="_the_select_tag_and_options">4.1. The select tag and options</h3>
+<div class="paragraph"><p>Here you have a list of cities whose names are presented to the user. Internally the application only wants to handle their IDs so they are used as the options' value attribute. Let&#8217;s see how Rails can help out here.</p></div>
+<h3 id="_the_select_tag_and_options">3.1. The select tag and options</h3>
<div class="paragraph"><p>The most generic helper is <tt>select_tag</tt>, which&#8201;&#8212;&#8201;as the name implies&#8201;&#8212;&#8201;simply generates the <tt>SELECT</tt> tag that encapsulates an options string:</p></div>
<div class="listingblock">
<div class="content">
@@ -565,7 +567,7 @@ output:
</td>
</tr></table>
</div>
-<h3 id="_select_boxes_for_dealing_with_models">4.2. Select boxes for dealing with models</h3>
+<h3 id="_select_boxes_for_dealing_with_models">3.2. Select boxes for dealing with models</h3>
<div class="paragraph"><p>Until now you&#8217;ve seen how to make generic select boxes, but in most cases our form controls will be tied to a specific database model. So, to continue from our previous examples, let&#8217;s assume that you have a "Person" model with a <tt>city_id</tt> attribute.</p></div>
<div class="paragraph"><p>Consistent with other form helpers, when dealing with models you drop the <tt>_tag</tt> suffix from <tt>select_tag</tt>.</p></div>
<div class="listingblock">
@@ -598,7 +600,7 @@ output:
</td>
</tr></table>
</div>
-<h3 id="_option_tags_from_a_collection_of_arbitrary_objects">4.3. Option tags from a collection of arbitrary objects</h3>
+<h3 id="_option_tags_from_a_collection_of_arbitrary_objects">3.3. Option tags from a collection of arbitrary objects</h3>
<div class="paragraph"><p>Until now you were generating option tags from nested arrays with the help of <tt>options_for_select</tt> method. Data in our array were raw values:</p></div>
<div class="listingblock">
<div class="content">
@@ -621,19 +623,19 @@ output:
<pre><tt>&lt;%= collection_select(:person, :city_id, City.all, :id, :name) %&gt;</tt></pre>
</div></div>
<div class="paragraph"><p>To recap, <tt>options_from_collection_for_select</tt> is to <tt>collection_select</tt> what <tt>options_for_select</tt> is to <tt>select</tt>.</p></div>
-<h3 id="_time_zone_and_country_select">4.4. Time zone and country select</h3>
+<h3 id="_time_zone_and_country_select">3.4. Time zone and country select</h3>
<div class="paragraph"><p>To leverage time zone support in Rails, you have to ask our users what time zone they are in. Doing so would require generating select options from a list of pre-defined TimeZone objects using <tt>collection_select</tt>, but you can simply use the <tt>time_zone_select</tt> helper that already wraps this:</p></div>
<div class="listingblock">
<div class="content">
<pre><tt>&lt;%= time_zone_select(:person, :city_id) %&gt;</tt></pre>
</div></div>
<div class="paragraph"><p>There is also <tt>time_zone_options_for_select</tt> helper for a more manual (therefore more customizable) way of doing this. Read the API documentation to learn about the possible arguments for these two methods.</p></div>
-<div class="paragraph"><p>Rails <em>used</em> to have a <tt>country_select</tt> helper for choosing countries but this has been extracted to the <a href="http://github.com/rails/country_select/tree/master">country_select plugin</a>. When using this do be aware that the exclusion or inclusion of certain names from the list can be somewhat controversial (and was the reason this functionality was extracted from rails)</p></div>
+<div class="paragraph"><p>Rails <em>used</em> to have a <tt>country_select</tt> helper for choosing countries but this has been extracted to the <a href="http://github.com/rails/country_select/tree/master">country_select plugin</a>. When using this do be aware that the exclusion or inclusion of certain names from the list can be somewhat controversial (and was the reason this functionality was extracted from rails).</p></div>
</div>
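Review bot: only the trailing period is added here, but the surrounding context still reads `time_zone_select(:person, :city_id)`, a copy-paste from the city select above; a time zone attribute (e.g. `:time_zone`) is what this helper is meant to bind to. The same paragraph mixes "you have to ask our users" with the second person used everywhere else.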
-<h2 id="_date_and_time_select_boxes">5. Date and time select boxes</h2>
+<h2 id="_using_date_and_time_form_helpers">4. Using Date and Time Form Helpers</h2>
<div class="sectionbody">
<div class="paragraph"><p>The date and time helpers differ from all the other form helpers in two important respects:</p></div>
-<div class="olist"><ol>
+<div class="olist arabic"><ol class="arabic">
<li>
<p>
Unlike other attributes you might typically have, dates and times are not representable by a single input element. Instead you have several, one for each component (year, month, day etc...). So in particular, there is no single value in your params hash with your date or time.
@@ -646,7 +648,7 @@ Other helpers use the _tag suffix to indicate whether a helper is a barebones he
</li>
</ol></div>
<div class="paragraph"><p>Both of these families of helpers will create a series of select boxes for the different components (year, month, day etc...).</p></div>
-<h3 id="_barebones_helpers_2">5.1. Barebones helpers</h3>
+<h3 id="_barebones_helpers">4.1. Barebones helpers</h3>
<div class="paragraph"><p>The <tt>select_*</tt> family of helpers take as their first argument an instance of Date, Time or DateTime that is used as the currently selected value. You may omit this parameter, in which case the current date is used. For example</p></div>
<div class="listingblock">
<div class="content">
@@ -665,7 +667,7 @@ Other helpers use the _tag suffix to indicate whether a helper is a barebones he
<pre><tt>Date::civil(params[:start_date][:year].to_i, params[:start_date][:month].to_i, params[:start_date][:day].to_i)</tt></pre>
</div></div>
<div class="paragraph"><p>The :prefix option controls where in the params hash the date components will be placed. Here it was set to <tt>start_date</tt>, if omitted it will default to <tt>date</tt>.</p></div>
-<h3 id="_model_object_helpers_2">5.2. Model object helpers</h3>
+<h3 id="_model_object_helpers_2">4.2. Model object helpers</h3>
<div class="paragraph"><p><tt>select_date</tt> does not work well with forms that update or create Active Record objects as Active Record expects each element of the params hash to correspond to one attribute.
The model object helpers for dates and times submit parameters with special names. When Active Record sees parameters with such names it knows they must be combined with the other parameters and given to a constructor appropriate to the column type. For example</p></div>
<div class="listingblock">
@@ -685,7 +687,7 @@ The model object helpers for dates and times submit parameters with special name
<pre><tt>{:person =&gt; {'birth_date(1i)' =&gt; '2008', 'birth_date(2i)' =&gt; '11', 'birth_date(3i)' =&gt; '22'}}</tt></pre>
</div></div>
<div class="paragraph"><p>When this is passed to <tt>Person.new</tt>, Active Record spots that these parameters should all be used to construct the <tt>birth_date</tt> attribute and uses the suffixed information to determine in which order it should pass these parameters to functions such as <tt>Date::civil</tt>.</p></div>
-<h3 id="_common_options">5.3. Common options</h3>
+<h3 id="_common_options">4.3. Common options</h3>
<div class="paragraph"><p>Both families of helpers use the same core set of functions to generate the individual select tags and so both accept largely the same options. In particular, by default Rails will generate year options 5 years either side of the current year. If this is not an appropriate range, the <tt>:start_year</tt> and <tt>:end_year</tt> options override this. For an exhaustive list of the available options, refer to the <a href="http://api.rubyonrails.org/classes/ActionView/Helpers/DateHelper.html">API documentation</a>.</p></div>
<div class="paragraph"><p>As a rule of thumb you should be using <tt>date_select</tt> when working with model objects and <tt>select_date</tt> in others cases, such as a search form which filters results by date.</p></div>
<div class="admonitionblock">
@@ -697,61 +699,7 @@ The model object helpers for dates and times submit parameters with special name
</tr></table>
</div>
</div>
-<h2 id="_form_builders">6. Form builders</h2>
-<div class="sectionbody">
-<div class="paragraph"><p>As mentioned previously the object yielded by <tt>form_for</tt> and <tt>fields_for</tt> is an instance of FormBuilder (or a subclass thereof). Form builders encapsulate the notion of displaying a form elements for a single object. While you can of course write helpers for your forms in the usual way you can also subclass FormBuilder and add the helpers there. For example</p></div>
-<div class="listingblock">
-<div class="content">
-<pre><tt>&lt;% form_for @person do |f| %&gt;
- &lt;%= text_field_with_label f, :first_name %&gt;
-&lt;% end %&gt;</tt></pre>
-</div></div>
-<div class="paragraph"><p>can be replaced with</p></div>
-<div class="listingblock">
-<div class="content">
-<pre><tt>&lt;% form_for @person, :builder =&gt; LabellingFormBuilder do |f| %&gt;
- &lt;%= f.text_field :first_name %&gt;
-&lt;% end %&gt;</tt></pre>
-</div></div>
-<div class="paragraph"><p>by defining a LabellingFormBuilder class similar to the following:</p></div>
-<div class="listingblock">
-<div class="content"><!-- Generator: GNU source-highlight 2.9
-by Lorenzo Bettini
-http://www.lorenzobettini.it
-http://www.gnu.org/software/src-highlite -->
-<pre><tt><span style="font-weight: bold"><span style="color: #0000FF">class</span></span> LabellingFormBuilder <span style="color: #990000">&lt;</span> FormBuilder
- <span style="font-weight: bold"><span style="color: #0000FF">def</span></span> text_field attribute<span style="color: #990000">,</span> options<span style="color: #990000">=</span><span style="color: #FF0000">{}</span>
- label<span style="color: #990000">(</span>attribute<span style="color: #990000">)</span> <span style="color: #990000">+</span> text_field<span style="color: #990000">(</span>attribute<span style="color: #990000">,</span> options<span style="color: #990000">)</span>
- <span style="font-weight: bold"><span style="color: #0000FF">end</span></span>
-<span style="font-weight: bold"><span style="color: #0000FF">end</span></span></tt></pre></div></div>
-<div class="paragraph"><p>If you reuse this frequently you could define a <tt>labeled_form_for</tt> helper that automatically applies the <tt>:builder =&gt; LabellingFormBuilder</tt> option.</p></div>
-<div class="paragraph"><p>The form builder used also determines what happens when you do</p></div>
-<div class="listingblock">
-<div class="content">
-<pre><tt>&lt;%= render :partial =&gt; f %&gt;</tt></pre>
-</div></div>
-<div class="paragraph"><p>If <tt>f</tt> is an instance of FormBuilder then this will render the <em>form</em> partial, setting the partial&#8217;s object to the form builder. If the form builder is of class LabellingFormBuilder then the <em>labelling_form</em> partial would be rendered instead.</p></div>
-<h3 id="_scoping_out_form_controls_with_tt_fields_for_tt">6.1. Scoping out form controls with <tt>fields_for</tt></h3>
-<div class="paragraph"><p><tt>fields_for</tt> creates a form builder in exactly the same way as <tt>form_for</tt> but doesn&#8217;t create the actual <tt>&lt;form&gt;</tt> tags. It creates a scope around a specific model object like <tt>form_for</tt>, which is useful for specifying additional model objects in the same form. For example if you had a Person model with an associated ContactDetail model you could create a form for editing both like so:</p></div>
-<div class="listingblock">
-<div class="content">
-<pre><tt>&lt;% form_for @person do |person_form| %&gt;
- &lt;%= person_form.text_field :name %&gt;
- &lt;% fields_for @person.contact_detail do |contact_details_form| %&gt;
- &lt;%= contact_details_form.text_field :phone_number %&gt;
- &lt;% end %&gt;
-&lt;% end %&gt;</tt></pre>
-</div></div>
-<div class="paragraph"><p>which produces the following output:</p></div>
-<div class="listingblock">
-<div class="content">
-<pre><tt>&lt;form action="/people/1" class="edit_person" id="edit_person_1" method="post"&gt;
- &lt;input id="person_name" name="person[name]" size="30" type="text" /&gt;
- &lt;input id="contact_detail_phone_number" name="contact_detail[phone_number]" size="30" type="text" /&gt;
-&lt;/form&gt;</tt></pre>
-</div></div>
-</div>
-<h2 id="_file_uploads">7. File Uploads</h2>
+<h2 id="_uploading_files">5. Uploading Files</h2>
<div class="sectionbody">
<div class="paragraph"><p>A common task is uploading some sort of file, whether it&#8217;s a picture of a person or a CSV file containing data to process. The most important thing to remember with file uploads is that the form&#8217;s encoding <strong>MUST</strong> be set to multipart/form-data. If you forget to do this the file will not be uploaded. This can be done by passing <tt>:multi_part =&gt; true</tt> as an HTML option. This means that in the case of <tt>form_tag</tt> it must be passed in the second options hash and in the case of <tt>form_for</tt> inside the <tt>:html</tt> hash.</p></div>
<div class="paragraph"><p>The following two forms both upload a file.</p></div>
@@ -766,7 +714,7 @@ http://www.gnu.org/software/src-highlite -->
&lt;% end %&gt;</tt></pre>
</div></div>
<div class="paragraph"><p>Rails provides the usual pair of helpers: the barebones <tt>file_field_tag</tt> and the model oriented <tt>file_field</tt>. The only difference with other helpers is that you cannot set a default value for file inputs as this would have no meaning. As you would expect in the first case the uploaded file is in <tt>params[:picture]</tt> and in the second case in <tt>params[:person][:picture]</tt>.</p></div>
-<h3 id="_what_gets_uploaded">7.1. What gets uploaded</h3>
+<h3 id="_what_gets_uploaded">5.1. What gets uploaded</h3>
<div class="paragraph"><p>The object in the params hash is an instance of a subclass of IO. Depending on the size of the uploaded file it may in fact be a StringIO or an instance of File backed by a temporary file. In both cases the object will have an <tt>original_filename</tt> attribute containing the name the file had on the user&#8217;s computer and a <tt>content_type</tt> attribute containing the MIME type of the uploaded file. The following snippet saves the uploaded content in <tt>#{RAILS_ROOT}/public/uploads</tt> under the same name as the original file (assuming the form was the one in the previous example).</p></div>
<div class="listingblock">
<div class="content"><!-- Generator: GNU source-highlight 2.9
@@ -788,14 +736,50 @@ http://www.gnu.org/software/src-highlite -->
<td class="content">If the user has not selected a file the corresponding parameter will be an empty string.</td>
</tr></table>
</div>
-<h3 id="_dealing_with_ajax">7.2. Dealing with Ajax</h3>
+<h3 id="_dealing_with_ajax">5.2. Dealing with Ajax</h3>
<div class="paragraph"><p>Unlike other forms making an asynchronous file upload form is not as simple as replacing <tt>form_for</tt> with <tt>remote_form_for</tt>. With an AJAX form the serialization is done by javascript running inside the browser and since javascript cannot read files from your hard drive the file cannot be uploaded. The most common workaround is to use an invisible iframe that serves as the target for the form submission.</p></div>
-</div>
-<h2 id="_parameter_names">8. Parameter Names</h2>
-<div class="sectionbody">
-<div class="paragraph" id="parameter_names"><p>As you&#8217;ve seen in the previous sections values from forms can appear either at the top level of the params hash or may appear nested in another hash. For example in a standard create
+<div class="paragraph"><p>Customising Form Builders</p></div>
+<div class="listingblock">
+<div class="content">
+<pre><tt>As mentioned previously the object yielded by `form_for` and `fields_for` is an instance of FormBuilder (or a subclass thereof). Form builders encapsulate the notion of displaying a form elements for a single object. While you can of course write helpers for your forms in the usual way you can also subclass FormBuilder and add the helpers there. For example</tt></pre>
+</div></div>
+<div class="paragraph"><p>&lt;% form_for @person do |f| %&gt;
+ &lt;%= text_field_with_label f, :first_name %&gt;
+&lt;% end %&gt;</p></div>
+<div class="listingblock">
+<div class="content">
+<pre><tt>can be replaced with</tt></pre>
+</div></div>
+<div class="paragraph"><p>&lt;% form_for @person, :builder =&gt; LabellingFormBuilder do |f| %&gt;
+ &lt;%= f.text_field :first_name %&gt;
+&lt;% end %&gt;</p></div>
+<div class="listingblock">
+<div class="content">
+<pre><tt>by defining a LabellingFormBuilder class similar to the following:
+
+[source, ruby]</tt></pre>
+</div></div>
+<div class="paragraph"><p>class LabellingFormBuilder &lt; FormBuilder
+ def text_field attribute, options={}
+ label(attribute) + text_field(attribute, options)
+ end
+end</p></div>
+<div class="listingblock">
+<div class="content">
+<pre><tt>If you reuse this frequently you could define a `labeled_form_for` helper that automatically applies the `:builder =&gt; LabellingFormBuilder` option.
+
+The form builder used also determines what happens when you do</tt></pre>
+</div></div>
+<div class="paragraph"><p>&lt;%= render :partial =&gt; f %&gt;</p></div>
+<div class="listingblock">
+<div class="content">
+<pre><tt>If `f` is an instance of FormBuilder then this will render the 'form' partial, setting the partial's object to the form builder. If the form builder is of class LabellingFormBuilder then the 'labelling_form' partial would be rendered instead.
+
+Understanding Parameter Naming Conventions</tt></pre>
+</div></div>
+<div class="paragraph" id="parameter_names"><p>As you&#8217;ve seen in the previous sections, values from forms can appear either at the top level of the params hash or may appear nested in another hash. For example in a standard create
action for a Person model, <tt>params[:model]</tt> would usually be a hash of all the attributes for the person to create. The params hash can also contain arrays, arrays of hashes and so on.</p></div>
-<div class="paragraph"><p>Fundamentally HTML forms don&#8217;t know about any sort of structured data. All they know about is name-value pairs. Rails tacks some conventions onto parameter names which it uses to express some structure.</p></div>
+<div class="paragraph"><p>Fundamentally HTML forms don&#8217;t know about any sort of structured data, all they generate is name-value pairs. The arrays and hashes you see in your application are the result of some parameter naming conventions that Rails uses.</p></div>
<div class="admonitionblock">
<table><tr>
<td class="icon">
@@ -811,7 +795,7 @@ action for a Person model, <tt>params[:model]</tt> would usually be a hash of al
</td>
</tr></table>
</div>
-<h3 id="_basic_structures">8.1. Basic structures</h3>
+<h3 id="_basic_structures">5.3. Basic structures</h3>
<div class="paragraph"><p>The two basic structures are arrays and hashes. Hashes mirror the syntax used for accessing the value in the params. For example if a form contains</p></div>
<div class="listingblock">
<div class="content">
@@ -845,7 +829,7 @@ http://www.gnu.org/software/src-highlite -->
&lt;input name="person[phone_number][]" type="text"/&gt;</tt></pre>
</div></div>
<div class="paragraph"><p>This would result in <tt>params[:person][:phone_number]</tt> being an array.</p></div>
-<h3 id="_combining_them">8.2. Combining them</h3>
+<h3 id="_combining_them">5.4. Combining them</h3>
<div class="paragraph"><p>We can mix and match these two concepts. For example, one element of a hash might be an array as in the previous example, or you can have an array of hashes. For example a form might let you create any number of addresses by repeating the following form fragment</p></div>
<div class="listingblock">
<div class="content">
@@ -863,7 +847,7 @@ http://www.gnu.org/software/src-highlite -->
<td class="content">Array parameters do not play well with the <tt>check_box</tt> helper. According to the HTML specification unchecked checkboxes submit no value. However it is often convenient for a checkbox to always submit a value. The <tt>check_box</tt> helper fakes this by creating a second hidden input with the same name. If the checkbox is unchecked only the hidden input is submitted. If the checkbox is checked then both are submitted but the value submitted by the checkbox takes precedence. When working with array parameters this duplicate submission will confuse Rails since duplicate input names are how it decides when to start a new hash. It is preferable to either use <tt>check_box_tag</tt> or to use hashes instead of arrays.</td>
</tr></table>
</div>
-<h3 id="_using_form_helpers">8.3. Using form helpers</h3>
+<h3 id="_using_form_helpers">5.5. Using form helpers</h3>
<div class="paragraph"><p>The previous sections did not use the Rails form helpers at all. While you can craft the input names yourself and pass them directly to helpers such as <tt>text_field_tag</tt> Rails also provides higher level support. The two tools at your disposal here are the name parameter to <tt>form_for</tt>/<tt>fields_for</tt> and the <tt>:index</tt> option.</p></div>
<div class="paragraph"><p>You might want to render a form with a set of edit fields for each of a person&#8217;s addresses. Something a little like this will do the trick</p></div>
<div class="listingblock">
@@ -916,7 +900,7 @@ http://www.gnu.org/software/src-highlite -->
</div></div>
<div class="paragraph"><p>produces exactly the same output as the previous example.</p></div>
</div>
-<h2 id="_complex_forms">9. Complex forms</h2>
+<h2 id="_building_complex_forms">6. Building Complex forms</h2>
<div class="sectionbody">
<div class="paragraph"><p>Many apps grow beyond simple forms editing a single object. For example when creating a Person instance you might want to allow the user to (on the same form) create multiple address records (home, work etc.). When later editing that person the user should be able to add, remove or amend addresses as necessary. While this guide has shown you all the pieces necessary to handle this, Rails does not yet have a standard end-to-end way of accomplishing this, but many have come up with viable approaches. These include:</p></div>
<div class="ulist"><ul>
@@ -947,7 +931,7 @@ James Golick&#8217;s <a href="http://github.com/giraffesoft/attribute_fu/tree">a
</li>
</ul></div>
</div>
-<h2 id="_changelog">10. Changelog</h2>
+<h2 id="_changelog">7. Changelog</h2>
<div class="sectionbody">
<div class="paragraph"><p><a href="http://rails.lighthouseapp.com/projects/16213-rails-guides/tickets/1">Lighthouse ticket</a></p></div>
<div class="ulist"><div class="title">Authors</div><ul>
diff --git a/railties/doc/guides/html/security.html b/railties/doc/guides/html/security.html
index 4751e9f92b..371decda64 100644
--- a/railties/doc/guides/html/security.html
+++ b/railties/doc/guides/html/security.html
@@ -326,7 +326,7 @@ The user has his credit back.
</div>
</div>
<div class="paragraph"><p>This attack focuses on fixing a user&#8217;s session id known to the attacker, and forcing the user&#8217;s browser into using this id. It is therefore not necessary for the attacker to steal the session id afterwards. Here is how this attack works:</p></div>
-<div class="olist"><ol>
+<div class="olist arabic"><ol class="arabic">
<li>
<p>
The attacker creates a valid session id: He loads the login page of the web application where he wants to fix the session, and takes the session id in the cookie from the response (see number 1 and 2 in the image).