Diffstat (limited to 'guides/source')
-rw-r--r-- guides/source/active_record_validations.md 5
-rw-r--r-- guides/source/getting_started.md 15
-rw-r--r-- guides/source/security.md 2
3 files changed, 18 insertions, 4 deletions
diff --git a/guides/source/active_record_validations.md b/guides/source/active_record_validations.md
index d95b587e78..8154d4e1cc 100644
--- a/guides/source/active_record_validations.md
+++ b/guides/source/active_record_validations.md
@@ -243,7 +243,7 @@ line of code you can add the same kind of validation to several attributes.
All of them accept the `:on` and `:message` options, which define when the
validation should be run and what message should be added to the `errors`
collection if it fails, respectively. The `:on` option takes one of the values
-`:save` (the default), `:create` or `:update`. There is a default error
+`:create` or `:update`. There is a default error
message for each one of the validation helpers. These messages are used when
the `:message` option isn't specified. Let's take a look at each one of the
available helpers.
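Review bot: In the sentence listing the `:on` values, removing "`:save` (the default)" leaves the paragraph with no statement of what happens when `:on` is omitted. Suggest adding a clause such as "by default the validation runs on both create and update", which matches the comment in the `Person` example later in this file.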
@@ -765,10 +765,9 @@ class Person < ActiveRecord::Base
validates :age, numericality: true, on: :update
# the default (validates on both create and update)
- validates :name, presence: true, on: :save
+ validates :name, presence: true
end
```
-The last line is in review state and as of now, it is not running in any version of Rails 3.2.x as discussed in this [issue](https://github.com/rails/rails/issues/10248)
Strict Validations
------------------
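Review bot: The comment above `validates :name, presence: true` still reads only "the default (validates on both create and update)"; now that the line carries no `on:` option, it would be clearer to say that the default means leaving `:on` out, for example `# the default: no :on option, runs on both create and update`. Dropping the sentence about the issue is consistent, since the line it described is gone.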
diff --git a/guides/source/getting_started.md b/guides/source/getting_started.md
index 20d7eb3381..12eb88f018 100644
--- a/guides/source/getting_started.md
+++ b/guides/source/getting_started.md
@@ -1616,6 +1616,8 @@ end
Security
--------
+### Basic Authentication
+
If you were to publish your blog online, anybody would be able to add, edit and
delete posts or delete comments.
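Review bot: With `### Basic Authentication` placed directly under the `Security` heading, the section has no introductory text of its own, and the new subsection opens with the motivation paragraph ("If you were to publish your blog online, ...") rather than anything about Basic Authentication. Consider keeping that paragraph above the new heading as the section intro and starting the subsection where the authentication mechanism itself is introduced.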
@@ -1663,6 +1665,19 @@ Authentication challenge
![Basic HTTP Authentication Challenge](images/getting_started/challenge.png)
+Other authentication methods are available for Rails applications. Two popular
+authentication add-ons for Rails are the [Devise](https://github.com/plataformatec/devise)
+rails engine and the [Authlogic](https://github.com/binarylogic/authlogic) gem,
+along with a number of others.
+
+
+### Other Security Considerations
+
+Security, especially in web applications, is a broad and detailed area. Security
+in your Rails application is covered in more depth in
+The [Ruby on Rails Security Guide](security.html)
+
+
What's Next?
------------
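Review bot: The last added sentence, "is covered in more depth in / The [Ruby on Rails Security Guide](security.html)", has a capitalised "The" in mid-sentence and no closing period; suggest "in the [Ruby on Rails Security Guide](security.html)." Smaller points in the same hunk: "rails engine" should be "Rails engine", "along with a number of others" trails awkwardly after naming two gems (for example "among a number of others"), and the hunk adds two consecutive blank lines before each heading where one would do.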
diff --git a/guides/source/security.md b/guides/source/security.md
index ad0546810d..e4db26c64e 100644
--- a/guides/source/security.md
+++ b/guides/source/security.md
@@ -93,7 +93,7 @@ Rails 2 introduced a new default session storage, CookieStore. CookieStore saves
* The client can see everything you store in a session, because it is stored in clear-text (actually Base64-encoded, so not encrypted). So, of course, _you don't want to store any secrets here_. To prevent session hash tampering, a digest is calculated from the session with a server-side secret and inserted into the end of the cookie.
-That means the security of this storage depends on this secret (and on the digest algorithm, which defaults to SHA512, which has not been compromised, yet). So _don't use a trivial secret, i.e. a word from a dictionary, or one which is shorter than 30 characters_.
+That means the security of this storage depends on this secret (and on the digest algorithm, which defaults to SHA1, for compatibility). So _don't use a trivial secret, i.e. a word from a dictionary, or one which is shorter than 30 characters_.
`config.secret_key_base` is used for specifying a key which allows sessions for the application to be verified against a known secure key to prevent tampering. Applications get `config.secret_key_base` initialized to a random key in `config/initializers/secret_token.rb`, e.g.:
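Review bot: The replacement sentence says the security of the cookie depends on the digest algorithm and then names SHA1 "for compatibility" without saying compatible with what, or whether a reader is expected to leave the default alone. Since this is the security guide and the old text made an explicit claim about the algorithm's strength, suggest stating what the compatibility constraint is and whether the default can be changed. The advice about secret length that follows in the same sentence reads fine as is.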