From 35a0521c3c2e8cea397accb648f15f7e8b3cf8a8 Mon Sep 17 00:00:00 2001 From: Abe Voelker Date: Fri, 9 Mar 2012 15:15:01 -0600 Subject: Fix 'Security#Mass Assignment' URL typo --- railties/guides/source/security.textile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'railties/guides') diff --git a/railties/guides/source/security.textile b/railties/guides/source/security.textile index b1a09c0c05..747a4d6791 100644 --- a/railties/guides/source/security.textile +++ b/railties/guides/source/security.textile @@ -374,7 +374,7 @@ end Mass-assignment saves you much work, because you don't have to set each value individually. Simply pass a hash to the +new+ method, or +assign_attributes=+ a hash value, to set the model's attributes to the values in the hash. The problem is that it is often used in conjunction with the parameters (params) hash available in the controller, which may be manipulated by an attacker. He may do so by changing the URL like this: 
-"name":http://www.example.com/user/signup?user[name]=ow3ned&user[admin]=1
+http://www.example.com/user/signup?user[name]=ow3ned&user[admin]=1
This will set the following parameters in the controller: -- cgit v1.2.3 From 129ba87dc4d00cba7061111f6431531c4550aaca Mon Sep 17 00:00:00 2001 From: Grant McLean Date: Sat, 10 Mar 2012 20:58:40 +1300 Subject: fix fragment portion of some links --- railties/guides/source/2_2_release_notes.textile | 2 +- railties/guides/source/form_helpers.textile | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) (limited to 'railties/guides') diff --git a/railties/guides/source/2_2_release_notes.textile b/railties/guides/source/2_2_release_notes.textile index 8e2d528eee..3a0f2efbaf 100644 --- a/railties/guides/source/2_2_release_notes.textile +++ b/railties/guides/source/2_2_release_notes.textile @@ -229,7 +229,7 @@ This will enable recognition of (among others) these routes: * Lead Contributor: "S. Brent Faulkner":http://www.unwwwired.net/ * More information: -** "Rails Routing from the Outside In":http://guides.rubyonrails.org/routing.html#_nested_resources +** "Rails Routing from the Outside In":http://guides.rubyonrails.org/routing.html#nested-resources ** "What's New in Edge Rails: Shallow Routes":http://ryandaigle.com/articles/2008/9/7/what-s-new-in-edge-rails-shallow-routes h4. Method Arrays for Member or Collection Routes diff --git a/railties/guides/source/form_helpers.textile b/railties/guides/source/form_helpers.textile index a696e4f8ae..9f91d12a54 100644 --- a/railties/guides/source/form_helpers.textile +++ b/railties/guides/source/form_helpers.textile @@ -39,7 +39,7 @@ When called without arguments like this, it creates a +<form>+ tag which, -Now, you'll notice that the HTML contains something extra: a +div+ element with two hidden input elements inside. This div is important, because the form cannot be successfully submitted without it. The first input element with name +utf8+ enforces browsers to properly respect your form's character encoding and is generated for all forms whether their actions are "GET" or "POST". The second input element with name +authenticity_token+ is a security feature of Rails called *cross-site request forgery protection*, and form helpers generate it for every non-GET form (provided that this security feature is enabled). You can read more about this in the "Security Guide":./security.html#_cross_site_reference_forgery_csrf. +Now, you'll notice that the HTML contains something extra: a +div+ element with two hidden input elements inside. This div is important, because the form cannot be successfully submitted without it. The first input element with name +utf8+ enforces browsers to properly respect your form's character encoding and is generated for all forms whether their actions are "GET" or "POST". The second input element with name +authenticity_token+ is a security feature of Rails called *cross-site request forgery protection*, and form helpers generate it for every non-GET form (provided that this security feature is enabled). You can read more about this in the "Security Guide":./security.html#cross-site-request-forgery-csrf. NOTE: Throughout this guide, the +div+ with the hidden input elements will be excluded from code samples for brevity. @@ -428,7 +428,7 @@ As with other helpers, if you were to use the +select+ helper on a form builder <%= f.select(:city_id, ...) %> -WARNING: If you are using +select+ (or similar helpers such as +collection_select+, +select_tag+) to set a +belongs_to+ association you must pass the name of the foreign key (in the example above +city_id+), not the name of association itself. If you specify +city+ instead of +city_id+ Active Record will raise an error along the lines of ActiveRecord::AssociationTypeMismatch: City(#17815740) expected, got String(#1138750) when you pass the +params+ hash to +Person.new+ or +update_attributes+. Another way of looking at this is that form helpers only edit attributes. You should also be aware of the potential security ramifications of allowing users to edit foreign keys directly. You may wish to consider the use of +attr_protected+ and +attr_accessible+. For further details on this, see the "Ruby On Rails Security Guide":security.html#_mass_assignment. +WARNING: If you are using +select+ (or similar helpers such as +collection_select+, +select_tag+) to set a +belongs_to+ association you must pass the name of the foreign key (in the example above +city_id+), not the name of association itself. If you specify +city+ instead of +city_id+ Active Record will raise an error along the lines of ActiveRecord::AssociationTypeMismatch: City(#17815740) expected, got String(#1138750) when you pass the +params+ hash to +Person.new+ or +update_attributes+. Another way of looking at this is that form helpers only edit attributes. You should also be aware of the potential security ramifications of allowing users to edit foreign keys directly. You may wish to consider the use of +attr_protected+ and +attr_accessible+. For further details on this, see the "Ruby On Rails Security Guide":security.html#mass-assignment. h4. Option Tags from a Collection of Arbitrary Objects -- cgit v1.2.3 From 625cb12f21d08630577047ccf11678f886145234 Mon Sep 17 00:00:00 2001 From: Andrew France Date: Sun, 11 Mar 2012 13:28:25 +0000 Subject: attr_accessor_with_default was deprecated and removed. Deprecated in 673372152032a886ba9196c69348386834590eab and removed in 9cafc28874a681082f9f7e1e445db91f195a25ae. --- .../source/active_support_core_extensions.textile | 49 ---------------------- 1 file changed, 49 deletions(-) (limited to 'railties/guides') diff --git a/railties/guides/source/active_support_core_extensions.textile b/railties/guides/source/active_support_core_extensions.textile index 2091ce0395..5d0a3f82e8 100644 --- a/railties/guides/source/active_support_core_extensions.textile +++ b/railties/guides/source/active_support_core_extensions.textile @@ -509,55 +509,6 @@ end NOTE: Defined in +active_support/core_ext/module/aliasing.rb+. -h5. +attr_accessor_with_default+ - -The method +attr_accessor_with_default+ serves the same purpose as the Ruby macro +attr_accessor+ but allows you to set a default value for the attribute: - - -class Url - attr_accessor_with_default :port, 80 -end - -Url.new.port # => 80 - - -The default value can be also specified with a block, which is called in the context of the corresponding object: - - -class User - attr_accessor :name, :surname - attr_accessor_with_default(:full_name) do - [name, surname].compact.join(" ") - end -end - -u = User.new -u.name = 'Xavier' -u.surname = 'Noria' -u.full_name # => "Xavier Noria" - - -The result is not cached, the block is invoked in each call to the reader. - -You can overwrite the default with the writer: - - -url = Url.new -url.host # => 80 -url.host = 8080 -url.host # => 8080 - - -The default value is returned as long as the attribute is unset. The reader does not rely on the value of the attribute to know whether it has to return the default. It rather monitors the writer: if there's any assignment the value is no longer considered to be unset. - -Active Resource uses this macro to set a default value for the +:primary_key+ attribute: - - -attr_accessor_with_default :primary_key, 'id' - - -NOTE: Defined in +active_support/core_ext/module/attr_accessor_with_default.rb+. - h5. Internal Attributes When you are defining an attribute in a class that is meant to be subclassed, name collisions are a risk. That's remarkably important for libraries. -- cgit v1.2.3 From 4daef7427b3d63bdda4ac99df25fb3de32dfe9cd Mon Sep 17 00:00:00 2001 From: Ryan Bigg Date: Wed, 7 Mar 2012 07:36:08 -0800 Subject: [instrumentation guide] Cover receive.action_mailer event --- .../source/active_support_instrumentation.textile | 27 ++++++++++++++++++++++ 1 file changed, 27 insertions(+) (limited to 'railties/guides') diff --git a/railties/guides/source/active_support_instrumentation.textile b/railties/guides/source/active_support_instrumentation.textile index f9452400ad..79901a619c 100644 --- a/railties/guides/source/active_support_instrumentation.textile +++ b/railties/guides/source/active_support_instrumentation.textile @@ -21,8 +21,35 @@ You are even able to create your own events inside your application which you ca h3. Rails framework hooks +Within the Ruby on Rails framework, there are a number of hooks provided for common events. These are detailed below. + h4. Action Mailer +h5. receive.action_mailer + +This hook is called when the +receive+ method of an +ActionMailer::Base+ class is called: + + + class Mailer < ActionMailer::Base + def receive(mail) + + end + end + + +The payload for this event has the following parameters related to the incoming email: + +|_.Key |_.Value| +|mailer |Name of the mailer class| +|message_id |ID of the message, generated by the Mail gem| +|subject |Subject of the mail| +|to |To address(es) of the mail| +|from |From address of the mail| +|bcc |BCC addresses of the mail| +|cc |CC addresses of the mail| +|date |Date of the mail| +|mail |The encoded form of the mail| + h4. Action Controller h4. Action View -- cgit v1.2.3 From a42eedb3a3d55097624d5b6a9509d4d79264a391 Mon Sep 17 00:00:00 2001 From: Ryan Bigg Date: Wed, 7 Mar 2012 07:39:20 -0800 Subject: [instrumentation guide] Cover deliver.action_mailer event --- .../source/active_support_instrumentation.textile | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'railties/guides') diff --git a/railties/guides/source/active_support_instrumentation.textile b/railties/guides/source/active_support_instrumentation.textile index 79901a619c..26a5265143 100644 --- a/railties/guides/source/active_support_instrumentation.textile +++ b/railties/guides/source/active_support_instrumentation.textile @@ -50,6 +50,24 @@ The payload for this event has the following parameters related to the incoming |date |Date of the mail| |mail |The encoded form of the mail| +h5. deliver.action_mailer + +This hook is called when the +deliver+ method is called on a +Mail::Message+ object. This is due to a hook inserted by Action Mailer, rather than a specific feature of the Mail gem itself. + +The payload for this event has the following parameters related to the outgoing email: + +|_.Key |_.Value| +|mailer |Name of the mailer class| +|message_id |ID of the message, generated by the Mail gem| +|subject |Subject of the mail| +|to |To address(es) of the mail| +|from |From address of the mail| +|bcc |BCC addresses of the mail| +|cc |CC addresses of the mail| +|date |Date of the mail| +|mail |The encoded form of the mail| + + h4. Action Controller h4. Action View -- cgit v1.2.3 From 507df096f4dd875ba602164b997ef7d5f7739bb6 Mon Sep 17 00:00:00 2001 From: Ryan Bigg Date: Sun, 11 Mar 2012 16:18:48 -0700 Subject: [instrumentation] Add further action placeholders --- .../guides/source/active_support_instrumentation.textile | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'railties/guides') diff --git a/railties/guides/source/active_support_instrumentation.textile b/railties/guides/source/active_support_instrumentation.textile index 26a5265143..8e2866dfc3 100644 --- a/railties/guides/source/active_support_instrumentation.textile +++ b/railties/guides/source/active_support_instrumentation.textile @@ -70,6 +70,18 @@ The payload for this event has the following parameters related to the outgoing h4. Action Controller +h5. write_fragment.action_controller + +h5. read_fragment.action_controller + +h5. exist_fragment?.action_controller + +h5. expire_fragment.action_controller + +h5. write_page.action_controller + +h5. expire_page.action_controller + h4. Action View h4. Active Record -- cgit v1.2.3 From 36bd5c97420e46a19658e34dbe24bcab265311af Mon Sep 17 00:00:00 2001 From: Ryan Bigg Date: Sun, 11 Mar 2012 16:20:11 -0700 Subject: Add engines guide to documents.yaml --- railties/guides/source/documents.yaml | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'railties/guides') diff --git a/railties/guides/source/documents.yaml b/railties/guides/source/documents.yaml index 08aafda288..1c8d7d284c 100644 --- a/railties/guides/source/documents.yaml +++ b/railties/guides/source/documents.yaml @@ -96,6 +96,10 @@ name: Asset Pipeline url: asset_pipeline.html description: This guide documents the asset pipeline. + - + name: Getting Started with Engines + url: engines.html + description: This guide explains how to write a mountable engine. - name: The Rails Initialization Process work_in_progress: true -- cgit v1.2.3