<section data-ng-controller="PostsController" data-ng-init="find()">
<div class="page-header">
<h1>Posts</h1>
</div>
<div class="list-group">
<a data-ng-repeat="post in posts" data-ng-href="#!/posts/{{post._id}}" class="list-group-item">
<small class="list-group-item-text">
Posted on
<span data-ng-bind="post.created | date:'medium'"></span>
by
@jtroxel
jtroxel / server.js
Last active August 29, 2015 14:17
Javascript form post handler
// curl --data-urlencode "name=Thai Green and Sushi" -XPOST localhost:8080/restaurant
routeMatcher.post('/restaurant', function (req) {
console.log("Params: " + req.params());
req.expectMultiPart(true);
req.endHandler(function() {
// The request body has been fully read, so now we can look at the form attributes
var formAttributes = req.formAttributes();
var name = formAttributes.get('name');
@jtroxel
jtroxel / server.js
Created March 14, 2015 02:00
Starting a server for routeMatcher
// Start a server listening to our routes
server.requestHandler(routeMatcher).listen(8080, 'localhost');
@jtroxel
jtroxel / server.js
Created March 15, 2015 20:39
UI integration with business logic
bus.send('manage-restaurants', // Event bus
// Payload
{
action: 'create',
name: name
},
// Reply handler
function (reply) {
console.log("Reply " + reply);
}
@jtroxel
jtroxel / manage_restaurants.rb
Created March 15, 2015 20:47
ruby ActiveRecord worker logic
Vertx::EventBus.register_handler('manage-restaurants') do |message|
body = message.body
puts "Got message body #{body.inspect}"
case body['action']
when "create"
rest = Restaurant.new(body.slice('name'))
rest.save
message.reply "OK"
when "update"
id = body['id']
@jtroxel
jtroxel / post.md
Created June 18, 2012 14:40
Rails - Using whitelists to control mass-assignment

Rails - Using Whitelists for Mass-Assignment Security

Whitelisting attributes

For the Rails 3.2 upgrade, and to improve protection against mass-assignment exploits, we recently changed an app to use a stricter "whitelist" approach. In case you missed it, there was a lot of drama recently around the exploit: http://www.infoq.com/news/2012/03/GitHub-Compromised. Basically, the power of Rails can be used to sneak extra attributes (ones not presented in the UI) into requests, attributes that map to database columns. This Rails magic happens with any method that ultimately calls ActiveRecord's update_attributes.

One way to tighten this up is by setting the following in application.rb:

    config.active_record.whitelist_attributes = true

With that set, only attributes that are explicitly defined by attr_accessible are eligible for update from update_attributes. This includes nested attributes that correspond to accepts_nested_attributes_for, for example :line_item_attributes.
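The whitelist behaviour described above, as an added example written for this page (not the gist author's code): a small stand-in module that mimics attr_accessible and a whitelist-enforcing update_attributes so it runs without ActiveRecord. The User class, SMUGGLED_PARAMS and the two helper methods are constructed for illustration.

```ruby
# Stand-in for ActiveRecord's attr_accessible whitelist (constructed for
# illustration; not ActiveRecord's real implementation). A model declares the
# attributes mass-assignment may write; every other key in params is dropped.
module MassAssignmentWhitelist
  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    def attr_accessible(*names)
      @accessible = (@accessible || []) | names.map(&:to_s)
    end

    def accessible_attributes
      @accessible || []
    end
  end

  # attribute name => value, standing in for a DB row
  def attributes
    @attributes ||= {}
  end

  # Mirrors whitelist_attributes = true: only attr_accessible keys are written.
  def update_attributes(params)
    allowed = self.class.accessible_attributes
    params.each do |key, value|
      next unless allowed.include?(key.to_s) # silently drop non-whitelisted keys
      attributes[key.to_s] = value
    end
    attributes
  end
end

class User
  include MassAssignmentWhitelist
  attr_accessible :name, :email # :admin deliberately not accessible
end

# Constructed request params: "admin" was never a field in the form.
SMUGGLED_PARAMS = { 'name' => 'mallory', 'email' => 'm@example.com', 'admin' => true }.freeze

# The legacy behaviour: every param key becomes a column value.
def unprotected_assign(params = SMUGGLED_PARAMS)
  params.each_with_object({}) { |(k, v), row| row[k.to_s] = v }
end

# The whitelisted behaviour: the smuggled "admin" key never reaches the row.
def whitelisted_assign(params = SMUGGLED_PARAMS)
  User.new.update_attributes(params)
end
```

Running whitelisted_assign returns only name and email, while unprotected_assign also carries admin => true into the row.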

@jtroxel
jtroxel / category_group.rb
Created October 31, 2012 02:50
An example Module mixing in re-usable Rails associations.
module CategoryGroup
module ClassMethods
# Set up the association and accepts_nested_attributes_for in the client object. Also defines some accessor and helper
# methods based on the name parameter
def category_group_association(name, group)
has_many "#{name}_categorizations".to_sym, :class_name => "Categorization", :foreign_key => "categorizable_id",
:conditions => ["categorizations.categorizable_group = ? and categorizations.categorizable_type = ?", group, "#{self.name}"]
has_many "#{name}_categories".to_sym, :through => "#{name}_categorizations".to_sym, :source => :category
@jtroxel
jtroxel / product.rb
Created October 31, 2012 02:52
Client of reusable Rails association
include CategoryGroup # Module to help an AR model associate to a category scoped by a "group"
has_many :categorizations, :as => :categorizable
has_many :categories, :through => :categorizations
category_group_association 'product', Category::PRODUCTS # create has_many for categorizations and categories, called product_
@jtroxel
jtroxel / 20130128152044_create_user_history.rb
Created January 28, 2013 23:12
DB history for checkouts (and other stuff)
class CreateUserHistory < ActiveRecord::Migration
def change
create_table :user_history do |t|
t.association :user # Most things we care about should have a user, but nil-able if not
t.string :username # stamped from user.username
t.string :message # Log-like message
t.string :code # Specific token for sorting, or tracking error or status
t.float :timing # Optional for keeping timing like response time
#NOTE: has_many :history_snapshots # snapshot data about relevant objects
@jtroxel
jtroxel / gist:5238846
Last active December 15, 2015 09:29
Command objects in controllers
def approve_invoice
InvoiceSubmitedForApproval.new(current_user, params[:invoice].slice(:invoice_id)).execute
# ...
redirect_to :view_invoices
end
def view_invoices
# The command class must be instantiated before execute is called
@pending_invoices = InvoiceViewListForUser.new(current_user, { pending: true }).execute
end