Sarav's Weblog

Technical Articles for RoR Developers

Tag Archives: Rails

Understand Rails Authenticity Token!

What happens:
When the user views a form to create, update, or destroy a resource, the rails app would create a random authenticity_token, store this token in the session, and place it in a hidden field in the form. When the user submits the form, rails would look for the authenticity_token, compare it to the one stored in the session, and if they match the request is allowed to continue.

Why this happens:
Since the authenticity token is stored in the session, the client can not know its value. This prevents people from submitting forms to a rails app without viewing the form within that app itself. Imagine that you are using service A, you logged into the service and everything is ok. Now imagine that you went to use service B, and you saw a picture you like, and pressed on the picture to view a larger size of it. Now, if some evil code was there at service B, it might send a request to service A (which you are logged into), and ask to delete your account, by sending a request to http://serviceA.com/close_account. This is what is known as CSRF (Cross Site Request Forgery).

If service A is using authenticity tokens, this attack vector is no longer applicable, since the request from service B would not contain the correct authenticity token, and will not be allowed to continue.

Notes: Keep in mind, rails only checks POST, PUT, and DELETE requests. GET request are not checked for authenticity token. Why? because the HTTP specification states that GET requests should NOT create, alter, or destroy resources at the server, and the request should be idempotent (if you run the same command multiple times, you should get the same result every time).

Lessons: Use authenticity_token to protect your POST, PUT, and DELETE requests. Also make sure not to make any GET requests that could potentially modify resources on the server.

Courtesy: Faisal and stack overflow

Advertisements

Ruby-LDAP (add, search)

LDAP in Ruby

To use LDAP in Ruby you have to use following gems. So Install the following gems.

  • sudo gem install net-ldap
  • sudo gem insall ruby-net-ldap

User Authentication against LDAP Directory Using Ruby

Example of a user-authentication against an LDAP directory:

require 'rubygems'
require 'net/ldap'

ldap = Net::LDAP.new
ldap.host = your_server_ip_address
ldap.port = 389
ldap.auth "joe_user", "opensesame"
if ldap.bind
  # authentication succeeded
else
  # authentication failed
end

Search against LDAP Directory Using Ruby

Quick Example of a search against an LDAP directory:

require 'rubygems'
require 'net/ldap'

username = "cn=manager,dc=example,dc=com"
password = "xxxxxxxx"
host = example.com #(or) host = 111.111.111.11 (ipaddress)
ldap = Net::LDAP.new :host => host,  :port => 389
ldap.auth username, password

filter = Net::LDAP::Filter.eq( "cn", "George*" )
treebase = "dc=example,dc=com"

ldap.search( :base => treebase, :filter => filter ) do |entry|
  puts "DN: #{entry.dn}"
  entry.each do |attribute, values|
    puts "   #{attribute}:"
    values.each do |value|
      puts "      --->#{value}"
    end
  end
end

#puts  ldap.get_operation_result

Check out the rest of the documentation for pretty good examples. This is the library I recommend. In my situation, I’m using ruby-net-ldap to import data in to, manipulate and query data in an OpenDS LDAP server.

New source path for ruby gems

If you would had chance to view any ruby news in recent days , you would have come to know that github is no more going to host gems any-more. Ofcourse github will continue to host current gems (if I am not wrong that too for an year only)

Ok. No worries. From now onwards gemcutter is going to host ruby gems. so we all would need to update our ruby gem source path. commands to do so are as follows:

sudo gem update –system
sudo gem install gemcutter
gem tumble

This will add gemcutter as your primary RubyGem source. I think in near future all gems will be available at gemcutter, not rubyforge or github.
Follow above mentioned steps, to make sure you install proper version of gem.

Should I freeze my Rails application?

Ruby on Rails allows you to “freeze” the version of Rails used by your application. When you freeze Rails, your application will always use that version of Rails and the associated Ruby Gems, regardless of what version is installed on the server. You can choose which version of Rails you want to freeze to.

Freezing Rails is recommended if you are using a Rails application for a business site or another production environment where stability is the most important concern. If you don’t freeze your application, there is a small possibility that your application might stop working due to compatibility problems when a new version of Rails is installed on our servers.

However, keep in mind that if you freeze your application to use a current (or older) version of Rails, you will not get the security benefits of automatic upgrades. You should make sure you’re keeping track of Rails versions yourself (for example, by subscribing to the Rails mailing lists) and upgrading your frozen version of Rails as necessary.

On this page:

  • * Freezing Rails
  • * Unfreezing Rails
  • * Freezing to a different version

Freezing Your Application

cd "application path of your system"
rake rails:freeze:gems

This will copy the Rails files to the “vendor/rails” directory of your application. When the Rails framework runs, your application will first check for the presence of this directory. If it exists, Rails will load the Rails components from the directory instead of using the main server copy of Rails. As long as you do not delete these files, your application will continue to use your “frozen” version of Rails.

Freezing to a different version

Although we’ve explained how to freeze Rails to the current version on the server, Rails allows you to freeze to almost any version.

For example, this command freezes your application to Rails 2.2.2:

rake rails:freeze:edge RELEASE=2.2.2

And this freezes Rails to the current development version:

rake rails:freeze:edge

The ability to freeze to different versions of rails can be useful when upgrading. For example, imagine you created a new Rails application and froze it to version 2.2.3 to ensure stability. When you became aware of a Rails upgrade (version 2.3.4 became available), you could upgrade your frozen version of Rails during an off-peak hour:

rake rails:freeze:edge RELEASE=2.3.4

Then you’d test your application to ensure it worked properly. If so, you’re all set, with the latest version of Rails installed. If not, you could downgrade back to the previous version until you were able to fix the problem, using:

rake rails:freeze:edge RELEASE=2.2.3

By the way, you can tell what version of Rails your application uses with this command:

script/about

Finally, some Rails upgrades provide configuration file changes (in particular, changes to “config/boot.rb”). To get the benefit of these changes, run this command after switching Rails versions:

rake rails:update

blackbook gem (Contact Importer gem for Ruby on Rails)

Blackbook automates the nitty-gritty of importing contacts from various services and files and exporting them as VCard, XML, or simple Hash. Utilize those contacts from services like AOL, GMail, Yahoo Mail, Hotmail or CSV to help your social networking site become GIGANTIC overnight! You‘ll be able to get big and sell for millions before anyone figures out it‘s just like every other social network.

Websitehttp://contentfree.rubyforge.org/blackbook/

FEATURES/PROBLEMS:

The current list of supported services and file types:

Import:

  • AOL
  • CSV files
  • Gmail
  • Hotmail
  • Yahoo! Mail

Export:

  • Simple hash (default)
  • Vcard
  • XML

If you create an additional importer or exporter – or simply find a bug – please consider submitting it as a patch to the project so the community can all benefit from your hard work and ingenuity.

SYNOPSIS:

# An example of fetching Gmail contacts – by default, returns an array of hashes with :name and :email

  contacts = Blackbook.get :username => 'me@gmail.com', :password => 'whatever'

# or returning XML

  contacts = Blackbook.get :username => 'me@gmail.com', :password => 'whatever', :as =>  :x ml

# or importing from a CSV file

  contacts = Blackbook.get :csv, :file => #<File:/path/to/file.csv>

REQUIREMENTS:

  • Mechanize and its dependencies, for interacting with online providers
  • Fastercsv for reading CSV, Mechanize >= 0.7.0 for page scraping

INSTALL:

  • sudo gem install blackbook