Using the Ruby on Rails web framework – How to install Rails and create a simple blog (Part 2)

VN:F [1.9.22_1171]
Rating: 3.5/5 (6 votes cast)

This article is the follow up of “Using the Ruby on Rails web framework – How to install Rails and create a simple blog (Part 1)”.

In Part 1 of this tutorial (Step 1 to 8) you looked at how to install Rails on a Hostmonster web account, you set up the database, created and populated tables, and set basic authentication up.

This part of the tutorial will make user participation possible and will add security and styling to the application.

9. Adding comments to the blog

You’ll have to use SSH and scaffolding again (explained in Part 1 of the tutorial)…

cd ~/myrails/myblog

./script/generate scaffold Comment entry_id:integer
text:text author:string

… and as usual, the next thing is to run the migration process…

rake db:migrate

… and this will create the “comments” table in the database…
phpMyAdmin - Comments table… and an “entry.rb” model file (… plus many more files we don’t need to care about now). Let’s edit the “entry.rb” model file and add some validation and state that an entry can have many comments…

class Entry < ActiveRecord::Base
   validates_presence_of :title, :text
   has_many :comments

… and also edit the “comment.rb” model file to state that a comment always belongs to an entry…

class Comment < ActiveRecord::Base
   belongs_to :entry

The next thing you’ll do is that you change the “routes.rb” file in the ~/myrails/myblog/config folder. You’ll need to edit this bit at the top…

ActionController::Routing::Routes.draw do |map|
   map.resources :comments

   map.resources :entries

… and change it to…

ActionController::Routing::Routes.draw do |map|
   map.resources :entries, :has_many => :comments

What you want to do now is to display comments for the articles. It is obvious that you’ll have to edit the entry show view (~/myrails/myblog/app/views/entries/show.html.erb) adding some HTML and a Rails partial to it…

<div id="comments">
   <%= render :partial => @entry.comments %>

To make the comment partial display, you need to create a new comments view called “_comment.html.erb” (~/myrails/myblog/app/views/comments) and add the following content to it…

<% div_for comment do %>
      Comment posted <%= time_ago_in_words(comment.created_at) %> ago <br />
   <%= h(comment.text) %>
<% end %>

Now when you navigate to an entry page, you can see the “Comments” title appearing, but of course as no one has posted a comment yet, there are no comments underneath…
No comments posted yetThe next step is to add a comment form to the entry pages…
Comment form appearing on entry pageUsing Rails this is how you add it (to “_comment.html.erb”) …

<% form_for [@entry,] do |f| %>
      <%= f.label :text, "Write comment here:" %><br />
      <%= f.text_area :text %>
   <p><%= f.submit "Submit" %></p>
<% end %>

You’ll have to make this form work now. Go to the comments controller that the comment scaffold created (~/myrails/myblog/app/controllers/comments_controller.rb), delete all content of the CommentsController class (but leave the class itself) and add the following…

def create
   @entry = Entry.find(params[:entry_id])
   @comment = @entry.comments.create(params[:comment])
   redirect_to @entry

Now if you submit a comment, the page will refresh and the comment will be displayed above the form…
First comment posted

10. Adding simple security to the application

The default model component of Ruby on Rails (Active Record) secures applications against most types of SQL injection. Rails has a built in filter for special SQL characters, which will escape ‘ , ” , the NULL character and line breaks. Where you used the “find()” or “create()” functions in your application, Rails escapes these special characters, so SQL injection can’t happen, for example…

@comment = @entry.comments.create(params[:comment])

Wherever you used the Rails function “h()” (e.g. in “_comment.html.erb”) your application is also escaping inappropriate HTML to avoid cross-site scripting (XSS) and CSS injection on display…

<%= h(comment.text) %>

So when a hacker enters the following comment…

SQL injection: '); DROP TABLE users; <a href="
index.php/blog">Back to blog</a>
<script>var i=9;</script><div

… the database and the browser will store and display the same comment, but the HTML code will be changed to…

SQL injection: '); DROP TABLE users; &lt;a href=&quot;
index.php/blog&quot;&gt;Back to blog&lt;/a&gt;
&lt;script&gt;var i=9;&lt;/script&gt;&lt;div

Also, the Ruby on Rails website includes a brilliant document on securing Rails applications that web developers can use for their custom security needs.

11. Adding header and footer to the view

Your application currently has two views: entries and comments. You’re going to create an entirely new view for all parts of the blog and the two original views won’t be needed any more. You can delete them, if you want to.

Now create a new view file called “application.html.erb” in ~/myrails/myblog/app/views/layouts/ and place some sample HTML into it adding…

<%= yield %>

… where the changeable content of the application would go, such as…


   <title>MyBlog - Ruby on Rails application</title>
   <!-- Rails scaffolding CSS -->
   <%= stylesheet_link_tag 'scaffold' %>
   <!-- Your custom CSS for blog -->
   <%= stylesheet_link_tag 'myblog_style' %>  
<h1>Welcome to MyBlog!</h1>

<%= yield %>


Check out how your application looks now, and create a “myblog_style.css” file to edit your applications look. If necessary, you can delete the line linking to the scaffolding style in the view.

Check out the working application here.

Using the Ruby on Rails web framework - How to install Rails and create a simple blog (Part 2), 3.5 out of 5 based on 6 ratings

1 response:

  1. Using the Ruby on Rails web framework – How to install Rails and create a simple blog (Part 1) | Attila Szomor > web design and development blog

    [...] ask for the username (“admin”) and the password (“adminsecpass”). *** Part 2 of this tutorial will continue with adding comments to the blog posts, plus securing the [...]