Using the Ruby on Rails web framework – How to install Rails and create a simple blog (Part 2)
This article is the follow up of “Using the Ruby on Rails web framework – How to install Rails and create a simple blog (Part 1)”.
In Part 1 of this tutorial (Steps 1 to 8) you looked at how to install Rails on a Hostmonster web account, set up the database, created and populated tables, and set up basic authentication.
This part of the tutorial will make user participation possible and will add security and styling to the application.
You’ll have to use SSH and scaffolding again (explained in Part 1 of the tutorial)…
./script/generate scaffold Comment entry_id:integer text:text author:string
… and as usual, the next thing is to run the migration process…
… and this will create the “comments” table in the database…
… and an “entry.rb” model file (… plus many more files we don’t need to care about now). Let’s edit the “entry.rb” model file and add some validation and state that an entry can have many comments…
class Entry < ActiveRecord::Base   # the class line was generated in Part 1; only the two lines inside are new
  validates_presence_of :title, :text   # refuse to save an entry without a title or a text
  has_many :comments                    # gives you @entry.comments
end
… and also edit the “comment.rb” model file to state that a comment always belongs to an entry…
class Comment < ActiveRecord::Base   # the class line was generated by the scaffold above
  belongs_to :entry                  # a comment stores the id of its entry in entry_id
end
Next, change the “routes.rb” file in the ~/myrails/myblog/config folder. You’ll need to edit this bit at the top…
map.resources :comments
map.resources :entries
… and change it to…
map.resources :entries, :has_many => :comments
What you want to do now is to display comments for the articles. To do that, edit the entry show view (~/myrails/myblog/app/views/entries/show.html.erb), adding some HTML and a Rails partial to it…
<div id="comments">
<%= render :partial => @entry.comments %>
</div>
To make the comment partial display, you need to create a new comments view called “_comment.html.erb” (~/myrails/myblog/app/views/comments) and add the following content to it…
<% div_for comment do %>   <%# wraps each comment in <div class="comment" id="comment_N">; this is the block the <% end %> below closes %>
  <p>
    Comment posted <%= time_ago_in_words(comment.created_at) %> ago <br />
    <%= h(comment.text) %>
  </p>
<% end %>
Now when you navigate to an entry page, you can see the “Comments” title appearing, but of course as no one has posted a comment yet, there are no comments underneath…
The next step is to add a comment form to the entry pages…
Using Rails this is how you add it (to “_comment.html.erb”) …
<% form_for([@entry, @entry.comments.build]) do |f| %>   <%# nested form: posts to /entries/:entry_id/comments, which the routes above created %>
  <p>
    <%= f.label :text, "Write comment here:" %><br />
    <%= f.text_area :text %>
  </p>
  <p><%= f.submit "Submit" %></p>
<% end %>
You’ll have to make this form work now. Go to the comments controller that the comment scaffold created (~/myrails/myblog/app/controllers/comments_controller.rb), delete all content of the CommentsController class (but leave the class itself) and add the following…
class CommentsController < ApplicationController
  # the form above posts to this action
  def create
    @entry = Entry.find(params[:entry_id])              # the entry from the nested URL
    @comment = @entry.comments.create(params[:comment]) # saves the comment with entry_id set
    redirect_to @entry                                  # back to the entry page
  end
end
Now if you submit a comment, the page will refresh and the comment will be displayed above the form…
The default model component of Ruby on Rails (Active Record) secures applications against most types of SQL injection. Rails has a built-in filter for special SQL characters, which escapes ‘, ”, the NULL character and line breaks. Where you used the “find()” or “create()” functions in your application, Rails escapes these special characters, so SQL injection can’t happen, for example…
Wherever you used the Rails function “h()” (e.g. in “_comment.html.erb”) your application also escapes the HTML special characters in user input on display, to avoid cross-site scripting (XSS) and CSS injection…
So when a hacker enters the following comment…
http://www.yoursite.com/yourfolder/
index.php/blog">Back to blog</a>
<script>var i=9;</script><div
style="background:url('javascript:alert(1)')">
… the database stores the comment unchanged and the browser displays exactly the same text, but the HTML that is sent to the browser is changed to…
http://www.yoursite.com/yourfolder/
index.php/blog&quot;&gt;Back to blog&lt;/a&gt;
&lt;script&gt;var i=9;&lt;/script&gt;&lt;div
style=&quot;background:url('javascript:alert(1)')&quot;&gt;
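As an added example (not code from the original article), here is a stand-alone Ruby copy of the escaping that the Rails 2.3 “h()” helper (ERB::Util.html_escape) applies, run over the sample comment above; the tags() and render_unescaped() helpers are assumptions added here to make the difference visible.

```ruby
# Added example, not code from the original article: a stand-alone copy of the
# escaping the Rails 2.3 "h()" helper (ERB::Util.html_escape) applies to
# comment text, run over the sample comment from the article. tags() and
# render_unescaped() are helpers added here to make the difference visible.

# The four characters Rails 2.3 replaces (later Rails versions also escape "'").
HTML_ESCAPE = { '&' => '&amp;', '>' => '&gt;', '<' => '&lt;', '"' => '&quot;' }

# Equivalent of h(text): anything that could open or close a tag or an
# attribute becomes an entity, so the browser shows it as text, not markup.
def h(text)
  text.to_s.gsub(/[&"><]/) { |c| HTML_ESCAPE[c] }
end

# Mirrors the _comment.html.erb partial: the text is interpolated after h().
def render_comment(text)
  "<p>\n#{h(text)}\n</p>"
end

# The same partial written as <%= comment.text %> (the mistake h() prevents).
def render_unescaped(text)
  "<p>\n#{text}\n</p>"
end

# Names of the HTML elements a browser would see in the rendered string:
# untrusted input must not add any beyond the partial's own <p>.
def tags(html)
  html.scan(%r{</?([a-z][a-z0-9]*)}i).flatten.map(&:downcase).uniq
end

# The comment from the article (constructed sample copied from the text above).
HACKER_COMMENT = <<-'EOS'.chomp
http://www.yoursite.com/yourfolder/
index.php/blog">Back to blog</a>
<script>var i=9;</script><div
style="background:url('javascript:alert(1)')">
EOS

if __FILE__ == $0
  puts "stored in the database: #{HACKER_COMMENT.inspect}"
  puts "sent to the browser:\n#{render_comment(HACKER_COMMENT)}"
  puts "elements with h():    #{tags(render_comment(HACKER_COMMENT)).inspect}"
  puts "elements without h(): #{tags(render_unescaped(HACKER_COMMENT)).inspect}"
end
```

Note that h() only protects text placed between tags, as in the partial; user input placed inside an attribute or a URL needs the context-specific helpers the Rails security guide describes.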
Also, the Ruby on Rails website includes a brilliant document on securing Rails applications that web developers can use for their custom security needs.
Your application currently has two views: entries and comments. You’re going to create an entirely new view for all parts of the blog and the two original views won’t be needed any more. You can delete them, if you want to.
Now create a new view file called “application.html.erb” in ~/myrails/myblog/app/views/layouts/ and place some sample HTML into it, adding <%= yield %> where the changeable content of the application would go, such as…
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN"
  "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
  <title>MyBlog - Ruby on Rails application</title>
  <!-- Rails scaffolding CSS -->
  <%= stylesheet_link_tag 'scaffold' %>
  <!-- Your custom CSS for blog -->
  <%= stylesheet_link_tag 'myblog_style' %>
</head>
<body>
  <h1>Welcome to MyBlog!</h1>
  <%= yield %>
</body>
</html>
Check out how your application looks now, and create a “myblog_style.css” file (in ~/myrails/myblog/public/stylesheets/) to change your application’s look. If necessary, you can delete the line linking to the scaffolding style in the layout.
Check out the working application here.