POST data
HTTP headers AJAX requests
Scoped Queries
# Contacts belong to the signed-in user; require_signin runs before every action.
class ContactsController < ApplicationController
  before_filter :require_signin

  def new
    @contact = Contact.new
  end

  # Builds a contact from the submitted form and sends the browser to it.
  def create
    # The whole params[:contact] hash is handed to the constructor, so every key
    # the client sends is offered to the model.  Which keys may actually be
    # assigned is the model's decision (an attr_accessible list), not this action's.
    contact = Contact.new params[:contact]
    # Ownership comes from the server-side session and is assigned after the
    # constructor, so a user_id supplied in the request body is overwritten.
    contact.user_id = session[:user_id]
    # NOTE(review): the boolean result of save is ignored; on a validation
    # failure the redirect still fires with a URL built from an unsaved record.
    contact.save
    redirect_to contact_url(contact)
  end
  # NOTE(review): the class's closing `end` does not appear on this slide line.
class UsersController < ApplicationController
  # Edits only the signed-in user; the edit.rhtml form below is bound to @user.
  def edit
    @user = current_user
  end

  # Applies the submitted user[...] fields to the signed-in user.
  def update
    # Every key in params[:user] reaches update_attributes, not just the login
    # and password fields that edit.rhtml renders -- a hand-built request can
    # carry any column name (the Net::HTTP slide that follows shows one).  What
    # is actually written is decided by the model's attr_accessible list; this
    # action does no filtering of its own.
    # NOTE(review): the boolean result of update_attributes is ignored, so the
    # redirect happens whether or not the save succeeded.
    current_user.update_attributes params[:user]
    redirect_to edit_user_url
  end
end
edit.rhtml:
<% form_for :user, :url => user_url, :html => { :method => :put } do |u| %>
<p>Login: <%= u.text_field :login %></p>
<p>Password: <%= u.password_field :password %></p>
<p><%= submit_tag "Save Account Settings" %>
<% end %>
require 'net/http'

# Slide demonstration of the mass-assignment problem: a request built by hand
# rather than by the edit form.  It is routed to UsersController#update because
# the body carries _method=put -- the same override edit.rhtml sends through
# :html => { :method => :put } -- and it submits user[is_administrator]=1, a
# field the form never renders.  Whether that field is written is decided
# solely by the model's attr_accessible list, since the controller passes
# params[:user] through unfiltered.
http = Net::HTTP.new 'localhost', 3000
# The response is discarded; only the server-side effect is of interest here.
http.post "/users/1", 'user[is_administrator]=1&_method=put', { 'Content-Type' => 'application/x-www-form-urlencoded' }
# Model-side fix for the crafted request above: attr_accessible names the only
# attributes that mass assignment (Contact.new(params[...]), update_attributes)
# may set.  is_administrator is deliberately absent from the list, so the
# user[is_administrator]=1 field in the hand-built POST is ignored.
class User < ActiveRecord::Base
  attr_accessible :login, :password
  has_many :contacts
end
Solution: the h helper, also known as html_escape, converts &, ", > and < into &amp;, &quot;, &gt; and &lt;.
<%# Escape with h before interpolating: @q is the visitor's search text and @user.name may be stored user input, so emitting either raw here would be an HTML-injection (XSS) point. %>
<p>Your search for <em><%= h @q %></em> <%= link_to h(@user.name), user_url(@user) %>
Hashing Passwords
MD5 or SHA1
require 'digest/sha1'

# User model from the "Hashing Passwords" slides: only a SHA1 digest of the
# password is persisted (hashed_password); the plaintext `password` attribute
# exists in memory for the duration of the request and is never stored.
class User < ActiveRecord::Base
  attr_accessor :password

  validates_uniqueness_of :login
  # A password is only mandatory when none is stored yet or a new one is being set.
  validates_presence_of :password, :if => :password_required?
  validates_confirmation_of :password, :if => :password_required?
  before_save :hash_password

  # Authenticates a user by login/password. Returns the user or nil.
  #
  # Recomputes the digest exactly as hash_password does and looks it up
  # together with the login, so a wrong login and a wrong password are
  # indistinguishable to the caller (both return nil).
  def self.authenticate login, password
    find_by_login_and_hashed_password(login, Digest::SHA1.hexdigest(login+password))
  end

  protected

  # Stores SHA1(login + password) in hashed_password before save; does nothing
  # when no new password was supplied.
  #
  # NOTE(review): the digest input is the bare concatenation login+password, so
  # "ab"+"c" and "a"+"bc" hash identically; the login is the only per-user
  # variation (there is no random salt) and SHA1 is a fast digest, so offline
  # guessing against a leaked table is cheap -- a slow, salted password KDF is
  # the modern choice.
  # NOTE(review): because the digest includes login, changing a user's login
  # without also supplying the password leaves a stale hash (this method
  # returns early when password is blank) and authenticate will then fail.
  def hash_password
    return if password.blank?
    self.hashed_password = Digest::SHA1.hexdigest(login+password)
  end

  # True when no digest is stored yet (new account) or a new password was given.
  def password_required?
    hashed_password.blank? || !password.blank?
  end
end
end