Rails Lessons Learned the Hard Way

Things I've learned the hard way in Rails:
  • Layouts run inside views, not the other way round. Set an instance variable in app/views/monkeys/show.html.erb and it will be defined in app/views/layouts/monkey.html.erb but not vice versa.
    • set instance vars in view
      @foo_val = find_foo_val
    • pass variables to partials using
      <%= render :partial => "root/license", :locals => { :foo => @foo_val } -%>
    • use the instance var freely in the layout; it will take the value defined in the view
  • Dump an object for bobo debugging through the console or log:
    $stderr.puts tag_list.to_yaml
  • In a migration, if you define a unique index on an attribute, make sure both the index AND the attribute are :unique => true, or else you'll get no uniqueness validation from Rails:
       create_table :monkeys do |t|
         # set :unique here
         t.string :name, :default => "", :null => false, :unique => true
       end
       # if you have :unique here (index on the same table as above)
       add_index :monkeys, [:name], :name => :name, :unique => true
  • If you scaffold a User or other object with private data, MAKE SURE you strip out fields you don't want a user setting or viewing:
    • Set attr_accessible, which controls data coming *in* -- prevents someone setting an attribute by stuffing in a form value.
    • In each view (.html.erb etc.) and render method (to_xml), strip out fields you don't want anyone to see using the :only => [:ok_to_see, :this_too] parameter.
    • Set filter_parameter_logging, which controls what goes into your logs. (Logs should of course be outside the public purview, but 'Defense in Depth' is ever our creed.)
    Using the restful-authentication generator as an example:
    • In the model, whitelist fields the user is allowed to set (this excludes things like confirmation code or usergroup):
      attr_accessible :login, :email, :password, :password_confirmation
    • In the controller file, whitelist only the fields you wish to serialize to XML:
      format.xml { render :xml => @user.to_xml(:only => [:first_name, :last_name]) }
    • Obviously, in show.html.erb and edit.html.erb strip out fields that shouldn't be seen.
    • In the model file, blacklist fields from the logs:
      filter_parameter_logging :password, :salt, "activation-code"
  • I won't even tell you how often this happens to me: If you edit or install code in a plugin, restart the server.
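To see the first of the three controls above (attr_accessible on incoming data) in action, here is an added stand-alone Ruby sketch; it is not code from the original post, from Rails or from restful-authentication. The User class, its admin and activation_code columns, the returned list of dropped keys and the signup_from_tampered_form request are assumptions made for illustration.

```ruby
# Stand-alone sketch of the attr_accessible whitelist (not Rails' own code).
module MassAssignmentWhitelist
  def self.included(base)
    base.extend(ClassMethods)
  end
  module ClassMethods
    # Declare the only attributes a request may set through mass assignment.
    def attr_accessible(*names)
      @accessible = names.map(&:to_s)
    end
    def accessible_attributes
      @accessible || []
    end
  end
  # Mass assignment: apply whitelisted keys, drop the rest. Rails logs a
  # warning for dropped keys; here they are returned so a test can inspect them.
  def assign_attributes(params)
    dropped = []
    params.each do |key, value|
      if self.class.accessible_attributes.include?(key.to_s)
        send("#{key}=", value)
      else
        dropped << key.to_s
      end
    end
    dropped
  end
end

# Hypothetical user model: the restful-authentication signup fields plus two
# columns a user must never set for themselves.
class User
  include MassAssignmentWhitelist
  attr_accessor :login, :email, :password, :password_confirmation,
                :admin, :activation_code
  attr_reader :dropped
  attr_accessible :login, :email, :password, :password_confirmation
  def initialize(params = {})
    @admin = false # safe default; only whitelisted keys are applied below
    @dropped = assign_attributes(params)
  end
end

# Constructed request params: a normal signup form with two extra fields added.
def signup_from_tampered_form
  User.new("login" => "bob", "email" => "bob@example.com",
           "password" => "s3cret", "password_confirmation" => "s3cret",
           "admin" => true, "activation_code" => "")
end
```

The point to check in your own app is the dropped list: anything a form can submit that is not in attr_accessible must land there, not on the record.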
