I am designing a website which has many users, each user has many posts, and each post has many photos. Because I hope user can preview the upload photos when they are creating new post, I found the answer here, which suggested using a subform to upload photos.
I use carrierwaves to handle photo upload, and jquery-file-upload for user interface. The models are:
class User < ActiveRecord::Base
has_many :posts, dependent: :destroy
end
class Post < ActiveRecord::Base
attr_accessible :title, :description, :photo_ids
belongs_to :user
has_many :photos, :dependent => :destroy
end
class Photo < ActiveRecord::Base
mount_uploader :image, ImageUploader
attr_accessible :image
belongs_to :post
end
In the new post view, I put a jquery-file-upload UI above the normal post form, then:
When user select a photo, it will be uploaded to PhotosController via jquery-file-upload api. The post_id for this photo is nil at this step.
After photo uploaded finished, I use javascript to add a hidden input form like this:
input type="hidden" id="collection_image_ids" name="collection[collection_image_ids][]" value=#{the id of the photo}
User can repeat step 1&2 many times, then submit the post.
Everything works well, however....
I don't think it's a good idea to allow mass assignment for photo_ids because someone can use this request to assign other user's photo to his post. (in edit view)
The reference answer suggested using some randomized access key to improve the security,
but when someone visit other user's post, he can still get the randomized access key of those photos, right?
So the implementation is not safe for now right?
Could anyone give me some suggestions or what is the proper way to handle this problem?
Related
in a Rails 3 application there are two models assinged to each other by belongs_to and has_one. On both sides there is :depended => :destroy configured for this association.
now I had to add a :before_destroy callback in one of these models. the problem is now that this callback is triggered twice when an entity which includes this callback is destroyed. When I remove :depended => :destroy in the other model, it's triggered only once. So it seems this i causing the problem.
is there an elegant way to fix this ?
:dependent
Controls what happens to the associated objects when their owner is destroyed
dependent destroy must be alone in a model
has_many :comments, dependent: :destroy
has_one :position, dependent: :destroy
Sorry for my english XD
i have an application am designing which consists of users making friends and users
having many posts, paintings, friends and talks
the model is below
class User < ActiveRecord::Base
has_many :paintings, :dependent => :destroy
has_many :sells, :dependent => :destroy
has_many :posts, :dependent => :destroy
has_many :talks, :dependent => :destroy
has_many :friends
has_many :comments
end
i have set a notification system in which when a user creates a post or painting e.t.c
a notification is sent to the users friends which i have achieved with public_activity gem,
what i intend to achieve is a notification system in which when the notification is created, every user involved can mark as seen i.e they have seen it so THAT notification is not shown to the user anymore... And also when a user comments on a notification, i want a notification to be sent to the owner of the activity, and any other user that comments on THAT notification... IN SUMMARY, I NEED A FACEBOOK LIKE NOTIFACATION SYSTEM...
Have you considered creating a Notification after the relevant post/painting has been added?
Notifications would be created (probably using an after_create action on each of the relevant models e.g. posts, paintings).
class Post < ActiveRecord::Base
after_create :create_notification
private
def create_notification
# create notification here
end
end
If there are lots of notifications to be created then you may wish to consider creating them in a background job.
A notification would belong to the target friend of the user and could therefore be marked as seen through an attribute on the notification. You would include instance methods on the notification object to deal with this.
class Notification < ActiveRecord::Base
belongs_to :user # friend of the originating user
def mark_seen
update_attributes(viewed: true)
end
end
You could also add scopes on the notifications to make sure that users can easily see unseen notifications.
class User < ActiveRecord::Base
has_many :notifications
has_many :unseen_notifications, conditions: "notifications.viewed IS false" #or something like that
end
Hope this helps to set you on the right track.
I am trying to write a database for a company in town. I am using Devise for authentication, and Forem for the forums of the site. I decided to just have one class, "Account" for the Devise authentication, which will have many different access types to the site.
The bulk of the users will be just customers, which are segregated by routes (not Rails routes, street routes). So I decided to have them have their own profile model.
I want to do this - Profile is linked to account, and to route. (Routes are named gmr_routes)
Is this code the proper way to do it? Documentation I've found hasn't told me I can't, but I just want to be sure....
class Profile < ActiveRecord::Base
attr_accessible :first_name, :last_name, :phone_number, :street_address
belongs_to :account
belongs_to :gmr_route
end
Account has a has_one relationship with Profile, and gmr_route has a has_many.
Is this right?
Bryan
Yes, that's perfectly acceptable. You need to remember to include a foreign key id on any model with a belongs_to.
So in the case you describe, you would have account_id:integer and gmr_route_id:integer in your migration, and include those in the attr_accessible call in your model
I have just added devise_invitable to an app with a working implementation of devise already in place.
The invitation process itself all works fine (email is sent, new user can click link and set password etc).
The problem is that the inviter, a User, has an associated Profile, which is deleted when the inviter hits the 'Send an invitation' button.
Anyone have any idea why the invitation process would nuke an associated object on the inviter? I am going to try to trace this through the devise_invitable code, but it would be good to know if anyone has had this problem before, or knows where in devise's code the problem might lie.
The User:
has_one :profile, :inverse_of => :user, :dependent => :destroy
The Profile
belongs_to :user, :inverse_of => :profile
The error here is because – by default – devise_invitable's after_invite_path_for simply calls after_sign_in_path_for.
However, it does not pass the current user as the resource, which would be the case with a regular sign in.
If you override after_sign_in_path_for assuming it will only be called after a genuine sign in, as I did, this can be confusing.
(In my particular case: what my overridden method did was to look for the resource's associated profile, and if it didn't have one it would make a new one assuming the user is logging in for the first time. When devise_invitable passed an unexpected resource, this new profile object would overwrite the existing association and the :dependent => :destroy callback would be triggered on the old profile object. D'oh!)
Hi I have a NOOB question in light of what happend at GITHUB with their application being exploited because of the security hole in Rails.
What is the best way to protect object attributes in Rails but still allow them to be assigned values where applicable?
Thanks
Actually Rails 3.1 has added new built-in ways to handle mass-assignment with roles which is probably something that you want to take a look at.
Release notes here
Basically it works like this:
class User < ActiveRecord::Base
attr_accessible :name
attr_accessible :name, :role, :as => :admin
end
What this enables you to do is that you can use the following way to allow the user to update his own information in one of your controllers:
#user.update_attributes(params[:user])
And that usage can never update the :role attribute in the User model. But when you have your admin users managing the roles in a separate controller, then you can user the following syntax:
#user.update_attributes(params[:user], :as => :admin)
And that will allow the :role attribute to be updated as well