Action Controller Overview, Season 1

The 12th Round of ROR Lab.

Action Controller
Overview

May 12th, 2012

Hyoseong Choi
ROR Lab.

A Controller

• RESTful applications
• like an orchestra conductor
• as a middle man btw models and views

ROR Lab.

Methods & Actions
• A “class” has methods
• A controller < ApplicationController
• public methods => “action” <= routing

ROR Lab.

Parameters
• Two kinds of parameters
- Query string
- Post data
• by params hash
• “Routing” parameters

ROR Lab.

Parameters
• default_url_options

class PostsController < ApplicationController
  # The options parameter is the hash passed in to 'url_for'
  def default_url_options(options)
    {:locale => I18n.locale}
  end
end

ROR Lab.

Session
stateless => stateful

ActionDispatch::Session::CookieStore
• ActiveRecord::SessionStore
• ActionDispatch::Session::CacheStore
• ActionDispatch::Session::MemCacheStore

ROR Lab.

Session
Accessing the Session

class LoginsController < ApplicationController
  # "Create" a login, aka "log the user in"
  def create
    if user = User.authenticate(params[:username], params[:password])
      # Save the user ID in the session so it can be used in
      # subsequent requests
      session[:current_user_id] = user.id
      redirect_to root_url
    end
  end
end

ROR Lab.

Session
Removing a Session Key

  # "Delete" a login, aka "log the user out"
  def destroy
    # Remove the user id from the session
    @_current_user = session[:current_user_id] = nil
    redirect_to root_url
  end
end

ROR Lab.

Session
Flash

• cleared with each request
• only available in the next request
• useful for storing error messages etc

ROR Lab.

Session
Flash

redirect_to root_url, :notice => "You have successfully logged out"

ROR Lab.

Session
Flash

ROR Lab.

Session
Flash
flash.keep

class MainController < ApplicationController
  # Let's say this action corresponds to root_url, but you want
  # all requests here to be redirected to UsersController#index.
  # If an action sets the flash and redirects here, the values
  # would normally be lost when another redirect happens, but you
  # can use 'keep' to make it persist for another request.
  def index
    # Will persist all flash values.
    flash.keep

    # You can also use a key to keep only some kind of value.
    # flash.keep(:notice)
    redirect_to users_url
  end
end

ROR Lab.

Session
Flash
ﬂash.now

class ClientsController < ApplicationController
  def create
    @client = Client.new(params[:client])
    if @client.save
      # ...
    else
      ﬂash.now[:error] = "Could not save client"
      render :action => "new"
    end
  end
end

ROR Lab.

Cookies
• persisted across request and even sessions

class CommentsController < ApplicationController
  def new
    # Auto-ﬁll the commenter's name if it has been stored in a cookie
    @comment = Comment.new(:name => cookies[:commenter_name])
  end

  def create
    @comment = Comment.new(params[:comment])
    if @comment.save
      ﬂash[:notice] = "Thanks for your comment!"
      if params[:remember_name]
        # Remember the commenter's name.
        cookies[:commenter_name] = @comment.name
      else
        # Delete cookie for the commenter's name cookie, if any.
        cookies.delete(:commenter_name)
      end
      redirect_to @comment.article
    else
      render :action => "new"
    end
  end
end

ROR Lab.

Cookies
• to delete a cookie value

cookies.delete(:key)

ROR Lab.

xml & json data

class UsersController < ApplicationController
  def index
    @users = User.all
    respond_to do |format|
      format.html # index.html.erb
      format.xml { render :xml => @users}
      format.json { render :json => @users}
    end
  end
end

ROR Lab.

Filters

before Action after

around

ROR Lab.

Filters
class ApplicationController < ActionController::Base
  before_ﬁlter :require_login

  private

  def require_login
    unless logged_in?
      ﬂash[:error] = "You must be logged in to access this section"
      redirect_to new_login_url # halts request cycle
    end
  end

  # The logged_in? method simply returns true if the user is logged
  # in and false otherwise. It does this by "booleanizing" the
  # current_user method we created previously using a double ! operator.
  # Note that this is not common in Ruby and is discouraged unless you
  # really mean to convert something into true or false.
  def logged_in?
    !!current_user
  end
end

ROR Lab.

Filters
• skip_before_ﬁlter
skip_before_ﬁlter :require_login, :only => [:new, :create]
end

ROR Lab.

Filters
• around_ﬁlter
class ChangesController < ActionController::Base
  around_ﬁlter :wrap_in_transaction, :only => :show

  private

  def wrap_in_transaction
    ActiveRecord::Base.transaction do
      begin
        yield
      ensure
        raise ActiveRecord::Rollback
      end
    end
  end
end

ROR Lab.

Filters

• Three Ways to User Filters
- a private method
- a block
- a class

ROR Lab.

Filters
• Using a Block in more simple cases
  before_ﬁlter do |controller|
    redirect_to new_login_url unless controller.send(:logged_in?)
  end
end

ROR Lab.

Filters
• Using a Class in more complex cases
  before_filter LoginFilter
end

class LoginFilter
  def self.filter(controller)
    unless controller.send(:logged_in?)
      controller.flash[:error] = "You must be logged in"
      controller.redirect_to controller.new_login_url
    end
  end
end

ROR Lab.

CSRF

• Site to site hacking
• First step for this with non-GET request
:create/update/destroy

• RESTful default to protect CSRF
• Nevertheless, non-GET request still
vulnerable

ROR Lab.

CSRF
• To add a non-guessable token with form helpers

<%= form_for @user do |f| %>
  <%= f.text_ﬁeld :username %>
  <%= f.text_ﬁeld :password %>
<% end %>

<form accept-charset="UTF-8" action="/users/1" method="post">
<input type="hidden"
       value="67250ab105eb5ad10851c00a5621854a23af5489"
       name="authenticity_token"/>

</form>

ROR Lab.

CSRF
• form_authenticity_token in custom Ajax calls

<%= form_for @user do |f| %>
  <%= f.text_ﬁeld :username %>
  <%= f.text_ﬁeld :password %>
<% end %>

<form accept-charset="UTF-8" action="/users/1" method="post">
<input type="hidden"
       value="67250ab105eb5ad10851c00a5621854a23af5489"
       name="authenticity_token"/>

</form>

ROR Lab.

Request & Response
Objects

• Two methods in every controller
- `request` method => request object
- `response` method => response object

ROR Lab.

Request Objects

ROR Lab.

Request Objects

• Three hash parameters for request objects
- path_parameters
- query_parameters : query string
- request_parameters : post data

ROR Lab.

Response Objects

• like in an `after` ﬁlter
ROR Lab.

Response Objects

response.headers["Content-Type"] = "application/pdf"

ROR Lab.

HTTP
Authentications

ROR Lab.

HTTP
Authentications
• Two types
- Basic authentication
: using base 64 encoding
- Digest authentication
: using MD5 encoding

ROR Lab.

HTTP
Authentications
• Basic authentication
class AdminController < ApplicationController
http_basic_authenticate_with :name => "humbaba", :password => "5baa61e4"
end

ROR Lab.

HTTP
Authentications
• Digest authentication
class AdminController < ApplicationController
  USERS = { "lifo" => "world" }

  before_ﬁlter :authenticate

  private

  def authenticate
    authenticate_or_request_with_http_digest do |username|
      USERS[username]
    end
  end

ROR Lab.

Streaming & File
Downloads
require "prawn"
  # Generates a PDF document with information on the client and
  # returns it. The user will get the PDF as a file download.
  def download_pdf
    client = Client.find(params[:id])
    send_data generate_pdf(client),
              :filename => "#{client.name}.pdf",
              :type => "application/pdf",
:disposition => "attachement"
  end

  private

  def generate_pdf(client)
    Prawn::Document.new do
      text client.name, :align => :center
      text "Address: #{client.address}"
      text "Email: #{client.email}"
    end.render
  end
end

send_data ROR Lab.

Streaming & File
Downloads
  # Stream a file that has already been generated and stored on disk.
  def download_pdf
    client = Client.find(params[:id])
    send_file("#{Rails.root}/files/clients/#{client.id}.pdf",
              :filename => "#{client.name}.pdf",
              :type => "application/pdf")
  end

send_file ROR Lab.

Streaming & File
Downloads
in a RESTful application

require "prawn"

  def show
    @client = Client.ﬁnd(params[:id])

    respond_to do |format|
      format.html
      format.pdf { render :pdf => generate_pdf(@client) }
    end
  end

  private

  def generate_pdf(client)
    Prawn::Document.new do
      text client.name, :align => :center
      text "Address: #{client.address}"
      text "Email: #{client.email}"
    end.render
  end
end

send_ﬁle ROR Lab.

Streaming & File
Downloads
• in conﬁg/initializer/mime_types.rb
in a RESTful application

send_ﬁle ROR Lab.

Parameter
Filtering
• in config/application.rb
config.filter_parameters << :password

ROR Lab.

Rescue
  rescue_from User::NotAuthorized, :with => :user_not_authorized

  private

  def user_not_authorized
    flash[:error] = "You don't have access to this section."
    redirect_to :back
  end
end

  # Check that the user has the right authorization to access clients.
  before_filter :check_authorization

  # Note how the actions don't have to worry about all the auth stuff.
  def edit
    @client = Client.find(params[:id])
  end

  private

  # If the user is not authorized, just throw the exception.
  def check_authorization
    raise User::NotAuthorized unless current_user.admin?
  end

ROR Lab.

Force HTTPS
protocol
class DinnerController
  force_ssl
end

class DinnerController
  force_ssl :only => :cheeseburger
  # or
  force_ssl :except => :cheeseburger
end

# Force all access to the app over SSL, use Strict-Transport-Security, and use
secure cookies.
conﬁg.force_ssl = true

ROR Lab.

Action Controller Overview, Season 1

More Related Content

What's hot (18)

Viewers also liked (14)

Similar to Action Controller Overview, Season 1 (20)

More from RORLAB (20)

Recently uploaded (20)

Action Controller Overview, Season 1

Editor's Notes