Dev411 Blog: Category rails

Typo - Upgrading to 4.1.1

2007-06-16T17:36:00-05:00

I finally got around to upgrading from Typo 4.0.0 r1188 to Typo 4.1.1 and it was pretty smooth. I had held off for a while because Typo was changing a lot under the covers with some much needed refactoring and I have a few hacks I didn't feel like modifying with every minor update.

I ran into some initial issues because I was installing from the tarball and not the gem. I had an older version of Rails and Typo 4.1.1 needs Rails 1.2.3. Running "rake migrate" doesn't check the Rails version and would just abort. Eventually I guessed the problem reading the --trace output and I was on my way. The other curiosity was that Gem's --install-dependencies didn't work for me. I still had to install/upgrade rake, activerecord and a number of other packages before installing rails using gem. I think it would be nice if --install-dependencies did install those or at least showed all the packages that were needed in one report instead of just showing one and aborting. Perhaps there was something wrong with my setup. With CPAN, you get to see all the required dependencies in the first report and it will install them all for you in one shot. However, compared to gem, CPAN might show too much information by default. Perhaps the majority of the information CPAN shows should be moved to a non-default verbose mode.

I have a few hacks running on this blog so the update consisted of the following:

Theme: This blog runs a modified version of Azure which used a table that no longer exists in 4.1.1. Because of this Typo wouldn't start. To get around this I did a manual SQL update of the settings column in the blogs table to reset the theme to Azure before migrating my mods over. The settings field is an aggregate field with serialized information delimited by carriage returns. I prefer using JSON to serialize complex data structures stored in a single db field which I think is much more maintainable.
Categories Sidebar: This had moved from ./components/plugins/sidebar/category to ./vendor/plugins/category_sidebar. Now that the sidebars are stand-alone Rails plugins, it makes more sense for me to turn my custom Category sidebar into its own thing instead of modifying the existing one.
Notable Links: I put together some social bookmarking links a while back for Typo 4.0.0 and it was reported to no longer function with 4.1.1. A little checking showed that article.location was no longer available and replaced by article.permalink_url. Both 4.1.1 and 4.0.0 versions of the Notable view are now available. The method call used to display the article body in ./views/articles/read.rhtml had also changed. This is used as a reference point to insert new code.
Table of Contents: The Table of Contents solution I had put together had also broken and is now fixed. It is interesting to see the progression of link creation from 2.6.0 to 4.0.0 to 4.1.1. The previous two used Rails' link_to helper but 4.1.1 creates the HTML manually.

The rest of the changes were pretty straight-forward to carry across, including the category icons and routes.rb mods I use.

Overall, the upgrade was smooth after I figured out I needed to upgrade Rails from the rake migrate failure. I like the refactoring of the plugins and look forward to making some.

Frédéric de Villamil, the current Typo maintainer, menioned that 5.0 is coming and will have the following features:

Plugin Manager: to download and install plugins from the official repository
Advanced Theme Manager: to download and install themes from the official themes repository
Real Multi-User Support
OpenID Support
and more....

I've been pleasantly surprised with the development activity happening around Typo and can't wait for version 5.0.

Rails 1.1.4 LOAD_PATH vulnerability

2006-08-10T12:20:00-05:00

A couple of people have blogged about their use of the "elite hacking tool diff -r" to identify the problem solved by the Rails 1.1.5 Mandatory Mystery Patch. The problem is that Rails accepted LOAD_PATH as a HTTP request header with any file upload so a hacker could upload ruby controllers and then execute them by accessing the newly exposed URIs. This is discussed by Kristian Köhntopp and Evan Weaver.

Brian Hogan reports the 1.1.5 fix does not work with Mongrel and Sander Land's fix is needed. The issue is being discussed on Ruby Forums and here's the latest patch':

--- routing.rb.orig     2006-08-10 12:20:12.830325000 -0500
+++ routing.rb  2006-08-10 12:20:26.043147000 -0500
@@ -273,7 +273,7 @@
             $LOAD_PATH.select do |base|
               base = File.expand_path(base)
               extended_root = File.expand_path(RAILS_ROOT)
-
base.match(/\A#{Regexp.escape(extended_root)}\/*#{file_kinds(:lib) *
'|'}/) || base =~ %r{rails-[\d.]+/builtin}
+
base.match(/\A#{Regexp.escape(extended_root)}\/+(#{file_kinds(:lib) *
'|'})/) || base =~ %r{rails-[\d.]+/builtin}
             end
           else
             $LOAD_PATH

37Signals is getting some flack for keeping this a secret when it's so easy to discover what the issue is. Hopefully they'll learn their lesson. They'd also come across as more professional without things like this: http://www.flickr.com/photos/planetargon/127984254/.

Rails 1.1.5 routing vulnerability

2006-08-10T10:37:00-05:00

People are reporting a Rails 1.1.5 routing vulerability where accessing certain URIs will crash Rails. The problem has been reported on Mongrel, WeBrick and FastCGI. Piers Cawley is working on an explicit routes fix for Typo and discusses the issue on his blog. This has not been mentioned on the RoR blog yet. Good thing for public forums.

While this is being fixed you can take steps to protect your own apps by ensuring only valid urls are allowed to make it to your Rails app.

Some problem URIs that have been mentioned include:

active_support/dependencies
breakpoint_client
builder/blankslate
cgi

I've added some mod_rewrite rules for now but I'm hoping there will be a better solution soon.

If you are using 1.1.5 with Mongrel, see Rails 1.1.4 LOAD_PATH vulernability for a patch to make them work together.

UPDATE:This is now mentioned on the RoR blog with their recommended mod_rewrite fixes for Apache and lighttpd if you can't upgrade to 1.1.6 right away:

Apache:

RewriteRule ^(app|components|config|db|doc|lib|log|public|script|test|tmp|vendor)/ - [F]

lighttpd:

url.rewrite-once = ( "^/(app|components|config|db|doc|lib|log|public|script|test|tmp|vendor)/" => "index.html" )

Upgrading Typo 4.0.0 to Rails 1.1.5/1.1.6

2006-08-10T01:14:00-05:00

It was recently announced that Rails 1.1.0, 1.1.1, 1.1.2, and 1.1.4. have a very serious security hole. Although the RoR blog hasn't discussed exactly what the hole is, it has been rumored to involve uploading of .rb files to execute arbitrary code on the server (UPDATE: now confirmed). Typo only allows file uploads by administrators so certain applications may be somewhat safer. (UPDATE: Running arbitrary code was fixed in 1.1.5 however you could still crash it. 1.1.6 has been released to fix these lingering bugs. Just change 1.1.5 to 1.1.6 below).

Scott Laird is working on releasing Typo 4.0.1 (now released) which will include Rails 1.1.5 but until then, or if you don't want to upgrade Typo, you can simply upgrade the Rails used by Typo by installing the 1.1.5 vendor/rails directory over the existing one. Here are some steps:

$ cd /tmp
$ wget http://rubyforge.org/frs/download.php/12258/rails-1.1.5.tgz
$ tar -zxf rails-1.1.5.tgz
$ cd rails/vendor
$ tar -zcf rails-1.1.5-vendor-rails.tgz rails
$ mv rails-1.1.5-vendor-rails.tgz /path/to/typo/vendor
$ cd /path/to/typo/vendor
$ tar -zxf rails-1.1.5-vendor-rails.tgz

To verify that Rails has been updated you can view the version.rb file which should now give you the following:

$ cat rails/railties/lib/rails/version.rb
module Rails
  module VERSION #:nodoc:
    MAJOR = 1
    MINOR = 1
    TINY  = 5

    STRING = [MAJOR, MINOR, TINY].join('.')
  end
end

You'll probably want to back up the existing vendor/rails directory as this will extract the 1.1.5 files over it. If you simply swap vendor directories, you'll get a lot of missing requirements errors (e.g. redcloth, bluecloth, rubypants, uuidtools, etc.) because rails isn't the only thing installed under vendor for Typo.

Mongrel and non-root URIs

2006-07-23T12:59:00-05:00

Two weeks ago, Scott Laird posted a Mongrel patch to the Typo list to make it work with non-root URIs. I'm particularly interested in this because Mongrel is getting more mindshare and my blog uses a non-root URI. The patch has been submitted to Zed Shaw for inclusion but, until it's in, here are some links since I don't think this is easy to find:

UPDATE: This is now included in Mongrel 0.3.13.4 pre-release.

Prototype's future in Rails

2006-07-20T17:22:00-05:00

The future of Prototype (the JavaScript AJAX library), both as a stand-alone library and as a part of Rails, is being discussed by the community on the rails-spinoffs list. The primary concerns appear to be:

Prototype is driven by one person who hasn't been very active on the list. Some patches are integrated but often without communication
it is difficult for others to contribute
there is no visibility into the roadmap for prototype
prototype is "falling behind" relative to other libraries

The one person vs. community aspect of the discussion reminds me of Red Hat rebuilds. When Red Hat stopped distributing free binaries, a number of projects took advantage of GPL and started providing free rebuild binaries. At first, White Box Enterprise Linux (WBEL) was the most popular and wide-spread rebuild but it was maintained by one person who occasionally got busy. It was eventually overtaken by CentOS which is maintained by a community.

For now, Prototype will remain popular because it comes bundled with Rails and is the basis for RJS and Scriptaculous. Thomas Fuchs has come out and said, "script.aculo.us will always depend on Prototype". Still, I wonder if community maintenance isn't a better way to go for something that's relied on by so many people. Some are even concerned that Rails itself will become less viable if it continues to attach itself to Prototype and the project management doesn't change.

You can follow the thread by going to the list archives page and looking for the subject name "Documenting Prototype...". Greg Hill's post seems like a reasonable place to start.

Adding a TOC to Typo

2006-06-26T16:37:00-05:00

I've been using MediaWiki for a while and wanted its ability to auto-generate Table of contents for pages with multiple articles such as the homepage and the category pages. Typo is a Ruby on Rails app so you'll need to be somewhat familiar with it to make enhancments. I have this running on Typo 4.1.1, 4.0.0 r1188 and 2.6.0.

I came up with the following but it's still in the early stages:

Add name attribute to article links: We want to add the HTML name attribute to the article links so we can anchor to them. To do this, edit the app/helpers/application_helper.rb file and modify the appropriate method shown below with the changes in highlighted.

For Typo 4.1.1:

def link_to_permalink(item, title, anchor=nil, name=nil)
  anchor = "##{anchor}" if anchor
  name   = " name=\"#{name}\"" if name
  "<a href=\"#{item.permalink_url}#{anchor}\"#{name}>#{title}</a>"
end

For Typo 4.0.0:

def item_link(title, item, anchor=nil)
  if item.is_a?(Article) && anchor != 'comments'
  && anchor != 'trackbacks'
    link_to title, item.location(anchor), :name => item.id
  else
    link_to title, item.location(anchor)
  end
end

For Typo 2.6.0:

def article_link(title, article, anchor=nil)
  link_to title, article_url(article,true,anchor),
    :name => article.id
end

For Typo 4.1.1, you will also need to edit the app/views/articles/index.rhtml file and make the following modification:

<%= link_to_permalink article,article.title,nil,article.id %>

Add TOC template: I decided to create a separate template to handle the TOC. I used the following file name:

app/views/articles/_articles_toc.rhtml

which consists of the following (I didn't use link_to because the uri is only the article.id):
```
<div id="articles_toc"><p>Table of Contents</p>
  <ul>
  <% for article in @articles -%>
    <li>
      <a href="#<%= article.id %>">
        <%= article.title %>
      </a>
    </li>
  <% end -%>
  </ul>
</div>
```
Call the TOC template: To call the TOC template from index.rhtml, add the following at the top of app/views/articles/index.rhtml
```
<%= render_partial "articles_toc" %>
```
Style with CSS: You'll probably want to style the TOC using CSS. Since the TOC feature is a hack it may be easier to put it in a supplementary CSS file so it won't get overwritten when you switch themes.
TODO - Admin Console: To make this a full-fledged enhancement, there should be a toggle in the admin console to turn the TOC on and off. Right now this also shows the list for the index and category pages even when there's just one article on the page. It may be worthwhile to configure a mininum number of articles before the TOC is displayed.

I'll run this on this blog for now since I like having a quick way to see the list of articles on the page.

UPDATE 1: I added the number of comments to the existing TOC here. You can get the number of comments by using article.comments.length.

UPDATE 2: I also looked at turning this into a sidebar plugin by using the bundled 2.6.0 plugins as examples. It seems that the sidebars are components and have their own context so they may not be able to access @articles in the action context. I'll either have to query articles a second time, which I'm loathe to do, or write it in JS and then do a JS sidebar rendering. It would be nice if the sidebar shared or could access the primary context.

UPDATE 2.1: After looking at layouts/default.rhtml I think it may be possible to pass @articles to the sidebar by adding it to:

<%= render_component(:controller=>'sidebars/sidebar'

default.rhtml gets @content_for_layout, not @articles, so some testing is needed.

UPDATE 3: I was running the Lucid theme here before but I had problems with anchors in that articles and sidebar content above the selected anchor wouldn't render when an anchor was selected. I've switched back to Azure for now.

ActiveRecord - Achilles Heel of Ruby on Rails?

2006-06-04T11:12:00-05:00

IMO, one of the major limitations of Ruby on Rails compared to other frameworks is its ORM, ActiveRecord. ActiveRecord is a fairly early ORM (object-relational mapper) that has made some questionable design decisions and doesn't support some very basic relational database concepts. These issues have been discussed on Joel on Software and elsewhere. Here are some limitations I wish were fixed:

No Foreign Key Support: Although RoR lets you define has_many relationships, it makes no effort to create foreign key constraints in the underlying database to ensure relational integrity.
No Multi-column Primary Key Support: Multi-column primary keys are a staple of relational database schema definition. Unfortunately, DDH had a pretty simple response:

> Is there a way to set an ActiveRecord object to point to a table
> with a multi-column primary key?

Not really, no. Active Record was designed for a single column primary key and that assumption runs pretty deep. AR is not a Data Mapper, so you have to be within a reasonable vicinity of its assumptions to enjoy it.
- David Heinemeier Hansson

As DHH says in his multi-col PK response, you need to be close to ActiveRecord's assumptions, it doesn't cater to your situation. ActiveRecord is nice for many simpler situations but if you want relational integrity and/or have complex relationships, it seems like it may not be the best tool for the job. Other ORMs such as the Perl-based DBIx::Class (often used with the Catalyst framework) can handle these issues and many more. According to the 37Signals blog entry Growing in vs. growing out, they prefer people to grow out of their applications. I'm curious if they also want people to grow out of ActiveRecord?