Comments on: Proper Error Handling in Rails Controllers http://www.pervasivecode.com/blog/2009/07/27/proper-error-handling-in-rails-controllers/ Jamie Flournoy's Software Development Blog Sat, 12 Jun 2010 04:23:27 -0500 http://wordpress.org/?v=2.8.4 hourly 1 By: Ennuyer.net » Blog Archive » Rails Reading - August 4, 2009 http://www.pervasivecode.com/blog/2009/07/27/proper-error-handling-in-rails-controllers/comment-page-1/#comment-19872 Ennuyer.net » Blog Archive » Rails Reading - August 4, 2009 Wed, 05 Aug 2009 08:19:58 +0000 http://www.pervasivecode.com/blog/?p=131#comment-19872 [...] Pervasive Code » Proper Error Handling in Rails Controllers [...] [...] Pervasive Code » Proper Error Handling in Rails Controllers [...]

]]> By: Jamie Flournoy http://www.pervasivecode.com/blog/2009/07/27/proper-error-handling-in-rails-controllers/comment-page-1/#comment-19608 Jamie Flournoy Wed, 29 Jul 2009 02:07:13 +0000 http://www.pervasivecode.com/blog/?p=131#comment-19608 I disagree that it belongs in the framework, but only because of Rails application templates. In other words, you probably shouldn't be starting with a generic Rails app anymore, unless your app is super weird and doesn't resemble any of the available templates. There's still the issue of retooling: at what point does it make sense to reimplement your app on top of a template that uses stuff that didn't exist when you started. So how do we retroactively beef up the security of some Rails app that's 18+ months old? Maybe your argument about it belonging in the framework holds water after all. :) I disagree that it belongs in the framework, but only because of Rails application templates. In other words, you probably shouldn’t be starting with a generic Rails app anymore, unless your app is super weird and doesn’t resemble any of the available templates.

There’s still the issue of retooling: at what point does it make sense to reimplement your app on top of a template that uses stuff that didn’t exist when you started. So how do we retroactively beef up the security of some Rails app that’s 18+ months old? Maybe your argument about it belonging in the framework holds water after all. :)

]]> By: Adam Breindel http://www.pervasivecode.com/blog/2009/07/27/proper-error-handling-in-rails-controllers/comment-page-1/#comment-19595 Adam Breindel Tue, 28 Jul 2009 18:26:27 +0000 http://www.pervasivecode.com/blog/?p=131#comment-19595 Great post! Especially the part about "you forgot to check that the ID being deleted matches the currently logged in user" ... Actually, Rails really needs better secure-by-default configuration. Stuff like attr_accessible is a step in the right direction, but ... considering Rails is already a heavy full-stack framework, I'd make a standard auth mechanism part of the stack unless the developer specifically disables it. Having a standard baked in user/role/access system would make it easy-ish to have the meta-programming-based code (e.g. joins) perform checks on all data access, etc. I'd even go so far as to make the production config automatically use https for urls, and add a utility to generate and handle certs for testing. Great post! Especially the part about “you forgot to check that the ID being deleted matches the currently logged in user” …

Actually, Rails really needs better secure-by-default configuration. Stuff like attr_accessible is a step in the right direction, but … considering Rails is already a heavy full-stack framework, I’d make a standard auth mechanism part of the stack unless the developer specifically disables it. Having a standard baked in user/role/access system would make it easy-ish to have the meta-programming-based code (e.g. joins) perform checks on all data access, etc.

I’d even go so far as to make the production config automatically use https for urls, and add a utility to generate and handle certs for testing.

]]>