I have the Todo tutorial from http://manuals.rubyonrails.com/read/book/7 combined with the login_system from http://wiki.rubyonrails.com/rails/pages/HowToQuicklyDoAuthenticationWithLoginGenerator. I am able to protect the front page with a login, I am able to add/remove/edit Todos, and I am able to create users, login, and logout just as both examples should.

Now, I'm trying to expand the capability. As it stands, with both combined, the auth portion just takes you to the Todo demo, so everyone sees the same list of Todo items. I've expanded the todos table to include a login field so that I know who owns that item. For each user, I want to select only items that belong to that particular user, and can only interact with their items. I would like to access the @session['user'].login somehow from the app/models/todo.rb file where I am currently doing something like

app/models/todo.rb:

  class Todo < ActiveRecord::Base
    def self.find_not_done
      find(:all, :conditions=>["done = 0"], :order=>"description")
    end
  end

and want it to be more like

  find(:all, :conditions=>["done = 0 and login = ?", @session['user'].login], :order=>"description")

Of course, the above doesn't work. As I understand it, the vars from the AccountController such as @session['user'].login cannot be accessed from TodoController? Is there a workaround or should this all really be combined into one controller/model/view? Does anyone have any recommendations for how this can be done?

My app is laid out something like this...

  ./app
  ./app/apis
  ./app/controllers
  ./app/controllers/application.rb
  ./app/controllers/todo_controller.rb
  ./app/controllers/account_controller.rb
  ./app/helpers
  ./app/helpers/application_helper.rb
  ./app/helpers/todo_helper.rb
  ./app/helpers/account_helper.rb
  ./app/models
  ./app/models/todo.rb
  ./app/models/user.rb
  ./app/views
  ./app/views/layouts
  ./app/views/layouts/scaffold.rhtml
  ./app/views/todo
  ./app/views/todo/_display.rhtml
  ./app/views/todo/list.rhtml
  ./app/views/todo/list_tag.rhtml
  ./app/views/todo/list_pri.rhtml
  ./app/views/account
  ./app/views/account/welcome.rhtml
  ./app/views/account/login.rhtml
  ./app/views/account/logout.rhtml
  ./app/views/account/signup.rhtml

mySQL db is structured as follows:

  CREATE TABLE `users` (
    `id` int(11) NOT NULL auto_increment,
    `login` varchar(60) NOT NULL default '',
    `password` varchar(40) NOT NULL default '',
    PRIMARY KEY (`id`)
  ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=7 ;

  CREATE TABLE `todos` (
    `id` int(11) NOT NULL auto_increment,
    `description` varchar(100) NOT NULL default '',
    `done` tinyint(4) NOT NULL default '0',
    `tag` varchar(128) default NULL,
    `priority` int(5) NOT NULL default '0',
    `login` varchar(60) NOT NULL default '',
    PRIMARY KEY (`id`)
  ) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=34 ;

_______________________________________________
Rails mailing list
Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org
http://lists.rubyonrails.org/mailman/listinfo/rails
You should be able to access the session as "session['user']". Verify that the user is actually stored in the session.

Check http://api.rubyonrails.com/classes/ActionController/Base.html

On 11/5/05, Ernie Oporto <ernieoporto-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
It is indeed being stored because I'm able to use it in app/views/todo/list.rhtml. Somehow when I try to use it in app/models/todo.rb I get a message about it being unexpected nil output:

  You have a nil object when you didn't expect it!
  You might have expected an instance of Array.
  The error occured while evaluating nil.[]

This is what I've done instead, but it's not pretty...

in app/controllers/todo_controller.rb:

  def list
    @not_done = Todo.find_not_done(@session[:user].login)
    @done = Todo.find_done(@session[:user].login)
  end

and in app/models/todo.rb:

  def self.find_not_done(char)
    find(:all, :conditions=>["done = 0 and login = \'#{char}\'"], :order=>"description")
  end

after that I was able to change the form in app/views/todo/list.rhtml to have a hidden field for the username...

  <input id="new_item_login" name="new_item[login]" type="hidden" value="<%= @session[:user].login %>" />

so now each person that signs up can see only their items. Now, the question is, does anyone see any vulnerability to XSS in the way I handled that?

Ernie

On 11/5/05, Cuong Tran <cuong.tran-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
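The hidden login field above raises two separate questions: whether the login is HTML-escaped when it is rendered into the attribute (the XSS question), and whether the server should trust the submitted new_item[login] at all when it already knows the owner from the session. This added example, which is not code from the thread and uses plain Ruby with no Rails, shows both; hidden_login_field, create_todo, ALLOWED_FIELDS and the User struct are hypothetical stand-ins for the view and controller pieces.

```ruby
# Added example (not from the thread): the hidden login field in list.rhtml
# seen from the server side, in plain Ruby without Rails.
#  1. A login rendered into an HTML attribute must be HTML-escaped, or a login
#     containing a double quote ends the value="" attribute early.
#  2. Whatever the form submits in new_item[login] is client-controlled; the
#     owner of a new item has to come from the server-side session instead.
require 'cgi'

# Rails' h() helper is CGI.escapeHTML underneath; this mimics rendering
#   <input ... value="<%= h(@session[:user].login) %>" />
# escape: false reproduces the unescaped <%= @session[:user].login %> form.
def hidden_login_field(login, escape: true)
  value = escape ? CGI.escapeHTML(login) : login
  %(<input id="new_item_login" name="new_item[login]" type="hidden" value="#{value}" />)
end

# Constructed stand-ins for the session user and the todos table.
User = Struct.new(:id, :login)
TODOS = []

# Fields a user may set on a new item. "login" is deliberately absent:
# ownership is stamped from the session, never copied from the form.
ALLOWED_FIELDS = %w[description tag priority].freeze

def create_todo(params, session_user)
  raise ArgumentError, "login required" if session_user.nil?
  submitted = params.fetch("new_item", {})
  todo = submitted.select { |field, _| ALLOWED_FIELDS.include?(field) }
  todo["login"] = session_user.login   # owner comes from the session
  todo["done"] = 0
  TODOS << todo
  todo
end

if __FILE__ == $0
  alice = User.new(1, "alice")
  puts hidden_login_field(alice.login)
  # A login chosen at signup that contains a double quote, rendered both ways:
  quoted = User.new(2, 'bob"x')
  puts hidden_login_field(quoted.login, escape: false)  # value ends after bob
  puts hidden_login_field(quoted.login)                 # &quot; keeps it inside
  # A form claiming another owner still gets the session user's login:
  p create_todo({ "new_item" => { "description" => "milk", "login" => "alice" } }, quoted)
end
```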
much more elegant way, imo...

given tables users and todos, and having todos.user_id reference users.id

  class User < ActiveRecord::Base
    has_many :not_done_todos, :class_name => "Todo", :conditions => "done = 0"
    has_many :done_todos, :class_name => "Todo", :conditions => "done = 1"
  end

  class Todo < ActiveRecord::Base
    belongs_to :user
  end

in your controllers or views, you can do:

  @session[:user].not_done_todos

and

  @session[:user].done_todos

Chris

On 11/5/05, Ernie Oporto <ernieoporto-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
Wow. That worked nicely and got rid of everything I had in app/models/todo.rb. Just...wow.

On 11/5/05, Chris Hall <christopher.k.hall-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
personally, i wouldn't go the 'bunch of has_many' route but again, that's me. someone else on the list may have a better idea.

On 11/6/05, Ernie Oporto <ernieoporto-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> I'm just curious because I'm a real newbie at this, and you seem really knowledgeable about Rails.
> Would it be less hokey to have a bunch of has_many statements?
>
>   has_many :not_done_todos
>   has_many :not_done_todos_tag
>   has_many :not_done_todos_pri
>   has_many :done_todos
>   has_many :done_todos_tag
>   has_many :done_todos_pri
>
> On 11/6/05, Chris Hall <christopher.k.hall-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> >
> > i've only seen it work with model attributes that way.
> >
> > you could try adding an attribute to your model like:
> >
> >   class User < ActiveRecord::Base
> >     has_many :not_done_todos, :class_name => "Todo", :conditions => "done = 0", :order => '#{sort_todos_by}'
> >     has_many :done_todos, :class_name => "Todo", :conditions => "done = 1", :order => '#{sort_todos_by}'
> >
> >     attr_accessor :sort_todos_by
> >   end
> >
> > then in controller just do:
> >
> >   User.sort_todos_by = @params[:sort_todos_by]
> >
> > kind of hokey if you ask me, but i don't know of another way to do it, so maybe someone else has a better answer.
> >
> > Chris
> >
> > On 11/6/05, Ernie Oporto <ernieoporto-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > >
> > > Do you know if the
> > >
> > >   has_many :not_done_todos, :class_name => "Todo", :conditions => "done = 0"
> > >
> > > can be used as something like
> > >
> > >   has_many :not_done_todos, :class_name => "Todo", :conditions => "done = 0", :order => #{sort}
> > >
> > > so that I can use this in my views...
> > >
> > >   <%= render_collection_of_partials "display", @session[:user].not_done_todos, :locals => { :sort => @session['sort'] } %>
> > >
> > > I plan on having columns sort things differently, but don't want to get into keeping a view for each.
> > > The sort works if I just stick the text 'tag' or 'description' in there, but I need it to handle a variable.
> > > Otherwise I end up resorting to making things like
> > >
> > >   has_many :not_done_todos
> > >   has_many :not_done_todos_tag
> > >   has_many :not_done_todos_pri
> > >
> > > which makes things less elegant. This idea of having a variable in there can further reduce this down to one has_many statement like
> > >
> > >   has_many :get_todos, :class_name => "Todo", :conditions => "done = ?", #{done}, :order => #{sort}
> > >
> > > Possible?
> > > Ernie
> > >
> > > app/controllers/todo_controller.rb:
> > >
> > >   class TodoController < ApplicationController
> > >     model :todo
> > >     scaffold :todo
> > >     before_filter :login_required
> > >     def list
> > >       session['sort'] = "description"
> > >     end
> > >     def list_tag
> > >       session['sort'] = "tag"
> > >     end
> > >     def list_pri
> > >       session['sort'] = "priority"
> > >     end
> > >   end
> > >
> > > views/todo/list.rhtml:
> > >
> > >   <%= link_to("Item", :action => "list") %>
> > >   <%= link_to("Tag", :action => "list_tag") %>
> > >   <%= link_to("Priority", :action => "list_pri") %>
> > >   <%= render_collection_of_partials "display", @session[:user].not_done_todos %>
> > >   <%= render_collection_of_partials "display", @session[:user].done_todos %>
> > >
> > > On 11/6/05, Ernie Oporto <ernieoporto-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > > Rails mailing list > > > > > > > > Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org > > > > > > > > http://lists.rubyonrails.org/mailman/listinfo/rails > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > > Rails mailing list > > > > > > > Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org > > > > > > > http://lists.rubyonrails.org/mailman/listinfo/rails > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > > Rails mailing list > > > > > > Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org > > > > > > http://lists.rubyonrails.org/mailman/listinfo/rails > > > > > > > > > > > > > > > > > > > > > > > > > > > > _______________________________________________ > > > > > Rails mailing list > > > > > Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org > > > > > http://lists.rubyonrails.org/mailman/listinfo/rails > > > > > > > > > > > > > > > > > > > > > > > > >_______________________________________________ Rails mailing list Rails-1W37MKcQCpIf0INCOvqR/iCwEArCW2h5@public.gmane.org http://lists.rubyonrails.org/mailman/listinfo/rails
Does anyone know if the
has_many :not_done_todos, :class_name => "Todo", :conditions => "done = 0"
can be used as something like
has_many :not_done_todos, :class_name => "Todo", :conditions => "done = 0", :order => #{sort}

so that I can use this in my views...
<%= render_collection_of_partials "display", @session[:user].not_done_todos, :locals => { :sort => @session['sort'] } %>

I plan on having columns sort things differently, but don't want to get into keeping a view for each. The sort works if I just stick the text 'tag' or 'description' in there, but I need it to handle a variable. Otherwise I end up resorting to making things like

has_many :not_done_todos
has_many :not_done_todos_tag
has_many :not_done_todos_pri
has_many :done_todos
has_many :done_todos_tag
has_many :done_todos_pri

which works, but makes things less elegant since I may be adding more fields later on. This idea of having a variable in there can further reduce this down to one has_many statement like
has_many :get_todos, :class_name => "Todo", :conditions => "done = ?", #{done}, :order => #{sort}

Possible?

Ernie

app/controllers/todo_controller.rb:
class TodoController < ApplicationController
  model :todo
  scaffold :todo
  before_filter :login_required
  def list
    session['sort'] = "description"
  end
  def list_tag
    session['sort'] = "tag"
  end
  def list_pri
    session['sort'] = "priority"
  end
end

views/todo/list.rhtml:
<%= link_to("Item", :action => "list") %>
<%= link_to("Tag", :action => "list_tag") %>
<%= link_to("Priority", :action => "list_pri") %>
<%= render_collection_of_partials "display", @session[:user].not_done_todos %>
<%= render_collection_of_partials "display", @session[:user].done_todos %>

On 11/5/05, Chris Hall <christopher.k.hall-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> much more elegant way, imo...
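The points raised in the thread above, as an added example in plain Ruby rather than code from the thread or from Rails: why the hidden new_item[login] field cannot decide who owns a new item, how the `?` placeholder form from the original post keeps a login containing a quote inside its SQL literal where the interpolated `'#{char}'` form does not, and why the `:order` column is checked against the three the list actions use. The `quote_sql`/`bind_conditions` helpers only imitate placeholder quoting and are assumptions, not ActiveRecord's implementation; the session, params and logins are constructed sample values.

```ruby
# Added example, not code from the thread: a plain-Ruby stand-in for the
# Todo app pieces discussed above, runnable without Rails or MySQL.

# --- (1) who owns a new item ------------------------------------------------
# Mirrors the list.rhtml form: with a hidden new_item[login] field, the login
# arriving in params is whatever the browser sent back, not necessarily the
# logged-in user.
def create_from_hidden_field(params)
  { "description" => params["new_item"]["description"],
    "login"       => params["new_item"]["login"] }
end

# Hardened: the owner is taken from the server-side session only; a "login"
# the client submitted is discarded rather than copied into the row.
def create_from_session(params, session)
  item = params["new_item"].reject { |key, _| key == "login" }
  item.merge("login" => session[:user][:login])
end

# --- (2) interpolating the login vs. binding it -----------------------------
# Quote one value as a SQL literal: integers stay bare, strings are wrapped
# in single quotes with any embedded single quote doubled.
def quote_sql(value)
  return value.to_s if value.is_a?(Integer)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Replace each "?" with the next quoted bind value. This only imitates what
# :conditions => [sql, *binds] does (assumption, not ActiveRecord's code).
def bind_conditions(sql, *binds)
  raise ArgumentError, "bind count mismatch" unless sql.count("?") == binds.size
  sql.gsub("?") { quote_sql(binds.shift) }
end

# The thread's interim find_not_done: the login is dropped straight into the SQL.
def interpolated_conditions(login)
  "done = 0 and login = '#{login}'"
end

# Same intent with the login carried as a bound value.
def bound_conditions(login)
  bind_conditions("done = 0 and login = ?", login)
end

# An odd number of single quotes means a value escaped its literal (or never
# closed it): the statement is no longer the one the model meant to run.
def balanced_quotes?(sql)
  sql.count("'").even?
end

# --- (3) the :order column and the login in a view --------------------------
# The only columns the list/list_tag/list_pri actions sort by. :order is raw
# SQL, so a value outside this list is refused instead of concatenated.
SORTABLE_COLUMNS = %w[description tag priority].freeze

def order_clause(sort)
  sort = sort.to_s
  unless SORTABLE_COLUMNS.include?(sort)
    raise ArgumentError, "unsortable column: #{sort.inspect}"
  end
  sort
end

# The query the model would run for one user, one done state and one sort.
def todos_sql(login, done, sort)
  where = bind_conditions("done = ? and login = ?", done, login)
  "SELECT * FROM todos WHERE #{where} ORDER BY #{order_clause(sort)}"
end

# ERB's <%= %> in this Rails generation wrote values out unescaped, so a
# login placed in an attribute (as list.rhtml does) is escaped here first.
def escape_html(text)
  text.to_s.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;").gsub('"', "&quot;")
end
```

has_many options are evaluated once when the class is loaded, so a per-request sort column belongs in the finder call, not in the declaration.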
Anyone?

On 11/6/05, Ernie Oporto <ernieoporto-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Does anyone know if the
> has_many :not_done_todos, :class_name => "Todo", :conditions => "done = 0"
> can be used as something like
> has_many :not_done_todos, :class_name => "Todo", :conditions => "done = 0", :order => #{sort}