When I use some helper with controller, like :helper helper_name, I can call all helper methods that are not private or protected from browser, by typing url "http://controller/helper_method". Does this work only for development environment or it works always? I've seen some helpers from wiki.rubyonrails.org and rails books and helper methods never were private or protected there...

Thanks,
Dmitry

--
Posted via http://www.ruby-forum.com/.

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk-unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk
-~----------~----~----~----~------~----~------~--~---

> When I use some helper with controller, like :helper helper_name,
> I can call all helper methods that are not private or protected from
> browser, by typing url "http://controller/helper_method".
> Does this work only for development environment or it works always?
> I've seen some helpers from wiki.rubyonrails.org and rails books and
> helper methods never were private or protected there...

Hmm. I'm seeing this, too. For most cases, this results in a "Template is missing" error because there's nothing to render. However, if you happened to have a helper method in the controller that rendered something (a partial, say), I'm thinking this could be a security issue.

Protecting the methods seems to fix this, resulting in an "Unknown action" error. Is there any functionality lost by protecting the methods? Maybe helper_method should protect these automagically?

> Hmm. I'm seeing this, too. For most cases, this results in a "Template
> is missing" error because there's nothing to render.

> Protecting the methods seems to fix this, resulting in an "Unknown
> action" error.

BTW, these errors show up in development, but result in a 500 error in production.

Curtis Summers wrote:
>> Hmm. I'm seeing this, too. For most cases, this results in a "Template
>> is missing" error because there's nothing to render.
>
>> Protecting the methods seems to fix this, resulting in an "Unknown
>> action" error.
>
> BTW, these errors show up in development, but result in a 500 error in
> production.

But helper methods are still available through GET in production? As I saw in the development log, when an application error happens Rails sends HTTP with a 500 status.

Dmitry Hazin wrote:
> But helper methods are still available through GET in production?

Yep. In most cases they will cause a template error unless you have a helper that calls render or you happen to have a view to be rendered with your helper action's name.

Why you would have a helper method that renders something defined in your controller I don't know, but I've tested this and can get rendered text, partial, or full view.

Curtis Summers wrote:
> Dmitry Hazin wrote:
>> But helper methods are still available through GET in production?
>
> Yep. In most cases they will cause a template error unless you have a
> helper that calls render or you happen to have a view to be rendered
> with your helper action's name.
>
> Why you would have a helper method that renders something defined in
> your controller I don't know, but I've tested this and can get rendered
> text, partial, or full view.

Helpers

Helpers are smart methods (functions) that help your view templates generate HTML. They know to use your model objects and controller classes to create just the right HTML and.
(from http://www.onlamp.com/pub/a/onlamp/2005/10/13/what_is_rails.html?page=5, but it doesn't matter)

What do you mean

> Why you would have a helper method that renders something defined in
> your controller I don't know, but I've tested this and can get rendered
> text, partial, or full view.

Helpers' purpose is to 'render something defined in controller', isn't it??

Has this issue been raised on the core list? IMHO it seems like it should be something that should be discussed there, or at least a core member should be made aware of it.

On 9/13/06, Dmitry Hazin <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> Curtis Summers wrote:
> > Dmitry Hazin wrote:
> >> But helper methods are still available through GET in production?
> >
> > Yep. In most cases they will cause a template error unless you have a
> > helper that calls render or you happen to have a view to be rendered
> > with your helper action's name.
> >
> > Why you would have a helper method that renders something defined in
> > your controller I don't know, but I've tested this and can get rendered
> > text, partial, or full view.
>
> Helpers
>
> Helpers are smart methods (functions) that help your view templates
> generate HTML. They know to use your model objects and controller
> classes to create just the right HTML and.
> (from
> http://www.onlamp.com/pub/a/onlamp/2005/10/13/what_is_rails.html?page=5,
> but it doesn't matter)
>
> What do you mean
> > Why you would have a helper method that renders something defined in
> > your controller I don't know, but I've tested this and can get rendered
> > text, partial, or full view.
>
> Helpers' purpose is to 'render something defined in controller', isn't
> it??

Dmitry Hazin wrote:
> Helpers' purpose is to 'render something defined in controller', isn't
> it??

In the above statement I'm differentiating helpers defined in a controller vs. helpers defined in a helper module. If I need to use a method in both my controller and my view, I define it in my controller and then designate it as a helper with helper_method. In practice, I find that the methods I need in both the controller and the view are methods that do not end up rendering anything (e.g., logged_in?, is_admin?). Most of my rendering helpers are defined in my helper modules and not in my controller.

Did that make sense?

Daniel,
As far as I know the core list has not been notified.

I've put a link to this thread on the core list.

Cheers

On 9/6/06, Dmitry Hazin <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>
> When I use some helper with controller, like :helper helper_name,
> I can call all helper methods that are not private or protected from
> browser, by typing url "http://controller/helper_method".
> Does this work only for development environment or it works always?
> I've seen some helpers from wiki.rubyonrails.org and rails books and
> helper methods never were private or protected there...

Simply make your helper methods non-public. Perhaps helper_method could warn you if public_instance_methods.include?(method_name) but this really isn't its concern.

jeremy

Jeremy Kemper wrote:
> On 9/6/06, Dmitry Hazin <rails-mailing-list-ARtvInVfO7ksV2N9l4h3zg@public.gmane.org> wrote:
>>
>> When I use some helper with controller, like :helper helper_name,
>> I can call all helper methods that are not private or protected from
>> browser, by typing url "http://controller/helper_method".
>> Does this work only for development environment or it works always?
>> I've seen some helpers from wiki.rubyonrails.org and rails books and
>> helper methods never were private or protected there...
>
> Simply make your helper methods non-public. Perhaps helper_method could
> warn you if public_instance_methods.include?(method_name) but this really
> isn't its concern.
>
> jeremy

Of course, I can make my methods protected, but if anyone will follow any rails tutorial there is nothing about this; moreover, all 3rd party helpers that I've downloaded from wiki or somewhere else had their methods being public.

Dmitry Hazin wrote:
> Of course, I can make my methods protected, but if anyone will follow
> any rails tutorial there is nothing about this; moreover, all 3rd party
> helpers that I've downloaded from wiki or somewhere else had their
> methods being public.

I agree that this problem is not well documented, and if no changes are made to helper_method, then there should at least be a note in the official docs.
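
The check Jeremy suggests (helper_method names that are still in public_instance_methods), next to the effect of making the helpers private, as an added example that is not part of the thread and is not Rails code. MiniController, BeforeController, AfterController, account_box and view_call are hypothetical stand-ins so the block runs without Rails.

```ruby
# Stand-in for ActionController::Base, constructed for this example (not Rails code).
class MiniController
  class UnknownAction < StandardError; end

  class << self
    # Names registered through helper_method; subclasses start from the parent's list.
    def helper_names
      @helper_names ||= superclass.respond_to?(:helper_names) ? superclass.helper_names.dup : []
    end
    # Same role as Rails' helper_method: make controller methods callable from views.
    def helper_method(*names)
      helper_names.concat(names.map(&:to_sym)).uniq!
    end
    # Every public instance method added below the base class is a routable action.
    def action_methods
      public_instance_methods(true) - MiniController.public_instance_methods(true)
    end
    # The check suggested in the thread: helper_method names that are still public.
    def exposed_helpers
      helper_names & action_methods
    end
  end

  # What a default route does with /controller/<action>: public methods only.
  def process(action)
    name = action.to_sym
    raise UnknownAction, "No action responded to #{action}" unless self.class.action_methods.include?(name)
    public_send(name)
  end

  # Views reach a registered helper through send (as Rails' generated helper does),
  # so the method's visibility does not matter on this path.
  def view_call(name)
    raise ArgumentError, "#{name} is not a helper" unless self.class.helper_names.include?(name)
    send(name)
  end
end

class BeforeController < MiniController   # helpers left public, as in the tutorials
  helper_method :logged_in?, :account_box
  def logged_in?; true; end
  def account_box; "rendered account partial"; end
end

class AfterController < MiniController    # same helpers, made non-public
  helper_method :logged_in?, :account_box
  private
  def logged_in?; true; end
  def account_box; "rendered account partial"; end
end
```

Running exposed_helpers over every controller class in a test suite turns the missing documentation note into a failing build instead of a reachable URL.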