Hi,

Is it possible to open a file (in the public directory) in a text field, edit it and save it?

Is it also possible to type into a new text field, then save this as a new file in the public directory?

One use for this I could see would be to allow users to edit stylesheets/themes.

If this is possible, how do you do it?

Cheers,

DAZ

You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe-/JYPxA39Uh5TLH3MbocFFw@public.gmane.org
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en
On Mon, Jan 12, 2009 at 4:37 PM, DAZ <daz4126-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Hi,
>
> Is it possible to open a file (in the public directory) in a text field, edit it and save it?
>
> Is it also possible to type into a new text field, then save this as a new file in the public directory?
>
> One use for this I could see would be to allow users to edit stylesheets/themes.
>
> If this is possible, how do you do it?
>
> Cheers,
>
> DAZ

DAZ

To get the contents, you could do:

  @file_contents = File.read(File.join(RAILS_ROOT, "public", "your_file_name.css"))

And to save again, do:

  # "w" opens the file for writing (truncating it); File.open's default mode is
  # read-only, and file.write would raise IOError
  File.open(File.join(RAILS_ROOT, "public", "your_file_name.css"), "w") do |file|
    file.write params[:file_contents]
  end

NOTE: I'd be very careful of actually doing this though as there are MANY security issues.
Think through things like who will have access to this functionality and how much they can be trusted.
One thing to specifically check for is that the user cannot set the file path in any way or you could end up with files written to like:
/home/rails/myproject/public/../../../../etc/passwd

Have a look at http://guides.rubyonrails.org/security.html for some more detailed info on the potential problems.

--
Andrew Timberlake
http://ramblingsonrails.com
http://www.linkedin.com/in/andrewtimberlake

"I have never let my schooling interfere with my education" - Mark Twain
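The two checks Andrew's reply calls for, written out as an added example (not his code, and not a Rails component): the editor class, its name pattern and the demo directory are all assumed for illustration; the base directory stands in for `File.join(RAILS_ROOT, "public", ...)`.

```ruby
require "tmpdir"
# Added example (not Andrew's code): a small editor that only ever touches
# files under one base directory. Two independent checks run before any
# read or write: a whitelist on the bare file name, and a check that the
# resolved absolute path is still inside the base directory.
class ThemeFileEditor
  # Only a bare, lowercase .css name: no "/", no "..", no leading dot.
  NAME_PATTERN = /\A[a-z0-9][a-z0-9_-]{0,63}\.css\z/

  class InvalidName < StandardError; end

  # base_dir would be File.join(RAILS_ROOT, "public", "stylesheets") in Rails.
  def initialize(base_dir)
    @base_dir = File.expand_path(base_dir)
  end

  # Returns the absolute path for +name+, or raises InvalidName.
  def resolve(name)
    unless name.is_a?(String) && NAME_PATTERN.match?(name)
      raise InvalidName, "bad file name: #{name.inspect}"
    end
    path = File.expand_path(File.join(@base_dir, name))
    # Belt and braces: even if the pattern were loosened later, nothing
    # outside @base_dir can be returned.
    unless path.start_with?(@base_dir + File::SEPARATOR)
      raise InvalidName, "path escapes #{@base_dir}: #{path}"
    end
    path
  end

  def read(name)
    File.read(resolve(name))
  end

  # "w" truncates and replaces; returns the number of bytes written.
  def write(name, contents)
    File.open(resolve(name), "w") { |f| f.write(contents) }
  end
end

# Constructed demo: write a stylesheet into a throw-away directory and
# read it back through the same checks.
def demo_round_trip
  Dir.mktmpdir("public") do |dir|
    editor = ThemeFileEditor.new(dir)
    editor.write("site.css", "body { color: #333; }\n")
    editor.read("site.css")
  end
end
```

In a controller the name would come from `params`, never the path, and a failed `resolve` should be answered with a 4xx and a log line rather than an attempt to "clean up" the input.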
Thanks for the reply Andrew, and thanks for the link - very useful and informative (as is your blog!).

The idea is as part of a CMS-style app, so people would have to be signed in to edit files, and they probably wouldn't be able to choose the path, just the name. I guess I would use a similar whitelist approach as recommended in the docs.

Would it be better to do this sort of thing at a database level - saving the whole CSS text in a Theme model or something?

cheers,

DAZ

On Jan 12, 3:01 pm, "Andrew Timberlake" <and...-642hCh26+Dt3UeSHeRwt+FaTQe2KTcn/@public.gmane.org> wrote:
> DAZ
>
> To get the contents, you could do:
>
>   @file_contents = File.read(File.join(RAILS_ROOT, "public", "your_file_name.css"))
>
> And to save again, do:
>
>   File.open(File.join(RAILS_ROOT, "public", "your_file_name.css"), "w") do |file|
>     file.write params[:file_contents]
>   end
>
> NOTE: I'd be very careful of actually doing this though as there are MANY security issues.
> Think through things like who will have access to this functionality and how much they can be trusted.
> One thing to specifically check for is that the user cannot set the file path in any way or you could end up with files written to like:
> /home/rails/myproject/public/../../../../etc/passwd
>
> Have a look at http://guides.rubyonrails.org/security.html for some more detailed info on the potential problems.
>
> --
> Andrew Timberlake
> http://ramblingsonrails.com
> http://www.linkedin.com/in/andrewtimberlake
>
> "I have never let my schooling interfere with my education" - Mark Twain
> Would it be better to do this sort of thing at a database level - saving the whole CSS text in a Theme model or something?

I think that'd be the best solution.

> cheers,
>
> DAZ
On Mon, Jan 12, 2009 at 5:57 PM, DAZ <daz4126-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
> Thanks for the reply Andrew, and thanks for the link - very useful and informative (as is your blog!).
>
> The idea is as part of a CMS-style app, so people would have to be signed in to edit files, and they probably wouldn't be able to choose the path, just the name. I guess I would use a similar whitelist approach as recommended in the docs.
>
> Would it be better to do this sort of thing at a database level - saving the whole CSS text in a Theme model or something?
>
> cheers,
>
> DAZ

There are pros and cons to everything, I just wanted you to be aware - I don't like providing a solution to someone where they can shoot themselves in the foot with it :-)

Even in a CMS based app this can be dangerous. If the CMS is for a specific client running on their own hardware, you have less of a problem than if it is for public consumption.

If you want to allow people to customise the look of an application, I would provide very specific things they can change. Your idea of a Theme model can work but still be careful of what they can set as values. IE allows javascript to execute within CSS which can open you up to XSS attacks etc.

--
Andrew Timberlake
http://ramblingsonrails.com
http://www.linkedin.com/in/andrewtimberlake

"I have never let my schooling interfere with my education" - Mark Twain