Pieces of Web

Generating custom XML for your rails app

Dan — Thu, 14 May 2009 00:46:42 +0000

Recently, I needed to generate some xml for a rails 2.3 app. What was supposed to be a fast and easy, turned out to take much longer than expected. After all, rails already provides

respond_to do |format|
  format.html # index.html.erb
  format.xml  { render :xml => @posts }
end

The problem is that the generated xml is very verbose. I spent some time googling and found plenty of information, but it was scattered and didn’t quite show the whole picture.

The rails api for Builder::XmlMarkup uses both an ‘xm’ and ‘xml’ object to show how to work with xml, but only the ‘xml’ object seems to work. It also doesn’t clearly show how to setup the controller or that the code should go in an xml.builder file. Similarly here, the xml object is used in the view correctly, but also fails mention anything about the controller or type of file the code should go in.

Over at xml.com, the tutorial creates an @xml instance variable of type Builder::XmlMarkup.new and then uses that object in an .rxml view (I know, its a little dated).

I was left with a bunch of puzzle pieces that didn’t quite fit together. Eventually, I figured out what needed to be done, and this is how…

First, in the controller, remove the other bits in the format.xml line so it reads

respond_to do |format|
  format.html # index.html.erb
  format.xml # index.xml.builder
end

Second, you need to create an xml.builder file, in this case, index.xml.builder. Inside the xml.builder view, you have access to an ‘xml’ object that is used to generate the xml. The xml for my sample @posts object can then look something like…

xml.instruct!
xml.posts do
  @posts.each do |post|
    xml.post do
      xml.title post.title
      xml.body post.body
      xml.published_at post.published_at
      xml.comments do
        post.comments.each do |comment|
          xml.comment do
            xml.body comment.body
          end
        end
      end
    end
  end
end

Now, when browsing to posts.xml, you’ll now see nicely formatted xml, without all the extra cruft added when using the default rails xml generation utility. I hope that saves you some time.

Adding Some Additional Security Measures to restful_authentication

Dan — Mon, 30 Mar 2009 01:55:14 +0000

If you’ve been paying attention to the web lately, you’ve probably heard of twitter and probably also remember hearing about this. Well, I’ve been wanting to implement something that would have prevented that hack into restful_authentication for a long time and I finally got around to it. I’ve been sitting on this for a bit because I wasn’t sure if I was ready to show it to the world, but I decided to just write about and release what I have thus far. So I present to you, my first iteration of locking out user accounts after too many incorrect login attempts. There are many ways to go about doing this, but the solution I settled on was to just lockout user accounts that have too many incorrect login attempts over a certain period of time. Its pretty simple really. This is done with the addition of one more table which is used to record incorrect logins.

For my example I’m going to spare you the details I used to get this running and only look at the lockout code. Click here to go directly to the github repo. I’m going to assume that you already have restful_authentication installed and running. First thing to do then, is generate the model that will track incorrect login attempts, as well as add an extra field in the users table to keep track of when the account was locked out. Just run…
./script/generate model login_attempt…and make the migration look like this…

class CreateLoginAttempts < ActiveRecord::Migration
  def self.up
    create_table :login_attempts do |t|
      t.integer :user_id, :null => false
      t.string :remote_ip, :user_agent
      t.timestamps
    end
    add_column :users, :locked_out_at, :datetime
  end
 
  def self.down
    drop_table :login_attempts
    remove_column :users, :locked_out_at
  end
end

…and then migrate the database with…
rake db:migrateFrom here, pretty much everything is in the sessions_controller.rb and user.rb files. For the user model, we need to add a way to set lockout options (I just use a constant, but you could add another model to keep track of of these options too), another state and some transitions, and a couple of methods to determine the state of the user in the lockout process. I’ll just paste my user.rb file, sans the validation methods that would just be taking up unnecessary space here.

require 'digest/sha1'
class User < ActiveRecord::Base
  include Authentication
  include Authentication::ByPassword
  include Authentication::ByCookieToken
  include Authorization::AasmRoles
 
  # here is how I setup the lockout options 
  LOCKOUT_OPTIONS = {
    :lockout_period => 1, # in minutes
    :login_attempts => 3, # number of tries
    :attempt_window => 4 # can have x number of login_attempts in this many minutes
  }
 
  has_many :login_attempts
 
  named_scope :with_allowed_states, :conditions => { :state => [ 'suspended', 'locked_out', 'active' ] }
 
  # A locked out account is different from a suspended account, so these are necessary
  aasm_state :locked_out, :enter => :set_locked_out_at
  aasm_event :lock_out do
    transitions :from => :active, :to => :locked_out
  end
  aasm_event :end_lock_out do
    transitions :from => :locked_out, :to => :active
  end
 
  # HACK HACK HACK -- how to do attr_accessible from here?
  # prevents a user from submitting a crafted form that bypasses activation
  # anything else you want your user to change should be added here.
  attr_accessible :login, :email, :name, :password, :password_confirmation
 
  def max_login_attempts?
    self.login_attempts.by_attempt_window(LOCKOUT_OPTIONS[:attempt_window]).all.size > LOCKOUT_OPTIONS[:login_attempts]
  end
 
  def lock_out_ended?
    self.locked_out_at < (Time.now - LOCKOUT_OPTIONS[:lockout_period].minutes)
  end
 
  def login=(value)
    write_attribute :login, (value ? value.downcase : nil)
  end
 
  def email=(value)
    write_attribute :email, (value ? value.downcase : nil)
  end
 
  def admin?
    self.role == 'admin'
  end
 
protected
 
  def set_locked_out_at
    self.locked_out_at = Time.now
  end
 
  def make_activation_code
    self.deleted_at = nil
    self.activation_code = self.class.make_token
  end
end

Next thing to do is to edit the sessions controller. Open it up and make it look like…

# This controller handles the login/logout function of the site.  
class SessionsController < ApplicationController
  # render new.rhtml
  def new
  end
 
  def create
    logout_keeping_session!
    @login       = params[:login]
    @remember_me = params[:remember_me]
    @user = User.with_allowed_states.find_by_login(@login)
    if @user
      case @user.aasm_current_state
      when :suspended
        flash_and_render(:error, "Your account is suspended")
      when :locked_out
        if @user.lock_out_ended?
          LoginAttempt.delete(@user.login_attempts)
          @user.end_lock_out!
          proceed_to_login
        else
          flash_and_render(:error, "Your account is locked out")
        end
      else # is active
        proceed_to_login
      end
    else
      flash_and_render
    end
  end
 
  def destroy
    logout_killing_session!
    flash[:notice] = "You have been logged out."
    redirect_back_or_default('/')
  end
 
protected
 
  def proceed_to_login
    if @user.authenticated?(params[:password])
      self.current_user = @user
      LoginAttempt.delete(@user.login_attempts)
      new_cookie_flag = (params[:remember_me] == "1")
      handle_remember_cookie! new_cookie_flag
      flash[:success] = "Logged in successfully"
      redirect_back_or_default(root_path)
    else
      @user.login_attempts.create(:remote_ip => request.remote_ip, :user_agent => request.user_agent)
      if @user.max_login_attempts?
        @user.lock_out!
        flash_and_render(:error, "Your account is locked out")
      else
        flash_and_render
      end
    end
  end
 
  def flash_and_render(type = :notice, message = "Incorrect username or password")
    flash[type] = message
    # done to clear out unneeded flash values since this isn't a redirect...know a better way to do this?
    flash.delete_if {|key, value| key != type }
    render :action => 'new'
  end
end

And thats about it. User accounts now get locked out for however many minutes you specify after however many login attempts you deem are inappropriate. In my example I have them set really low for testing purposes, but in the real world, I would probably up the login attempts to 10 or 15 tries and the lock out time for 10 to 15 minutes to balance not annoying your users and securing your site. But, that’s really up to you to decide whats appropriate in your case.

My sample app that uses this code is available on github here. I have some additional plans, but wanted to get this posted before I took any longer. For one, if a user mistakenly locks themselves out of their account, they should be able to click on a link to reset their password and not wait for their account to let them log in again and I would also like to restrict the IP address of users who lock out multiple accounts within a certain amount of time. I also want to get this integrated into restful_authentication so its just as easy to have account lockouts as it is to setup restful_authentication. As always, comments and suggestions are welcome.

Extending the will_paginate Rails Plugin

Dan — Mon, 09 Mar 2009 19:09:48 +0000

Recently I needed a little extra functionality for paginating. Specifically, I wanted to know if I was on the last page, and if so, add some content below my list of paginated stuff. Unfortunately, Mislav’s, will_paginate plugin does not provide those methods. All I wanted to be able to (with a collection of @products) do is…

<% if @products.last_page? %>
  here is the content
<% end %>

Adding that method is actually pretty easy. While I’m at it, it makes sense to add a first_page? method also. Will_paginate has the WillPaginate::Collection class that already adds some additional properties to make paginating in views easy. I just needed to add a little more to it. To start, I created a new file named will_paginate_ext.rb in my lib directory. Inside I added…

module WillPaginateExt
  def first_page?
    self.current_page == 1
  end
 
  def last_page?
    self.current_page == self.total_pages
  end
end
 
class WillPaginate::Collection
  include WillPaginateExt
end

…and inside my environment.rb file, below and outside of the Rails::Initializer block, add the line…

require 'will_paginate_ext'

With those simple additions, I add two new methods to the will_paginate plugin and am now able to figure out if I am on the first or last page of pagination and add content as necessary.

Is there a better way to add functionality to plugins or other objects? Let me know in the comments below.

More Advanced Searching Techniques with Rails

Dan — Fri, 06 Mar 2009 19:10:30 +0000

For my first real post, I want to start off looking at searching and drilling down a list of objects. It’s based on Railscast 112, the one on anonymous scopes, but with a few other things thrown in for good measure. For the purposes of this example, I’m going to use these classes

# models/employee.rb
class Employee < ActiveRecord::Base
  belongs_to :employer
  validates_presence_of :employer_id, :first_name, :last_name, :start_date, :salary
end
 
# models/employer.rb
class Employer < ActiveRecord::Base
  belongs_to :region
  has_many :employees
  validates_presence_of :name
  validates_uniqueness_of :name
end
 
# models/region.rb
class Region < ActiveRecord::Base
  has_many :employers
  validates_presence_of :name
  validates_uniqueness_of :name
end

One thing that always seems to be a problem for me, is working with dates in rails. So, instead of using the classic rails date_select, I am going to use Filament Groups jQuery UI Date Range Picker.

To begin, I generated the scaffold for the three models

./script/generate scaffold region name:string
./script/generate scaffold employer name:string region_id:integer
./script/generate scaffold employee employer_id:integer first_name:string last_name:string start_date:date salary:integer

I made a few changes to the views to include select lists where appropriate, but thats not so important at the moment. Take a look at the download if you would like to see those view changes.

The main stuff happens in the employees_controller. I wanted to keep this fairly simple, so there is no separate search action. It works out better this way anyway. Here is what the employees index action looks like

def index
  @search = params[:search].blank? ? {} : params[:search]
  get_dates
  collect_employees
  @employees = @scope.find(:all, :order => 'employers.name, last_name', :include => :employer)
  respond_to do |format|
    format.html # index.html.erb
    format.xml  { render :xml => @employees }
  end
end

As you can see, @search will be a blank hash if there is not an incoming search parameter.

Both the get_dates and collect_employees methods, are protected methods in the employees controller. The method get_dates, takes the single input field of the calendar select, and splits up the dates so employees start_dates can be filtered through any range of dates. It looks like this…

def get_dates
  unless @search.blank?
    dates = @search[:start].split('-')
    dates.each_with_index do |d, i|
      @search["date_#{i}".to_sym] = Date.parse(d.strip) unless d.blank?
    end
  end
end

The get_dates method extracts the two dates from @search[:start] and creates two new attributes, date_0 and date_1. This also keeps the :start attribute intact, and allows it to be redisplayed in the view. Also, if the start field only includes 1 date, the query will find all employees that started on that date till now.

The next method should look familiar if you watched railscast 112 . Here it is…

def collect_employees
  @scope = Employee.scoped({})
  @scope = @scope.scoped :conditions => ['first_name like ?', "%#{@search[:first_name]}%"] unless @search[:first_name].blank?
  @scope = @scope.scoped :conditions => ['last_name like ?', "%#{@search[:last_name]}%"] unless @search[:last_name].blank?
  @scope = @scope.scoped :conditions => { :employer_id => @search[:employer_id] } unless @search[:employer_id].blank?
  @scope = @scope.scoped :conditions => { :employers => { :region_id => @search[:region_id] } } unless @search[:region_id].blank?
  @scope = @scope.scoped :conditions => ['salary >= ?', @search[:salary_min] ] unless @search[:salary_min].blank?
  @scope = @scope.scoped :conditions => ['salary <= ?', @search[:salary_max] ] unless @search[:salary_max].blank?
  @scope = @scope.scoped :conditions => ['start_date >= ?', @search[:date_0] ] unless @search[:date_0].blank?
  @scope = @scope.scoped :conditions => ['start_date <= ?', @search[:date_1] ] unless @search[:date_1].blank?
end

As you can see, there is more going on than just refining the results by attributes of the employee. You can also find employees by their employer and even employees by the region their employer is located in.

I wanted to use a search model, like in railscast 111, so I could use f.text_field throughout the form, but I didn’t want to create a database object, and my attempts to finesse the code to work in that way proved fruitless. So, for the view, I used the generic form_for and text_field_tag’s like this…

<% form_for :search, :url => { :controller => 'employees', :action => 'index' } do %>
  
    First Name:

    <%= text_field_tag 'search[first_name]', @search[:first_name], :id => 'search_first_name' %>
  
  
    Last Name:

    <%= text_field_tag 'search[last_name]', @search[:last_name], :id => 'search_last_name' %>
  
  
    Employer:

    <%= select_tag 'search[employer_id]', employee_select_helper('Employer'), :id => 'search_employer_name' %>
  
  
    Region:

    <%= select_tag 'search[region_id]', employee_select_helper('Region'), :id => 'search_region_name' %>
  
  
    Salary

    <%= text_field_tag 'search[salary_min]', @search[:salary_min], :id => 'search_salary_min' %> -
    <%= text_field_tag 'search[salary_max]', @search[:salary_max], :id => 'search_salary_max' %>
  
  
    Start Date

    <%= text_field_tag 'search[start]', @search[:start], :id => 'search_start' %>
  
  <%= submit_tag "search" %>
<% end %>

The employee_select_helper is in the employeesHelper and thanks to some ruby magic, it looks like…

def employee_select_helper(object)
    '' + options_from_collection_for_select(object.constantize.find(:all, :order => 'name'), 'id', 'name', @search[object.foreign_key.to_s].to_i)
end

I ran into a couple of issues with the daterangepicker plugin displaying the dropdown correctly. The daterangepicker, by default, appends the slick looking calendar picker to the html document body, but this creates a problem whenever there is data after the daterangepicker, causing it to append to the bottom of the page and not work as expected. To fix that, I edited the daterangepicker.jQuery.js (around line 269) like this…

// from
jQuery(options.appendTo).append(rp);
// to
jQuery(this).after(rp);

And application.js is simple as this…

$(document).ready(function(){
	$("#search_start").daterangepicker({
		latestDate: Date.today()
	});
});

As for the daterangepicker plugin, I placed all the js files in the javascripts directory and all the css files inside the stylesheets directory. The plugin also includes an images directory, and in order to avoid having to edit all the image urls inside the css, I just placed the images directory inside the stylesheets directory. Maybe not a best practice, but it makes things easier at this point.

Now, you can search for employees in any combination of employer, employers region, a start date range, salary range, or first and last name. This concludes my further exploration of anonymous scopes and the Filament Group jQuery UI Date Range Picker. Hopefully you found something of value. The included app uses sqlite3 and also has a little sample data with it. You should only need to download, unzip and run script/server to see the basic, no style applied employee search app. As always, comments, suggestions and improvements are welcome.

Download: searching