Rails Guides Wants You

If you haven’t looked at the state of Rails documentation lately, it’s time to look again. The new Ruby on Rails Guides page includes 14 separate guides for Rails developers, with topics ranging from “Getting Started” to routing, security, testing, and debugging. That’s over 70,000 words of help content for Rails users that didn’t exist two months ago when we launched the Rails Guides project.

But we’re not done yet! We’re starting phase 2 of the Guides project, and planning a fresh batch of content to add to what’s already there. Our goal is to have a single page where you can find all of the information you need to be an effective Rails developer. Remember, though: this is open source. That means we want your help too!

Here’s what you can do to get involved:

  • Read about the process of and rewards for contributing on the Hackfest page.
  • Check the list of available tickets in our Lighthouse project, and sign up to write a guide.
  • Submit corrections, suggestion, bugs, or patches for the existing guides. You’ll find a link to the relevant Lighthouse ticket at the bottom of each guide.
  • Let us know what other guides you think should be added – whether you want to write them, or just hope that someone else will. Just leave a note in the comments here and we’ll get your idea into the process.

You’ll usually find some of the documentation team hanging around in #docrails on IRC. Come join us and help the community!

3 Weeks in Rails (October 29, 2008)

It’s been 3 weeks (I know I’ve been slacking). However, it’s time to write out another summary of information that any Rails developer might want to know about. Detailed audio versions of these notes can be found on the Rails Envy Podcast #51, #52, and #53.

You may already be aware that Rails 2.2 RC1 was released last Friday. For a glimpse at the new features you can read through the Release Notes. However, if you’re looking for something more comprehensive check out the Envycast on Ruby on Rails 2.2^ or the What’s New PDF by Carlos Brando.

Rails 2.0.5 and Rails 2.1.2 were also pushed in the last few weeks, mostly just plugging up a few small security concerns. If you’re on 2.x, you should probably take the time to upgrade.

If you’re taking advantage of the localization features of Rails 2.2, there are two libraries you should probably be aware of. First, Diego Carrion recently created a fork of restful_authentication where he added full support for i18n. Secondly, Karel Minarik recently released a plugin for doing localized_country_select so you can display countries the appropriate language.

If you need your Rails application to receive emails, one way to do it is to use gmail IMAP. John Nunemaker wrote up a nice walkthrough showing all the scripts need to parse email out of gmail.

Hosting, Performance, and Tuning

With Rails 2.2 thread safety, you might assume that brings a performance boost for everyone. However, this is not always the case and Pratik Naik explains why.

Ilya Grigorik wrote a blog post about Scaling Rails with MYSQL Plus where he uses the Non-Blocking MySQL driver from Neverblock to get some increased performance out of ActiveRecord which is quite impressive.

If you need to implement full text search in your Rails application, and you are already thinking Sphinx, you may want to check out the Thinking Sphinx PDF by Pat Allan over on Peepcode.

Library News

If you’re a fan of resource_controller (skinny REST controllers) and Shoulda you shoulda definitely check out the starter app by James Golick called Blank.

The next time you need to build a “Software As A Service” website (like basecamp), check out Service Merchant. This gem sits on top of Active Merchant and gives you everything you need to do Subscription Billing.

Do you ever forget your Rails routes? There’s always the “rake routes” command, but that’s not very user friendly. You might want to check out Vasco. Vasco is a Route explorer for Rails which provides a nice web interface to browse through and test all your Rails routes.

If you ever need to build a Rails application which is accessible on multiple domains or multiple paths (like foo.com or bar.com or a.com/foo) then take a look at the Rails Proxy Plugin by Sean Huber. This plugin allows you to dynamically respond to proxied requests by detecting the incoming path and properly setting the session domain, default host, and relative url root.

If you need an easy way to test your plugin which extends ActiveRecord, check out acts_as_fu, which aside from it’s unfortunate name, is pretty slick.

If you came over from PHP, you’re probably familiar with phpMyAdmin. One of the Rails Rumble teams made a Ruby version of phpMyAdmin that’s definitely worth checking out if you’re missing a quick web interface to your db.

Event News

The Rails Rumble is over and you only have 3 more days to vote (voting closes on Midnight November 1st). Cast your vote! It’s good practice for next Tuesday (least in the US).

If you’re over in London, Ruby Manor is taking place November 22nd. Looks like it’s going to be a fun unconference type of event.

Lastly, Rubyconf is next week here in Orlando, Florida where it’s been kinda chilly lately. Definitely pack something warm just in case, and see you next week!

Image Credit: Blue Sky on Rails by ecstaticist, Analog Solutions 606 Mod by Formication, RailsConf Europe 2006 by Paul Watson, Rainbow by One Good Bumblebee
^ In the interest of full disclosure, I do produce Envycasts, and profit from the sale of the screencasts.

Rails 2.2 RC1: i18n, thread safety, docs, etag/last-modified, JRuby/1.9 compatibility

Rails 2.2 is almost ready for its final release, but before we christen the gems, we’d like to have everyone test out a release candidate. Rails 2.2 is a major upgrade that includes a wealth of new features and fixes.

Chief inclusions are an internationalization framework, thread safety (including a connection pool for Active Record), easier access to HTTP caching with etags and last modified, compatibility with Ruby 1.9 and JRuby, and a wealth of new documentation.

Mike Gunderloy has compiled an exhaustive list and walk-through of many of the interesting new features for the Rails 2.2 release notes.

To help test the Rails 2.2 release candidate, please install with:
gem install rails -s http://gems.rubyonrails.org -v 2.2.0

Hopefully there will not be too much folly in the RC and we can quickly move to a final release. But it requires your help to get there.

Note that this release is called 2.2.0, not 2.1.99 as our previous naming scheme would have dictated. So the final release of Rails 2.2 will actually be 2.2.1 (if we only need one RC).

Rails 2.1.2: Security, other fixes

Rails 2.1.2 includes the same two security fixes that we pushed out for 2.0.x recently. We’re talking about a backport of the offset/limit sanitization fix for Active Record and a fix against header-injection when using user-contributed strings in redirect_to (see Response Splitting for more information).

In addition, Rails 2.1.2 fixes the warning that users of RubyGems 1.3.0 were having with script/generate as well as a range of other minor fixes. Enjoy!

As always, you can install with:
gem install rails --version 2.1.2

Paris on Rails: December 1st

Paris on Rails is having it’s third annual conference on December 1st. There’s a wealth of great speakers lined up and yours truly will be doing a video iChat session as well. If you register before November 9th, the entrance fee is just 80 euros. If you can, go!

Response Splitting Risk

The Ruby HTTP libraries used by Rails do not perform any santization of the values of their HTTP Headers. This can lead to Response Splitting and Header Injection attacks in certain circumstances where user-provided values are written into response headers. These malformed values can be used to set custom cookies, and forge fake responses to users if your application uses any of the user submitted parameters to construct HTTP headers without sanitizing.

A common scenario where this can be exploited is where your application takes a URL from the query string, and redirects the user to it. To mitigate this common scenario new versions of Rails will be released which sanitize the values passed to redirect_to. However you will still need to take care when writing other values to response headers.

The new versions which will contain the fixes are:

  • 2.0.5
  • 2.1.2
  • 2.2.0

These releases are not available immediately, so in the event that it’s infeasible or inconvenient for your application to sanitize the user-supplied values it passes to redirect_to, patches are available at the following locations.

Users of Edge Rails prior to ba80ff74a962 should update to the latest revisions, cherry pick the change at ba80ff74a962 or or apply this patch

Thanks to Luka Treiber and Mitja Kolsek of ACROS Security for notifying us of this issue and the Ruby Security team for their advice.

RailsConf '09: Accepting proposals for Vegas!

RailsConf 2009 is going to Las Vegas, baby. It’s happening from May 4-7 at the Las Vegas Hilton. Last year was an astounding success with probably the best session line-up of any of the many RailsConfs we’ve had yet. We’re hell bent on repeating that for 2009, but we need your help.

The call for proposals has opened and will stay open until February 17th, 2009. That’s a really long call for proposals and we’re doing it to get even more timely information available for the conference. If Rails 3.0 magically appears in January, we want to make sure there are sessions covering it.

The registration for the conference will open in January of 2009.