New Mephisto Release

The latest version of Mephisto, the blog that powers Riding Rails, has been released. Justin Palmer has the nitty gritty details at the Mephisto Blog. Our focus for this release has been the simple Asset Manager, as shown in the screenshot. I feel it’s pretty solid for a blog, so future releases will focus on broadening the horizons with some more CMS capabilities.

Even if you’re not looking for a publishing tool now, there’s a wealth of good, unit tested code in the subversion repository.

Capistrano 1.1.9 (beta)

A new release of Capistrano is nearly upon us! Before I unleash it upon the world, though, I’d like to have a few brave souls put it through its paces, so I’m doing a brief run of it as a pre-release. You can grab it from the Rails beta gem server:

gem install -s capistrano

There are a lot of changes in this release, most of them minor or cosmetic. However, there are some changes that may bite you, too.

The most significant change that may affect you has to do with the roles used for the setup, update_code, rollback_code, and symlink tasks. These tasks have changed such that they now deploy to all defined servers. That’s right, if you’ve got a server associated with any role, those tasks will deploy to that server. However, a server can explicitly opt out of being part of release deployment by setting :no_release => true in its role definition:

   role :file, "file-server.somewhere.example",
        :no_release => true

Take note of that! If you have any servers using non-standard roles (any role besides web, app, or db), you need to explicitly add :no_release => true in their role definitions, or your next deploy will target those servers, too.

Other significant changes that may or may not tickle you:

  • The -r/--recipe command line option is deprecated. You should use -f/--file instead.
  • Matthew Elder has contributed (and agreed to maintain) a module for the Mercurial SCM.
  • If you have sudo in a non-standard location, you can specify the path to sudo via the :sudo variable
  • Added :svn_passphrase so you can use keys with passphrases
  • Fixed missing default for :local in the CVS module
  • Subversion SCM accepts HTTPS certificates now
  • Work with pid-based setups (new spawner/reaper)
  • Added update task
  • Added :except on task declarations (as the opposite of :only)
  • Override the hosts to be used for a task via the HOSTS environment variable
  • Override the roles that will be used for a task via the ROLES environment variable
  • Added :hosts option on task declarations for defining tasks that work only on specific machines (rather than by role)
  • Don’t require a capfile (this allows you to use capistrano to operate on arbitrary hosts, all from the command line)

Various other changes have been made as well—you can look at the CHANGELOG for a complete list.
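To see which servers the :no_release change described above would newly pull into a release, here is an added example (not Capistrano's code and not from the original post). RecipeModel and its methods are hypothetical names, the host names other than the post's file server are constructed, and the "previous" rule is the standard-roles-only behaviour the post implies.

```ruby
# Toy model of a recipe's role declarations (not Capistrano's own code).
class RecipeModel
  STANDARD_ROLES = [:web, :app, :db] # the roles the post calls standard

  def initialize(&block)
    @servers = []
    instance_eval(&block)
  end

  # Same call shape as the recipe DSL: role :name, "host", ..., :opt => value
  def role(name, *hosts)
    opts = hosts.last.is_a?(Hash) ? hosts.pop : {}
    hosts.each do |host|
      @servers << { :role => name, :host => host,
                    :no_release => opts[:no_release] == true }
    end
  end

  # 1.1.9 rule: every server in any role, unless it opted out.
  def release_targets
    @servers.reject { |s| s[:no_release] }.map { |s| s[:host] }.uniq.sort
  end

  # Earlier behaviour as the post implies it: standard roles only.
  def previous_targets
    @servers.select { |s| STANDARD_ROLES.include?(s[:role]) }
            .map { |s| s[:host] }.uniq.sort
  end

  # Servers that start receiving releases after the upgrade.
  def newly_targeted
    release_targets - previous_targets
  end
end

# Constructed recipes: the same servers before and after adding the opt-out.
UNCHANGED = RecipeModel.new do
  role :web, "www.somewhere.example"
  role :db, "db.somewhere.example"
  role :file, "file-server.somewhere.example"
end
OPTED_OUT = RecipeModel.new do
  role :web, "www.somewhere.example"
  role :db, "db.somewhere.example"
  role :file, "file-server.somewhere.example", :no_release => true
end

puts "newly targeted without opt-out: #{UNCHANGED.newly_targeted.inspect}"
puts "newly targeted with opt-out:    #{OPTED_OUT.newly_targeted.inspect}"
```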

Things you shouldn't do in Rails

Kevin Clark has written a nice piece on things you shouldn’t be doing in Rails. It starts with a reminder about not using various deprecated pieces of the API, and goes from there into recommendations based on Kevin’s personal experience with Rails. It’s worth checking out. Remember, half of knowing what to do is knowing what not to do.

Power Flash and Flex from Rails

Jon Shumate introduces WebORB:

WebORB for Rails is server-side technology enabling connectivity between Flex and Flash Remoting clients and Ruby on Rails applications. WebORB for Rails can be installed as a plugin into any Rails application to expose Ruby classes as remote services. The product provides a complete implementation of the Adobe’s AMF0 and AMF3 messaging protocols and thus supports any Flash Remoting or Flex client.

Working with Flash and Flex? Check it out.

The Rails Edge

I’ve been wracking my brain trying to come up with something to say about The Rails Edge that isn’t already obvious. The problem is that everyone already knows that Dave Thomas and Mike Clark have been delivering top-notch Ruby on Rails training since last year, so I don’t have to say what a good deal this event will be. All the speakers are already famous Rails peeps in their own rights and don’t need their virtues extolled (even Marcel). And I certainly don’t need to tell anyone how much fun it is hanging out with a bunch of Rails folks for three days.

One thing I can offer is a personal testimonial as to the quality of the Pragmatic Studio programs. I took the Rails Studio back in January. Up until then I’d only dabbled with Rails. After taking the studio I had the knowledge to build real applications, and now I’ve got a job doing Rails development full time and am an author on the official Rails blog. One can never know what might have been so I can’t say I owe it all to that training, but I certainly got a lot from it and happily give it credit for getting me going in the right direction.

This year, RailsConf and RubyConf both sold out in a matter of hours. There is a huge demand for conferences - people want to learn what’s up in the Rails world, to meet other Rails developers, and to improve their Rails development skills. We’ve started to see some regional conferences being organized which could potentially be pretty cool, but there is always a place for a professional production like The Rails Edge. If you’re looking to get more involved in Rails, you should check it out.

Unobtrusive Javascript Plugin

Dan Webb and Luke Redpath have released the latest version of their Unobtrusive Javascript Plugin for Rails. It solves several of the main problems people run into when working with unobtrusive javascript:

  • Development isn’t as intuitive with Rails when you’re defining your custom javascript behaviors in an external file.
  • When working with pages with lots of images and content, the behaviors won’t be enabled until everything is downloaded and window.onload is called. It’s been solved with some nasty cross-browser javascript hacks, all handled transparently by Dan’s LowPro extension for prototype. This has been a big deal for me personally, so it’s nice to see it all solved.

UJS attempts to solve this by taking defined behaviors in the view and creating a tailored javascript file for it. Smart conditional GET and page caching techniques can be used to save bandwidth and time.

All in all, it looks like Dan and Luke did an excellent job on the plugin. Anyone using it? How’s it working out for everyone?

Filtered parameter logging

Now that the hubbub about the recent security issues has died down, I think it’s worth pointing out a little jewel that was snuck into the 1.1.6 security release of Rails that most people missed.

ActionController#filter_parameter_logging lets you filter form data that you don’t want saved in the log. This is useful for preventing sensitive data like passwords and credit card numbers from being logged in the clear, for keeping huge pieces of data from clogging the log file, and so on.

If your application accepts passwords, paste this line into your ApplicationController class:

filter_parameter_logging "password"

That will prevent any field with a name matching the pattern /password/i from being logged, so both [user][password] and [user][password_confirmation] will be filtered out. If you care about preventing exposure of passwords, go do that right now.

Credit to Jeremy Evans for his patch!
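The name-pattern matching described above filters only keys that match a filter word, so a sensitive field with a different name still reaches the log. The following added example (a standalone sketch, not Rails' implementation and not from the original post) mimics that matching on constructed parameters and lists what stays in the clear; filter_for_log, clear_paths, the "[FILTERED]" marker and the sample field names are assumptions.

```ruby
FILTERED = "[FILTERED]" # marker this sketch writes in place of a filtered value

# Copy of params in which every value whose key matches one of the filter
# words (case-insensitive, anywhere in the name) is replaced by the marker.
# Nested hashes such as [user][password] are walked recursively.
def filter_for_log(params, *words)
  return params if words.empty? # an empty pattern would match every key
  pattern = Regexp.new(words.map { |w| w.to_s }.join("|"), Regexp::IGNORECASE)
  params.each_with_object({}) do |(key, value), out|
    out[key] = if key.to_s =~ pattern
                 FILTERED
               elsif value.is_a?(Hash)
                 filter_for_log(value, *words)
               else
                 value
               end
  end
end

# Key paths whose values would still be written to the log unmodified.
def clear_paths(filtered, prefix = nil)
  filtered.flat_map do |key, value|
    path = prefix ? "#{prefix}[#{key}]" : key.to_s
    if value.is_a?(Hash)
      clear_paths(value, path)
    elsif value == FILTERED
      []
    else
      [path]
    end
  end
end

# Constructed request parameters for a signup that also takes a card number.
SAMPLE_PARAMS = {
  "user"  => { "login" => "alice", "password" => "hunter2",
               "password_confirmation" => "hunter2" },
  "order" => { "card_number" => "4111111111111111" }
}

# With only "password" as a filter word the card number is still logged.
puts clear_paths(filter_for_log(SAMPLE_PARAMS, "password")).inspect
# Adding a second word that matches the card field closes the gap.
puts clear_paths(filter_for_log(SAMPLE_PARAMS, "password", "card")).inspect
```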

Trac and SVN get a powerful new machine

After an extended period of troublesome Trac times, we’ve finally addressed the problem once and for all. Courtesy of TextDrive, we now have a new mega-powerful super machine dedicated to Trac and SVN. Instead of loads in the 30s, it’s now below 1. So get all of your pending patches and tickets into the system. It now actually works.

And thanks to the move of the mailing list to Google Groups, there’s still enough power on the old server to run the wiki, the manuals site, and the weblog without slowdowns. We ruffled a few feathers during the move (some people took it harder than others, one guy wanted to hunt down and kill the responsible, eeks!), but we’re happy to report that in terms of providing breathing room for the overloaded servers, it worked like a charm.

Official Mailing List Move

Don’t worry if you see some mailing list subscriptions in your inbox, we’re simply transferring everything to Google Groups. This takes the incredible load off the Ruby on Rails server so it can focus on Trac, and gives everyone a Google-powered search engine for the archives. Atom feeds are also available if that’s your preference. Here are the new Google Groups:

Hey everyone, let’s give the new rubyonrails-security list a warm welcome. It is an announcement-only list spawned from the lessons learned during the recent security incident.

By the way, it’s possible to subscribe to a Google Group without a Google account.

Streamlined: Taking admins beyond scaffolding

Justin Gehtland and Stuart Halloway have been moving along at a rapid pace on Streamlined since its unveiling at RailsConf in June. There’s now a public repository with the code available and they’ve put together a convincing screencast of its use.

I really like their approach of using separate UI classes instead of contaminating the model classes with administrative concerns. It has a great feel and look to it. Exciting to see it move forward.