Activity Graph

Page 1 of 4 | Next »


[04:10:44] greenride: has left #ruby: ()
[04:11:22] greenride: has left #RubyOnRails: ()


[19:24:53] greenride: has joined #RubyOnRails
[19:25:07] greenride: has joined #ruby


[02:27:06] greenride: has left #RubyOnRails: ()
[02:27:16] greenride: has left #ruby: ()


[19:33:44] greenride: has joined #ruby
[19:33:50] greenride: has joined #RubyOnRails


[02:20:04] greenride: has left #ruby: ()


[20:29:04] greenride: has joined #ruby
[23:11:26] greenride: Is there any way to prevent rdoc, maruku, or RedCloth from transforming a Unicode+0022 quotation mark into a Unicode+201 quotation mark?


[03:26:13] greenride: has joined #RubyOnRails
[03:30:35] greenride: I'm using the carrierwave gem and have an Uploader mounted on a column. For every upload, Carrierwave always writes 'file.jpeg' to the database. And, the url for all rows points to the last upload. What should carrierwave write in each row?
[03:42:34] greenride:
[03:43:55] greenride: Radar: The spec works and single file upload works. However, all subsequent collections point to the same image, and the value in the mounted column is always 'file.jpeg'.
[03:56:18] greenride: sevenseacat: Thanks. Do you know how filenames are translated into urls when using fog?
[03:56:43] greenride: Is the url completely determined by the filename?
[09:00:25] greenride: has left #RubyOnRails: ()


[03:48:47] greenride: has joined #RubyOnRails
[04:01:57] greenride: When using header tokens with Devise in a Rails api, what gems are useful for managing these tokens? Users need multiple active tokens, and support for token expiration/invalidation would be helpful.
[08:15:59] greenride: has left #RubyOnRails: ()


[11:09:03] greenride: has joined #RubyOnRails
[11:36:37] greenride: has left #RubyOnRails: ()


[05:08:16] greenride: has joined #RubyOnRails
[08:21:55] greenride: Quit: Leaving.


[04:10:40] greenride: has left #RubyOnRails: ()
[09:31:28] greenride: has left #RubyOnRails: ()


[09:24:14] greenride: has joined #RubyOnRails
[09:25:26] greenride: What's the best way to implement push notifications & synchronization without using a 3rd party service?
[09:35:06] greenride: I'm planning to use RabbitMQ, rabbitmq_web_stomp plugin, rabbitmq-auth-backend-http plugin, and hutch. Does anyone have experience using this stack for push notifications?


[20:57:11] greenride: has joined #RubyOnRails
[20:59:59] greenride: has left #RubyOnRails: ()


[00:27:31] greenride: Can the following command be modified to skip the generation of the edit and new methods in the generated controller? 'rails g scaffold user User first_name:string'
[00:43:36] greenride: Radar: Thanks. Good to know it isn't possible.
[00:45:50] greenride: advice noted... Should I stop using generators as well or just scaffolds?
[11:25:00] greenride: Quit: Leaving.


[23:41:28] greenride: has joined #RubyOnRails
[23:42:10] greenride: Is there a line I can add to config.application.rb to skip generation of all files with the .erb extension?


[06:48:53] greenride: has joined #ruby
[06:50:00] greenride: Are there any Ruby frameworks that use a persistent connection to push data to a web browser from a server? Ideally, the framework would be compatible with a Postgres database.
[06:53:06] greenride: Ox0dea: Cool! I didn't realize this was merged into Rails.
[06:53:39] greenride: Has anyone done load tests on the maximum number of open connections this can support?
[10:16:34] greenride: Quit: Leaving.


[01:39:06] greenride: has joined #RubyOnRails
[01:39:50] greenride: I'm getting the error undefined method `protect_from_forgery' for ApplicationController:Class when using rails-api. Has that functionality been completely stripped out?
[01:40:51] greenride: asset pipeline... cachebusting...
[09:27:53] greenride: Quit: Leaving.


[01:11:31] greenride: has joined #ruby
[01:12:14] greenride: Out of curiosity, are more recent versions of Ruby significantly faster than previous versions?
[01:12:25] greenride: Has anyone compiled benchmarks?
[01:24:36] greenride: shevy: Thanks for that link. The results are almost unbelievable.
[01:25:10] greenride: shevy: Can't believe JRuby with Torqbox is the fastest.
[01:45:02] greenride: shevy: He does. I understand that's an issue. I was interested in steady state though.
[01:51:53] greenride: Ox0dea: Is anyone using JRuby + Truffle in prod today?
[04:21:58] greenride: has left #ruby: ()


[08:16:43] greenride: has joined #ruby
[08:17:00] greenride: Are there any production quality CI servers written in Ruby?
[08:34:34] greenride: hmm... yes... now that I see the answer... I realize I asked the wrong question. ... meant to ask... Are there any open source production quality CI servers written in Ruby?
[19:23:40] greenride: has left #ruby: ()


[02:06:44] greenride: has joined #RubyOnRails
[02:06:55] greenride: has left #RubyOnRails: ()


[06:36:34] greenride: has joined #RubyOnRails
[06:37:16] greenride: has left #RubyOnRails: ()
[06:59:11] greenride: has joined #RubyOnRails
[08:17:17] greenride: has left #RubyOnRails: ()


[08:00:51] greenride: has left #RubyOnRails: ()


[03:45:51] greenride: *.net *.split
[04:06:30] greenride: has joined #RubyOnRails
[09:11:55] greenride: has left #RubyOnRails: ()
[23:09:18] greenride: has joined #RubyOnRails
[23:12:59] greenride: tubbo: Thanks for your comments on bamboo and capistrano yesterday. That helped me understand how to setup bamboo with the bamboozled-ruby-plugin and capistrano.


[19:39:34] greenride: has joined #RubyOnRails
[19:40:36] greenride: When using the bamboozled-ruby-plugin, are capistrano and its plugins typically included in a Rail's applications Gemfile? Or, can bamboo be setup to generate a tarball and then deploy this tarball to various servers?
[19:54:42] greenride: rhizome: It's a Ruby plugin for the Atlassian Bamboo CI/Build server.
[19:55:17] greenride: tubbo: My understanding of build servers is that they create a tarball that is then deployed to every server.
[19:55:55] greenride: tubbo: So, I was thinking that capistrano would no longer be required since it isn't being used for the deployment.
[19:56:42] greenride: What I don't know is whether Bamboo with that plugin can handle everything that capistrano does.
[20:03:21] greenride: tubbo: Ideally, I'd like bamboo to generate a tarball with all the dependencies. Then, I'd like to push the tarball to all servers. Can Bamboo use this deployment pattern?
[20:03:33] greenride: dependencies = gems


[05:53:03] greenride: has left #ruby: ()


[00:38:44] greenride: simkessy: I was bugging people here about api security and csrf tokens a little while ago. That said, Code School has a tutorial on Rails apis. The last part number 6, has a tutorial on authentication that is pretty good. I also recommend this book
[00:40:36] greenride: simkessy: yw
[00:41:00] greenride: The book is
[10:21:30] greenride: FailBit: Those complexity numbers are just wrong.
[10:22:54] greenride: chrislotix: One sec... let me get source (with code to prove).
[10:25:11] greenride:
[10:25:25] greenride: You might need to sign in to amazon.
[10:25:51] greenride: Code is on page 170
[10:26:11] greenride: My version of the book has the graph on pg 173 and the code on pg 172
[10:27:07] greenride: Average case is O(1)
[10:27:23] greenride: Best case is obviously O(1)
[10:29:57] greenride: Even with hash collisions, worst case is not O(n).
[10:30:33] greenride: Actually, I'm not sure about the worst case.
[10:34:09] greenride: workmad3: Ruby rebalances in the case that provided values hash to the same modulo value. As a result, hash lookups are faster, but insertions could be slower.
[10:35:33] greenride: workmad3: It's surprisingly well written... not as hard to read as one might think.
[10:36:16] greenride: I haven't read the whole book either.
[10:37:09] greenride: FailBit: I wasn't following that thread of conversation... reading
[10:38:29] greenride: FailBit: sortof.... it's only a constant factor slower.
[10:38:40] greenride: what was the claim?
[10:41:02] greenride:
[10:42:25] greenride: Which version of Ruby?
[10:43:14] greenride:
[10:46:18] greenride: unless it's assigned to a method name
[10:52:01] greenride: workmad3: I take that back about your example. It depends on the context in which it is used.
[10:52:37] greenride: workmad3: If it's used in a dynamic method definition, it's possible that it won't be garbage collected.
[11:03:20] greenride: Quit: Leaving.
[20:46:25] greenride: has joined #ruby


[01:14:54] greenride: I'm looking at Rails source. In particular, request_forgery_protection.rb. If I understand correctly, it's verification mechanism is to check whether the csrf token in the form submission matches the one in the session, which is often stored in a cookie. How does that offer any protection?
[01:15:40] greenride: The file path is gems/actionpack-4.1.1/lib/action_controller/metal/request_forgery_protection.rb
[01:18:03] greenride: Couldn't a malicious site just forge both the cookie and the authenticity_token in the form?
[01:21:27] greenride: pwnd_nsfw: If the session is stored in the cookie, can't the attacker just forge the cookie too?
[01:23:13] greenride: They don't need to obtain the cookie from the victim site. The attacker can just forge a brand new cookie and ensure it matches the authenticity_token that is also forged. Right?
[01:28:13] greenride: pwnd_nsfw: I read through that guide, but it doesn't answer my question (or, I don't understand that it's answering my question).
[01:29:56] greenride: There is no server side storage of the cookie. And, the cookie's data is included in the request made to the server. Just create an arbitrary cookie with the same data format.
[01:30:54] greenride: Then, the authenticity_token (which is generated by the malicious site) can be placed inside the cookie (that is forged) for the request.
[01:32:36] greenride: Section 2.5... that's what I was missing. Let me read it.
[01:47:06] greenride: pwnd_nsfw: I sort of see what's going on. Because the malicious site doesn't have the secret, it can't create the cookie's digest signature. What confuses me now is why the request even needs to provide the authenticity_token. Why not just stop at checking the session_id and digest signature of the cookie?
[06:41:59] greenride: When creating rails JSON apis, protect_from_forgery with: null_session is typically used, and CSRF protection is provided through the Authorization header containing a token. However, CSRF protection isn't present prior to user login. What's the standard way to provide CSRF protection for the /users/sign_in POST?
[06:46:24] greenride: cleopatra: Yes. After the sign_in, the CSRF protection is provided by the `Authorization: Token token=<32 digit hex number>` header.
[06:49:19] greenride: cleopatra: Abstractly, it would be for any post, put, patch, or delete action where a user is not signed in. My main use case is the sign_in, sign_up, password reset, etc. None of these requests would have an Authorization header with a token.
[06:51:25] greenride: cleopatra: That just skips the check. Right? In theory, that would allow for a cross site attack signing in a user as someone else. Or, signing up that user for some other email address. Right?
[06:54:44] greenride: If you're using an Authorization token, you won't be leaking data. So, it would probably pass a security audit. However, this seems to be a step backwards from the level of protection provided by the authentication token in form_for.
[06:57:45] greenride: cleopatra: I saw that stackoverflow post. So far, I've just been turning off CSRF protection for json APIs, but I'm wondering if there's a better way.
[06:59:35] greenride: That's a pretty heavy solution for this problem...
[07:00:51] greenride: For this situation, Angular
[07:01:53] greenride: I've used backbone, angular, ember, and react... same issue with all frameworks... it's an api issue unrelated to the frontend framework.
[07:05:58] greenride: cleopatra: have you seen the codeschool tutorial?
[07:06:11] greenride: on rails api?
[07:07:29] greenride: or ?
[07:08:47] greenride: the method recommended there avoids the csrf problem everywhere except the sign_in, sign_up, and password_reset.
[07:12:10] greenride: Essentially, they use an Authorization header with a user token that is stored in the user model (or its own table). That header provides csrf protection even though Rail's csrf protection is turned off. That method will pass security audits.
[07:12:42] greenride: However, a rogue site can sign in a user as someone else (for whom they have the username and password).
[07:12:59] greenride: But, they can't get any data.
[07:18:13] greenride: cleopatra: Here's the security problem that your site and mine currently face.
[20:44:50] greenride: Ping timeout: 240 seconds
[21:00:37] greenride: has joined #RubyOnRails
[21:19:23] greenride: has left #RubyOnRails: ()
[21:20:03] greenride: has joined #RubyOnRails
[21:20:27] greenride: What is the standard way to protect against Login CSRF attacks for a Rails JSON api?
[22:01:27] greenride: rhizome: I Googled 'rails api csrf' and read several posts. There's a variety of answers but none seem good. They suggest the following. 1. Turn off csrf for json apis. 2. Use Authentication header (with token) only after login. 3. Set CSRF token with GET before login.
[22:01:30] greenride: #1 is subject to CSRF. #2 is subject to Login CSRF. #3 was claimed to be bad practice.
[22:06:20] greenride: Radar: Are you suggesting that JSON apis should turn off csrf protection. Or, that turning of csrf tokens subjects them to csrf attacks on browsers?
[22:11:35] greenride: Radar: Code school suggests `protect_from_forgery with: :null_session` for JSON apis and then using an Authorization header with `Token token=<32 digit hex>`. This protects against most CSRF attacks but not a login CSRF attack.
[22:13:21] greenride: Code school suggests turning off as well. With the `Authorization: Token token=<32 digit hex>` this protects against all CSRF attacks except login CSRF. What can be used to protect against Login CSRF attacks?
[22:14:28] greenride: Login CSRF = logging in a user with the attacker's credentials.
[22:22:33] greenride: Aeyrix: It doesn't matter from Mobile apps, but it is an issue in web browsers. Right?
[22:24:20] greenride: Aeyrix: With CSRF turned off, what header is being set with the initial /users/sign_in POST request?
[22:28:27] greenride: Aeyrix: That's my whole question. With login forms, there's a CSRF token that one obtains from the GET request, which is then a posted parameter in the POST /users/sign_in. This CSRF token doesn't exist in a JSON api's /users/sign_in POST when using 'protect_from_forgery with: :null_session'.
[22:29:35] greenride: Aeyrix: On the /users/sign_in POST, there is no auth_token to set for the user.
[22:30:41] greenride: Radar: To prevent signing someone in with the attacker's credentials.
[22:31:31] greenride: CSRF = Cross Site Request Forgery
[22:32:21] greenride: If the user doesn't notice the credentials are not his or hers, the user might use the site with the attacker's credentials and enter information such as credit cards, etc. Then, the attacker can login at a later time and obtain the information the user entered.
[22:33:31] greenride: Aeyrix: CSRF... a submits Post/Put/patch/delete etc. when user clicks on a link in The http requests are to the
[22:34:32] greenride: Aeyrix: Right. That's what CSRF is doing. And, login CSRF is forging the sign_in process without the user's consent.
[22:37:06] greenride: Radar: The attacker can just create their own account.
[22:38:53] greenride: Radar: Attacker creates their own account on let's say using Amazon's ordinary web interface. Then, the user exploits Login CSRF on Amazon to log the victim into using the attacker's credentials. Then, the user (not noticing) enters PII data into Now, the attacker can login to their own account and retrieve that data.
[22:55:32] greenride: Radar: Nothing in the Rails Security guide talks about login CSRF attacks for JSON apis. Are you claiming that login CSRF is a stupid attack vector or that Rails JSON apis with `protect_from_forgery with: :null_session` don't need to protect against login CSRF?
[23:14:42] greenride: Aeyrix: Is your position that login csrf is a stupid attack or that rails json apis are already protected even with 'protect_from_forgery with: :null_session'?
[23:19:12] greenride: Aeyrix: This stack overflow post discusses the login csrf issue.
[23:19:52] greenride: Aeyrix: Google and Yahoo (along with some smaller sites) were hit by login csrf. Of course, I'm not Google, Yahoo, or anywhere near that scale.
[23:20:42] greenride: I agree with the position. Most security audits will point it out but still pass a site with login csrf issues.
[23:21:22] greenride: I was just wondering if there was a way to deal with the issue for JSON apis. Regular Rails login forms are protected.
[23:22:52] greenride: Rails JSON apis
[23:23:40] greenride: Restful Rails JSON apis for a javascript single page app (angular) that is served from a separate frontend server.
[23:29:24] greenride: Aeyrix: using `Authorization: Token token=<32 digit hex number>`, one can pass credentials as a header. However, that token is not available for the /users/sign_in POST. Problem with creating a get and passing a token is that the attacker can just fetch the same token and use it for a post. SOP isn't available for protection in that case.
[23:30:19] greenride: Aeyrix: That's a position I can agree with. =)
[23:38:21] greenride: Aeyrix: Ideally, I would like to serve the frontend from a different server/domain and get clean separation between angular and the Rails api.
[23:38:41] greenride: Aeyrix: Of course, there are CORS issues.
[23:39:43] greenride: Aeyrix: I believe the Angular rails gem sets the CSRF token in the initial delivery of the frontend. Then, the json POST request has the CSRF token to use.
[23:43:18] greenride: Aeyrix: Ari Lerner's book ( goes over the use of a separate nodejs server and rails api. However, he ignores the CSRF issue and turns it off. I was wondering if there was a way to make his approach work with CSRF protection.
[23:44:46] greenride: Which words?
[23:45:57] greenride: What did I state that is incorrect?
[23:47:33] greenride: That's what I meant... CORS issues = headers need to be set. But, point noted, I should have been more precise there.
[23:48:53] greenride: issues can be small or big. But, agreed. The size of the issue wasn't clear from my comment.
[23:49:09] greenride: Or size of task.
[23:50:28] greenride: Aeyrix: Was the `wrong irc window` directed at me?


[05:05:19] greenride: has joined #RubyOnRails
[09:59:05] greenride: Quit: Leaving.
[21:38:14] greenride: has joined #RubyOnRails
[21:39:11] greenride: I'm trying to understand csrf tokens. Why can't a Rogue site do both the get request to get the csrf token and the post request?
[22:12:33] greenride: How do people typically generate CSRF tokens for json apis?
[22:15:01] greenride: FailBit: CSRF protection should also be required for json apis supporting web frontends. Right?
[22:19:42] greenride: If no one is doing csrf protection for their json posts (and puts and deletes), this means every Rails json api is subject to csrf attacks. Right?
[22:21:36] greenride: Rogue site can log a browser in as some other user


[08:11:48] greenride: has joined #RubyOnRails
[08:13:03] greenride: Is there a way to get a CSRF token with a json get request? (For use in a json post to /users/sign_in with devise)
[08:17:45] greenride: has left #RubyOnRails: ()
[18:58:52] greenride: has joined #RubyOnRails
[19:01:13] greenride: Is there a way to configure ActionMailer to send mail without an smtp server? This is for the purpose of sending one summary email daily to a known user.
[19:04:10] greenride: matthewd: I can send email using the command line with a command such as `mail -s "Hello World" < /tmp/mail/txt` I want similar functionality using ActionMailer.
[19:04:58] greenride: matthewd: The mail sent by command line appears in the SPAM folder of my gmail account.
[19:07:37] greenride: matthewd: Right. The command line util does the dns lookup of the MX record at the specified domain, opens a tcp connection to the mail server and then delivers the mail. Not scaleable??? but great for delivering a few emails.
[19:09:03] greenride: matthewd: I'm asking if there's a way to configure ActionMailer to do the email sending without using an SMTP server.
[19:15:55] greenride: matthewd: Thanks. Didn't realize sendmail had command line email sending tools. I'll use that.
[19:51:21] greenride: has left #RubyOnRails: ()


[17:12:24] greenride: has joined #RubyOnRails
[17:22:49] greenride: Quit: Leaving.


[03:35:27] greenride: has joined #RubyOnRails
[04:00:57] greenride: When items are moved in a spree taxonomy, what would cause the url to be updated? Initially, the old url was maintained, but the url changed to reflect the new location.
[04:08:26] greenride: rhizome: The item is being moved manually. The unintended consequence is that the url changes to reflect the new location within the taxonomy.
[04:08:44] greenride: rhizome: Is there a rake task or some other piece of code that updates these urls?
[04:19:54] greenride: rhizome: No. I was wondering what actions could cause the url to be updated.
[04:28:00] greenride: Quit: Leaving.


[01:59:51] greenride: has joined #RubyOnRails
[01:59:58] greenride: has left #RubyOnRails: ()


[01:54:21] greenride: has joined #RubyOnRails
[01:55:00] greenride: has left #RubyOnRails: ()


[04:46:50] greenride: Quit: Leaving.
[17:00:13] greenride: has joined #RubyOnRails
[17:00:13] greenride: has joined #ruby
[18:34:45] greenride: has left #RubyOnRails: ()
[18:34:45] greenride: has left #ruby: ()


[01:39:57] greenride: Quit: Leaving.
[07:01:04] greenride: has joined #RubyOnRails
[07:01:04] greenride: has joined #ruby
[07:11:19] greenride: Quit: Leaving.
[19:07:31] greenride: has joined #RubyOnRails
[19:07:31] greenride: has joined #ruby


[21:58:54] greenride: has joined #ruby
[21:59:22] greenride: has joined #RubyOnRails
[22:04:21] greenride: I'm using Mongoid, and I want something like Membership.where(created_at + expiration_time_in_secs < created_at and expiration_time_in_secs are fields for the member object in the memberships collection. What is the syntax for this?
[22:26:16] greenride: rhizome: Memberships last variable amounts of time. The expiration time is a field in the Membership object. So, I need to use both the created_at and expiration_time_in_seconds. I also want to pull more than one record. So, I need a critera object.


[06:16:24] greenride: The set of users is probably limited.
[06:16:43] greenride: Yes, that's a lower bound.
[06:20:32] greenride: zenspider: Yes.
[06:21:07] greenride: zenspider: The obvious way is to get the time before and after a line of code. Then, find the difference.
[06:25:25] greenride: Ox0dea: What would a Ruby parser help me do in this case?
[06:41:37] greenride: zenspider: You asked me 'what about this line?'. Which line are you referring to?
[06:45:56] greenride: Ox0dea: I see. You are demonstrating that lines are a bad thing to benchmark since your example shows that lines are not necessarily a unit that translates into something meaningful at the token level or the ruby virtual machine level.
[06:47:06] greenride: Ox0dea: Fully agree.
[06:47:30] greenride: zenspider: Thanks for pointing that out. I just wasn't sharp enough to get it back then.
[06:47:47] greenride: zenspider: Noted that you said it.
[06:55:55] greenride: Ox0dea: By the way, thanks for the discussion.
[06:56:03] greenride: zenspider: By the way, thanks for the discussion.
[06:59:23] greenride: [k-: Thanks for the discussion as well. That's a cool little script.
[07:43:50] greenride: has left #ruby: ()