Forum: Ruby on Rails Editing Files in the Browser

Announcement (2017-05-07): www.ruby-forum.com is now read-only since I unfortunately do not have the time to support and maintain the forum any more. Please see rubyonrails.org/community and ruby-lang.org/en/community for other Rails- and Ruby-related community platforms.
DAZ (Guest)
on 2009-01-12 16:38
(Received via mailing list)
Hi,

Is it possible to open a file (in the public directory) in a text
field, edit it and save it?

Is it also possible to type into a new text field, then save this as a
new file in the public directory?

One use for this I could see would be to allow users to edit
stylesheets/themes.

If this is possible, how do you do it?

Cheers,

DAZ
Andrew T. (Guest)
on 2009-01-12 17:27
(Received via mailing list)
On Mon, Jan 12, 2009 at 4:37 PM, DAZ <removed_email_address@domain.invalid> 
wrote:

> stylesheets/themes.
>
> If this is possible, how do you do it?
>
> Cheers,
>
> DAZ
> >
>
DAZ

To get the contents, you could do:
@file_contents = File.read(File.join(RAILS_ROOT, "public", "your_file_name.css"))

And to save again, do:
# "w" opens the file for writing (truncating it first); without a mode
# File.open defaults to read-only and file.write would raise IOError
File.open(File.join(RAILS_ROOT, "public", "your_file_name.css"), "w") do |file|
  file.write params[:file_contents]
end

NOTE: I'd be very careful of actually doing this though as there are MANY
security issues.
Think through things like who will have access to this functionality and
how much they can be trusted.
One thing to specifically check for is that the user cannot set the file
path in any way or you could end up with files written to like:
/home/rails/myproject/public/../../../../etc/passwd

Have a look at http://guides.rubyonrails.org/security.html for some more
detailed info on the potential problems.

--
Andrew T.
http://ramblingsonrails.com
http://www.linkedin.com/in/andrewtimberlake

"I have never let my schooling interfere with my education" - Mark Twain
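The path check Andrew describes, written out as an added example (this is not code from the thread or from Rails). It keeps the editable files in one fixed directory, accepts only names from a short allowlist, and, as a second independent check, verifies that the expanded path still lies under that directory. PUBLIC_DIR, EDITABLE_FILES and the helper names are assumptions made for this example; PUBLIC_DIR stands in for RAILS_ROOT/public.

```ruby
# Added example, not from the original thread: confine browser-editable
# files to one directory and an allowlist of names so that user input can
# never steer the path. PUBLIC_DIR, EDITABLE_FILES and the helper names are
# assumptions for this example.
require "fileutils"
require "tmpdir"

# Stand-in for File.join(RAILS_ROOT, "public") so the example runs anywhere.
PUBLIC_DIR = File.join(Dir.tmpdir, "editable_public_example")
# The only names a user may read or write; everything else is refused.
EDITABLE_FILES = %w[theme.css custom.css].freeze

class UnsafePathError < StandardError; end

# Resolve a user-supplied name to an absolute path inside PUBLIC_DIR.
# Check 1: the name must be on the allowlist.
# Check 2 (defence in depth): after expansion the path must still start
# with PUBLIC_DIR, which catches "../" sequences and absolute paths even
# if the allowlist were ever loosened.
def safe_public_path(name)
  unless EDITABLE_FILES.include?(name)
    raise UnsafePathError, "not an editable file: #{name.inspect}"
  end
  root = File.expand_path(PUBLIC_DIR)
  path = File.expand_path(name, root)
  unless path.start_with?(root + File::SEPARATOR)
    raise UnsafePathError, "path escapes public dir: #{name.inspect}"
  end
  path
end

def read_public_file(name)
  File.read(safe_public_path(name))
end

# Overwrites the file (File.write truncates first) and returns bytes written.
def write_public_file(name, contents)
  File.write(safe_public_path(name), contents)
  contents.bytesize
end

# true if the name would be refused, false if it resolves safely.
def rejected?(name)
  safe_public_path(name)
  false
rescue UnsafePathError
  true
end

if __FILE__ == $0
  FileUtils.mkdir_p(PUBLIC_DIR)
  write_public_file("theme.css", "body { color: #333; }\n")
  puts read_public_file("theme.css")
  puts rejected?("../../../../etc/passwd")
end
```

In a Rails controller the `name` would come from `params`, and the allowlist would replace any free-form path parameter; the prefix check costs nothing and guards against the allowlist later being relaxed to a pattern.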
DAZ (Guest)
on 2009-01-12 17:58
(Received via mailing list)
Thanks for the reply Andrew, and thanks for the link - very useful and
informative (as is your blog!).

The idea is as part of a CMS-style app, so people would have to be
signed in to edit files, and they probably wouldn't be able to choose
the path, just the name. I guess I would use a similar whitelist
approach as recommended in the docs.

Would it be better to do this sort of thing at a database level -
saving the whole CSS text in a Theme model or something?

cheers,

DAZ
John Y. (Guest)
on 2009-01-12 18:28
(Received via mailing list)
> Would it be better to do this sort of thing at a database level -
> saving the whole CSS text in a Theme model or something?

I think that'd be the best solution.
Andrew T. (Guest)
on 2009-01-12 18:31
(Received via mailing list)
On Mon, Jan 12, 2009 at 5:57 PM, DAZ <removed_email_address@domain.invalid> 
wrote:

> saving the whole CSS text in a Theme model or something?
>
> cheers,
>
> DAZ


There are pros and cons to everything, I just wanted you to be aware - I
don't like providing a solution to someone where they can shoot themselves
in the foot with it :-)

Even in a CMS based app this can be dangerous.
If the CMS is for a specific client running on their own hardware, you
have less of a problem than if it is for public consumption.

If you want to allow people to customise the look of an application, I
would provide very specific things they can change.
Your idea of a Theme model can work but still be careful of what they
can set as values. IE allows javascript to execute within CSS which can
open you up to XSS attacks etc.

--
Andrew T.
http://ramblingsonrails.com
http://www.linkedin.com/in/andrewtimberlake

"I have never let my schooling interfere with my education" - Mark Twain
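Andrew's suggestion of "very specific things they can change" rather than free-form CSS, as an added example (not code from the thread). Instead of storing a whole stylesheet in a Theme record, the model holds a handful of narrowly typed values, validates each against a strict pattern or allowed list, and generates the CSS itself, so a stored value can never carry a CSS expression or URL. Theme, its field names and the limits are assumptions for this example; it is plain Ruby rather than an ActiveRecord model so that it runs stand-alone.

```ruby
# Added example, not from the original thread: a Theme that stores a few
# validated values and renders the stylesheet from them. The class, its
# fields and limits are assumptions for this example.
class Theme
  HEX_COLOUR    = /\A#[0-9a-fA-F]{6}\z/          # exactly "#rrggbb", nothing else
  FONT_FAMILIES = %w[sans-serif serif monospace].freeze
  MIN_WIDTH_PX  = 320
  MAX_WIDTH_PX  = 1600

  attr_reader :errors

  def initialize(background:, text_colour:, font_family:, content_width:)
    @background    = background
    @text_colour   = text_colour
    @font_family   = font_family
    @content_width = content_width
    @errors        = []
  end

  # Every field is checked against a closed pattern or list; anything
  # outside it (including "expression(", "url(" or a stray ";") fails.
  def valid?
    @errors = []
    unless HEX_COLOUR.match?(@background.to_s)
      @errors << "background must be a 6-digit hex colour"
    end
    unless HEX_COLOUR.match?(@text_colour.to_s)
      @errors << "text_colour must be a 6-digit hex colour"
    end
    unless FONT_FAMILIES.include?(@font_family)
      @errors << "font_family not in allowed list"
    end
    unless @content_width.is_a?(Integer) &&
           @content_width.between?(MIN_WIDTH_PX, MAX_WIDTH_PX)
      @errors << "content_width must be an integer between " \
                 "#{MIN_WIDTH_PX} and #{MAX_WIDTH_PX}"
    end
    @errors.empty?
  end

  # The only CSS that ever reaches the browser is this template; the
  # interpolated values have already passed the checks above.
  def to_css
    raise ArgumentError, "invalid theme: #{@errors.join(', ')}" unless valid?
    <<~CSS
      body { background: #{@background}; color: #{@text_colour}; font-family: #{@font_family}; }
      .content { max-width: #{@content_width}px; }
    CSS
  end
end

if __FILE__ == $0
  theme = Theme.new(background: "#ffffff", text_colour: "#222222",
                    font_family: "serif", content_width: 960)
  puts theme.to_css
end
```

In Rails the same checks map directly onto `validates :background, format: { with: HEX_COLOUR }` and `validates :font_family, inclusion: { in: FONT_FAMILIES }`, and `to_css` would be served from a controller action with a text/css content type.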