Howdy all,
I’ve never been one to use scaffolds in my Rails projects, but I’m
looking at it right now as a possible time saver. I spend a
ridiculous amount of time building the forms, and slightly less (but
more than I’d like) building the controller(s) for a new model when
developing my applications.
However, I’ve taken a quick look at the built-in script/generate
scaffold, and it seems to be sorely lacking in error handling of any
kind.
For example, say I generate a quick scaffold for “Event”:
script/generate scaffold Event
…
Some resulting code looks like this:
  def edit
    @event = Event.find(params[:id])
  end
What happens if I pass a non-existent ID there? An
ActiveRecord::RecordNotFound exception gets raised, causing an error
500 to be displayed to the user in production, and maybe an exception
notification email cluttering my inbox.
It doesn’t stop there. Look at this:
  def create
    @event = Event.new(params[:event])

    respond_to do |format|
      if @event.save
        flash[:notice] = 'Event was successfully created.'
        format.html { redirect_to(@event) }
        format.xml  { render :xml => @event, :status => :created, :location => @event }
      else
        format.html { render :action => "new" }
        format.xml  { render :xml => @event.errors, :status => :unprocessable_entity }
      end
    end
  end
Okay, all well and good. However, what happens if I execute GET on
this action instead of POST? My understanding is that GET requests
are strictly to “get” data. However, in theory, I can pass a bunch
of URL encoded variables to this action and create a new event,
leaving this application wide open to XSS (assuming of course an
authorized user is logged in and clicks a malicious link).
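The two gaps raised above (an unknown id turning into a 500, and a state-changing action reachable by GET) are the ones a controller normally closes with an exception-to-status mapping and per-verb routing. The block below is an added example, not code from the original post or from Rails: it is plain Ruby with no framework dependency, and `RecordNotFound`, `Event`, `EventsController` and its `dispatch` method are all constructed here to model, in miniature, what `ActiveRecord::RecordNotFound`, `rescue_from` and a resource route (`map.resources :events`) do in a real application.

```ruby
# Added example (not code from the original post or from Rails itself): a
# plain-Ruby model of the two checks discussed above. RecordNotFound, Event,
# EventsController and its dispatch loop are constructed here to mimic
# ActiveRecord::RecordNotFound, Rails' rescue_from, and the per-verb routing
# that a resource route provides.

class RecordNotFound < StandardError; end

# Constructed in-memory stand-in for an ActiveRecord model. Like the real
# Event.find, it raises RecordNotFound for an unknown id instead of returning nil.
class Event
  RECORDS = { 1 => "Launch party", 2 => "Retrospective" }.freeze

  def self.find(id)
    # ActiveRecord casts the id to an integer first, so "abc" becomes 0 and
    # also ends up as RecordNotFound rather than some other exception.
    RECORDS.fetch(id.to_i) { raise RecordNotFound, "Couldn't find Event with ID=#{id}" }
  end
end

class EventsController
  # Which HTTP verbs each action accepts; this is what a resource route
  # enforces before the action body ever runs.
  ALLOWED_METHODS = {
    "show"   => %w[GET],
    "edit"   => %w[GET],
    "create" => %w[POST],
  }.freeze

  # Exception class => handler method, the shape of
  # rescue_from ActiveRecord::RecordNotFound, :with => :not_found
  RESCUES = { RecordNotFound => :not_found }.freeze

  # Simplified request dispatch: verb check, then the action, then rescue mapping.
  def dispatch(method, action, params)
    return { :status => 404, :body => "No such action" } unless ALLOWED_METHODS.key?(action)
    unless ALLOWED_METHODS[action].include?(method)
      # A GET that reaches a state-changing action is refused, not executed.
      return { :status => 405, :body => "#{method} not allowed for #{action}" }
    end
    public_send(action, params)
  rescue StandardError => e
    klass, handler = RESCUES.find { |rescued, _| e.is_a?(rescued) }
    raise unless klass # anything unmapped still surfaces as a 500
    public_send(handler, e)
  end

  def show(params)
    { :status => 200, :body => Event.find(params[:id]) }
  end

  def edit(params)
    { :status => 200, :body => "Editing #{Event.find(params[:id])}" }
  end

  def create(params)
    # Persistence omitted; a successful save redirects, as the scaffold does.
    { :status => 302, :body => "Event created" }
  end

  # The handler returns a fixed message instead of echoing the requested id,
  # so nothing from the URL is reflected back into the response body.
  def not_found(_error)
    { :status => 404, :body => "Event not found" }
  end
end

if __FILE__ == $0
  ctrl = EventsController.new
  puts ctrl.dispatch("GET",  "edit",   { :id => "999" }).inspect              # 404, not a 500
  puts ctrl.dispatch("GET",  "create", { :event => { :name => "x" } }).inspect # 405
  puts ctrl.dispatch("POST", "create", { :event => { :name => "x" } }).inspect # 302
end
```

In a real Rails 2 application the same two checks are `rescue_from ActiveRecord::RecordNotFound` in the controller (or `ApplicationController`) and a `map.resources :events` route, which only maps POST to `create`; the point of the model above is that the verb check runs before the action body and that the not-found handler decides the status instead of the exception propagating to a 500 page.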
Please PLEASE don’t see this as a “bitch and moan” post - far from
it. I point this out to show my own ignorance: I assume that I’m
missing something here.
So, what’s the deal? Is this REALLY lacking in error support/
handling, or am I just not using it right?
Thanks