Helper methods available from the browser?!

When I use some helper with a controller, like helper :helper_name,
I can call all helper methods that are not private or protected from the
browser, by typing the URL “http://controller/helper_method”.
Does this work only in the development environment, or does it always work?
I’ve seen some helpers from wiki.rubyonrails.org and Rails books, and the
helper methods were never private or protected there…

Thanks,
Dmitry

Hmm. I’m seeing this, too. For most cases, this results in a “Template
is missing” error because there’s nothing to render.

Protecting the methods seems to fix this, resulting in an “Unknown
action” error.

BTW, these errors show up in development, but result in a 500 error in
production.

Curtis S. wrote:

> Hmm. I’m seeing this, too. For most cases, this results in a “Template
> is missing” error because there’s nothing to render.
>
> Protecting the methods seems to fix this, resulting in an “Unknown
> action” error.
>
> BTW, these errors show up in development, but result in a 500 error in
> production.

But helper methods are still available through GET in production?
As I saw in the development log, when an application error happens Rails
sends HTTP with a 500 status.

Dmitry H. wrote:

> But helper methods are still available through GET in production?

Yep. In most cases they will cause a template error unless you have a
helper that calls render or you happen to have a view to be rendered
with your helper action’s name.

Why you would have a helper method that renders something defined in
your controller I don’t know, but I’ve tested this and can get rendered
text, partial, or full view.

> When I use some helper with a controller, like helper :helper_name,
> I can call all helper methods that are not private or protected from the
> browser, by typing the URL “http://controller/helper_method”.
> Does this work only in the development environment, or does it always work?
> I’ve seen some helpers from wiki.rubyonrails.org and Rails books, and the
> helper methods were never private or protected there…

Hmm. I’m seeing this, too. For most cases, this results in a “Template
is missing” error because there’s nothing to render. However, if you
happened to have a helper method in the controller that rendered
something (a partial, say), I’m thinking this could be a security issue.

Protecting the methods seems to fix this, resulting in an “Unknown
action” error. Is there any functionality lost by protecting the
methods? Maybe helper_method should protect these automagically?

Has this issue been raised on the core list? IMHO it seems like it should
be something that should be discussed there, or at least a core member
should be made aware of it.

Curtis S. wrote:

> Dmitry H. wrote:
>
> > But helper methods are still available through GET in production?
>
> Yep. In most cases they will cause a template error unless you have a
> helper that calls render or you happen to have a view to be rendered
> with your helper action’s name.
>
> Why you would have a helper method that renders something defined in
> your controller I don’t know, but I’ve tested this and can get rendered
> text, partial, or full view.

> Helpers
>
> Helpers are smart methods (functions) that help your view templates
> generate HTML. They know to use your model objects and controller
> classes to create just the right HTML and.

(from Radar – O’Reilly, but it doesn’t matter)

What do you mean:

> Why you would have a helper method that renders something defined in
> your controller I don’t know, but I’ve tested this and can get rendered
> text, partial, or full view.

Helpers’ purpose is to ‘render something defined in the controller’, isn’t
it??

I’ve put a link to this thread on the core list.

Cheers

On 9/6/06, Dmitry H. wrote:

> When I use some helper with a controller, like helper :helper_name,
> I can call all helper methods that are not private or protected from the
> browser, by typing the URL “http://controller/helper_method”.
> Does this work only in the development environment, or does it always work?
> I’ve seen some helpers from wiki.rubyonrails.org and Rails books, and the
> helper methods were never private or protected there…

Simply make your helper methods non-public. Perhaps helper_method could
warn you if public_instance_methods.include?(method_name) but this really
isn’t its concern.

jeremy
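The exposure Curtis describes earlier in the thread and the public_instance_methods check Jeremy suggests here, as an added example that is not code from this thread or from Rails itself. It is a minimal stand-in for the Rails 1.x dispatch rule (every public instance method a controller does not inherit from the base class is a routable action), with one controller that leaves its helper_method methods public and one that declares them below `private`. The names MiniControllerBase, AccountController, HardenedAccountController and CURRENT_USER are assumptions for illustration, and perform_action is a simplified model of dispatch, not the real one; exposed_helper_methods is the equivalent of Jeremy's `public_instance_methods.include?` check, run once the class body is complete rather than at the helper_method call, since the method is usually defined after the declaration.

```ruby
# Added example, not code from this thread or from Rails itself: a minimal
# stand-in for the Rails 1.x dispatch rule that every public instance method
# a controller does not inherit from the base class is a routable action.
# All class, method and constant names here are assumptions for illustration.

class MiniControllerBase
  class UnknownAction < StandardError; end
  class MissingTemplate < StandardError; end

  # Mirrors helper_method: records which controller methods views may call.
  def self.helper_method(*names)
    helper_methods.concat(names.map(&:to_s))
  end

  def self.helper_methods
    @helper_methods ||= []
  end

  # The dispatch rule: public methods minus those every controller inherits.
  def self.action_methods
    (public_instance_methods - MiniControllerBase.public_instance_methods)
      .map(&:to_s).sort
  end

  # The check Jeremy suggests, done once the class is fully defined: helper
  # methods that are still public and so reachable as /controller/method.
  def self.exposed_helper_methods
    (helper_methods & action_methods).sort
  end

  # How the view-side stub generated by helper_method reaches the controller:
  # send ignores visibility, so a private helper still works in templates.
  def self.view_call(controller, name)
    controller.send(name)
  end

  def render(text)
    @response_body = text
  end

  # Simplified perform_action: unknown actions raise; an action that rendered
  # nothing falls through to the (absent) template named after the action.
  def perform_action(action)
    action = action.to_s
    unless self.class.action_methods.include?(action)
      raise UnknownAction, "No action responded to #{action}"
    end
    send(action)
    raise MissingTemplate, "Missing template for #{action}" if @response_body.nil?
    @response_body
  end
end

# Constructed stand-in for session state.
CURRENT_USER = { name: "alice", admin: true }

# The shape most tutorials showed: helper methods left public.
class AccountController < MiniControllerBase
  helper_method :current_user_name, :admin_badge

  def show
    render "Account page for #{current_user_name}"
  end

  def current_user_name
    CURRENT_USER[:name]
  end

  # A helper that renders: GET /account/admin_badge returns this fragment.
  def admin_badge
    render %(<span class="admin">admin</span>) if CURRENT_USER[:admin]
  end
end

# The fix from the thread: the same helpers, declared below `private`.
class HardenedAccountController < MiniControllerBase
  helper_method :current_user_name, :admin_badge

  def show
    render "Account page for #{current_user_name}"
  end

  private

  def current_user_name
    CURRENT_USER[:name]
  end

  def admin_badge
    render %(<span class="admin">admin</span>) if CURRENT_USER[:admin]
  end
end
```

Against AccountController, `perform_action("current_user_name")` raises MissingTemplate (the "Template is missing" case) while `perform_action("admin_badge")` returns the rendered fragment; against HardenedAccountController both raise UnknownAction, `exposed_helper_methods` is empty, and `view_call` still reaches the private helper, so nothing is lost on the view side. Running `exposed_helper_methods` over every controller at boot is the cheap way to catch the public helpers that third-party snippets and tutorials of the time tended to ship.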

Jeremy K. wrote:

> On 9/6/06, Dmitry H. wrote:
>
> > When I use some helper with a controller, like helper :helper_name,
> > I can call all helper methods that are not private or protected from the
> > browser, by typing the URL “http://controller/helper_method”.
> > Does this work only in the development environment, or does it always work?
> > I’ve seen some helpers from wiki.rubyonrails.org and Rails books, and the
> > helper methods were never private or protected there…
>
> Simply make your helper methods non-public. Perhaps helper_method could
> warn you if public_instance_methods.include?(method_name) but this really
> isn’t its concern.
>
> jeremy

Of course, I can make my methods protected, but if anyone follows
any Rails tutorial there is nothing about this; moreover, all 3rd-party
helpers that I’ve downloaded from the wiki or somewhere else had their
methods public.

Dmitry H. wrote:

> Of course, I can make my methods protected, but if anyone follows
> any Rails tutorial there is nothing about this; moreover, all 3rd-party
> helpers that I’ve downloaded from the wiki or somewhere else had their
> methods public.

I agree that this problem is not well documented, and if no changes are
made to helper_method, then there should at least be a note in the
official docs.

Dmitry H. wrote:

> Helpers’ purpose is to ‘render something defined in the controller’, isn’t
> it??

In the above statement I’m differentiating helpers defined in a
controller vs. helpers defined in a helper module.

If I need to use a method in both my controller and my view, I define it
in my controller and then designate it as a helper with helper_method.
In practice, I find that the methods I need in both the controller and
the view are methods that do not end up rendering anything (e.g.,
logged_in?, is_admin?). Most of my rendering helpers are defined in my
helper modules and not in my controller.

Did that make sense?

Daniel,

As far as I know the core list has not been notified.