Problem in Rails Controller and Model

Hi,
This is a piece of code found in a fictional Rails controller and
model.
Please point out any bugs or security problems in the code, fix them,
and refactor the code to make it cleaner.

class ProfileController < ApplicationController
  def show
    @user = User.find(:first, :conditions => "name = '#{params[:name]}'")
    @roles = Role.find(:all, :conditions => "user_id = #{@user.id}")
  end
end

class User < ActiveRecord::Base
end

class Role < ActiveRecord::Base
end

Please help me out.

On 3 February 2012 07:07, Srimanta C. [email protected]
wrote:

This is a piece of code found in a fictional Rails controller and
model.
Please point out any bugs or security problems in the code, fix them,
and refactor the code to make it cleaner.

Sure… how much are you offering to pay for people to do your
fictional homework for you?
:rollseyes: :wink:

Hi Srimanta,

Assigning values directly to the DB columns from the UI can cause SQL
injection. To avoid this, I would write this as:

@user = User.find(:first, :conditions => ["name = ?", params[:name]])

I think your association between User and Role is as follows:

User has many roles
Role has many users

For this you may be using the model association as:

class User < ActiveRecord::Base
  has_many :users_roles
  has_many :roles, :through => :users_roles
end

class Role < ActiveRecord::Base
  has_many :users_roles
  has_many :users, :through => :users_roles
end

From this, the ProfileController can be written as:

class ProfileController < ApplicationController
  def show
    @user = User.find(:first, :conditions => ["name = ?", params[:name]])
    @roles = @user.roles
  end
end

Thanks,

Neethu
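An added example (not from this thread, and not ActiveRecord's own code) showing why the "?" binding Neethu recommends matters: it builds the WHERE clause both ways for a constructed name containing an apostrophe. quote_value and bind_conditions are stand-ins that mimic ActiveRecord's single-quote doubling, so it runs without Rails.

```ruby
# Added example, not from the thread. ActiveRecord is not loaded here;
# quote_value and bind_conditions are assumed stand-ins that mimic the
# single-quote doubling ActiveRecord performs for a "?" placeholder.

# Quote one value as a SQL string literal: double any embedded single quote.
def quote_value(value)
  "'" + value.to_s.gsub("'", "''") + "'"
end

# Mimics [:conditions => ["name = ?", value]]: each ? is replaced by the
# quoted value, so user input always stays inside one string literal.
def bind_conditions(template, *values)
  remaining = values.dup
  template.gsub("?") { quote_value(remaining.shift) }
end

# The original controller's form: the raw parameter is spliced into the SQL.
def interpolated_conditions(name)
  "name = '#{name}'"
end

# Count single quotes that are not part of a doubled pair; one well-formed
# literal has exactly two (the opening and closing quote).
def unpaired_quote_count(sql)
  sql.gsub("''", "").count("'")
end

# Build both clauses for a name and report whether each is still one literal.
def compare(name)
  unsafe = interpolated_conditions(name)
  safe   = bind_conditions("name = ?", name)
  {
    unsafe: unsafe,
    safe: safe,
    unsafe_well_formed: unpaired_quote_count(unsafe) == 2,
    safe_well_formed: unpaired_quote_count(safe) == 2,
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a plain name, and a name containing an apostrophe.
  ["alice", "O'Brien"].each do |name|
    compare(name).each { |key, value| puts "#{key}: #{value}" }
    puts
  end
end
```

With "O'Brien" the interpolated clause ends up with three quotes, so the apostrophe has escaped the literal and changed the query's structure, which is exactly the hole an attacker-controlled params[:name] exploits; the bound form keeps it as one literal.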

Thanks a lot to Neethu S…
Can you help me once again to answer the following:
What problems can arise when users hit the get_pdf action?
If there are problems, how can it be solved?

class PdfController < ApplicationController
  def get_pdf
    send_data Pdf.create(params[:contents])
  end
end

class Pdf
  def self.create(contents)
    make_pdf(contents) # takes 30 seconds to run
  end
end

Srimanta C. wrote in post #1043866:

Thanks a lot to Neethu S…
Can you help me once again to answer the following:
What problems can arise when users hit the get_pdf action?
If there are problems, how can it be solved?

class PdfController < ApplicationController
  def get_pdf
    send_data Pdf.create(params[:contents])
  end
end

class Pdf
  def self.create(contents)
    make_pdf(contents) # takes 30 seconds to run
  end
end

Thanks Neethu S., no need to answer the above question I have
solved that problem.