Rails Code Review – Security and Readability Best Practices

Ruby on Rails Code Review with Edward Anderson

In this session, Edward paired up with Stewart, a passionate product designer turned aspiring Rails student. Edward Anderson is a prolific AirPair expert having had many sessions on Rails code reviews. Edward has been developing with Ruby on Rails for 7 years. He is a regular contributor to open-source projects and helps maintain “Backbone.dualStorage”, which has 500+ GitHub followers. In his spare time, he volunteers at the Rails Hotline, GirlDevelopIt and Durham Teen Tech Camp. He’s also a Backbone.js expert.

Need Ruby on Rails help? Book Edward Anderson or browse other Rails experts for 1-on-1 RoR training and problem solving support.

What help from Rails Code Review Expert Edward Anderson over AirPair video chat looks like…

In this AirPair, Edward helps his customer, Stewart, implement the post-comment and delete-comment functionality of his Rails app.

Book your own AirPair Expert, Now.

Code Review Session with Rails Expert – Edward Anderson

The session started with Stewart describing his journey to level up in Rails. He had tried pair programming before and had gotten an introduction to Model-View-Controller (MVC) frameworks and Rails fundamentals. He has the ambition of building FootySubs: a Rails app that allows soccer game organizers to identify and find substitutes, bring them onto the team, and communicate with them using Twilio’s API for SMS messaging in the process. He currently works as a product designer in San Francisco.

Edward and Stewart walked through the steps of tracking errors in the Rails server command line, locating the corresponding code, understanding mass assignment protection, and indenting code for readability. The second half was spent on creating dynamic UI buttons in CoffeeScript.

This session was preceded by a couple of other sessions Stewart had with AirPair. His initial request was to fix a bug and implement UI changes for his Rails mobile web app (the keyboard GUI was blocking a form input field). This session was focused on the post-comment and delete-comment functionality of his app.

Rails Code Review to the Rescue – Understanding Mass Assignment

Noticing that Stewart had run into a mass assignment error more than once, Edward offered to clarify the concept of mass assignment and the Rails practice for protecting against it.

Mass assignment allows multiple attributes to be set in one go. For example, when the parameters of a form arrive through a POST request, a new record is created using those parameters as its attribute values. Without the convenience of mass assignment, each attribute would have to be assigned manually and explicitly. Mass assignment is convenient. However, it has security issues.

A hacker can set the :is_admin attribute to true when creating a user by editing the user sign-up form, and is thus able to create admin users without the webmaster’s permission.

user = User.new({:is_admin => true}) # create a new user with admin privilege

Rails will disable mass assignment of an attribute unless we explicitly tell it to allow it, using “attr_accessible :attribute_name”. Making an attribute “accessible” in Rails means making it “mass-assignable”.
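As an added illustration (not code from the session, and not ActiveRecord itself): a small plain-Ruby stand-in in which UnprotectedUser accepts every submitted key, while ProtectedUser keeps a whitelist in the spirit of attr_accessible and drops anything outside it. The class names, the whitelist and the tampered sign-up params are constructed for this example.

```ruby
# Added example: a plain-Ruby model of mass assignment with and without a
# whitelist. No Rails is involved; the classes below only imitate the idea.

# A user record without any whitelist: every submitted key becomes an
# attribute, so a tampered sign-up form can set is_admin.
class UnprotectedUser
  attr_reader :attributes

  def initialize(params = {})
    @attributes = { "name" => nil, "email" => nil, "is_admin" => false }
    params.each { |key, value| @attributes[key.to_s] = value }
  end
end

# The same record with a whitelist of mass-assignable attributes.
# Keys outside the whitelist are dropped and recorded, mirroring what
# attr_accessible :name, :email does in a Rails 3 model.
class ProtectedUser
  ACCESSIBLE = %w[name email].freeze
  attr_reader :attributes, :rejected

  def initialize(params = {})
    @attributes = { "name" => nil, "email" => nil, "is_admin" => false }
    @rejected = []
    params.each do |key, value|
      if ACCESSIBLE.include?(key.to_s)
        @attributes[key.to_s] = value
      else
        @rejected << key.to_s # worth logging: a sign of a tampered form
      end
    end
  end
end

# Constructed params, as a tampered sign-up form would submit them:
# the is_admin field was added by the client, not by the app's form.
TAMPERED_PARAMS = {
  "name" => "Stewart", "email" => "s@example.com", "is_admin" => true
}.freeze

def unprotected_admin?(params = TAMPERED_PARAMS)
  UnprotectedUser.new(params).attributes["is_admin"]
end

def protected_admin?(params = TAMPERED_PARAMS)
  ProtectedUser.new(params).attributes["is_admin"]
end

def protected_rejected(params = TAMPERED_PARAMS)
  ProtectedUser.new(params).rejected
end
```

In Rails 3 the whitelist lives in the model as attr_accessible, as the session describes; in Rails 4 and later the same check moved into the controller as strong parameters (params.require(...).permit(...)).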

Dynamic UI Design with CoffeeScript

In the second half of the session, Edward coached Stewart in designing a simple yet elegant UI feature for his create-comments page. They agreed to add a “confirm before deleting” feature. There would be a pre-delete button, which would hide itself and then show the real delete button together with a confirmation message. Only when a user clicked the real delete button would the delete action take place.

(Image: Rails Expert Code Review CoffeeScript code sample)

Code Readability for Rails

Edward noticed that Stewart’s indentation seemed off during their code review session. It turned out that Stewart had been manually entering spaces to “indent”. Since they were both using the Sublime Text editor, the change was easy: set the Tab Size option in the bottom right corner to 2. It’s a simple, quick change that makes readability much better.

As for the CoffeeScript code, Edward mentioned a pro tip from an experienced Rails code reviewer: he uses a Sublime plugin for CoffeeScript syntax highlighting.