index.html


<!DOCTYPE html>
<!--[if IEMobile 7 ]><html class="no-js iem7"><![endif]-->
<!--[if lt IE 9]><html class="no-js lte-ie8"><![endif]-->
<!--[if (gt IE 8)|(gt IEMobile 7)|!(IEMobile)|!(IE)]><!--><html class="no-js" lang="en"><!--<![endif]-->
<head>
  <meta charset="utf-8">
  <title>$ man jerome_</title>
  <meta name="author" content="jerome basa">

  
  <meta name="description" content="in this post i will cover the security related stuff for rails which i learned
over the last couple of years. security is hard. rails is pretty &hellip;">
  

  <!-- http://t.co/dKP3o1e -->
  <meta name="HandheldFriendly" content="True">
  <meta name="MobileOptimized" content="320">
  <meta name="viewport" content="width=device-width, initial-scale=1">

  
  <link rel="canonical" href="http://jldbasa.github.io">
  <link href="/favicon.png" rel="icon">
  <link href="/stylesheets/screen.css" media="screen, projection" rel="stylesheet" type="text/css">
  <link href="/atom.xml" rel="alternate" title="$ man jerome_" type="application/atom+xml">
  <script src="/javascripts/modernizr-2.0.js"></script>
  <script src="//ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js"></script>
  <script>!window.jQuery && document.write(unescape('%3Cscript src="./javascripts/libs/jquery.min.js"%3E%3C/script%3E'))</script>
  <script src="/javascripts/octopress.js" type="text/javascript"></script>
  <!--Fonts from Google"s Web font directory at http://google.com/webfonts -->
<link href="http://fonts.googleapis.com/css?family=PT+Serif:regular,italic,bold,bolditalic" rel="stylesheet" type="text/css">
<link href="http://fonts.googleapis.com/css?family=PT+Sans:regular,italic,bold,bolditalic" rel="stylesheet" type="text/css">

  
</head>

<body   >
  <header role="banner"><hgroup>
  <h1><a href="/">$ man jerome_</a></h1>
  
    <h2>...</h2>
  
</hgroup>

</header>
  <nav role="navigation"><ul class="subscription" data-subscription="rss">
  <li><a href="/atom.xml" rel="subscribe-rss" title="subscribe via RSS">RSS</a></li>
  
</ul>
  
<form action="http://google.com/search" method="get">
  <fieldset role="search">
    <input type="hidden" name="q" value="site:jldbasa.github.io" />
    <input class="search" type="text" name="q" results="0" placeholder="Search"/>
  </fieldset>
</form>
  
<ul class="main-navigation">
  <li><a href="/">Blog</a></li>
  <li><a href="/blog/archives">Archives</a></li>
</ul>

</nav>
  <div id="main">
    <div id="content">
      <div class="blog-index">
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2014/03/06/rails-security-pitfalls/">rails security pitfalls</a></h1>
    
    
      <p class="meta">
        

<time datetime="2014-03-06T06:00:10-08:00" pubdate data-updated="true">Mar 6<span>th</span>, 2014</time>
        
           | <a href="/blog/2014/03/06/rails-security-pitfalls/#disqus_thread"
             data-disqus-identifier="http://jldbasa.github.io/blog/2014/03/06/rails-security-pitfalls/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>in this post i will cover the security related stuff for rails which i learned
over the last couple of years.</p>

<p>security is <strong>hard</strong>. rails is pretty secure by default (from hackers? maybe not),
but a simple mistake will lead to a catastrophe. as much as possible, try to
avoid the common pitfalls. as the saying goes <strong>prevention is better than cure</strong></p>

<h1>Common Attacks</h1>

<h2>SQL Injection</h2>

<p><img src="http://imgs.xkcd.com/comics/exploits_of_a_mom.png" alt="Exploits of a Mom" /></p>

<h3>simple case</h3>

<p>building your own conditions is vulnerable to sql injection. the code below is
not safe.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="no">User</span><span class="o">.</span><span class="n">where</span><span class="p">(</span><span class="s2">&quot;username LIKE &#39;%</span><span class="si">#{</span><span class="n">params</span><span class="o">[</span><span class="ss">:username</span><span class="o">]</span><span class="si">}</span><span class="s2">%&#39;&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="c1"># query</span>
</span><span class='line'><span class="no">SELECT</span>
</span><span class='line'>  <span class="sb">`users`</span><span class="o">.</span><span class="n">*</span>
</span><span class='line'><span class="no">FROM</span>
</span><span class='line'>  <span class="sb">`users`</span>
</span><span class='line'><span class="no">WHERE</span> <span class="p">(</span><span class="n">username</span> <span class="no">LIKE</span> <span class="s1">&#39;%jerome%&#39;</span><span class="p">)</span>
</span></code></pre></td></tr></table></div></figure>


<p>let say the attacker sets the value of <code>params[:username]</code> e.g.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">params</span><span class="o">[</span><span class="ss">:username</span><span class="o">]</span> <span class="o">=</span> <span class="s2">&quot;&#39;) UNION SELECT username, password,1,1,1 FROM users --&quot;</span>
</span><span class='line'>
</span><span class='line'><span class="no">User</span><span class="o">.</span><span class="n">where</span><span class="p">(</span><span class="s2">&quot;username LIKE &#39;%</span><span class="si">#{</span><span class="n">params</span><span class="o">[</span><span class="ss">:username</span><span class="o">]</span><span class="si">}</span><span class="s2">%&#39;&quot;</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'><span class="c1"># query</span>
</span><span class='line'><span class="no">SELECT</span>
</span><span class='line'>  <span class="sb">`users`</span><span class="o">.</span><span class="n">*</span>
</span><span class='line'><span class="no">FROM</span>
</span><span class='line'>  <span class="sb">`users`</span>
</span><span class='line'><span class="no">WHERE</span> <span class="p">(</span><span class="n">username</span> <span class="no">LIKE</span> <span class="s1">&#39;%&#39;</span><span class="p">)</span> <span class="no">UNION</span> <span class="no">SELECT</span> <span class="n">username</span><span class="p">,</span> <span class="n">password</span><span class="p">,</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span><span class="p">,</span><span class="mi">1</span> <span class="no">FROM</span> <span class="n">users</span> <span class="o">--%</span><span class="err">&#39;</span><span class="p">)</span>
</span></code></pre></td></tr></table></div></figure>


<p>anything after <code>--</code> will become a comment.</p>

<h3>countermeasure</h3>

<p>instead of passing the string directly to the condition option, you can pass an array to
sanitize the string.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="no">User</span><span class="o">.</span><span class="n">where</span><span class="p">(</span><span class="s2">&quot;username LIKE ?&quot;</span><span class="p">,</span> <span class="s2">&quot;%</span><span class="si">#{</span><span class="n">params</span><span class="o">[</span><span class="ss">:username</span><span class="o">]</span><span class="si">}</span><span class="s2">%&quot;</span><span class="p">)</span>
</span></code></pre></td></tr></table></div></figure>


<h2>XSS</h2>

<p>the rule of the thumb is <strong>never trust any data that comes from a user</strong></p>

<h3>simple case</h3>

<p>let say we have this code:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="o">&lt;</span><span class="n">span</span><span class="o">&gt;</span>
</span><span class='line'>  <span class="o">&lt;%=</span> <span class="n">raw</span> <span class="n">user</span><span class="o">.</span><span class="n">biography</span> <span class="sx">%&gt;</span>
</span><span class='line'><span class="sx">&lt;/span&gt;</span>
</span></code></pre></td></tr></table></div></figure>


<p>and the attacker sets the value of <code>user.biography</code> to <code>&lt;script&gt;alert('hello');&lt;/script&gt;</code>
the rendered page will have this.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="o">&lt;</span><span class="n">span</span><span class="o">&gt;</span>
</span><span class='line'>  <span class="o">&lt;</span><span class="n">script</span><span class="o">&gt;</span><span class="n">alert</span><span class="p">(</span><span class="s1">&#39;hello&#39;</span><span class="p">);</span><span class="o">&lt;</span><span class="sr">/script&gt;</span>
</span><span class='line'><span class="sr">&lt;/s</span><span class="n">pan</span><span class="o">&gt;</span>
</span></code></pre></td></tr></table></div></figure>


<p>our page will now execute this javascript code!</p>

<h3>countermeasure</h3>

<p>user input must be sanitized, you can use various Rails methods such as <code>sanitize</code></p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="o">&lt;</span><span class="n">span</span><span class="o">&gt;</span>
</span><span class='line'>  <span class="o">&lt;%=</span> <span class="n">sanitize</span> <span class="p">(</span><span class="n">user</span><span class="o">.</span><span class="n">biography</span><span class="p">,</span> <span class="ss">tags</span><span class="p">:</span> <span class="sx">%w(a)</span><span class="p">,</span> <span class="ss">attributes</span><span class="p">:</span> <span class="sx">%w(href)</span><span class="p">)</span> <span class="sx">%&gt;</span>
</span><span class='line'><span class="sx">&lt;/span&gt;</span>
</span></code></pre></td></tr></table></div></figure>


<h2>CSRF &ndash; Cross-Site Request Forgery</h2>

<h3>simple case</h3>

<ul>
<li>attacker sends requests on victim&rsquo;s behalf</li>
<li>doesn&rsquo;t depend on XSS</li>
</ul>


<h3>countermeasure</h3>

<ul>
<li>use <code>GET</code> and <code>POST</code> methods appropriately</li>
<li>use Rails default CSRF protection</li>
</ul>


<h1>Rails Specific Attacks</h1>

<h2>Mass Assignment</h2>

<h3>problem</h3>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="k">def</span> <span class="nf">create</span>
</span><span class='line'>  <span class="vi">@user</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">params</span><span class="o">[</span><span class="ss">:user</span><span class="o">]</span><span class="p">)</span>
</span><span class='line'><span class="k">end</span>
</span></code></pre></td></tr></table></div></figure>


<p>if you have <code>User.admin</code> attribute; and the attacker sends
  <code>params[:user][:admin] = 1</code>, then the <code>admin</code> attribute will be set.</p>

<h3>solution</h3>

<ul>
<li>blacklist attributes using <code>attr_protected</code></li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="k">class</span> <span class="nc">User</span> <span class="o">&lt;</span> <span class="ss">ActiveRecord</span><span class="p">:</span><span class="ss">:Base</span>
</span><span class='line'>  <span class="n">attr_protected</span> <span class="ss">:admin</span>
</span><span class='line'>  <span class="o">.</span><span class="n">.</span><span class="o">.</span>
</span><span class='line'><span class="k">end</span>
</span></code></pre></td></tr></table></div></figure>


<ul>
<li>whitelist attributes using <code>attr_accessible</code></li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="k">class</span> <span class="nc">User</span> <span class="o">&lt;</span> <span class="ss">ActiveRecord</span><span class="p">:</span><span class="ss">:Base</span>
</span><span class='line'>  <span class="n">attr_accessible</span> <span class="ss">:username</span><span class="p">,</span> <span class="ss">:email</span>
</span><span class='line'>  <span class="o">.</span><span class="n">.</span><span class="o">.</span>
</span><span class='line'><span class="k">end</span>
</span></code></pre></td></tr></table></div></figure>


<ul>
<li>use strong parameters</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="o">.</span><span class="n">.</span><span class="o">.</span>
</span><span class='line'>
</span><span class='line'><span class="k">def</span> <span class="nf">create</span>
</span><span class='line'>  <span class="vi">@user</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">params_user</span><span class="p">)</span>
</span><span class='line'><span class="k">end</span>
</span><span class='line'>
</span><span class='line'><span class="kp">private</span>
</span><span class='line'>
</span><span class='line'><span class="k">def</span> <span class="nf">params_user</span>
</span><span class='line'>  <span class="n">params</span><span class="o">.</span><span class="n">require</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span><span class="o">.</span><span class="n">permit</span><span class="p">(</span>
</span><span class='line'>    <span class="ss">:username</span><span class="p">,</span>
</span><span class='line'>    <span class="ss">:email</span><span class="p">)</span>
</span><span class='line'><span class="k">end</span>
</span><span class='line'>
</span><span class='line'><span class="o">.</span><span class="n">.</span><span class="o">.</span>
</span></code></pre></td></tr></table></div></figure>


<h2>Secret Token</h2>

<p>this token is used to sign cookies that the application sets. you can generate
a token by running <code>$ rake secret</code></p>

<h3>problem</h3>

<p>by default the token is stored in the file. most of the time this file is in
version control</p>

<figure class='code'><figcaption><span>config/initializers/secret_token.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="ss">MyApp</span><span class="p">:</span><span class="ss">:Application</span><span class="o">.</span><span class="n">config</span><span class="o">.</span><span class="n">secret_token</span> <span class="o">=</span> <span class="s1">&#39;c38d07e4b543baeea5ae70f5dd670828ec67eb3c4f585020d02667804cb39a3142704028055540b2270c5a8253cea780b16fa353b86f94c17c923ac484a20856&#39;</span>
</span></code></pre></td></tr></table></div></figure>


<h2>solution</h2>

<p>keep it out of version control. store it in <code>ENV</code>. you can use <code>figaro</code> gem to
store data in <code>ENV</code></p>

<figure class='code'><figcaption><span>config/initializers/secret_token.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="ss">MyApp</span><span class="p">:</span><span class="ss">:Application</span><span class="o">.</span><span class="n">config</span><span class="o">.</span><span class="n">secret_token</span> <span class="o">=</span> <span class="no">ENV</span><span class="o">[</span><span class="s1">&#39;SECRET_TOKEN&#39;</span><span class="o">]</span>
</span></code></pre></td></tr></table></div></figure>


<p><strong>note:</strong> in Rails 4, it is called <code>secret_key_base</code>.</p>

<h2>Logging Parameters</h2>

<p>by default Rails filter any parameter that matches <code>/password/</code> from being
logged and replacing it with <code>[FILTERED]</code>. you should filter sensitive data from logs.</p>

<figure class='code'><figcaption><span>config/initializers/filter_parameter_logging.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="no">Rails</span><span class="o">.</span><span class="n">application</span><span class="o">.</span><span class="n">config</span><span class="o">.</span><span class="n">filter_parameters</span> <span class="o">+=</span> <span class="o">[</span><span class="ss">:password</span><span class="p">,</span> <span class="ss">:ssn</span><span class="p">,</span> <span class="ss">:token</span><span class="o">]</span>
</span></code></pre></td></tr></table></div></figure>


<h2>&ldquo;match&rdquo; in Routing</h2>

<h3>problem</h3>

<p>in Rails 3, there&rsquo;s even an example in <code>config/routes.rb</code></p>

<figure class='code'><figcaption><span>config/routes.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="c1"># Example in config/routes.rb</span>
</span><span class='line'><span class="n">match</span> <span class="s1">&#39;:controller(/:action(/:id))(.:format)&#39;</span>
</span><span class='line'>
</span><span class='line'><span class="n">match</span> <span class="s1">&#39;/posts/delete/:id&#39;</span><span class="p">,</span> <span class="ss">:to</span> <span class="o">=&gt;</span> <span class="s2">&quot;posts#destroy&quot;</span> <span class="ss">:as</span> <span class="o">=&gt;</span> <span class="s2">&quot;delete_post&quot;</span>
</span></code></pre></td></tr></table></div></figure>


<ul>
<li><code>match</code> matches all HTTP verb and Rails CSRF protection doesn&rsquo;t apply to
<code>GET</code> requests.</li>
<li>the second route will allow <code>GET</code> method to delete posts</li>
</ul>


<h3>solution</h3>

<ul>
<li>use the correct HTTP verb e.g: <code>:get, :post, :delete</code></li>
<li>use <code>:via</code> e.g. <code>match '/posts/delete/:id', :to =&gt; "posts#destroy" :as =&gt;
"delete_post", :via =&gt; :delete</code></li>
</ul>


<h2>Scopes</h2>

<ul>
<li>let say  we have <code>user</code> and <code>post</code> models, when you you retrieve <code>post</code> for
<code>edit</code>, <code>update</code> or <code>destroy</code>, make sure you get it through authorize user.
in the code below; <code>Example 2</code> is the preferred way</li>
</ul>


<figure class='code'><figcaption><span>app/controllers/posts_controller.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="o">.</span><span class="n">.</span><span class="o">.</span>
</span><span class='line'><span class="c1"># Example 1 (UNSAFE)</span>
</span><span class='line'><span class="k">def</span> <span class="nf">edit</span>
</span><span class='line'>  <span class="vi">@post</span> <span class="o">=</span> <span class="no">Post</span><span class="o">.</span><span class="n">find_by</span> <span class="nb">id</span><span class="p">:</span> <span class="n">params</span><span class="o">[</span><span class="ss">:id</span><span class="o">]</span>
</span><span class='line'><span class="k">end</span>
</span><span class='line'>
</span><span class='line'><span class="c1"># Example 2 (SAFE)</span>
</span><span class='line'><span class="k">def</span> <span class="nf">edit</span>
</span><span class='line'>  <span class="vi">@post</span> <span class="o">=</span> <span class="n">current_user</span><span class="o">.</span><span class="n">posts</span><span class="o">.</span><span class="n">find_by</span> <span class="nb">id</span><span class="p">:</span> <span class="n">params</span><span class="o">[</span><span class="ss">:id</span><span class="o">]</span>
</span><span class='line'><span class="k">end</span>
</span><span class='line'><span class="o">.</span><span class="n">.</span><span class="o">.</span>
</span></code></pre></td></tr></table></div></figure>


<ul>
<li>use authorization gem such as <code>cancan</code></li>
</ul>


<h2>Admin</h2>

<p>most of the time, admin URLs can be found in: <code>http://example.com/admin</code>, if you
can, please consider the following:</p>

<ul>
<li>maybe use sub-domain e.g. <code>http://some-url.example.com</code></li>
<li>whitelist IP address</li>
<li>VPN or intranet access only</li>
<li>separate application</li>
</ul>


<h1>Conclusion</h1>

<p>use <code>brakeman</code> to scan your app for vulnerabilities.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='sh'><span class='line'><span class="nv">$ </span>brakeman . -o report.html
</span></code></pre></td></tr></table></div></figure>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>+----------------------+-------+
</span><span class='line'>| Warning Type         | Total |
</span><span class='line'>+----------------------+-------+
</span><span class='line'>| Cross Site Scripting | 1     |
</span><span class='line'>| SQL Injection        | 1     |
</span><span class='line'>| Session Setting      | 1     |
</span><span class='line'>+----------------------+-------+
</span><span class='line'>
</span><span class='line'>
</span><span class='line'>+SECURITY WARNINGS+
</span><span class='line'>
</span><span class='line'>+------------+-----------------+----------+-----------------+-------------------------------------------------------------------------+
</span><span class='line'>| Confidence | Class           | Method   | Warning Type    | Message                                                                 |
</span><span class='line'>+------------+-----------------+----------+-----------------+-------------------------------------------------------------------------+
</span><span class='line'>| High       | PostsController | set_post | SQL Injection   | Possible SQL injection near line 68: Post.where("id =#{+params[:id]+}") |
</span><span class='line'>| High       |                 |          | Session Setting | Session secret should not be included in version control near line 12   |
</span><span class='line'>+------------+-----------------+----------+-----------------+-------------------------------------------------------------------------+
</span><span class='line'>
</span><span class='line'>View Warnings:
</span><span class='line'>
</span><span class='line'>+------------+-------------------------------------+----------------------+-----------------------------------------------------------------------+
</span><span class='line'>| Confidence | Template                            | Warning Type | Message                                                                       |
</span><span class='line'>+------------+-------------------------------------+----------------------+-----------------------------------------------------------------------+
</span><span class='line'>| High       | posts/show (PostsController#create) | Cross Site Scripting | Unescaped model attribute near line 10: Post.new(post_params).content |
</span><span class='line'>+------------+-------------------------------------+----------------------+-----------------------------------------------------------------------+</span></code></pre></td></tr></table></div></figure>


</div>
  
  
    </article>
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2014/02/14/mysql-user-minimum-required-privileges-for-rails/">mysql user minimum required privileges for rails</a></h1>
    
    
      <p class="meta">
        

<time datetime="2014-02-14T09:51:00-08:00" pubdate data-updated="true">Feb 14<span>th</span>, 2014</time>
        
           | <a href="/blog/2014/02/14/mysql-user-minimum-required-privileges-for-rails/#disqus_thread"
             data-disqus-identifier="http://jldbasa.github.io/blog/2014/02/14/mysql-user-minimum-required-privileges-for-rails/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>if your application uses <code>root</code> as your database username; you&rsquo;re doing it wrong.
  a good practice is you should have two users for your application. let say
  i have a database called <code>blog_production</code>, i will have two users in my
  database: <code>blog</code> and <code>blog_admin</code>. the former will be use for regular stuff,
  and the latter for database administration. each db user have diffrent set of privileges.</p>

<ul>
<li><code>blog</code> user privileges

<ul>
<li>Select</li>
<li>Insert</li>
<li>Update</li>
<li>Delete</li>
<li>Lock</li>
</ul>
</li>
<li><code>blog_admin</code> user privileges

<ul>
<li>Select</li>
<li>Insert</li>
<li>Update</li>
<li>Delete</li>
<li>Lock</li>
<li>Create</li>
<li>Drop</li>
<li>Index</li>
<li>Alter</li>
</ul>
</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
</pre></td><td class='code'><pre><code class='mysql'><span class='line'><span class="k">CREATE</span> <span class="k">DATABASE</span> <span class="n">blog_production</span><span class="p">;</span>
</span><span class='line'>
</span><span class='line'><span class="k">CREATE</span> <span class="n">USER</span> <span class="s1">&#39;blog&#39;</span><span class="o">@</span><span class="s1">&#39;localhost&#39;</span> <span class="n">IDENTIFIED</span> <span class="k">BY</span> <span class="s1">&#39;db_password&#39;</span><span class="p">;</span>
</span><span class='line'><span class="k">GRANT</span> <span class="k">Select</span><span class="p">,</span><span class="k">Insert</span><span class="p">,</span><span class="k">Update</span><span class="p">,</span><span class="k">Delete</span><span class="p">,</span><span class="k">Lock</span> <span class="kp">Tables</span> <span class="k">ON</span> <span class="n">blog_production</span><span class="p">.</span><span class="o">*</span> <span class="k">TO</span> <span class="s1">&#39;blog&#39;</span><span class="o">@</span><span class="s1">&#39;localhost&#39;</span><span class="p">;</span>
</span><span class='line'>
</span><span class='line'><span class="k">CREATE</span> <span class="n">USER</span> <span class="s1">&#39;blog_admin&#39;</span><span class="o">@</span><span class="s1">&#39;localhost&#39;</span> <span class="n">IDENTIFIED</span> <span class="k">BY</span> <span class="s1">&#39;db_password&#39;</span><span class="p">;</span>
</span><span class='line'><span class="k">GRANT</span> <span class="k">Select</span><span class="p">,</span><span class="k">Insert</span><span class="p">,</span><span class="k">Update</span><span class="p">,</span><span class="k">Delete</span><span class="p">,</span><span class="k">Create</span><span class="p">,</span><span class="k">Drop</span><span class="p">,</span><span class="k">Index</span><span class="p">,</span><span class="k">Alter</span><span class="p">,</span><span class="k">Lock</span> <span class="kp">Tables</span> <span class="k">ON</span> <span class="n">blog_production</span><span class="p">.</span><span class="o">*</span> <span class="k">TO</span> <span class="s1">&#39;blog_admin&#39;</span><span class="o">@</span><span class="s1">&#39;localhost&#39;</span><span class="p">;</span>
</span><span class='line'>
</span><span class='line'><span class="n">FLUSH</span> <span class="n">PRIVILEGES</span><span class="p">;</span>
</span></code></pre></td></tr></table></div></figure>


<p>now, how do you use this two users in your rails app? in <code>databases.yml</code>, add a check for <code>DB_ADMIN</code> env var.</p>

<figure class='code'><figcaption><span>config/databases.yml </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="o">&lt;%</span>
</span><span class='line'>  <span class="k">if</span> <span class="no">ENV</span><span class="o">[</span><span class="s1">&#39;DB_ADMIN&#39;</span><span class="o">]</span>
</span><span class='line'>    <span class="n">username</span> <span class="o">=</span> <span class="s2">&quot;blog_admin&quot;</span>
</span><span class='line'>    <span class="n">password</span> <span class="o">=</span> <span class="s2">&quot;11111111&quot;</span>
</span><span class='line'>  <span class="k">else</span>
</span><span class='line'>    <span class="n">username</span> <span class="o">=</span> <span class="s2">&quot;blog&quot;</span>
</span><span class='line'>    <span class="n">password</span> <span class="o">=</span> <span class="s2">&quot;22222222&quot;</span>
</span><span class='line'>  <span class="k">end</span>
</span><span class='line'><span class="sx">%&gt;</span>
</span><span class='line'><span class="sx">production:</span>
</span><span class='line'><span class="sx">  adapter: mysql2</span>
</span><span class='line'><span class="sx">  encoding: utf8</span>
</span><span class='line'><span class="sx">  reconnect: false</span>
</span><span class='line'><span class="sx">  database: blog_production</span>
</span><span class='line'><span class="sx">  pool: 5</span>
</span><span class='line'><span class="sx">  username: &lt;%= username %&gt;</span>
</span><span class='line'>  <span class="ss">password</span><span class="p">:</span> <span class="o">&lt;%=</span> <span class="n">password</span> <span class="o">%&gt;</span>
</span></code></pre></td></tr></table></div></figure>


<p>by default it uses <code>blog</code> db username unless you pass <code>DB_ADMIN=true</code> env var.
the reasone we have this env is because we need to pass it when we run
migration  tasks e.g:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='bash'><span class='line'><span class="nv">$ DB_ADMIN</span><span class="o">=</span><span class="nb">true </span>bundle <span class="nb">exec </span>rails db:migrate
</span></code></pre></td></tr></table></div></figure>


<p>if you use <strong>capistrano</strong> for deployment, you need to set <code>migrate_env</code> var.</p>

<figure class='code'><figcaption><span>config/deploy.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">set</span> <span class="ss">:migrate_env</span><span class="p">,</span> <span class="s2">&quot;DB_ADMIN=true&quot;</span>
</span></code></pre></td></tr></table></div></figure>


<p>if you have better method, hit the comments.</p>

<p>and that&rsquo;s all there is to it. hth.</p>
</div>
  
  
    </article>
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2014/01/25/rails-4-paypal-express-checkout-integration/">rails 4: paypal express checkout integration using activemerchant</a></h1>
    
    
      <p class="meta">
        

<time datetime="2014-01-25T05:35:00-08:00" pubdate data-updated="true">Jan 25<span>th</span>, 2014</time>
        
           | <a href="/blog/2014/01/25/rails-4-paypal-express-checkout-integration/#disqus_thread"
             data-disqus-identifier="http://jldbasa.github.io/blog/2014/01/25/rails-4-paypal-express-checkout-integration/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>in this post, i will share on how i integrated Paypal&rsquo;s Express checkout in a rails 4 application using <code>activemerchant</code> gem. some of the code are based on <a href="http://railscasts.com/episodes/146-paypal-express-checkout">Railscasts Ep. 146</a>.</p>

<p><strong>before proceeding, make sure you have or did the following:</strong></p>

<ul>
<li><a href="http://developer.paypal.com">Paypal developer account</a></li>
<li>create Paypal sandbox accounts: merchant and buyer(go to Applications » Sandbox Accounts)</li>
</ul>


<p><strong>Gems to use</strong></p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">activemerchant</span> <span class="p">(</span><span class="mi">1</span><span class="o">.</span><span class="mi">42</span><span class="o">.</span><span class="mi">4</span><span class="p">)</span>
</span><span class='line'><span class="n">rails</span> <span class="p">(</span><span class="mi">4</span><span class="o">.</span><span class="mi">0</span><span class="o">.</span><span class="mi">2</span><span class="p">)</span>
</span></code></pre></td></tr></table></div></figure>


<h2>Setup Activemerchant</h2>

<figure class='code'><figcaption><span>config/environments/developer.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">config</span><span class="o">.</span><span class="n">after_initialize</span> <span class="k">do</span>
</span><span class='line'>  <span class="ss">ActiveMerchant</span><span class="p">:</span><span class="ss">:Billing</span><span class="o">::</span><span class="no">Base</span><span class="o">.</span><span class="n">mode</span> <span class="o">=</span> <span class="ss">:test</span>
</span><span class='line'>  <span class="n">paypal_options</span> <span class="o">=</span> <span class="p">{</span>
</span><span class='line'>    <span class="ss">login</span><span class="p">:</span> <span class="s2">&quot;API_USERNAME_HERE&quot;</span><span class="p">,</span>
</span><span class='line'>    <span class="ss">password</span><span class="p">:</span> <span class="s2">&quot;API_PASSWORD_HERE&quot;</span><span class="p">,</span>
</span><span class='line'>    <span class="ss">signature</span><span class="p">:</span> <span class="s2">&quot;API_SIGNATURE_HERE&quot;</span>
</span><span class='line'>  <span class="p">}</span>
</span><span class='line'>  <span class="o">::</span><span class="no">EXPRESS_GATEWAY</span> <span class="o">=</span> <span class="ss">ActiveMerchant</span><span class="p">:</span><span class="ss">:Billing</span><span class="o">::</span><span class="no">PaypalExpressGateway</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="n">paypal_options</span><span class="p">)</span>
</span><span class='line'><span class="k">end</span>
</span></code></pre></td></tr></table></div></figure>


<figure class='code'><figcaption><span>config/environments/test.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">config</span><span class="o">.</span><span class="n">after_initialize</span> <span class="k">do</span>
</span><span class='line'>  <span class="ss">ActiveMerchant</span><span class="p">:</span><span class="ss">:Billing</span><span class="o">::</span><span class="no">Base</span><span class="o">.</span><span class="n">mode</span> <span class="o">=</span> <span class="ss">:test</span>
</span><span class='line'>  <span class="o">::</span><span class="no">EXPRESS_GATEWAY</span> <span class="o">=</span> <span class="ss">ActiveMerchant</span><span class="p">:</span><span class="ss">:Billing</span><span class="o">::</span><span class="no">BogusGateway</span><span class="o">.</span><span class="n">new</span>
</span><span class='line'><span class="k">end</span>
</span></code></pre></td></tr></table></div></figure>


<h2>Model changes</h2>

<p>this really depends on your app. maybe you have a <code>carts</code> and <code>orders</code> tables. or <code>bookings</code> and <code>reservations</code> tables. assuming you have <code>carts</code> and <code>orders</code> tables, you&rsquo;ll have the following fields.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
</pre></td><td class='code'><pre><code class=''><span class='line'>carts
</span><span class='line'> - id
</span><span class='line'> - total_amount_cents
</span><span class='line'> - purchased_at
</span><span class='line'> - created_at
</span><span class='line'> - updated_at
</span><span class='line'> 
</span><span class='line'>orders
</span><span class='line'> - id
</span><span class='line'> - cart_id
</span><span class='line'> - ip
</span><span class='line'> - express_token
</span><span class='line'> - express_payer_id</span></code></pre></td></tr></table></div></figure>


<h2>View Changes</h2>

<p>after you add the <code>express_checkout</code> to your routes file; in your cart page, put the express paypal checkout button</p>

<figure class='code'><figcaption><span>app/views/carts/index.html.erb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">link_to</span><span class="p">(</span><span class="n">image_tag</span><span class="p">(</span><span class="s2">&quot;https://www.paypal.com/en_US/i/btn/btn_xpressCheckout.gif&quot;</span><span class="p">),</span> <span class="n">express_checkout_path</span><span class="p">)</span>
</span></code></pre></td></tr></table></div></figure>


<p><strong>IMPORTANT:</strong> Paypal wants you to use their buttons, so use them! LOL</p>

<h2>Controller Changes</h2>

<p>add the following actions in your <code>orders</code> controller.</p>

<ul>
<li><code>express_checkout</code> &ndash; this will setup your purchase and redirect to paypal.</li>
<li><code>new</code> &ndash; a.k.a. Paypal&rsquo;s return URL. i usually add a &ldquo;Confirm Order&rdquo; button in this action. it&rsquo;s a good practice not to process the order right away.</li>
<li><code>create</code> &ndash; create and purchase the order</li>
</ul>


<figure class='code'><figcaption><span>app/controllers/orders_controller.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="k">def</span> <span class="nf">express_checkout</span>
</span><span class='line'>  <span class="n">response</span> <span class="o">=</span> <span class="no">EXPRESS_GATEWAY</span><span class="o">.</span><span class="n">setup_purchase</span><span class="p">(</span><span class="no">YOUR_TOTAL_AMOUNT_IN_CENTS</span><span class="p">,</span>
</span><span class='line'>    <span class="ss">ip</span><span class="p">:</span> <span class="n">request</span><span class="o">.</span><span class="n">remote_ip</span><span class="p">,</span>
</span><span class='line'>    <span class="n">return_url</span><span class="p">:</span> <span class="no">YOUR_RETURN_URL_</span><span class="p">,</span>
</span><span class='line'>    <span class="n">cancel_return_url</span><span class="p">:</span> <span class="no">YOUR_CANCEL_RETURL_URL</span><span class="p">,</span>
</span><span class='line'>    <span class="ss">currency</span><span class="p">:</span> <span class="s2">&quot;USD&quot;</span><span class="p">,</span>
</span><span class='line'>    <span class="n">allow_guest_checkout</span><span class="p">:</span> <span class="kp">true</span><span class="p">,</span>
</span><span class='line'>    <span class="ss">items</span><span class="p">:</span> <span class="o">[</span><span class="p">{</span><span class="nb">name</span><span class="p">:</span> <span class="s2">&quot;Order&quot;</span><span class="p">,</span> <span class="ss">description</span><span class="p">:</span> <span class="s2">&quot;Order description&quot;</span><span class="p">,</span> <span class="ss">quantity</span><span class="p">:</span> <span class="s2">&quot;1&quot;</span><span class="p">,</span> <span class="ss">amount</span><span class="p">:</span> <span class="no">AMOUNT_IN_CENTS</span><span class="p">}</span><span class="o">]</span>
</span><span class='line'>  <span class="p">)</span>
</span><span class='line'>  <span class="n">redirect_to</span> <span class="no">EXPRESS_GATEWAY</span><span class="o">.</span><span class="n">redirect_url_for</span><span class="p">(</span><span class="n">response</span><span class="o">.</span><span class="n">token</span><span class="p">)</span>
</span><span class='line'><span class="k">end</span>
</span><span class='line'>
</span><span class='line'><span class="k">def</span> <span class="nf">new</span>
</span><span class='line'>  <span class="vi">@order</span> <span class="o">=</span> <span class="no">Order</span><span class="o">.</span><span class="n">new</span><span class="p">(</span><span class="ss">:express_token</span> <span class="o">=&gt;</span> <span class="n">params</span><span class="o">[</span><span class="ss">:token</span><span class="o">]</span><span class="p">)</span>
</span><span class='line'><span class="k">end</span>
</span><span class='line'>
</span><span class='line'><span class="k">def</span> <span class="nf">create</span>
</span><span class='line'>  <span class="vi">@order</span> <span class="o">=</span> <span class="vi">@cart</span><span class="o">.</span><span class="n">build_order</span><span class="p">(</span><span class="n">order_params</span><span class="p">)</span>
</span><span class='line'>  <span class="vi">@order</span><span class="o">.</span><span class="n">ip</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">remote_ip</span>
</span><span class='line'>
</span><span class='line'>  <span class="k">if</span> <span class="vi">@order</span><span class="o">.</span><span class="n">save</span>
</span><span class='line'>    <span class="k">if</span> <span class="vi">@order</span><span class="o">.</span><span class="n">purchase</span> <span class="c1"># this is where we purchase the order. refer to the model method below</span>
</span><span class='line'>      <span class="n">redirect_to</span> <span class="n">order_url</span><span class="p">(</span><span class="vi">@order</span><span class="p">)</span>
</span><span class='line'>    <span class="k">else</span>
</span><span class='line'>      <span class="n">render</span> <span class="ss">:action</span> <span class="o">=&gt;</span> <span class="s2">&quot;failure&quot;</span>
</span><span class='line'>    <span class="k">end</span>
</span><span class='line'>  <span class="k">else</span>
</span><span class='line'>    <span class="n">render</span> <span class="ss">:action</span> <span class="o">=&gt;</span> <span class="s1">&#39;new&#39;</span>
</span><span class='line'>  <span class="k">end</span>
</span><span class='line'><span class="k">end</span>
</span></code></pre></td></tr></table></div></figure>


<p><strong>IMPORTANT:</strong> the total_amount must be equal to the total amount of <code>items</code> in the array of hashes or else you will get errors.</p>

<h2>Model Changes</h2>

<figure class='code'><figcaption><span>app/models/order.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="k">class</span> <span class="nc">Order</span> <span class="o">&lt;</span> <span class="ss">ActiveRecord</span><span class="p">:</span><span class="ss">:Base</span>
</span><span class='line'>  <span class="n">belongs_to</span> <span class="ss">:cart</span>
</span><span class='line'>
</span><span class='line'>  <span class="k">def</span> <span class="nf">purchase</span>
</span><span class='line'>    <span class="n">response</span> <span class="o">=</span> <span class="no">EXPRESS_GATEWAY</span><span class="o">.</span><span class="n">purchase</span><span class="p">(</span><span class="n">order</span><span class="o">.</span><span class="n">total_amount_cents</span><span class="p">,</span> <span class="n">express_purchase_options</span><span class="p">)</span>
</span><span class='line'>    <span class="n">cart</span><span class="o">.</span><span class="n">update_attribute</span><span class="p">(</span><span class="ss">:purchased_at</span><span class="p">,</span> <span class="no">Time</span><span class="o">.</span><span class="n">now</span><span class="p">)</span> <span class="k">if</span> <span class="n">response</span><span class="o">.</span><span class="n">success?</span>
</span><span class='line'>    <span class="n">response</span><span class="o">.</span><span class="n">success?</span>
</span><span class='line'>  <span class="k">end</span>
</span><span class='line'>
</span><span class='line'>  <span class="k">def</span> <span class="nf">express_token</span><span class="o">=</span><span class="p">(</span><span class="n">token</span><span class="p">)</span>
</span><span class='line'>    <span class="nb">self</span><span class="o">[</span><span class="ss">:express_token</span><span class="o">]</span> <span class="o">=</span> <span class="n">token</span>
</span><span class='line'>    <span class="k">if</span> <span class="n">new_record?</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="n">token</span><span class="o">.</span><span class="n">blank?</span>
</span><span class='line'>      <span class="c1"># you can dump details var if you need more info from buyer</span>
</span><span class='line'>      <span class="n">details</span> <span class="o">=</span> <span class="no">EXPRESS_GATEWAY</span><span class="o">.</span><span class="n">details_for</span><span class="p">(</span><span class="n">token</span><span class="p">)</span>
</span><span class='line'>      <span class="nb">self</span><span class="o">.</span><span class="n">express_payer_id</span> <span class="o">=</span> <span class="n">details</span><span class="o">.</span><span class="n">payer_id</span>
</span><span class='line'>    <span class="k">end</span>
</span><span class='line'>  <span class="k">end</span>
</span><span class='line'>
</span><span class='line'>  <span class="kp">private</span>
</span><span class='line'>
</span><span class='line'>  <span class="k">def</span> <span class="nf">express_purchase_options</span>
</span><span class='line'>    <span class="p">{</span>
</span><span class='line'>      <span class="ss">:ip</span> <span class="o">=&gt;</span> <span class="n">ip</span><span class="p">,</span>
</span><span class='line'>      <span class="ss">:token</span> <span class="o">=&gt;</span> <span class="n">express_token</span><span class="p">,</span>
</span><span class='line'>      <span class="ss">:payer_id</span> <span class="o">=&gt;</span> <span class="n">express_payer_id</span>
</span><span class='line'>    <span class="p">}</span>
</span><span class='line'>  <span class="k">end</span>
</span><span class='line'><span class="k">end</span>
</span></code></pre></td></tr></table></div></figure>


<p>and that&rsquo;s all there is to it. hth.</p>
</div>
  
  
    </article>
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2014/01/12/rails-4-login-with-devise-and-facebook/">rails 4: login with devise and facebook</a></h1>
    
    
      <p class="meta">
        

<time datetime="2014-01-12T08:43:00-08:00" pubdate data-updated="true">Jan 12<span>th</span>, 2014</time>
        
           | <a href="/blog/2014/01/12/rails-4-login-with-devise-and-facebook/#disqus_thread"
             data-disqus-identifier="http://jldbasa.github.io/blog/2014/01/12/rails-4-login-with-devise-and-facebook/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>i recently created an application where you can login with its own
authentication system and third party sites like facebook, twitter, linkedin, etc.
for this task, i used <code>devise</code>, <code>omniauth</code> and <code>omniauth-facebook</code> gems.</p>

<p>make sure that you setup your facebook app. we&rsquo;ll use the fb app id and secret
later. let&rsquo;s get started.</p>

<p><strong>Gems to use</strong></p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">devise</span> <span class="p">(</span><span class="mi">3</span><span class="o">.</span><span class="mi">2</span><span class="o">.</span><span class="mi">2</span><span class="p">)</span>
</span><span class='line'><span class="n">rails</span> <span class="p">(</span><span class="mi">4</span><span class="o">.</span><span class="mi">0</span><span class="o">.</span><span class="mi">2</span><span class="p">)</span>
</span><span class='line'><span class="n">omniauth</span><span class="o">-</span><span class="n">facebook</span> <span class="p">(</span><span class="mi">1</span><span class="o">.</span><span class="mi">5</span><span class="o">.</span><span class="mi">1</span><span class="p">)</span>
</span></code></pre></td></tr></table></div></figure>


<h2>Model changes</h2>

<p><strong>Create Authentication model</strong></p>

<p>assuming you are using <code>User</code> model for devise, create the <code>Authentication</code> model.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class='sh'><span class='line'><span class="nv">$ </span>rails g model Authentication user:references provider:string uid:string
</span><span class='line'>token:string token_secret:string
</span></code></pre></td></tr></table></div></figure>


<p><strong>Setup table relations</strong></p>

<figure class='code'><figcaption><span>app/model/users.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">has_many</span> <span class="ss">:authentications</span><span class="p">,</span> <span class="ss">dependent</span><span class="p">:</span> <span class="ss">:delete_all</span>
</span></code></pre></td></tr></table></div></figure>


<figure class='code'><figcaption><span>app/model/authentications.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">belongs_to</span> <span class="ss">:user</span>
</span></code></pre></td></tr></table></div></figure>


<p><strong>Add methods to user.rb</strong></p>

<p>we need to override devise methods <code>password_required</code> and
<code>update_with_password</code> since 3rd party authentications don&rsquo;t require password.</p>

<figure class='code'><figcaption><span>app/model/users.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'>  <span class="c1">#...</span>
</span><span class='line'>  <span class="k">def</span> <span class="nf">apply_omniauth</span><span class="p">(</span><span class="n">omniauth</span><span class="p">)</span>
</span><span class='line'>    <span class="nb">self</span><span class="o">.</span><span class="n">username</span> <span class="o">=</span> <span class="n">omniauth</span><span class="o">[</span><span class="s1">&#39;info&#39;</span><span class="o">][</span><span class="s1">&#39;nickname&#39;</span><span class="o">]</span> <span class="k">if</span> <span class="n">username</span><span class="o">.</span><span class="n">blank?</span>
</span><span class='line'>    <span class="nb">self</span><span class="o">.</span><span class="n">email</span> <span class="o">=</span> <span class="n">omniauth</span><span class="o">[</span><span class="s1">&#39;info&#39;</span><span class="o">][</span><span class="s1">&#39;email&#39;</span><span class="o">]</span> <span class="k">if</span> <span class="n">email</span><span class="o">.</span><span class="n">blank?</span>
</span><span class='line'>
</span><span class='line'>    <span class="n">authentications</span><span class="o">.</span><span class="n">build</span><span class="p">(</span><span class="ss">:provider</span> <span class="o">=&gt;</span> <span class="n">omniauth</span><span class="o">[</span><span class="s1">&#39;provider&#39;</span><span class="o">]</span><span class="p">,</span>
</span><span class='line'>                        <span class="ss">:uid</span> <span class="o">=&gt;</span> <span class="n">omniauth</span><span class="o">[</span><span class="s1">&#39;uid&#39;</span><span class="o">]</span><span class="p">,</span>
</span><span class='line'>                        <span class="ss">:token</span> <span class="o">=&gt;</span> <span class="n">omniauth</span><span class="o">[</span><span class="s1">&#39;credentials&#39;</span><span class="o">].</span><span class="n">token</span><span class="p">,</span>
</span><span class='line'>                        <span class="ss">:token_secret</span> <span class="o">=&gt;</span> <span class="n">omniauth</span><span class="o">[</span><span class="s1">&#39;credentials&#39;</span><span class="o">].</span><span class="n">secret</span><span class="p">)</span>
</span><span class='line'>  <span class="k">end</span>
</span><span class='line'>
</span><span class='line'>  <span class="k">def</span> <span class="nf">password_required?</span>
</span><span class='line'>    <span class="p">(</span><span class="n">authentications</span><span class="o">.</span><span class="n">empty?</span> <span class="o">||</span> <span class="o">!</span><span class="n">password</span><span class="o">.</span><span class="n">blank?</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="k">super</span>
</span><span class='line'>  <span class="k">end</span>
</span><span class='line'>
</span><span class='line'>  <span class="k">def</span> <span class="nf">update_with_password</span><span class="p">(</span><span class="n">params</span><span class="p">,</span> <span class="o">*</span><span class="n">options</span><span class="p">)</span>
</span><span class='line'>    <span class="k">if</span> <span class="n">encrypted_password</span><span class="o">.</span><span class="n">blank?</span>
</span><span class='line'>      <span class="n">update_attributes</span><span class="p">(</span><span class="n">params</span><span class="p">,</span> <span class="o">*</span><span class="n">options</span><span class="p">)</span>
</span><span class='line'>    <span class="k">else</span>
</span><span class='line'>      <span class="k">super</span>
</span><span class='line'>    <span class="k">end</span>
</span><span class='line'>  <span class="k">end</span>
</span><span class='line'>  <span class="c1">#...</span>
</span></code></pre></td></tr></table></div></figure>


<p><strong>Enable omniauth support in devise</strong></p>

<p>add FB app id and secret. note that it&rsquo;s a good practice to get them from ENV,
i use <code>figaro</code> gem to do this.</p>

<figure class='code'><figcaption><span>config/initializers/devise.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">config</span><span class="o">.</span><span class="n">omniauth</span> <span class="ss">:facebook</span><span class="p">,</span> <span class="no">Figaro</span><span class="o">.</span><span class="n">env</span><span class="o">.</span><span class="n">fb_app_id</span><span class="p">,</span> <span class="no">Figaro</span><span class="o">.</span><span class="n">env</span><span class="o">.</span><span class="n">fb_app_secret</span><span class="p">,</span>
</span><span class='line'><span class="ss">:scope</span> <span class="o">=&gt;</span> <span class="s1">&#39;email, user_location, publish_actions&#39;</span>
</span></code></pre></td></tr></table></div></figure>


<figure class='code'><figcaption><span>app/models/user.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="c1"># add :omniauthable</span>
</span><span class='line'><span class="n">devise</span> <span class="ss">:database_authenticatable</span><span class="p">,</span> <span class="ss">:registerable</span><span class="p">,</span>
</span><span class='line'>       <span class="ss">:recoverable</span><span class="p">,</span> <span class="ss">:rememberable</span><span class="p">,</span> <span class="ss">:trackable</span><span class="p">,</span> <span class="ss">:validatable</span><span class="p">,</span>
</span><span class='line'>       <span class="ss">:omniauthable</span>
</span></code></pre></td></tr></table></div></figure>


<h2>Controller changes</h2>

<p><strong>Create authentications and registrations controller</strong></p>

<p>we need callbacks for omniauth that&rsquo;s why we&rsquo;re creating <code>authentications</code>
controller and <code>registrations</code> controller to override some of devise
functionalities.</p>

<figure class='code'><figcaption><span>config/routes.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">devise_for</span> <span class="ss">:users</span><span class="p">,</span> <span class="ss">:path</span> <span class="o">=&gt;</span> <span class="s1">&#39;/&#39;</span><span class="p">,</span> <span class="ss">controllers</span><span class="p">:</span> <span class="p">{</span><span class="n">omniauth_callbacks</span><span class="p">:</span>
</span><span class='line'><span class="s2">&quot;authentications&quot;</span><span class="p">,</span> <span class="ss">registrations</span><span class="p">:</span> <span class="s2">&quot;registrations&quot;</span><span class="p">}</span>
</span></code></pre></td></tr></table></div></figure>


<figure class='code'><figcaption><span>app/controllers/registrations_controller.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="k">class</span> <span class="nc">RegistrationsController</span> <span class="o">&lt;</span> <span class="ss">Devise</span><span class="p">:</span><span class="ss">:RegistrationsController</span>
</span><span class='line'>
</span><span class='line'>  <span class="k">def</span> <span class="nf">create</span>
</span><span class='line'>    <span class="k">super</span>
</span><span class='line'>    <span class="n">session</span><span class="o">[</span><span class="s1">&#39;devise.omniauth&#39;</span><span class="o">]</span> <span class="o">=</span> <span class="kp">nil</span> <span class="k">unless</span> <span class="vi">@user</span><span class="o">.</span><span class="n">new_record?</span>
</span><span class='line'>  <span class="k">end</span>
</span><span class='line'>
</span><span class='line'>  <span class="k">def</span> <span class="nf">build_resource</span><span class="p">(</span><span class="o">*</span><span class="n">args</span><span class="p">)</span>
</span><span class='line'>    <span class="k">super</span>
</span><span class='line'>    <span class="k">if</span> <span class="n">session</span><span class="o">[</span><span class="s1">&#39;devise.omniauth&#39;</span><span class="o">]</span>
</span><span class='line'>      <span class="vi">@user</span><span class="o">.</span><span class="n">apply_omniauth</span><span class="p">(</span><span class="n">session</span><span class="o">[</span><span class="s1">&#39;devise.omniauth&#39;</span><span class="o">]</span><span class="p">)</span>
</span><span class='line'>      <span class="vi">@user</span><span class="o">.</span><span class="n">valid?</span>
</span><span class='line'>    <span class="k">end</span>
</span><span class='line'>  <span class="k">end</span>
</span><span class='line'><span class="k">end</span>
</span></code></pre></td></tr></table></div></figure>


<figure class='code'><figcaption><span>app/controllers/authentications_controller.rb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="k">class</span> <span class="nc">AuthenticationsController</span> <span class="o">&lt;</span>  <span class="ss">Devise</span><span class="p">:</span><span class="ss">:OmniauthCallbacksController</span>
</span><span class='line'>
</span><span class='line'>  <span class="k">def</span> <span class="nf">all</span>
</span><span class='line'>    <span class="n">omniauth</span> <span class="o">=</span> <span class="n">request</span><span class="o">.</span><span class="n">env</span><span class="o">[</span><span class="s2">&quot;omniauth.auth&quot;</span><span class="o">]</span>
</span><span class='line'>    <span class="n">authentication</span> <span class="o">=</span> <span class="no">Authentication</span><span class="o">.</span><span class="n">where</span><span class="p">(</span><span class="ss">provider</span><span class="p">:</span> <span class="n">omniauth</span><span class="o">[</span><span class="s1">&#39;provider&#39;</span><span class="o">]</span><span class="p">,</span> <span class="ss">uid</span><span class="p">:</span> <span class="n">omniauth</span><span class="o">[</span><span class="s1">&#39;uid&#39;</span><span class="o">]</span><span class="p">)</span><span class="o">.</span><span class="n">take</span>
</span><span class='line'>
</span><span class='line'>    <span class="k">if</span> <span class="n">authentication</span>
</span><span class='line'>      <span class="n">flash</span><span class="o">[</span><span class="ss">:notice</span><span class="o">]</span> <span class="o">=</span> <span class="s2">&quot;Logged in Successfully&quot;</span>
</span><span class='line'>      <span class="n">sign_in_and_redirect</span> <span class="no">User</span><span class="o">.</span><span class="n">find</span><span class="p">(</span><span class="n">authentication</span><span class="o">.</span><span class="n">user_id</span><span class="p">)</span>
</span><span class='line'>    <span class="k">elsif</span> <span class="n">current_user</span>
</span><span class='line'>      <span class="n">token</span> <span class="o">=</span> <span class="n">omniauth</span><span class="o">[</span><span class="s1">&#39;credentials&#39;</span><span class="o">].</span><span class="n">token</span>
</span><span class='line'>      <span class="n">token_secret</span> <span class="o">=</span> <span class="n">omniauth</span><span class="o">[</span><span class="s1">&#39;credentials&#39;</span><span class="o">].</span><span class="n">has_key?</span><span class="p">(</span><span class="s1">&#39;secret&#39;</span><span class="p">)</span> <span class="p">?</span>  <span class="n">omniauth</span><span class="o">[</span><span class="s1">&#39;credentials&#39;</span><span class="o">].</span><span class="n">secret</span> <span class="p">:</span> <span class="kp">nil</span>
</span><span class='line'>
</span><span class='line'>      <span class="n">current_user</span><span class="o">.</span><span class="n">authentications</span><span class="o">.</span><span class="n">create!</span><span class="p">(</span><span class="ss">:provider</span> <span class="o">=&gt;</span> <span class="n">omniauth</span><span class="o">[</span><span class="s1">&#39;provider&#39;</span><span class="o">]</span><span class="p">,</span> <span class="ss">:uid</span> <span class="o">=&gt;</span> <span class="n">omniauth</span><span class="o">[</span><span class="s1">&#39;uid&#39;</span><span class="o">]</span><span class="p">,</span> <span class="ss">:token</span> <span class="o">=&gt;</span> <span class="n">token</span><span class="p">,</span> <span class="ss">:token_secret</span> <span class="o">=&gt;</span> <span class="n">token_secret</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'>      <span class="n">flash</span><span class="o">[</span><span class="ss">:notice</span><span class="o">]</span> <span class="o">=</span> <span class="s2">&quot;Authentication successful.&quot;</span>
</span><span class='line'>      <span class="n">sign_in_and_redirect</span> <span class="n">current_user</span>
</span><span class='line'>    <span class="k">else</span>
</span><span class='line'>      <span class="n">user</span> <span class="o">=</span> <span class="no">User</span><span class="o">.</span><span class="n">new</span>
</span><span class='line'>      <span class="n">user</span><span class="o">.</span><span class="n">apply_omniauth</span><span class="p">(</span><span class="n">omniauth</span><span class="p">)</span>
</span><span class='line'>
</span><span class='line'>      <span class="n">session</span><span class="o">[</span><span class="s1">&#39;devise.omniauth&#39;</span><span class="o">]</span> <span class="o">=</span> <span class="n">omniauth</span><span class="o">.</span><span class="n">except</span><span class="p">(</span><span class="s1">&#39;extra&#39;</span><span class="p">)</span>
</span><span class='line'>      <span class="n">redirect_to</span> <span class="n">new_user_registration_path</span>
</span><span class='line'>    <span class="k">end</span>
</span><span class='line'>  <span class="k">end</span>
</span><span class='line'>
</span><span class='line'>  <span class="n">alias_method</span> <span class="ss">:facebook</span><span class="p">,</span> <span class="ss">:all</span>
</span><span class='line'>
</span><span class='line'><span class="k">end</span>
</span></code></pre></td></tr></table></div></figure>


<h2>Views changes</h2>

<figure class='code'><figcaption><span>app/views/layout/application.htm.erb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="o">&lt;%=</span> <span class="n">link_to</span> <span class="s1">&#39;Login with FB&#39;</span><span class="p">,</span> <span class="n">user_omniauth_authorize_path</span><span class="p">(</span><span class="ss">:facebook</span><span class="p">)</span> <span class="o">%&gt;</span>
</span></code></pre></td></tr></table></div></figure>


<p>hide passwords field in devise <code>new</code> and <code>edit</code> templates of <code>registrations</code> if they
are not needed.</p>

<figure class='code'><figcaption><span>app/views/devise/registrations/new.html.erb </span></figcaption>
<div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="o">&lt;</span><span class="sx">% if </span><span class="n">f</span><span class="o">.</span><span class="n">object</span><span class="o">.</span><span class="n">password_required?</span> <span class="sx">%&gt;</span>
</span><span class='line'><span class="sx">  &lt;%= f.input :password, required: true, label: false, input_html: { class: &#39;form-control&#39; }, placeholder: &#39;Password&#39;  %&gt;</span>
</span><span class='line'>  <span class="o">&lt;%=</span> <span class="n">f</span><span class="o">.</span><span class="n">input</span> <span class="ss">:password_confirmation</span><span class="p">,</span> <span class="ss">required</span><span class="p">:</span> <span class="kp">true</span><span class="p">,</span> <span class="ss">label</span><span class="p">:</span> <span class="kp">false</span><span class="p">,</span> <span class="n">input_html</span><span class="p">:</span> <span class="p">{</span> <span class="ss">class</span><span class="p">:</span> <span class="s1">&#39;form-control&#39;</span> <span class="p">},</span> <span class="ss">placeholder</span><span class="p">:</span> <span class="s1">&#39;Confirm Password&#39;</span>  <span class="sx">%&gt;</span>
</span><span class='line'><span class="sx">&lt;% end %&gt;</span>
</span></code></pre></td></tr></table></div></figure>


<p>if you want to add twitter, linkedin, etc, just refer to their respective
  omniauth gems.</p>

<p>and that&rsquo;s all there is to it. hth.</p>
</div>
  
  
    </article>
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2013/10/20/how-i-start-my-controller-spec/">how i start my controller spec</a></h1>
    
    
      <p class="meta">
        

<time datetime="2013-10-20T08:04:00-07:00" pubdate data-updated="true">Oct 20<span>th</span>, 2013</time>
        
           | <a href="/blog/2013/10/20/how-i-start-my-controller-spec/#disqus_thread"
             data-disqus-identifier="http://jldbasa.github.io/blog/2013/10/20/how-i-start-my-controller-spec/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>first, setup the data e.g.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">let</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">}</span>
</span><span class='line'><span class="n">let</span><span class="p">(</span><span class="ss">:admin</span><span class="p">)</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:admin</span><span class="p">)</span> <span class="p">}</span>
</span></code></pre></td></tr></table></div></figure>


<p>then define who has access to it e.g.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">describe</span> <span class="s2">&quot;admin access&quot;</span> <span class="k">do</span>
</span><span class='line'><span class="k">end</span>
</span><span class='line'>
</span><span class='line'><span class="n">describe</span> <span class="s2">&quot;user access&quot;</span> <span class="k">do</span>
</span><span class='line'><span class="k">end</span>
</span><span class='line'>
</span><span class='line'><span class="n">describe</span> <span class="s2">&quot;guest access&quot;</span> <span class="k">do</span>
</span><span class='line'><span class="k">end</span>
</span></code></pre></td></tr></table></div></figure>


<p>if needed, i use <strong>shared examples</strong> e.g.</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">shared_examples</span><span class="p">(</span><span class="s2">&quot;public access to products&quot;</span><span class="p">)</span> <span class="k">do</span>
</span><span class='line'><span class="k">end</span>
</span><span class='line'>
</span><span class='line'><span class="n">shared_examples</span><span class="p">(</span><span class="s2">&quot;full access to products&quot;</span><span class="p">)</span> <span class="k">do</span>
</span><span class='line'><span class="k">end</span>
</span></code></pre></td></tr></table></div></figure>


<p>and call them like this:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="n">it_behaves_like</span> <span class="s2">&quot;public access to products&quot;</span>
</span></code></pre></td></tr></table></div></figure>


<p>here&rsquo;s the full source for reference:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
<span class='line-number'>15</span>
<span class='line-number'>16</span>
<span class='line-number'>17</span>
<span class='line-number'>18</span>
<span class='line-number'>19</span>
<span class='line-number'>20</span>
<span class='line-number'>21</span>
<span class='line-number'>22</span>
<span class='line-number'>23</span>
<span class='line-number'>24</span>
<span class='line-number'>25</span>
<span class='line-number'>26</span>
<span class='line-number'>27</span>
<span class='line-number'>28</span>
<span class='line-number'>29</span>
<span class='line-number'>30</span>
<span class='line-number'>31</span>
<span class='line-number'>32</span>
<span class='line-number'>33</span>
<span class='line-number'>34</span>
<span class='line-number'>35</span>
<span class='line-number'>36</span>
<span class='line-number'>37</span>
<span class='line-number'>38</span>
<span class='line-number'>39</span>
<span class='line-number'>40</span>
<span class='line-number'>41</span>
<span class='line-number'>42</span>
<span class='line-number'>43</span>
<span class='line-number'>44</span>
<span class='line-number'>45</span>
<span class='line-number'>46</span>
<span class='line-number'>47</span>
<span class='line-number'>48</span>
<span class='line-number'>49</span>
<span class='line-number'>50</span>
<span class='line-number'>51</span>
<span class='line-number'>52</span>
<span class='line-number'>53</span>
</pre></td><td class='code'><pre><code class='ruby'><span class='line'><span class="nb">require</span> <span class="s1">&#39;spec_helper&#39;</span>
</span><span class='line'>
</span><span class='line'><span class="n">describe</span> <span class="no">ProductsController</span> <span class="k">do</span>
</span><span class='line'>
</span><span class='line'>  <span class="n">let</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:user</span><span class="p">)</span> <span class="p">}</span>
</span><span class='line'>  <span class="n">let</span><span class="p">(</span><span class="ss">:admin</span><span class="p">)</span> <span class="p">{</span> <span class="no">FactoryGirl</span><span class="o">.</span><span class="n">create</span><span class="p">(</span><span class="ss">:admin</span><span class="p">)</span> <span class="p">}</span>
</span><span class='line'>
</span><span class='line'>  <span class="n">shared_examples</span><span class="p">(</span><span class="s2">&quot;public access to products&quot;</span><span class="p">)</span> <span class="k">do</span>
</span><span class='line'>    <span class="n">describe</span> <span class="s2">&quot;GET #index&quot;</span> <span class="k">do</span>
</span><span class='line'>      <span class="n">before</span> <span class="ss">:each</span> <span class="k">do</span>
</span><span class='line'>        <span class="n">get</span> <span class="ss">:index</span>
</span><span class='line'>      <span class="k">end</span>
</span><span class='line'>
</span><span class='line'>      <span class="n">it</span> <span class="s2">&quot;renders the :index template&quot;</span>
</span><span class='line'>    <span class="k">end</span>
</span><span class='line'>  <span class="k">end</span>
</span><span class='line'>
</span><span class='line'>  <span class="n">shared_examples</span><span class="p">(</span><span class="s2">&quot;full access to products&quot;</span><span class="p">)</span> <span class="k">do</span>
</span><span class='line'>    <span class="n">describe</span> <span class="s2">&quot;GET &#39;new&#39;&quot;</span> <span class="k">do</span>
</span><span class='line'>      <span class="n">before</span> <span class="ss">:each</span> <span class="k">do</span>
</span><span class='line'>        <span class="n">get</span> <span class="ss">:new</span>
</span><span class='line'>      <span class="k">end</span>
</span><span class='line'>
</span><span class='line'>      <span class="n">it</span> <span class="s2">&quot;renders the :new template&quot;</span>
</span><span class='line'>    <span class="k">end</span>
</span><span class='line'>  <span class="k">end</span>
</span><span class='line'>
</span><span class='line'>  <span class="n">describe</span> <span class="s2">&quot;admin access&quot;</span> <span class="k">do</span>
</span><span class='line'>    <span class="n">before</span> <span class="ss">:each</span> <span class="k">do</span>
</span><span class='line'>      <span class="n">sign_in</span> <span class="ss">:user</span><span class="p">,</span> <span class="n">admin</span>
</span><span class='line'>    <span class="k">end</span>
</span><span class='line'>
</span><span class='line'>    <span class="n">it_behaves_like</span> <span class="s2">&quot;public access to products&quot;</span>
</span><span class='line'>    <span class="n">it_behaves_like</span> <span class="s2">&quot;full access to products&quot;</span>
</span><span class='line'>  <span class="k">end</span>
</span><span class='line'>
</span><span class='line'>  <span class="n">describe</span> <span class="s2">&quot;user access&quot;</span> <span class="k">do</span>
</span><span class='line'>    <span class="n">before</span> <span class="ss">:each</span> <span class="k">do</span>
</span><span class='line'>      <span class="n">sign_in</span> <span class="ss">:user</span><span class="p">,</span> <span class="n">user</span>
</span><span class='line'>    <span class="k">end</span>
</span><span class='line'>
</span><span class='line'>    <span class="n">it_behaves_like</span> <span class="s2">&quot;public access to products&quot;</span>
</span><span class='line'>    <span class="n">it_behaves_like</span> <span class="s2">&quot;full access to products&quot;</span>
</span><span class='line'>  <span class="k">end</span>
</span><span class='line'>
</span><span class='line'>  <span class="n">describe</span> <span class="s2">&quot;guest access&quot;</span> <span class="k">do</span>
</span><span class='line'>    <span class="n">it_behaves_like</span> <span class="s2">&quot;public access to products&quot;</span>
</span><span class='line'>
</span><span class='line'>    <span class="n">describe</span> <span class="s2">&quot;GET &#39;new&#39;&quot;</span> <span class="k">do</span>
</span><span class='line'>      <span class="n">it</span> <span class="s2">&quot;requires login&quot;</span>
</span><span class='line'>    <span class="k">end</span>
</span><span class='line'>  <span class="k">end</span>
</span><span class='line'><span class="k">end</span>
</span></code></pre></td></tr></table></div></figure>


</div>
  
  
    </article>
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2013/10/13/favorite-gems/">favorite gems</a></h1>
    
    
      <p class="meta">
        

<time datetime="2013-10-13T07:00:00-07:00" pubdate data-updated="true">Oct 13<span>th</span>, 2013</time>
        
           | <a href="/blog/2013/10/13/favorite-gems/#disqus_thread"
             data-disqus-identifier="http://jldbasa.github.io/blog/2013/10/13/favorite-gems/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>am compiling a list of gems that i use or will use in the future. this post
will be regulary updated.</p>

<p><em>note:</em> the following gems works with rails 4.0</p>

<ul>
<li>authentication

<ul>
<li><a href="" title="https://github.com/plataformatec/devise">devise</a></li>
<li><a href="" title="https://github.com/intridea/omniauth">omniauth</a></li>
</ul>
</li>
<li>authorization &ndash; <a href="" title="https://github.com/nathanl/authority">authority</a></li>
<li>configuration &ndash; <a href="" title="https://github.com/laserlemon/figaro">figaro</a></li>
<li>elastic search &ndash; <a href="" title="https://github.com/karmi/retire">tire</a></li>
<li>facebook graph &ndash; <a href="" title="https://github.com/arsduo/koala">koala</a></li>
<li>paginator &ndash; <a href="" title="https://github.com/amatsuda/kaminari">kaminari</a></li>
<li>uploader

<ul>
<li><a href="" title="https://github.com/carrierwaveuploader/carrierwave">carrierwave</a></li>
</ul>
</li>
</ul>


<p>hit the comments if you want something added</p>
</div>
  
  
    </article>
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2013/10/10/creating-rails-app-from-scratch/">creating rails app from scratch</a></h1>
    
    
      <p class="meta">
        

<time datetime="2013-10-10T10:47:00-07:00" pubdate data-updated="true">Oct 10<span>th</span>, 2013</time>
        
           | <a href="/blog/2013/10/10/creating-rails-app-from-scratch/#disqus_thread"
             data-disqus-identifier="http://jldbasa.github.io/blog/2013/10/10/creating-rails-app-from-scratch/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>this is a trick i always use when i create a new project and i don&rsquo;t have rails gem
installed globally. but before i put the commands, here&rsquo;s my current setup:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
</pre></td><td class='code'><pre><code class='sh'><span class='line'><span class="nv">$ </span>gem list
</span><span class='line'>
</span><span class='line'>*** LOCAL GEMS ***
</span><span class='line'>bundler <span class="o">(</span>1.3.5<span class="o">)</span>
</span><span class='line'>rbenv-gem-rehash <span class="o">(</span>1.0.0<span class="o">)</span>
</span></code></pre></td></tr></table></div></figure>


<p>also, i install the gems in a vendor directory inside the project; which means you
need to specify the <code>--path vendor</code> when running bundle install.</p>

<p>here are the commands:</p>

<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
<span class='line-number'>2</span>
<span class='line-number'>3</span>
<span class='line-number'>4</span>
<span class='line-number'>5</span>
<span class='line-number'>6</span>
<span class='line-number'>7</span>
<span class='line-number'>8</span>
<span class='line-number'>9</span>
<span class='line-number'>10</span>
<span class='line-number'>11</span>
<span class='line-number'>12</span>
<span class='line-number'>13</span>
<span class='line-number'>14</span>
</pre></td><td class='code'><pre><code class='sh'><span class='line'><span class="nv">$ </span>mkdir appname
</span><span class='line'><span class="nv">$ </span><span class="nb">cd </span>appname
</span><span class='line'><span class="nv">$ </span><span class="nb">echo</span> <span class="s2">&quot;source &#39;https://rubygems.org&#39;&quot;</span> &gt; Gemfile
</span><span class='line'><span class="nv">$ </span><span class="nb">echo</span> <span class="s2">&quot;gem &#39;rails&#39;, &#39;~&gt; 4.0.0&#39;&quot;</span> &gt;&gt; Gemfile
</span><span class='line'>
</span><span class='line'><span class="c"># make sure that your ruby version is set before running the next commands. am</span>
</span><span class='line'><span class="c"># using version 2.0.0.</span>
</span><span class='line'>
</span><span class='line'><span class="nv">$ </span>bundle install --path vendor
</span><span class='line'><span class="nv">$ </span>bundle <span class="nb">exec </span>rails new . --skip-bundle -d mysql
</span><span class='line'><span class="nv">$ </span>bundle install --path vendor
</span><span class='line'><span class="nv">$ </span>rails -v
</span><span class='line'><span class="nv">$ </span>bundle package
</span><span class='line'><span class="nv">$ </span><span class="nb">echo</span> <span class="s1">&#39;vendor/ruby&#39;</span> &gt;&gt; .gitignore
</span></code></pre></td></tr></table></div></figure>


</div>
  
  
    </article>
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2013/09/12/git-dot-dot-dot-what-is/">&#8216;git&#8230; what is ____?&#8217;</a></h1>
    
    
      <p class="meta">
        

<time datetime="2013-09-12T08:51:00-07:00" pubdate data-updated="true">Sep 12<span>th</span>, 2013</time>
        
           | <a href="/blog/2013/09/12/git-dot-dot-dot-what-is/#disqus_thread"
             data-disqus-identifier="http://jldbasa.github.io/blog/2013/09/12/git-dot-dot-dot-what-is/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><blockquote><p>some git notes i put together for reference</p></blockquote>

<h2>Rollback changes</h2>

<ul>
<li>undo last commit, put changes to staging</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='sh'><span class='line'><span class="nv">$ </span>git reset --soft HEAD^
</span></code></pre></td></tr></table></div></figure>


<ul>
<li>new message, change the last commit</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='sh'><span class='line'><span class="nv">$ </span>git commit --amend -m
</span></code></pre></td></tr></table></div></figure>


<ul>
<li>undo last commit and all changes</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='sh'><span class='line'><span class="nv">$ </span>git reset --hard HEAD^
</span></code></pre></td></tr></table></div></figure>


<ul>
<li>undo 2 commits and all changes</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='sh'><span class='line'><span class="nv">$ </span>git reset --hard HEAD^^
</span></code></pre></td></tr></table></div></figure>


<h2>Remotes</h2>

<ul>
<li>add new remotes</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='sh'><span class='line'><span class="nv">$ </span>git remote add &lt;name&gt; &lt;address&gt;
</span></code></pre></td></tr></table></div></figure>


<ul>
<li>remove remotes</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='sh'><span class='line'><span class="nv">$ </span>git remote rm &lt;name&gt;
</span></code></pre></td></tr></table></div></figure>


<ul>
<li>push to remotes</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='sh'><span class='line'><span class="nv">$ </span>git push -u &lt;name&gt; &lt;branch&gt;
</span></code></pre></td></tr></table></div></figure>


<ul>
<li>remote show</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='sh'><span class='line'><span class="nv">$ </span>git remote show origin
</span></code></pre></td></tr></table></div></figure>


<ul>
<li>clean-up deleted remote branches</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='sh'><span class='line'><span class="nv">$ </span>git remote prune origin
</span></code></pre></td></tr></table></div></figure>


<h2>Tagging</h2>

<ul>
<li>list all tags</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='sh'><span class='line'><span class="nv">$ </span>git tag
</span></code></pre></td></tr></table></div></figure>


<ul>
<li>checkout code commit</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='sh'><span class='line'><span class="nv">$ </span>git checkout v0.0.1
</span></code></pre></td></tr></table></div></figure>


<ul>
<li>add new tag</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='sh'><span class='line'><span class="nv">$ </span>git tag -a v0.0.3 -m <span class="s2">&quot;version 0.0.3&quot;</span>
</span></code></pre></td></tr></table></div></figure>


<ul>
<li>push new tags</li>
</ul>


<figure class='code'><div class="highlight"><table><tr><td class="gutter"><pre class="line-numbers"><span class='line-number'>1</span>
</pre></td><td class='code'><pre><code class='sh'><span class='line'><span class="nv">$ </span>git push --tags
</span></code></pre></td></tr></table></div></figure>


</div>
  
  
    </article>
  
  
    <article>
      
  <header>
    
      <h1 class="entry-title"><a href="/blog/2013/08/19/first-post/">first post</a></h1>
    
    
      <p class="meta">
        

<time datetime="2013-08-19T11:29:00-07:00" pubdate data-updated="true">Aug 19<span>th</span>, 2013</time>
        
           | <a href="/blog/2013/08/19/first-post/#disqus_thread"
             data-disqus-identifier="http://jldbasa.github.io/blog/2013/08/19/first-post/">Comments</a>
        
      </p>
    
  </header>


  <div class="entry-content"><p>hello world!</p>

<p>trying out gh-pages, and i setup octopress. long story short; after you make
a post, just generate and deploy your blog to Github via rake commands.</p>

<p>post and pages are written using markdown syntax. so far it&rsquo;s all good.</p>

<p>if you use zsh, you might want to check this
  <a href="http://ryanarneson.com/blog/2012/04/07/rake-new-post-doesnt-work-with-zsh/">link</a>.</p>
</div>
  
  
    </article>
  
  <div class="pagination">
    
    <a href="/blog/archives">Blog Archives</a>
    
  </div>
</div>
<aside class="sidebar">
  
    <section>
  <h1>Recent Posts</h1>
  <ul id="recent_posts">
    
      <li class="post">
        <a href="/blog/2014/03/06/rails-security-pitfalls/">rails security pitfalls</a>
      </li>
    
      <li class="post">
        <a href="/blog/2014/02/14/mysql-user-minimum-required-privileges-for-rails/">mysql user minimum required privileges for rails</a>
      </li>
    
      <li class="post">
        <a href="/blog/2014/01/25/rails-4-paypal-express-checkout-integration/">rails 4: paypal express checkout integration using activemerchant</a>
      </li>
    
      <li class="post">
        <a href="/blog/2014/01/12/rails-4-login-with-devise-and-facebook/">rails 4: login with devise and facebook</a>
      </li>
    
      <li class="post">
        <a href="/blog/2013/10/20/how-i-start-my-controller-spec/">how i start my controller spec</a>
      </li>
    
  </ul>
</section>


</aside>

    </div>
  </div>
  <footer role="contentinfo"><p>
  Copyright &copy; 2014 - jerome basa -
  <span class="credit">Powered by <a href="http://octopress.org">Octopress</a></span>
</p>

</footer>
  

<script type="text/javascript">
      var disqus_shortname = 'jerome-github';
      
        
        var disqus_script = 'count.js';
      
    (function () {
      var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true;
      dsq.src = '//' + disqus_shortname + '.disqus.com/' + disqus_script;
      (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq);
    }());
</script>


  <script type="text/javascript">
    (function(){
      var twitterWidgets = document.createElement('script');
      twitterWidgets.type = 'text/javascript';
      twitterWidgets.async = true;
      twitterWidgets.src = '//platform.twitter.com/widgets.js';
      document.getElementsByTagName('head')[0].appendChild(twitterWidgets);
    })();
  </script>


</body>
</html>