Prepared exclusively for Rida Al Barazi Agile Web Development with Rails A Pragmatic Guide Dave Thomas David Heinemeier Hansson with Leon Breedt Mike Clark Thomas Fuchs Andreas Schwarz The Pragmatic Bookshelf Raleigh, North Carolina Dallas, Texas Prepared exclusively for Rida Al Barazi Bookshelf Pragmatic Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and The Pragmatic Programmers, LLC was aware of a trademark claim, the designations have been printed in initial capital letters or in all capitals. The Pragmatic Starter Kit, The Pragmatic Programmer, Pragmatic Programming, Pragmatic Bookshelf and the linking g device are trademarks of The Pragmatic Programmers, LLC. Every precaution was taken in the preparation of this book. However, the publisher assumes no responsibility for errors or omissions, or for damages that may result from the use of information (including program listings) contained herein. Our Pragmatic courses, workshops, and other products can help you and your team create better software and have more fun. For more information, as well as the latest Pragmatic titles, please visit us at http://www.pragmaticprogrammer.com Copyright © 2005 The Pragmatic Programmers LLC. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher. Printed in the United States of America. ISBN 0-9766940-0-X Printed on acid-free paper with 85% recycled, 30% post-consumer content. First printing, July 2005 Version: 2005-7-13 Prepared exclusively for Rida Al Barazi Contents 1Introduction 1 1.1 Rails Is Agile 3 1.2 Finding Your Way Around 4 1.3 Acknowledgments 6 Part I—Getting Started 8 2 The Architecture of Rails Applications 9 2.1 Models, Views, and Controllers 9 2.2 Active Record: Rails Model Support 13 2.3 Action Pack: The View and Controller 17 3 Installing Rails 19 3.1 Installing on Windows 19 3.2 Installing on Mac OS X 20 3.3 Installing on Unix/Linux 20 3.4 Rails and Databases 21 3.5 Keeping Up-to-Date 24 3.6 Rails and ISPs 24 4 Instant Gratification 25 4.1 Creating a New Application 25 4.2 Hello, Rails! 27 4.3 Linking Pages Together 37 4.4 What We Just Did 41 Prepared exclusively for Rida Al Barazi CONTENTS v Part II—Building an Application 42 5 The Depot Application 43 5.1 Incremental Development 43 5.2 What Depot Does 44 5.3 Let’s Code 48 6 Task A: Product Maintenance 49 6.1 Iteration A1: Get Something Running 49 6.2 Iteration A2: Add a Missing Column 57 6.3 Iteration A3: Validate! 60 6.4 Iteration A4: Prettier Listings 63 7 Task B: Catalog Display 67 7.1 Iteration B1: Create the Catalog Listing 67 7.2 Iteration B2: Add Page Decorations 70 8 Task C: Cart Creation 74 8.1 Sessions 74 8.2 More Tables, More Models 76 8.3 Iteration C1: Creating a Cart 78 8.4 Iteration C2: Handling Errors 86 8.5 Iteration C3: Finishing the Cart 90 9 Task D: Checkout! 95 9.1 Iteration D1: Capturing an Order 96 9.2 Iteration D2: Show Cart Contents on Checkout 104 10 Task E: Shipping 109 10.1 Iteration E1: Basic Shipping 109 11 Task F: Administrivia 118 11.1 Iteration F1: Adding Users 118 11.2 Iteration F2: Logging In 123 11.3 Iteration F3: Limiting Access 125 11.4 Finishing Up 129 11.5 More Icing on the Cake 130 Report erratum Prepared exclusively for Rida Al Barazi CONTENTS vi 12 Task T: Testing 132 12.1 Tests Baked Right In 132 12.2 Testing Models 133 12.3 Testing Controllers 148 12.4 Using Mock Objects 161 12.5 Test-Driven Development 162 12.6 Running Tests with Rake 165 12.7 Performance Testing 168 Part III—The Rails Framework 172 13 Rails in Depth 173 13.1 So Where’s Rails? 173 13.2 Directory Structure 173 13.3 Rails Configuration 177 13.4 Naming Conventions 180 13.5 Active Support 184 13.6 Logging in Rails 186 13.7 Debugging Hints 186 13.8 What’s Next 188 14 Active Record Basics 190 14.1 Tables and Classes 191 14.2 Columns and Attributes 192 14.3 Primary Keys and IDs 197 14.4 Connecting to the Database 199 14.5 CRUD—Create, Read, Update, Delete 201 14.6 Relationships between Tables 216 14.7 Transactions 237 15 More Active Record 243 15.1 Acts As 243 15.2 Aggregation 247 15.3 Single Table Inheritance 253 15.4 Validation 256 15.5 Callbacks 264 15.6 Advanced Attributes 272 15.7 Miscellany 275 Report erratum Prepared exclusively for Rida Al Barazi CONTENTS vii 16 Action Controller and Rails 278 16.1 Context and Dependencies 278 16.2 The Basics 279 16.3 Routing Requests 280 16.4 Action Methods 291 16.5 Cookies and Sessions 301 16.6 Flash—Communicating between Actions 311 16.7 Filters and Verification 313 16.8 Caching, Part One 318 16.9 The Problem with GET Requests 324 17 Action View 327 17.1 Templates 327 17.2 Builder templates 329 17.3 RHTML Templates 330 17.4 Helpers 332 17.5 Formatting Helpers 335 17.6 Linking to Other Pages and Resources 337 17.7 Pagination 340 17.8 Form Helpers 341 17.9 Layouts and Components 356 17.10 Caching, Part Two 366 17.11 Adding New Templating Systems 370 18 The Web, V2.0 373 18.1 Introducing AJAX 373 18.2 The Rails Way 376 18.3 The User Interface, Revisited 384 18.4 Advanced Techniques 389 19 Action Mailer 399 19.1 Sending E-mail 399 19.2 Receiving E-mail 406 19.3 Testing E-mail 408 20 Web Services on Rails 411 20.1 What AWS Is (and What It Isn’t) 411 20.2 The API Definition 412 20.3 Dispatching Modes 417 20.4 Using Alternate Dispatching 420 20.5 Method Invocation Interception 421 20.6 Testing Web Services 423 20.7 Protocol Clients 425 Report erratum Prepared exclusively for Rida Al Barazi CONTENTS viii 21 Securing Your Rails Application 427 21.1 SQL Injection 427 21.2 Cross-Site Scripting (CSS/XSS) 430 21.3 Avoid Session Fixation Attacks 433 21.4 Creating Records Directly from Form Parameters 434 21.5 Don’t Trust ID Parameters 435 21.6 Don’t Expose Controller Methods 436 21.7 File Uploads 438 21.8 Don’t Cache Authenticated Pages 438 21.9 Knowing That It Works 439 22 Deployment and Scaling 440 22.1 Picking a Production Platform 440 22.2 A Trinity of Environments 448 22.3 Iterating in the Wild 450 22.4 Maintenance 454 22.5 Scaling: The Share-Nothing Architecture 456 22.6 Finding and Dealing with Bottlenecks 459 22.7 Case Studies: Rails Running Daily 463 Part IV—Appendices 466 AIntroductiontoRuby 467 A.1 Ruby Is an Object-Oriented Language 467 A.2 Ruby Names 468 A.3 Methods 469 A.4 Classes 471 A.5 Modules 473 A.6 Arrays and Hashes 474 A.7 Control Structures 475 A.8 Regular Expressions 476 A.9 Blocks and Iterators 476 A.10 Exceptions 477 A.11 Marshaling Objects 478 A.12 Interactive Ruby 478 A.13 Ruby Idioms 479 A.14 RDoc Documentation 480 Report erratum Prepared exclusively for Rida Al Barazi CONTENTS ix B Configuration Parameters 482 B.1 Active Record Configuration 482 B.2 Action Pack Configuration 483 B.3 Action Mailer Configuration 485 B.4 Test Case Configuration 485 C Source Code 486 C.1 The Full Depot Application 486 C.2 Sample System Notifier 511 C.3 Cross-Reference of Code Samples 512 D Resources 516 D.1 Online Resources 516 D.2 Bibliography 516 Index 517 Report erratum Prepared exclusively for Rida Al Barazi By relieving the brain of all unnecessary work, a good notation sets it free to concentrate on more advanced problems Alfred North Whitehead Chapter 1 Introduction Ruby on Rails is a framework that makes it easier to develop, deploy, and maintain web applications. Of course, all web frameworks make the same claim. What makes Rails different? We can answer that question a number of ways. One way is to look at architecture. Over time, most developers have moved to a Model-View-Controller (MVC) architecture for serious web applica- tions. They find that MVC helps them structure their applications more cleanly. (We discuss MVC in more detail in the next chapter.) Java frame- works such as Tapestry and Struts are based on MVC. Rails is an MVC framework, too. When you develop in Rails, there’s a place for each piece of code, and all the pieces of your application interact in a standard way. It’s as if you start out with the skeleton of an application already prepared. Another way of answering the question is to look at the programming lan- guage. Rails applications are written in Ruby, a modern, object-oriented scripting language. Ruby is concise without being unintelligibly terse— you can express ideas naturally and cleanly in Ruby code. This leads to programs that are easy to write and (just as importantly) are easy to read months later. Ruby also lends itself to a style of programming that’s familiar to Lisp coders, but will look fairly exotic to others. The language makes it easy to create methods that act almost like extensions to the syntax. Some folks call this metaprogramming, but we just call it useful. It makes our pro- grams shorter and more readable. It also allows us to perform tasks that would normally be done in external configuration files inside the codebase instead. This makes it far easier to see what’s going on. The following code defines the model class for a project. Don’t worry about the details for Prepared exclusively for Rida Al Barazi [...]... Rails Is Agile The title of this book is Agile Web Development with Rails You may be surprised, then, to discover that we don’t have explicit sections on applying agile practices X, Y, and Z to Rails coding The reason is both simple and subtle Agility is part of the fabric of Rails Let’s look at the values expressed in the Agile Manifesto.1 They’re stated as a set of four preferences Agile development. .. add that product to itself (See how the model is being used to keep track of all the business data; the controller tells it what to do, and the model knows how to do it.) Now that the cart includes the new product, we can show it to the user The controller arranges things so that the view has access to the cart object from the model, and invokes the view code In Rails, this invocation is often implicit;... The routing component receives the incoming request and immediately picks it apart In this simple case, it takes the first part of the path, store, as the name of the controller and the second part, add_to_cart, as the name of an action The last part of the path, 123, is by convention extracted into an internal parameter called id As a result of all this analysis, the router knows it has to invoke the. .. builder templates starting on page 329 And the Controller! The Rails controller is the logical center of your application It coordinates the interaction between the user, the views, and the model However, 3 Or an XML response, or an e-mail, or The key point is that views generate the response back to the user 4 This approach might be familiar to web developers working with PHP or Java’s JSP technology Prepared... interacts with model Controller invokes view View renders next browser screen Controller View AND Model Database Figure 2.1: The Model-View-Controller Architecture via the model, but it will be a view that accesses the list from the model and formats it for the end user Although the view may present the user with various ways of inputting data, the view itself never handles incoming data The view’s... well-known place Using MVC was like constructing a skyscraper with the girders already in place—it was a lot easier to hang the rest of the pieces with a structure already there In the software world, we often ignore good ideas from the past as we rush headlong to meet the future When developers first started producing web applications, they went back to writing monolithic programs that inter- Prepared... encapsulation solves these types of problems We’d wrap everything to do with orders in a class; we’d have a single place to update when the regulations change Folks have extended these ideas to database programming The basic premise is trivially simple We wrap access to the database behind a layer of classes The rest of our application uses these classes and their objects—it never interacts with the database... where in the application the request should be sent and how the request itself should be parsed Ultimately, this phase identifies a particular method (called an action in Rails parlance) somewhere in the controller code The action might look at data in the request itself, it might interact with the model, and it might cause other actions to be invoked Eventually the action prepares information for the view,... along with support for test fixtures and mock objects, gives developers the safety net they need when making those changes With a good set of tests in place, changes are less nerve-wracking Rather than constantly trying to tie Rails processes to the agile principles, we’ve decided to let the framework speak for itself As you read through the tutorial section, try to imagine yourself developing web applications... reconciling the relational and OO views of their corporate data Let’s look at two different approaches One organizes your program around the database; the other organizes the database around your program Database-centric Programming The first folks who coded against relational databases programmed in procedural languages such as C and COBOL These folks typically embedded SQL2 directly into their code, either . exclusively for Rida Al Barazi Agile Web Development with Rails A Pragmatic Guide Dave Thomas David Heinemeier Hansson with Leon Breedt Mike Clark Thomas Fuchs Andreas Schwarz The Pragmatic Bookshelf Raleigh,. claim, the designations have been printed in initial capital letters or in all capitals. The Pragmatic Starter Kit, The Pragmatic Programmer, Pragmatic Programming, Pragmatic Bookshelf and the linking. No XML! 1.1 Rails Is Agile The title of this book is Agile Web Development with Rails.Youmaybe surprised, then, to discover that we don’t have explicit sections on applying agile practices X, Y,