Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Using the session variable in my view

Tags:

variables

ruby-on-rails

I've been told that I shouldn't use variables such as params[:user_id] in my view files. Does the same rule apply to the session variable?

If not, then what should I be doing? Assign it to an instance variable first and then use that in the view? This seems annoying as I would have to do it for each of my actions. I guess I could put this repetitive code in one method which gets called by all the other actions in that class.

like image 832
alamodey Avatar asked Mar 17 '09 11:03

alamodey

2 Answers

This recommendation comes from the best practice of "separation of concerns" between the different components that make up your Rails app. The best place to determine the current user is in your controller. This is where you would access your params and/or session to determine if someone is logged in, either directly or indirectly through an authentication plugin. Then, if you need this information in your view just store it in a variable such as @user which will be automatically available in your view for display purposes. Doing it this way, if you later change your authentication mechanism you can do so without touching your views, which is a good indication to you that you have a good separation between the different components in your app.

Also in response to the second part of your question:

I guess I could put this repetitive code in one method which gets called by all the other actions in that class.

This can be easily done with a :before_filter in your controller, which you can point toward a method that checks authentication and creates any necessary instance variables to be shared among the actions in your controller.

like image 55
Adam Alexander Avatar answered Oct 07 '22 06:10

Adam Alexander

You definitely want to verify params[:user_id] or session[:user_id] on every page load. If your session is hijacked, you could potentially put unwanted code into your view and allow a cross-site scripting attack.

That said, the proper method, used in the authenticated_system plugin, is to reference a current_user helper method that allows you to retrieve current_user.user_id.

Additionally, if you're using user_id in a call to the database, you should still verify it by calling @selected_user = User.find(params[:user_id] and using @selected_user.id in your view and controller action.

You'll get much more control and protection.

like image 42
Christopher Hazlett Avatar answered Oct 07 '22 06:10

Christopher Hazlett
Sign in to Comment

Related questions

Rails low level cache not working in development mode
How to slow down Capybara?
How to Simulate ActiveStorage Uploads in RSpec Request Specs
Using ERB in Markdown with Redcarpet
How do I find and replace 'nil' values of Ruby hash with "None" or 0?
Webpacker throws application.css not found in manifest.json in *Rails 6* application
How can I extend gem class in Rails 6/Zeitwerk without breaking code reloading?
BUILD FAILED (OS X 10.15.1 using ruby-build 20191124) when installing ruby-2.4.0 with rbenv in OSX catalina(10.15.1)
In pagy gem in rails, how do you hide pagination when unneeded?
Where with OR condition for the same column in Rails
Read rails encrypted credentials in webpacker react app
Brand new Rails 6.1.4.1 fails with webpack error - TypeError: Class constructor ServeCommand cannot be invoked without 'new'
Is there a rake task for backing up the data in your database?
How does has_one :through work?
Correct Rails 2.1 way of doing things
Rails Associations, habtm? Polymorphic? Both?
Shared file storage for a Rails Application
Ruby on rails application root
Accessing associations in Rails
How do I textile and sanitize html?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!