Hi, this blog is no longer maintained, my new blog is here

Ruby On Rails and a Conning Israeli entrepreneur

Showing posts with label guides. Show all posts

Rails Nested Resources Tutorial

Preface

The best way to get started with Rails 2.x nested routing, and with routing in general, is to read the official Rails Routing guide on the Rails Guides website.

Rails Nested Routes/Resources

Nested routes/resources were introduced in Rails 1.2 as part of the RESTful approach adopted by the Rails core members.
Nested resources allow URLs like:
/tasks/?project_id=1
to take a sexier, more RESTful look:
/projects/1/tasks

Let’s use an example to make things a little clearer. We will use two models, Project and Task:

# /app/models/project.rb
class Project < ActiveRecord::Base
  has_many :tasks
end

# /app/models/task.rb
class Task < ActiveRecord::Base
  belongs_to :project
end


Setting up routes.rb

Creating a Nested Resource

:has_many keyword

The easiest way to create a nested route is to pass the :has_many option, like this:

# /config/routes.rb
map.resources :projects, :has_many => :tasks

# and the corresponding top-level task resource
map.resources :tasks


The second line, which defines a top-level RESTful route for :tasks, is optional: add it only if you want the Task resource to be reachable outside the project context.

Block

You can also specify the sub-resources in a block:
map.resources :projects do |project|
  project.resources :tasks
end

Singular Resources

Just the same, using the block variable for the parent resource:
map.resources :projects do |project|
  project.resource :design_document
end

Routes Helpers

Run:
$ rake routes
to see which routes your application has; you can pipe the output through UNIX’s grep (”| grep xxx”) to filter the results:
$ rake routes | grep project

A basic map.resources :projects will produce (among others):
projects GET /projects {:controller=>"projects", :action=>"index"}
formatted_projects GET /projects.:format {:controller=>"projects", :action=>"index"}
POST /projects {:controller=>"projects", :action=>"create"}
POST /projects.:format {:controller=>"projects", :action=>"create"}
new_project GET /projects/new {:controller=>"projects", :action=>"new"}
formatted_new_project GET /projects/new.:format {:controller=>"projects", :action=>"new"}



but the nested route we defined before will produce helpers that carry the parent id:
project_tasks GET /projects/:project_id/tasks
new_project_task GET /projects/:project_id/tasks/new
edit_project_task GET /projects/:project_id/tasks/:id/edit
project_task GET /projects/:project_id/tasks/:id


very nice.

Singular Nested Route Helpers


(from the example above)
/projects - list all projects
/projects/1 - show a single project
/projects/1/design_document - a project’s design document


Using the routing helpers


Since we now have another resource in context, when we want to use the new helpers we need to pass that resource instance as a parameter:
new_project_task_path(@project)
# or, when both resources are required
edit_project_task_path(@project, @task)


Forms


I'll assume you use form_for in your forms; it makes working with nested resources a lot easier than plain HTML or form_tag.
The regular form_for we know receives one instance as the form object:
<% form_for(@project) do |f| %>
...
<% end %>

But with nested resources, we'll pimp it up a little bit:

<% form_for([ @project, @task ]) do |f| %>
...
<% end %>

Note the array of instances: it tells form_for which objects the form needs when we deal with nested resources, so the form posts to the nested project_tasks URL.

Conclusion and some Gotchas.


Using nested resources and routes is the right thing: URLs are clear and code is readable. But:

1. You should not nest resources more than 2 levels deep.
2. Setting up pagination support (?page=3) kind of breaks the RESTful approach.
3. The Railscast about Nested Resources.
4. Using RESTful Ajax calls, a great lib by dfr|work (#rubyonrails).

NETTUTS: jQuery for beginners

http://nettuts.com/articles/web-roundups/jquery-for-absolute-beginners-video-series/
Great, great tutorial. Although I am (currently) a MooTools fan, I think this is a very good guide collection for jQuery.

NETTUTS: Best tutorials of 2008

NETTUTS just published a great tutorial roundup for 2008.
Great web development resource.

Lightning Fast Ruby On Rails security checklist

Ruby on Rails Security checklist for models:

  1. Use attr_accessible (or attr_protected if you must) to explicitly identify the attributes that .create and .update_attributes may set. Just because you don't expose an attribute on an edit form doesn't mean that someone won't try to post a value to it. I prefer attr_accessible over attr_protected because it fails on the side of safety when new fields are added to a model: you have to explicitly expose each new field.
  2. Make sure queries use the Rails bind variable facility for parameters, not string concatenation or Ruby's handy #{...} interpolation.
  3. Use validations to prevent bad input.
Ruby on Rails Security checklist for controllers:
  1. Make non-action controller methods private (if possible).
  2. If non-action controller methods must be public, identify them with hide_action to prevent unwanted execution.
  3. Make sure before_filters are in place if necessary for your authorization infrastructure.
  4. Move queries from your controller to your model, and see the model checklist above.
  5. Check every use of params[:id]: are you sure you can trust it? Verify that the current user actually owns the record, for example by finding it through the owning association rather than with a bare find.
  6. Check for usage of hidden fields: a user can send anything to you through them, so treat them with the same suspicion as params[:id].
  7. Use filter_parameter_logging to keep sensitive unencrypted data (passwords, SSNs, credit card numbers, etc.) out of your server logs.
  8. Forget about your view code for a minute, and think about how to protect your controller from posts a malicious user could make to any of your exposed methods. All parameters (whether or not exposed on a form, and whether or not visible) are subject to length overruns, bypassing of any browser-based validation, attacks with malformed data, etc.
Ruby on Rails Security checklist for views:
  1. Make sure all data displayed is escaped with the helper method h(string).
  2. Eliminate comments in your views that you don't wish the entire world to see.
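The two checklist items that catch the most real bugs, attr_accessible (models, item 1) and ownership of params[:id] (controllers, item 5), shown in plain Ruby as an added example that is not from the original post. Task, Project, find_task and update_task are in-memory stand-ins for the Rails pieces, tied to the nested projects/tasks routes from the tutorial above.

```ruby
# Added example (not code from the original post): plain Ruby standing in for
# checklist items 1 and 5. Task#update_attributes copies only the attributes in
# ACCESSIBLE (what attr_accessible enforces) and Project#find_task looks a task up
# through its owning project (what @project.tasks.find(params[:id]) does).
class RecordNotFound < StandardError; end
class Task
  ACCESSIBLE = [:title, :done].freeze   # fields a form may set
  attr_reader :id, :project_id, :title, :done

  def initialize(id, project_id, title)
    @id, @project_id, @title, @done = id, project_id, title, false
  end

  # Mass assignment that drops keys outside ACCESSIBLE (a posted project_id,
  # for instance) and returns the dropped keys so the caller can log them.
  def update_attributes(params)
    ignored = []
    params.each do |key, value|
      if ACCESSIBLE.include?(key.to_sym)
        instance_variable_set("@#{key}", value)
      else
        ignored << key.to_sym
      end
    end
    ignored
  end
end

class Project
  attr_reader :id, :tasks

  def initialize(id)
    @id, @tasks = id, []
  end

  # Scoped lookup: a task id from another project raises instead of matching
  def find_task(task_id)
    @tasks.find { |t| t.id == task_id.to_i } or
      raise RecordNotFound, "no Task #{task_id} in Project #{@id}"
  end
end

# What TasksController#update does with the params the nested route recognized;
# `projects` is an in-memory id => Project hash standing in for Project.find.
def update_task(projects, params)
  project = projects[params[:project_id].to_i] or raise RecordNotFound, "no Project"
  task = project.find_task(params[:id])
  task.update_attributes(params[:task])
  task
end
```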

