Helper methods available from the browser???!!!


Dmitry Hazin

Sep 6, 2006, 10:23:32 AM
to rubyonra...@googlegroups.com
When I use some helper with controller, like :helper helper_name,
I can call all helper methods that are not private or protected from
browser, by typing url "http://controller/helper_method".
Does this work only for the development environment or does it work always?
I've seen some helpers from wiki.rubyonrails.org and rails books and
helper methods never were private or protected there...

Thanks,
Dmitry

--
Posted via http://www.ruby-forum.com/.

Curtis Summers

Sep 6, 2006, 10:50:03 AM
to rubyonra...@googlegroups.com
> When I use some helper with controller, like :helper helper_name,
> I can call all helper methods that are not private or protected from
> browser, by typing url "http://controller/helper_method".
> Does this work only for the development environment or does it work always?
> I've seen some helpers from wiki.rubyonrails.org and rails books and
> helper methods never were private or protected there...

Hmm. I'm seeing this, too. For most cases, this results in a "Template
is missing" error because there's nothing to render. However, if you
happened to have a helper method in the controller that rendered
something (a partial, say), I'm thinking this could be a security issue.

Protecting the methods seems to fix this, resulting in an "Unknown
action" error. Is there any functionality lost by protecting the
methods? Maybe helper_method should protect these automagically?

Curtis Summers

Sep 6, 2006, 10:53:40 AM
to rubyonra...@googlegroups.com
> Hmm. I'm seeing this, too. For most cases, this results in a "Template
> is missing" error because there's nothing to render.

> Protecting the methods seems to fix this, resulting in an "Unknown
> action" error.

BTW, these errors show up in development, but result in a 500 error in
production.

Dmitry Hazin

Sep 7, 2006, 12:00:47 AM
to rubyonra...@googlegroups.com
Curtis Summers wrote:
>> Hmm. I'm seeing this, too. For most cases, this results in a "Template
>> is missing" error because there's nothing to render.
>
>> Protecting the methods seems to fix this, resulting in an "Unknown
>> action" error.
>
> BTW, these errors show up in development, but result in a 500 error in
> production.

But helper methods are still available through GET in production?
As I saw in the development log, when an application error happens Rails
sends HTTP with a 500 status.

Curtis Summers

Sep 12, 2006, 7:41:57 AM
to rubyonra...@googlegroups.com
Dmitry Hazin wrote:
> But helper methods are still available through GET in production?

Yep. In most cases they will cause a template error unless you have a
helper that calls render or you happen to have a view to be rendered
with your helper action's name.

Why you would have a helper method that renders something defined in
your controller I don't know, but I've tested this and can get rendered
text, partial, or full view.

Dmitry Hazin

Sep 12, 2006, 9:51:38 PM
to rubyonra...@googlegroups.com

Helpers

Helpers are smart methods (functions) that help your view templates
generate HTML. They know to use your model objects and controller
classes to create just the right HTML and.
(from
http://www.onlamp.com/pub/a/onlamp/2005/10/13/what_is_rails.html?page=5,
but it doesn't matter)

What do you mean?


> Why you would have a helper method that renders something defined in
> your controller I don't know, but I've tested this and can get rendered
> text, partial, or full view.

Helpers' purpose is to 'render something defined in controller', isn't
it??

Daniel N

Sep 12, 2006, 9:57:54 PM
to rubyonra...@googlegroups.com
Has this issue been raised on the core list? IMHO it seems like it should be something that should be discussed there, or at least a core member should be made aware of it.

Curtis Summers

Sep 12, 2006, 10:26:03 PM
to rubyonra...@googlegroups.com
Dmitry Hazin wrote:
> Helpers' purpose is to 'render something defined in controller', isn't
> it??

In the above statement I'm differentiating helpers defined in a
controller vs. helpers defined in a helper module.

If I need to use a method in both my controller and my view, I define it
in my controller and then designate it as a helper with helper_method.
In practice, I find that the methods I need in both the controller and
the view are methods that do not end up rendering anything (e.g.,
logged_in?, is_admin?). Most of my rendering helpers are defined in my
helper modules and not in my controller.

Did that make sense?


Daniel,

As far as I know the core list has not been notified.

Daniel N

Sep 12, 2006, 10:48:17 PM
to rubyonra...@googlegroups.com
I've put a link to this thread on the core list.

Cheers

Jeremy Kemper

Sep 13, 2006, 12:57:34 AM
to rubyonra...@googlegroups.com
On 9/6/06, Dmitry Hazin <rails-mai...@andreas-s.net> wrote:
> When I use some helper with controller, like :helper helper_name,
> I can call all helper methods that are not private or protected from
> browser, by typing url "http://controller/helper_method".
> Does this work only for the development environment or does it work always?
> I've seen some helpers from wiki.rubyonrails.org and rails books and
> helper methods never were private or protected there...

Simply make your helper methods non-public. Perhaps helper_method could warn you if public_instance_methods.include?(method_name) but this really isn't its concern.

jeremy
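The following is an added example, not code from this thread or from Rails itself. It is a plain-Ruby model of the two Rails behaviours the thread turns on: ActionController treats every public instance method a controller adds on top of its base class as a routable action, and helper_method gives the view a same-named method that delegates back to the controller with send, which works on protected and private methods too. The class names (AppController, LeakyAdminController, SafeAdminController, PageView) and the role parameter are assumptions made for the example; in real Rails the leaky case would run the method and then fail with "Template is missing" unless the method rendered something, which the model reduces to "the method was reachable over GET".

```ruby
# Added example (not from the thread, not Rails code). Stand-alone Ruby
# model of how Rails decides which controller methods are actions, and of
# what helper_method does. Names below are hypothetical.

# Stand-in for ActionController::Base.
class AppController
  # Rails rule: every public instance method that the subclass adds on
  # top of the base class is a callable action.
  def self.action_methods
    (public_instance_methods - AppController.public_instance_methods).map(&:to_s)
  end

  # Rails helper_method: the view's helper module gets a method of the same
  # name that calls controller.send, so the controller method may be
  # protected or private and the view still reaches it.
  def self.helper_method(*names)
    names.each do |name|
      view_module.send(:define_method, name) do |*args, &blk|
        controller.send(name, *args, &blk)
      end
    end
  end

  # One helper module per controller class (hypothetical simplification).
  def self.view_module
    @view_module ||= Module.new
  end

  attr_reader :params

  def initialize(params = {})
    @params = params
  end

  # Routing step: GET /controller/<action> ends up here. Only a method that
  # counts as an action is invoked; anything else is "Unknown action".
  def process(action)
    unless self.class.action_methods.include?(action.to_s)
      return [404, "Unknown action: #{action}"]
    end
    [200, public_send(action)]
  end
end

# Stand-in for a rendered view: mixes in the controller's helper module and
# keeps a reference back to the controller, as ActionView does.
class PageView
  attr_reader :controller

  def initialize(controller)
    @controller = controller
    extend controller.class.view_module
  end
end

# Controller as written in many tutorials of the time: the helper is public,
# so it is also an action reachable as GET /admin/is_admin.
class LeakyAdminController < AppController
  helper_method :is_admin?

  def index
    "index page"
  end

  def is_admin?
    params[:role] == "admin"
  end
end

# Same controller with the helper moved below `protected`. It disappears
# from the action list, but the view still gets it through helper_method.
class SafeAdminController < AppController
  helper_method :is_admin?

  def index
    "index page"
  end

  protected

  def is_admin?
    params[:role] == "admin"
  end
end

if __FILE__ == $0
  req = { role: "admin" }  # constructed request parameters
  p LeakyAdminController.action_methods                 # ["index", "is_admin?"]
  p LeakyAdminController.new(req).process("is_admin?")  # [200, true]  reachable over GET
  p SafeAdminController.action_methods                  # ["index"]
  p SafeAdminController.new(req).process("is_admin?")   # [404, "Unknown action: is_admin?"]
  p PageView.new(SafeAdminController.new(req)).is_admin?  # true  view still works
end
```

The check to apply to your own app is the same one the model runs: diff your controller's public instance methods against ActionController::Base's and treat anything left over that is not meant to be an action as reachable by URL. Moving helper methods below `protected` costs nothing in the view, because helper_method delegates with send rather than a public call.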

Dmitry Hazin

Sep 13, 2006, 5:50:01 AM
to rubyonra...@googlegroups.com

Of course, I can make my methods protected, but if anyone follows
any Rails tutorial there is nothing about this; moreover, all 3rd party
helpers that I've downloaded from the wiki or somewhere else had their
methods public.

Curtis Summers

Sep 13, 2006, 6:43:17 AM
to rubyonra...@googlegroups.com
Dmitry Hazin wrote:
> Of course, I can make my methods protected, but if anyone follows
> any Rails tutorial there is nothing about this; moreover, all 3rd party
> helpers that I've downloaded from the wiki or somewhere else had their
> methods public.

I agree that this problem is not well documented, and if no changes are
made to helper_method, then there should at least be a note in the
official docs.
