rescue_from ActionController::RoutingError II
Ralph Shnelvar
Why doesn't rescue_from ActionController::RoutingError work witht he
code from
http://www.rubyplus.org/episodes/20-Extended-RESTful-Authentication-Rails-2-App.html
class ApplicationController < ActionController::Base
helper :all # include all helpers, all the time
# See ActionController::RequestForgeryProtection for details
# Uncomment the :secret if you're not using the cookie session store
protect_from_forgery # :secret => '34e000fc7cc2daeae150a89535f7f87d'
# Be sure to include AuthenticationSystem in Application Controller
# instead
include AuthenticatedSystem
#Shnelvar
debugger # This one gets hit
#neither rescue_from seems to work
rescue_from ActionController::RoutingError, :with => :route_not_found
# rescue_from ActionController::RoutingError, :with => :render_404
protected
def route_not_found
debugger #this one does not
render :text => 'What are you looking for ?', :status => :not_found
end
#Shnelvar end
end
------------------------
As I scour the internet for this I see several people having the same
problem and various explanations that make little sense to me.
It gets more interesting in that if I use the most recent authlogic
code:
------------------------
# Filters added to this controller apply to all controllers in the
application.
# Likewise, all the methods added will be available for all controllers.
class ApplicationController < ActionController::Base
helper :all
helper_method :current_user_session, :current_user
filter_parameter_logging :password, :password_confirmation
private
def current_user_session
return @current_user_session if defined?(@current_user_session)
@current_user_session = UserSession.find
end
def current_user
return @current_user if defined?(@current_user)
@current_user = current_user_session &&
current_user_session.record
end
def require_user
unless current_user
store_location
flash[:notice] = "You must be logged in to access this page"
redirect_to new_user_session_url
return false
end
end
def require_no_user
if current_user
store_location
flash[:notice] = "You must be logged out to access this page"
redirect_to account_url
return false
end
end
def store_location
session[:return_to] = request.request_uri
end
def redirect_back_or_default(default)
redirect_to(session[:return_to] || default)
session[:return_to] = nil
end
rescue_from ActionController::RoutingError do
debugger
render :text => 'no way, Jose'
end
end
------------------------
the rescue DOES work.
So ... my general question is ...
How would one go about starting to figure out why it does not work in
the RESTful Authentication?
--
Posted via http://www.ruby-forum.com/.
Marnen Laibow-Koser
> OK ... so I'm not supposed to use it but ...
>
> Why doesn't rescue_from ActionController::RoutingError work witht he
> code from
> http://www.rubyplus.org/episodes/20-Extended-RESTful-Authentication-Rails-2-App.html
Dude. You don't need to rescue from RoutingErrors -- Rails already
handles that. You don't want to use restful_authentication -- Authlogic
is better. Why are you so intent on figuring out how to do things that
you already know are bad? Spend your time on learning to do better
things!
[...]
Best,
--
Marnen Laibow-Koser
http://www.marnen.org
mar...@marnen.org
Ralph Shnelvar
I will be using Authlogic ... that's not the issue.
I am trying to resolve why something that should work ... rescue_from
... doesn't work in one place but does in another.
Marnen Laibow-Koser
> Marnen Laibow-Koser wrote:
>> Ralph Shnelvar wrote:
>>> OK ... so I'm not supposed to use it but ...
>>>
>>> Why doesn't rescue_from ActionController::RoutingError work witht he
>>> code from
>>> http://www.rubyplus.org/episodes/20-Extended-RESTful-Authentication-Rails-2-App.html
>>
>> Dude. You don't need to rescue from RoutingErrors -- Rails already
>> handles that. You don't want to use restful_authentication -- Authlogic
>> is better. Why are you so intent on figuring out how to do things that
>> you already know are bad? Spend your time on learning to do better
>> things!
>> [...]
>>
>> Best,
>> --
>> Marnen Laibow-Koser
>> http://www.marnen.org
>> mar...@marnen.org
>
> I will be using Authlogic ... that's not the issue.
No, that's not the issue. The issue is that you never need rescue_from
RoutingError, since Rails already does that for you.
>
> I am trying to resolve why something that should work ... rescue_from
> ... doesn't work in one place but does in another.
Because you're using it in a nonsensical way.
Let me turn the question around. Why do you think you need rescue_from
RoutingError? What can you do with it that Rails' own error handling
doesn't give you?
Best,
--
Marnen Laibow-Koser
http://www.marnen.org
mar...@marnen.org
Ralph Shnelvar
> RoutingError? What can you do with it that Rails' own error handling
> doesn't give you?
Do I need it? Probably not.
But since you asked ...
Perhaps I want to collect statistics and take appropriate action if a
user is attempting to probe or attack my website for a security
weakness.
Marnen Laibow-Koser
>> Let me turn the question around. Why do you think you need rescue_from
>> RoutingError? What can you do with it that Rails' own error handling
>> doesn't give you?
>
> Do I need it? Probably not.
Then don't use it!
>
> But since you asked ...
>
> Perhaps I want to collect statistics and take appropriate action if a
> user is attempting to probe or attack my website for a security
> weakness.
I've never tried this, but apparently you want rescue_action or
rescue_action_in_public .
Best,
--
Marnen Laibow-Koser
http://www.marnen.org
mar...@marnen.org
Ralph Shnelvar
> Ralph Shnelvar wrote:
>>> Let me turn the question around. Why do you think you need rescue_from
>>> RoutingError? What can you do with it that Rails' own error handling
>>> doesn't give you?
>>
>> Do I need it? Probably not.
>
> Then don't use it!
>
>>
>> But since you asked ...
>>
>> Perhaps I want to collect statistics and take appropriate action if a
>> user is attempting to probe or attack my website for a security
>> weakness.
>
> I've never tried this, but apparently you want rescue_action or
> rescue_action_in_public .
Just to let you know ... the authlogic code, rescue_test.rb, tests for
rescue_from ActionController::RoutingError
with a comment that "# This is a Dispatcher exception and should be in
ApplicationController."
Anyway, thanks for pointing to rescue_action and
rescue_action_in_public. I'll research these.
Billee D.
I have to agree with Marnen on this issue; Rails already deals with
routing errors pretty well. But, I understand that you may want to get
your head around why the rescue_from ActionController::RoutingError
call doesn't work in certain situations. I also understand the need to
want to do something programmatically to log or handle the failed
request.
I think that Marnen is on the right track in that what you are trying
to accomplish with the rescue_from call isn't really the right way to
approach the situation. You want either the rescue_action or
rescue_action_in_public calls instead. I've never used them -- never
had a need for them that I'm aware of -- but the API docs on these
methods seem to tell me this is what you want instead of rescue_from.
I'm guessing here that you really want to be able to track and keep a
record of all the URLs in your app/site that might trigger a 404 or
could be considered "probing the armor" for weaknesses.
This may be a bit off from your original path, but have you considered
trying to catch and trap all 404 errors? I use a technique derived
from Advanced Rails Recipes (http://www.pragmaticprogrammer.com/titles/
fr_arr) where I set up a glob route at the bottom of my routes.rb
file:
map.connect '*path', :controller => 'four_o_fours'
Then create a controller and model to handle these requests:
==================================================
>> Controller:
class FourOFoursController < ApplicationController
def index
FourOFour.add_request(request.host,
request.path,
request.env['HTTP_REFERER'] || '')
respond_to do |format|
format.html { render :file => "#{RAILS_ROOT}/public/404.html",
:status => "404 Not Found" }
format.all { render :nothing => true,
:status => "404 Not Found" }
end
end
end
==================================================
>> Model:
class FourOFour < ActiveRecord::Base
def self.add_request(host, path, referer)
request = find_or_initialize_by_host_and_path_and_referer(host,
path,
referer)
request.count += 1
request.save
end
end
==================================================
>> Migration:
class CreateFourOFours < ActiveRecord::Migration
def self.up
create_table :four_o_fours do |t|
t.string :host, :path, :referer
t.integer :count, :default => 0
t.timestamps
end
add_index :four_o_fours, [:host, :path, :referer], :unique => true
add_index :four_o_fours, [:path]
end
def self.down
drop_table :four_o_fours
end
end
==================================================
Set this up and you can have a fairly decent trace log of errant
requests right in the database. You can also extend this logic and
setup other controllers for different errors and more. For example, I
have logic set up that will email me if a certain 404 error is
accessed more than 10 times in a minute so I can either fix the
problem or investigate the issue (e.g. a "probe" request).
I guess this is all just to point out that routing errors are already
pretty easy to manage and maybe what you are really trying to achieve
requires a different approach. :)
On Dec 24, 9:02 pm, Ralph Shnelvar <li...@ruby-forum.com> wrote:
> OK ... so I'm not supposed to use it but ...
>
> Why doesn't rescue_from ActionController::RoutingError work witht he
> code fromhttp://www.rubyplus.org/episodes/20-Extended-RESTful-Authentication-R...
Ralph Shnelvar
> Hi Ralph,
> I have to agree with Marnen on this issue; Rails already deals with
> routing errors pretty well. But, I understand that you may want to get
> your head around why the rescue_from ActionController::RoutingError
> call doesn't work in certain situations. I also understand the need to
> want to do something programmatically to log or handle the failed
> request.
Really, it was -- in the beginning -- a matter of curiosity as to WHY
something didn't work rather than any great need to deal with an issue.
It was, in addition, a general request for how one would go about
solving why.
Suddenly, though, it morphed into a security issue that "I picked that
out of the air" and realized that I really did want to deal with that
security issue.
As a newbie, I find your comments so far very illuminating and helpful.
>
> I think that Marnen is on the right track in that what you are trying
> to accomplish with the rescue_from call isn't really the right way to
> approach the situation. You want either the rescue_action or
> rescue_action_in_public calls instead. I've never used them -- never
> had a need for them that I'm aware of -- but the API docs on these
> methods seem to tell me this is what you want instead of rescue_from.
Ok, remembering that I am a newbie, please explain _why_ rescue_action
is better/preferred/etc. than rescue_from.
>
> I'm guessing here that you really want to be able to track and keep a
> record of all the URLs in your app/site that might trigger a 404 or
> could be considered "probing the armor" for weaknesses.
Speaking of this, I was delighted to find this relatively easy-to-read
article on security issues that was installed in my authlogic sample.
... \authlogic\vendor\rails\railties\guides\source\security.textile
>
> This may be a bit off from your original path, but have you considered
> trying to catch and trap all 404 errors? I use a technique derived
> from Advanced Rails Recipes (http://www.pragmaticprogrammer.com/titles/
> fr_arr) where I set up a glob route at the bottom of my routes.rb
> file:
It is off the original path but ...
I like! I like!
>
> map.connect '*path', :controller => 'four_o_fours'
>
> Then create a controller and model to handle these requests:
[snip]
> def self.down
> drop_table :four_o_fours
> end
> end
>
> ==================================================
>
> Set this up and you can have a fairly decent trace log of errant
> requests right in the database. You can also extend this logic and
> setup other controllers for different errors and more. For example, I
> have logic set up that will email me if a certain 404 error is
> accessed more than 10 times in a minute so I can either fix the
> problem or investigate the issue (e.g. a "probe" request).
Nice! Nice! Nice!
>
> I guess this is all just to point out that routing errors are already
> pretty easy to manage and maybe what you are really trying to achieve
> requires a different approach. :)
But ... I still don't understand why it is a better approach.
Clearly you and Marnen Laibow-Koser understand why rescue from is bad
bad bad ... but I an still clueless as to what principle or principles I
am breaking.
Marnen Laibow-Koser
Because it's clearly (from the docs etc.) the way the Rails designers
intended this to be done. I don't know why rescue_from doesn't work on
RoutingErrors -- I just know that it's not meant to work, and that there
is another method, built for the purpose, that does work.
[...]
> But ... I still don't understand why it is a better approach.
>
> Clearly you and Marnen Laibow-Koser understand why rescue from is bad
> bad bad ... but I an still clueless as to what principle or principles I
> am breaking.
You're breaking the principle of working *with* the framework, not
against it. If Rails provides something that does exactly what you
want, you should use it rather than trying to reinvent a square wheel.
Best,
--
Marnen Laibow-Koser
http://www.marnen.org
mar...@marnen.org
--
Posted via http://www.ruby-forum.com/.
Ralph Shnelvar
>> bad bad ... but I an still clueless as to what principle or principles I
>> am breaking.
>
> You're breaking the principle of working *with* the framework, not
> against it. If Rails provides something that does exactly what you
> want, you should use it rather than trying to reinvent a square wheel.
Ok ... I'm missing some gestalt.
Something is clear to you that is utterly unclear to me.
What in the docs clues you in to the fact that rescue_action is better
than rescue_from? And/or that rescue_from might not work.
Marnen Laibow-Koser
>>> Clearly you and Marnen Laibow-Koser understand why rescue from is bad
>>> bad bad ... but I an still clueless as to what principle or principles I
>>> am breaking.
>>
>> You're breaking the principle of working *with* the framework, not
>> against it. If Rails provides something that does exactly what you
>> want, you should use it rather than trying to reinvent a square wheel.
>
> Ok ... I'm missing some gestalt.
>
> Something is clear to you that is utterly unclear to me.
>
> What in the docs clues you in to the fact that rescue_action is better
> than rescue_from?
I did a Web search and found that that's what people are using for
rescuing from RoutingError.
> And/or that rescue_from might not work.
Your original post.
Best,
--
Marnen Laibow-Koser
http://www.marnen.org
mar...@marnen.org
Frederick Cheung
On Dec 26, 9:52 pm, Ralph Shnelvar <li...@ruby-forum.com> wrote:
> Something is clear to you that is utterly unclear to me.
>
> What in the docs clues you in to the fact that rescue_action is better
> than rescue_from? And/or that rescue_from might not work.
> --
Interestingly enough, I generated a fresh rails 2.3.5 app, stuck
class ApplicationController < ActionController::Base
rescue_from ActionController::RoutingError, :with => :not_found
rescue_from ActionController::UnknownAction, :with => :not_found
protected
def not_found
render :text => 'Oh No!'
end
end
in application_controller.rb and the rescue_from appears to work (ie
going to /doesnotexist or /products/1/blahblah both produce oh no)
(there is a slight difference between routing error and unknown action
- the former means that rails doesn't thing the path corresponds to
anything, the latter that rails thinks it is identified the controller
& action for the request but the controller in question did not have
the appropriate action. As far as the user is concerned these are both
404s but to rails these are slightly different)
Fred
Ralph Shnelvar
> On Dec 26, 9:52�pm, Ralph Shnelvar <li...@ruby-forum.com> wrote:
> Interestingly enough, I generated a fresh rails 2.3.5 app, stuck
>
> class ApplicationController < ActionController::Base
> rescue_from ActionController::RoutingError, :with => :not_found
> rescue_from ActionController::UnknownAction, :with => :not_found
> protected
> def not_found
> render :text => 'Oh No!'
> end
> end
So .... what I think is happening is that I have a versioning problem
with the restful authorization code.
Is there a way for me to see what version of the various components of
the application I have?
Frederick Cheung
Are you using the app checked in at http://code.google.com/p/simply-rich-authenticator
essentially unmodified? That is using rails 2.0.2 (look at
environment.rb) and rescue_from was only made to deal with
RoutingError in july of 2008 (ie several months after that sample app
was checked in), (if memory is correct that will mean that the first
version it was in was rails 2.2)
Fred
> --
> Posted viahttp://www.ruby-forum.com/.
Ralph Shnelvar
> Are you using the app checked in at
> http://code.google.com/p/simply-rich-authenticator
> essentially unmodified?
YES!
>That is using rails 2.0.2 (look at
> environment.rb) and rescue_from was only made to deal with
> RoutingError in july of 2008 (ie several months after that sample app
> was checked in), (if memory is correct that will mean that the first
> version it was in was rails 2.2)
I tracked through environment.rb with a debugger and
RAILS_GEM_VERSION = '2.0.2' unless defined? RAILS_GEM_VERSION
RAILS_GEM_VERSION is undefined before the statement and is defined as
RAILS_GEM_VERSION = "2.0.2"
afterwards.
I continued the run and immediately got the error
- - -
F:/InstantRails-2.0-win/ruby/lib/ruby/gems/1.8/gems/rails-2.2.2/lib/initializer.
rb:530:in `send': undefined method `cache_template_extensions=' for
ActionView::
Base:Class (NoMethodError)
- - -
So a little sniffing in the debugger and Google found
http://paulsturgess.co.uk/articles/show/75-undefined-method-cache_template_extensions-when-upgrading-to-ruby-on-rails-222
Commending out the line
# config.action_view.cache_template_extensions = false
in application.rb and voila ...
rescue_from ActionController::RoutingError, :with => :route_not_found
now works.
I love you, Frederick Cheung. Please marry me.
- - - -
Now I have another decision to make. Do I use the autlogic code or the
restful authorization code?
The http://code.google.com/p/simply-rich-authenticator code does a lot
of stuff I want (e.g. email confirmation of the user's email account).
Yet ... I am reading a lot about why I should not use it.
Some advice, please.
Marnen Laibow-Koser
[...]
> I tracked through environment.rb with a debugger and
> RAILS_GEM_VERSION = '2.0.2' unless defined? RAILS_GEM_VERSION
> RAILS_GEM_VERSION is undefined before the statement and is defined as
> RAILS_GEM_VERSION = "2.0.2"
> afterwards.
Why did you need a debugger for that? That's the standard way of
specifying Rails versions.
>
> I continued the run and immediately got the error
> - - -
> F:/InstantRails-2.0-win/ruby/lib/ruby/gems/1.8/gems/rails-2.2.2/lib/initializer.
> rb:530:in `send': undefined method `cache_template_extensions=' for
> ActionView::
> Base:Class (NoMethodError)
> - - -
>
> So a little sniffing in the debugger and Google found
> http://paulsturgess.co.uk/articles/show/75-undefined-method-cache_template_extensions-when-upgrading-to-ruby-on-rails-222
>
> Commending out the line
> # config.action_view.cache_template_extensions = false
> in application.rb and voila ...
>
> rescue_from ActionController::RoutingError, :with => :route_not_found
>
> now works.
>
> I love you, Frederick Cheung. Please marry me.
>
> - - - -
>
> Now I have another decision to make. Do I use the autlogic code or the
> restful authorization code?
Why the hell would you use restful_auth? It has virtually no advantages
over Authlogic and many disadvantages. I already explained this to you
in some detail.
>
> The http://code.google.com/p/simply-rich-authenticator code does a lot
> of stuff I want (e.g. email confirmation of the user's email account).
>
You should be able to do that pretty easily with Authlogic.
> Yet ... I am reading a lot about why I should not use it.
>
> Some advice, please.
I already gave you some in an earlier post. Perhaps you should go back
and read it instead of acting like you never saw it. Remember: we'll
help, but you have to read the help. It's not really fair to ask the
same question multiple times.
Best,
--
Marnen Laibow-Koser
http://www.marnen.org
mar...@marnen.org
Ralph Shnelvar
> Ralph Shnelvar wrote:
> [...]
>> I tracked through environment.rb with a debugger and
>> RAILS_GEM_VERSION = '2.0.2' unless defined? RAILS_GEM_VERSION
>> RAILS_GEM_VERSION is undefined before the statement and is defined as
>> RAILS_GEM_VERSION = "2.0.2"
>> afterwards.
>
> Why did you need a debugger for that? That's the standard way of
> specifying Rails versions.
Because, Marnen, what is utterly obvious to you ... what you know by
experience or having read it somewhere, is something new to me.
> Why the hell would you use restful_auth? It has virtually no advantages
> over Authlogic and many disadvantages. I already explained this to you
> in some detail.
And I explained that the restful code does email authorization. This is
a fair amount of code for ME to write.
>>
>> The http://code.google.com/p/simply-rich-authenticator code does a lot
>> of stuff I want (e.g. email confirmation of the user's email account).
>>
>
>You should be able to do that pretty easily with Authlogic.
It may be easy for you. It is a huge undertaking for me.
There is state logic that I need to maintain (e.g. "email not
confirmed") that I am not comfortable maintaining.
There is security code (e.g. the URL the user clicks on) that needs to
be generated and responded to ... more state information.
The restful code sample ...
http://code.google.com/p/simply-rich-authenticator
... uses "Acts As State Machine". Is this independent of the restful
authentication and is it wise to use this in the Authlogic code?
>
>> Yet ... I am reading a lot about why I should not use it.
>>
>> Some advice, please.
>
> I already gave you some in an earlier post. Perhaps you should go back
> and read it instead of acting like you never saw it. Remember: we'll
> help, but you have to read the help. It's not really fair to ask the
> same question multiple times.
I have read your advice. You have advised ... without much background
... that authlogic is better. But is it better in the case where a
more-or-less complete application has already been generated?
While you are obviously knowledgeable, following you advice without me
having the appropriate background is difficult.
It appears to me that you have forgotten that it is the simple things
that cause the greatest confusion.
Marnen Laibow-Koser
> Marnen Laibow-Koser wrote:
>> Ralph Shnelvar wrote:
>> [...]
>>> I tracked through environment.rb with a debugger and
>>> RAILS_GEM_VERSION = '2.0.2' unless defined? RAILS_GEM_VERSION
>>> RAILS_GEM_VERSION is undefined before the statement and is defined as
>>> RAILS_GEM_VERSION = "2.0.2"
>>> afterwards.
>>
>> Why did you need a debugger for that? That's the standard way of
>> specifying Rails versions.
>
> Because, Marnen, what is utterly obvious to you ... what you know by
> experience or having read it somewhere, is something new to me.
There is a comment explaining exactly this right in the environment.rb
file that Rails generates for you. Surely you've looked in that file
before...
>
>> Why the hell would you use restful_auth? It has virtually no advantages
>> over Authlogic and many disadvantages. I already explained this to you
>> in some detail.
>
> And I explained that the restful code does email authorization. This is
> a fair amount of code for ME to write.
>
>>>
>>> The http://code.google.com/p/simply-rich-authenticator code does a lot
>>> of stuff I want (e.g. email confirmation of the user's email account).
>>>
>>
>>You should be able to do that pretty easily with Authlogic.
>
> It may be easy for you. It is a huge undertaking for me.
I don't think you have to do it from scratch. IIRC, Authlogic provides
e-mail activation in an even better way than restful_auth does.
>
> There is state logic that I need to maintain (e.g. "email not
> confirmed") that I am not comfortable maintaining.
You don't need to.
>
> There is security code (e.g. the URL the user clicks on) that needs to
> be generated and responded to ... more state information.
>
> The restful code sample ...
> http://code.google.com/p/simply-rich-authenticator
> ... uses "Acts As State Machine". Is this independent of the restful
> authentication
5 seconds of Google searching will answer that.
> and is it wise to use this in the Authlogic code?
I don't think you need to, although you probably could.
>
>>
>>> Yet ... I am reading a lot about why I should not use it.
>>>
>>> Some advice, please.
>>
>> I already gave you some in an earlier post. Perhaps you should go back
>> and read it instead of acting like you never saw it. Remember: we'll
>> help, but you have to read the help. It's not really fair to ask the
>> same question multiple times.
>
> I have read your advice. You have advised ... without much background
> ... that authlogic is better. But is it better in the case where a
> more-or-less complete application has already been generated?
>
Yes. First of all, you shouldn't be relying too heavily on cookbook
code, and second, where did you get the idea that Authlogic sample apps
don't also exist? In fact, they do.
> While you are obviously knowledgeable, following you advice without me
> having the appropriate background is difficult.
Then feel free to ask questions or do independent research. I usually
phrase my answers in such a way as to encourage such research. This is
deliberate -- I prefer to guide rather than supply ready-made answers.
>
> It appears to me that you have forgotten that it is the simple things
> that cause the greatest confusion.
I have not forgotten, and if anything I say is confusing, I will clarify
it. But please meet me halfway by making a bona fide effort to
research, experiment, and understand before looking up the answers in
the back of the book. :)
Best,
--
Marnen Laibow-Koser
http://www.marnen.org
mar...@marnen.org