Gems, MVC, Rails, Ruby, RVM

After the Install: Scenario-Based RVM Best Practices

In my previous post, Ruby Version Manager (RVM) Overview for Rails Newbs, I outline RVM’s architecture and fundamental features. That post is also very focused on RVM’s role when running rails new.

Today, I’d like to cover a few more common scenarios Rails developers will encounter after the initial install of RVM. More to the point though, we’ll be focused on how RVM can be used to optimize workflow in these scenarios.

1.  USE A DISTINCT GEMSET FOR EACH PROJECT
In my own development journey, it wasn’t initially clear to me when I should be creating new gemsets. If you too have pondered this question, here’s my suggested answer…create a new gemset for every project you are working on. This approach is not only clean and orderly but more importantly reduces the chance that gem dependency errors sidetrack your work.

As a refresher, here’s the necessary commands to create and use a new gemset:

$ rvm gemset create new_gemset_name

$ rvm gemset use new_gemset_name

Hopefully you’re starting to get some clarity on the use-cases for global, default, and custom gemsets. Basically, global and default are largely used to influence what you get from rails new. Custom gemsets are then used to manage all gems related to a project from that point forward.

[Diagram: RVM architecture]

2.  AUTOMATICALLY CHANGE RUBY VERSION AND RUBY GEMSETS WHEN MOVING BETWEEN PROJECTS
Like all devs, I’ve got lots of active projects in various stages of maturity on my machine. Before I came across this little nugget of knowledge (just keep reading!), I was frequently running:

$ rvm use ruby_version_here

and then

$ rvm gemset use gemset_name_here

It worked pretty well, but when moving between projects in my command line I often got gem-related errors when trying to run rails s or rails c. The problem was that if I forgot to tell RVM to change gemsets when I moved across projects in my command line, the gems that project expected to be available weren’t there.

Before I get to the solution here, humor me with a quick aside…

In a previous life, I was an Excel junky. I really loved Excel and what it could do. Just like development, it offers an incredible combination of logic and creativity. Also like development, the mouse is not necessarily your friend. Learning to do things without leaving the keyboard can be a HUGE time saver. People who were more mouse-dependent would sometimes look over my shoulder as I worked and say, “dude, you need to teach a class on Excel!”. It was a nice compliment and while I was interested in sharing both my love of Excel as well as its features, I would often respond with,

“if you are ever working in Excel and thinking ‘there has to be a better way to do this’. There is. You just need to figure it out.”

The point is that even though I espoused awareness of this phenomenon in the context of Excel, I lamely continued with my error-prone use of RVM for some weeks. It wasn’t until my good friend @megharastogi noticed what I was doing and said, “why don’t you use an .rvmrc file?”.

Eureka! An .rvmrc file sits at the root level of your application and basically tells RVM which Ruby version and gemset to use. RVM is smart and interprets these files as you navigate project folders in the command line.

Below is an actual .rvmrc file in one of my apps. It’s stored at your_project_name/.rvmrc or in the below case social-playlist/.rvmrc.

[Screenshot: social-playlist/.rvmrc]

Your .rvmrc file should be in the same location as your .gitignore, Gemfile, and README.

Boom! No more gem-related errors. Time saved. Happy dev.

3.  CREATE AND USE A NEW GEMSET WHEN RUNNING GIT CLONE
If you haven’t yet, at some point you’ll clone an existing repo. After doing so, likely your first task is to ensure you can get the app running locally in your development environment. For a Rails app, having the required gems present locally is a critical step in the process.

While you’ve cloned the repo, the repo likely doesn’t contain the actual gems. It merely contains a statement of what gems are necessary, via the Gemfile.

Here’s my recommended order of operations:

1. Review the repo’s README file.

2. Check the Gemfile of the target repo to see if a Ruby version and/or gemset name is explicitly stated. (If it’s a Rails app, a Rails version will surely be stated).

3. Check the target repo for a .rvmrc file at project_directory/.rvmrc. If there is one, it often also tells you which version of Ruby as well as which gemset name is being used.

NOTE:  As per the Typical RVM Project Workflow, other potential locations where Ruby version and/or gemset dependencies may be stated include files named: .versions.conf, .ruby-version.

4. If a Ruby version is explicitly stated, check whether that Ruby version is installed locally on your machine with $ rvm list

a. If that version is already installed locally, make it active with $ rvm use ruby_version_here and go to step 5.
b. If that version is not installed locally, get it with $ rvm install ruby_version_name
c. If no version of Ruby is explicitly stated, I recommend using the latest stable version.
d. Make the target version of Ruby active with $ rvm use ruby_version_here

5. Run $ git clone target_repo_location_here

      • Example:  $ git clone git@github.com:lostincode/social-playlist.git or
      • Example:  $ git clone https://github.com/lostincode/social-playlist.git

Note: Both of the above commands clone the same repo, they just use different security protocols. For the truly adventurous reader, here’s a deep dive on the hows and whys of each protocol.

6. $ cd newly_created_directory_name

7. $ rvm gemset create new_gemset_name

Note: If the repo already contained a .rvmrc file with a gemset name, consider naming your local gemset the same as what’s being used by the other dev(s) pushing to the repo.

8. $ rvm gemset use new_gemset_name

9. $ bundle install

If no .rvmrc file is already present in the app, create one! It’s up to you whether you include the .rvmrc in the .gitignore (I strongly suggest you do not! This is an important file for ensuring consistency across collaborators).

While not RVM specific, for good measure I’ll also offer up the following additional steps to get the newly cloned app running locally.

10. $ rake db:create

11. $ rake db:migrate

12. $ rake db:seed (optional – only run if seeds.rb contains seed data).

Unless there’s database or server specific requirements, that should suffice to get the app running locally with rails s.

Looping back to the big picture before closing out this topic: we now have a distinct gemset just for this project (meeting the objectives of best practice #1), and automated instructions for RVM to use this gemset whenever this project is active in the command line (meeting the objectives of best practice #2). And we can be confident we are mirroring the Ruby and Ruby gem configuration of the other devs on the project.
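As an added example (my own code, not from the original post), here is a small Ruby script that reads the project files steps 2 to 4 tell you to look at (.rvmrc, .versions.conf, and .ruby-version with its sibling .ruby-gemset) and reports which Ruby and gemset a freshly cloned repo expects, so you know what to pass to rvm use and rvm gemset create before bundle install. The helper names, the sample project it builds, and the check order (.rvmrc first, then .versions.conf, then .ruby-version) are assumptions.

```ruby
# Added example, not the post's own code: read the files RVM consults in a
# project directory and report which Ruby and gemset the project expects.
# Formats (RVM's own conventions):
#   .rvmrc          -> "rvm use ruby-2.0.0-p247@social-playlist --create"
#   .versions.conf  -> "ruby=ruby-2.0.0-p247" and "ruby-gemset=social-playlist"
#   .ruby-version   -> "2.0.0"   (with the gemset in a sibling .ruby-gemset)
# Helper names and the sample project built below are assumptions.
require "tmpdir"

# "ruby-2.0.0-p247@social-playlist" -> { ruby: "ruby-2.0.0-p247", gemset: "social-playlist" }
def split_ruby_string(str)
  ruby, gemset = str.strip.split("@", 2)
  { ruby: ruby, gemset: gemset }
end

# Find the "rvm use <ruby>[@<gemset>] ..." line; nil when the file has none.
def parse_rvmrc(text)
  line = text.lines.map(&:strip).find { |l| l.start_with?("rvm use ") }
  return nil unless line
  split_ruby_string(line.split[2])
end

# key=value lines; nil when no "ruby=" entry is present.
def parse_versions_conf(text)
  conf = text.lines.map(&:strip)
             .reject { |l| l.empty? || l.start_with?("#") || !l.include?("=") }
             .map { |l| l.split("=", 2).map(&:strip) }
             .to_h
  return nil unless conf["ruby"]
  { ruby: conf["ruby"], gemset: conf["ruby-gemset"] }
end

# Returns { ruby:, gemset:, source: } (any may be nil), checking .rvmrc first,
# then .versions.conf, then .ruby-version + .ruby-gemset (the order assumed here).
def detect_rvm_env(dir)
  read = lambda do |name|
    path = File.join(dir, name)
    File.file?(path) ? File.read(path) : nil
  end

  if (text = read.call(".rvmrc")) && (env = parse_rvmrc(text))
    return env.merge(source: ".rvmrc")
  end
  if (text = read.call(".versions.conf")) && (env = parse_versions_conf(text))
    return env.merge(source: ".versions.conf")
  end
  if (version = read.call(".ruby-version"))
    gemset = read.call(".ruby-gemset")
    return { ruby: version.strip, gemset: gemset && gemset.strip, source: ".ruby-version" }
  end
  { ruby: nil, gemset: nil, source: nil }
end

# Build a throwaway project directory containing the given files (constructed
# sample data, not a real repo) and report what RVM would select for it.
def detect_in_sample_project(files)
  Dir.mktmpdir("rvm-example") do |dir|
    files.each { |name, body| File.write(File.join(dir, name), body) }
    detect_rvm_env(dir)
  end
end

if __FILE__ == $PROGRAM_NAME
  p detect_in_sample_project(".rvmrc" => "rvm use ruby-2.0.0-p247@social-playlist --create\n")
  p detect_in_sample_project(".ruby-version" => "2.0.0\n", ".ruby-gemset" => "social-playlist\n")
end
```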

4.  CREATE A “RAILS 4 SCAFFOLD APP” FOR QUICK REFERENCE
In my other post, Reading Rails 4: MVC and Scaffolding for Rails Newbs, I go deep on some of the code generated when running rails generate scaffold.

My original title and concept for the post was not Rails-version specific. I thought it would mostly be about MVC and scaffolding – but be agnostic of Rails version. However, by reviewing the output of rails new and rails scaffold (while having RVM use Rails 4), I quickly and easily learned a lot about Rails 4 versus the Rails 3 versions I was more familiar with.

The point here is that RVM (combined with rails generators), is your assistant in having multiple boilerplate/clean versions of working Rails apps side-by-side on your machine. This makes it easy to access, evaluate, compare, and understand fundamental changes in Rails versions. Personally, I found reviewing the output of a Rails 4 scaffold more educational on mass-assignment in Rails 4 than any online documentation.

If helpful, here’s specifically what I’m suggesting. Say you’ve been hesitating getting onto the Rails 4 bandwagon because you are up and running and proficient in Rails 3. Maybe you feel too busy right now to slow down and learn the “gotchas” in Rails 4. Well, I think 5 minutes spent on the following will probably get you past that hurdle.

  1. Create a new gemset called “rails4scaffold” with $ rvm gemset create rails4scaffold
  2. Make the new gemset active with $ rvm gemset use rails4scaffold
  3. Install Rails 4 in that gemset by running $ gem install rails -v '~> 4.0'
  4. Create a new app by running $ rails new rails4scaffoldapp
  5. Scaffold a basic MVC in that app with rails generate scaffold books title author
  6. Run rake db:migrate
  7. Now go inspect key files like app/controllers/books_controller.rb and run $ rake routes to see how Rails 4 handles basic CRUD.

If you haven’t yet, consider moving Rails 4 into your default gemset!

SUMMARY
As always, I really appreciate you reading my post. I hope it’s been useful for you in getting more value out of RVM. Your comments and feedback are welcomed.

One other quick point is that there are other tools and approaches for doing what RVM does (quite well in my opinion). However my goal is not to promote RVM, but to promote knowledgeable, confident, and satisfying development experiences. As such, I want to share a post titled “Vendor Everything” Still Applies by Ryan McGeary. In it, he makes some interesting and compelling arguments for an alternative approach to gemsets and gem management.

I’m personally still using RVM, but that doesn’t mean I will forever.

Truth fears no questions.
-Napoleon Bonaparte

Reading between the lines of Mr McGeary’s post as well as some of the comments, I think the main point is that consistency in approach to gemset management within a collaborating group is critical to developer happiness and productivity.

Here’s some of my other posts you might like:

Peace.

Gems, MVC, Rails, Ruby, TwitterBootstrap

Embedding Devise Forms in Twitter Bootstrap Modals

In my previous post Top 10 Gems for new Rails Devs, I covered both the Devise and Twitter Bootstrap gems. Each of these gems is great at what they respectively do (authentication, design/styling). In this post, I’ll bring @plataformatec and @seyhunak‘s gifts together and easily put Devise sign-in and sign-up forms into Twitter Bootstrap modals.


What is a modal? If you aren’t familiar with modals, they are basically “pop-ups” or “prompts” that take a priority position in the user experience. If you’re interested in more theory regarding when and how to use modals, check out this post.

Getting sign-in and sign-up modals working in your application is not only a great introduction to using modals, but I think this feature creates a quality “first impression” for site visitors as well.

Want to see this code in a working repo? I’ll be orienting this post around a working implementation of this feature at www.social-playlist.com. This is a site I built with my good friend @lostincode. The project is open-source, so if you want to see everything in-context you can do so at https://github.com/lostincode/social-playlist.

Okay, let’s get started…

STEP 1:  BUILD THE MODAL PARTIALS
Partials are basically re-usable pieces of code falling into the View portion of MVC. (For a Rails 4-specific explanation of MVC, check out my other post Reading Rails 4: MVC and Scaffolding for Rails Newbs.)

Partials in Rails are easily identifiable by the leading underscore _ in their file names (Example: _partial.html.erb). If you’ve ever run a rails g scaffold, you’ve created a partial named _form.html.erb. This single form is used in both the new and edit views for your scaffolded model. Whether you are creating a new record in the database or editing an existing record, you likely want access to all the same fields. Given the overlap, a single partial can serve in both conditions.

Okay, now let’s build modal partials for today’s feature…

We’re going to need to create some new files, and there are no hard requirements about where they go in your app. I think you definitely want them somewhere in your app/views/ hierarchy, but exactly where after that is up to you.

In many of my projects I use a “welcome controller” and associated views for things like the home page or “about us” page. As such, I think app/views/welcome/ makes a great spot for the below two files.

_login_modal.html.erb

_sign_up_modal.html.erb

Here’s a copy-paste of what I place into each file:

app/views/welcome/_login_modal.html.erb

<div class="modal hide fade in" id="login">
  <div class="modal-header">
    <button class="close" data-dismiss="modal">x</button>
    <h2>Sign in</h2>
  </div>
  <div class="modal-body">
    <%= form_for(resource, :as => resource_name, :url => session_path(resource_name)) do |f| %>
      <div><%= f.label :email %><br />
      <%= f.email_field :email, :autofocus => true %></div>
      <div><%= f.label :password %><br />
      <%= f.password_field :password %></div>
      <% if devise_mapping.rememberable? -%>
        <div><%= f.check_box :remember_me %> <%= f.label :remember_me %></div>
      <% end -%>
      <%= f.submit "Sign in", :class => 'btn btn-small btn-success' %>
    <% end %>
  </div>
  <div class="modal-footer">
    <%= render "devise/shared/links" %>
  </div>
</div>

Newb Note! The studious reader will have identified a sub-partial embedded within the partial we just created. Inspect the following statement:

<%= render "devise/shared/links" %>

That’s calling a partial into our partial! Don’t worry if you don’t fully understand just yet, it will all get clearer before we’re done.

Let’s get back to building our own partials. The second and final file we’ll need to create is:

app/views/welcome/_sign_up_modal.html.erb

<div class="modal hide fade in" id="sign_up">
  <div class="modal-header">
    <button class="close" data-dismiss="modal">x</button>
    <h2>Sign Up</h2>
  </div>
  <div class="modal-body">
    <%# The form wraps both the body and the footer so the submit button sits in the footer %>
    <%= form_for(resource, :as => resource_name, :url => registration_path(resource_name)) do |f| %>
      <%= devise_error_messages! %>
      <div><%= f.label :email %><br />
      <%= f.email_field :email, :autofocus => true %></div>
      <div><%= f.label :password %><br />
      <%= f.password_field :password %></div>
      <div><%= f.label :password_confirmation %><br />
      <%= f.password_field :password_confirmation %></div>
  </div>
  <div class="modal-footer">
    <div><%= f.submit "Sign up", :class => 'btn btn-small btn-success' %></div>
    <p><a href="#" class="btn btn-small" data-dismiss="modal">Close</a></p>
  </div>
    <% end %>
</div>

NEWB NOTE! When creating modals in Twitter Bootstrap, make sure to use their built in classes for header, body, and footer. These control margins/padding that help things look just right.

Okay, back to business. Let’s get those partials working for us.

STEP 2: RENDER THE PARTIALS INTO APPLICATION LAYOUT
Remember above when I highlighted the partial-within-a-partial? The sub-partial was invoked using:

<%= render "devise/shared/links" %>

The reason I belabor the point is to establish a universal trend – and here it is…To render any partial, simply call render along with the location of the partial.

In our case, we have sign-in and sign-up buttons in the navbar on every page of our web site. As is the Rails way, we place app-wide View content in app/views/layouts/application.html.erb. Similarly, we want our new pop-up modals available (visible or not) on every page of our site. Accordingly, we put the below code into app/views/layouts/application.html.erb also:

<%= render "welcome/login_modal" %>

<%= render "welcome/sign_up_modal" %>

Newb Note! You might be thinking, “hey, that looks like a typo…aren’t partials prefixed with an underscore like _partial.html.erb ?” That’s not a typo, that’s simply the Rails convention for referring to a partial’s location. Also, we do not need to supply the app/views/ elements of the directory path when referring to the location of partials. Rails confidently expects them to be in the V of MVC!

Where exactly should this render code be placed in app/views/layouts/application.html.erb? Again, there’s not much of a hard and fast rule. Personally, I put mine immediately under the opening <body> tag.

STEP 3: UPDATE YOUR LINK_TOs
We’re not leaving app/views/layouts/application.html.erb yet. Now we need to update our sign-in and sign-up buttons to engage our newly created modals as opposed to their historical forms. We can do this by simply changing the relevant link_to‘s to look like the below.

<%= link_to "Login", "#login", "data-toggle" => "modal", :class => 'btn btn-small' %>

<%= link_to "Sign up", "#sign_up", "data-toggle" => "modal", :class => 'btn btn-small btn-success' %>

Newb Note! The first time I implemented this feature, I placed the above code next to the existing link_to‘s. I did this to make sure everything was working with the new before getting rid of the old way.

One of the critical pieces of any link_to is the second argument – in our case, #login and #sign_up. The values provided here must match the id in the parent <div> of the associated partials. To make sure I’m clear, the relevant code from the parent <div>s are shown here again.

<div class="modal hide fade in" id="login">

<div class="modal hide fade in" id="sign_up">

STEP 4: ADD SOME JAVASCRIPT MAGIC
Everything is just about ready to rock. When I first got this working in my app, I was disappointed that while the modals were popping up, they were dark like the subordinated background. Luckily, this StackOverflow post suggested adding the below into app/views/layouts/application.html.erb

<script type="text/javascript">
  $(function () {
    // Replace #myModal with the id of your modal div (#login or #sign_up above).
    $("#myModal").modal({ show: false });
  });
</script>

If you’re like me, you’re thinking “where exactly should I put that code?”. Kindly the SO post also suggests putting it “right before the </head>” close tag.

STEP 5: UPDATE YOUR APPLICATION HELPER
Okay, so we’ve got forms that users want to see. We’ve established a call to render them on every page of our application. Next we need to make sure a new resource (the Devise term for user) is instantiated when our modal is engaged.

Thankfully the esteemed Pablo who originally wrote this entry (the birthplace of some succinctly powerful methods and now hosted on the official Devise wiki), provides us the below helper methods to place in app/helpers/application_helper.rb.

module ApplicationHelper
  # The Devise mapping name the modal forms post as (change if your model isn't User).
  def resource_name
    :user
  end

  # A fresh, unsaved User that form_for builds the sign-in/sign-up fields from.
  def resource
    @resource ||= User.new
  end

  # Lets the partials ask Devise which modules (e.g. rememberable) are enabled.
  def devise_mapping
    @devise_mapping ||= Devise.mappings[:user]
  end
end

STEP 6: ENJOY!
You’re done! Fire up a rails s and check it out in the browser before you git push.

Hopefully you’ve enjoyed and found value in this post. If so, drop me a comment or a tweet @mxstrand! Also, here’s a few other posts you might like:

Thanks for reading.

Gems, Rails, Ruby, Security

Security is a Feature: 9 Newb-Friendly Steps to Securing Your Rails Apps

In my previous blog post Easy Does IT: Top 10 Gems for Rails Newbs, I highlighted the Brakeman gem for its ability to easily identify, interpret, and resolve security issues in a Rails app. Today I want to offer a few more security best practices for the new Rails developer. Here goes…

STEP 1:  IDENTIFY SENSITIVE INFORMATION
Depending on the feature set, your application might leverage any one of hundreds of internet-based services. Below is a list of some of the most commonly encountered by new Rails developers.

For your rails application to interact with any of these services, a set of credentials (username, password, developer key) must be accessible to your code base.

When I first started working with these tools, I foolishly didn’t consider that I was putting sensitive information on the public internet with every git push. That said, I know I’m not alone. It’s easy to find StackOverflow posts where newer devs are publishing their credentials for the whole internet to see.

One additional sensitive piece of information that is auto-generated during rails new and necessary for every Rails app to function is its secret_token (also known as “secret_key_base”), which can be found at app/config/initializers/secret_token.rb. What is a secret_token? Well, looking into the file’s own comments we see:

# Your secret key is used for verifying the integrity of signed cookies.
# If you change this key, all old signed cookies will become invalid!
# Make sure the secret is at least 30 characters and all random,
# no regular words or you'll be exposed to dictionary attacks.
# You can use `rake secret` to generate a secure secret key.
# Make sure your secret_key_base is kept private
# if you're sharing your code publicly.

Okay, that’s enough discussion – let’s get into some code and discuss how to make it secure. Here’s an example of what I commonly include in app/config/environments/development.rb to configure ActionMailer to leverage Gmail for sending email in dev to see things like the Devise confirmable or Devise_Invitable (a separate gem – check it out!) working before pushing to production.

config.action_mailer.raise_delivery_errors = true
config.action_mailer.default_url_options = { :host => 'localhost:3000' }
config.action_mailer.perform_deliveries = true
config.action_mailer.default :charset => "utf-8"

ActionMailer::Base.delivery_method = :smtp
ActionMailer::Base.smtp_settings = {
  :address => "smtp.gmail.com",
  :port => 587,
  :authentication => "plain",
  :user_name => "my_actual_username@gmail.com",
  :password => "my_actual_password"
}

Now this code works, but I definitely don’t want to be sharing my Gmail credentials with the world. Let’s talk about what to do.

STEP 2:  MOVE SENSITIVE INFO TO A .YML FILE
Before we can move our sensitive info to it, we need to create a new file at app/config/application.yml. Inside that file, we’ll declare our “environment variables” in the following format.

GMAIL_USERNAME: "my_actual_username@gmail.com"
GMAIL_PASSWORD: "my_actual_password"

If you’re interested, here’s the Wikipedia page about the .yml file history and purpose.

Moving on, now we can move our credentials out of the app/config/environments/development.rb file by revising the last 2 lines of the code block below:

config.action_mailer.raise_delivery_errors = true
config.action_mailer.default_url_options = { :host => 'localhost:3000' }
config.action_mailer.perform_deliveries = true
config.action_mailer.default :charset => "utf-8"

ActionMailer::Base.delivery_method = :smtp
ActionMailer::Base.smtp_settings = {
  :address => "smtp.gmail.com",
  :port => 587,
  :authentication => "plain",
  :user_name => ENV["GMAIL_USERNAME"],
  :password => ENV["GMAIL_PASSWORD"]
}

Newb Note! It’s standard practice to use ALL CAPS for environment variable naming.

Starting to feel more secure? You should! But we aren’t done yet.

STEP 3:  LOAD DEVELOPMENT ENVIRONMENT VARIABLES
Now, we need to tell Rails to load the locally-stored environment variables during application start-up. We can do this in app/config/application.rb with:

if Rails.env.development?
  ENV.update YAML.load(File.read(File.expand_path('../application.yml', __FILE__)))
end

That’s it for step 3!
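Here is an added example (my own code, not the post’s) of a stricter loader than the one-liner above: it reads the same application.yml, but refuses non-string values, leaves variables that are already set in the real environment alone (so a value set on the server beats a stale local file), and fails at boot if a required key is still missing. The function names, the required:/overwrite: options and the sample YAML in the comments are assumptions.

```ruby
# Added example (mine, not the post's code): a stricter stand-in for
#   ENV.update YAML.load(File.read(File.expand_path('../application.yml', __FILE__)))
# The function names, the required:/overwrite: options and the sample YAML
# are assumptions.
require "yaml"

class LocalEnvError < StandardError; end

# Parse KEY: "value" pairs from YAML text into +env+ (ENV by default) and
# return the keys that were set. Rules:
#   * keys must be ALL_CAPS names, values must be strings (ENV holds only strings);
#   * a variable already present in +env+ is left alone unless overwrite: true,
#     so a value set on the server (heroku config:set) beats a stale local file;
#   * every key in +required+ must be present afterwards, or we fail at boot.
def apply_local_env(yaml_text, source: "application.yml", env: ENV, required: [], overwrite: false)
  data = YAML.safe_load(yaml_text) || {}
  raise LocalEnvError, "#{source}: expected a mapping of KEY: value" unless data.is_a?(Hash)

  loaded = []
  data.each do |key, value|
    unless key.is_a?(String) && key.match?(/\A[A-Z][A-Z0-9_]*\z/)
      raise LocalEnvError, "#{source}: #{key.inspect} is not an ALL_CAPS variable name"
    end
    unless value.is_a?(String)
      # An unquoted 123 or true arrives as Integer/TrueClass; refuse rather than
      # coerce silently (ENV.update would raise TypeError on it anyway).
      raise LocalEnvError, "#{source}: #{key} must be a quoted string (got #{value.class})"
    end
    next if env.key?(key) && !overwrite
    env[key] = value
    loaded << key
  end

  missing = required.reject { |k| env.key?(k) }
  raise LocalEnvError, "#{source}: missing environment variables #{missing.join(', ')}" unless missing.empty?
  loaded
end

# File-based wrapper for config/application.rb; a missing file is not an error
# (production has no application.yml), but +required+ is still enforced.
def load_local_env(path, **opts)
  text = File.file?(path) ? File.read(path) : ""
  apply_local_env(text, source: path, **opts)
end

# In config/application.rb (needs Rails, so shown as a comment):
#   if Rails.env.development?
#     load_local_env(File.expand_path('../application.yml', __FILE__),
#                    required: %w[GMAIL_USERNAME GMAIL_PASSWORD])
#   end
```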

STEP 4: EXCLUDE YOUR .YML FILE FROM YOUR REPO
Next, we need to put the project’s app/.gitignore file to good use. Let’s go ahead and add the following lines to it:

# Ignore the local environment variable file so it is never committed or pushed
/config/application.yml

If you haven’t noticed or used the .gitignore file before, it does just what the name implies. It tells Git which files to leave out of the repository, so they are never committed or pushed to the remote.

Newb Note! Because you are not pushing your app/config/application.yml file into your repository, should you or another developer ever git clone the repo, the clone will not include the necessary environment variables for the application to function properly. This is of course “by-design”, but can be an area of confusion for newbs trying to get a cloned app up and running.

STEP 5:  CORRECT PAST MISTAKES
So we’re secure moving forward, but what if you’ve already pushed a commit to a public GitHub repository that included sensitive info? Here’s a few options in order of complexity.

  • Change your sensitive info (like passwords or secret_tokens) after implementing the best practices outlined above. While the old credentials may still be visible, they’ll no longer work.
  • Clone the repo to a new directory, change your sensitive info, implement these best practices, and delete the original repo.
  • If you are wondering if you can delete a commit, the answer is sort of. Here’s more details for the adventurous.

STEP 6:  MANAGE PRODUCTION ENVIRONMENT VARIABLES
Everything discussed above has been focused on environment variables for development. Because the .yml file containing these values is stored locally on your machine, your app can read them. But Heroku (a.k.a production) doesn’t have access to that .yml file on your machine. Don’t worry, setting environment variables with Heroku is easy.

Say for instance we want to set our secret_token with Heroku. We can do so via:

heroku config:set SECRET_TOKEN=123456789012345678901234567890

Or maybe we’re interacting with the Twitter API. In this case we need to set both:

heroku config:set TWITTER_CONSUMER_KEY=1234567890

heroku config:set TWITTER_CONSUMER_SECRET=1234567890

Obviously you can see the pattern. Basically, anything you are storing in your .yml file that your application depends on needs to be configured at Heroku as well.

For a complete description of how to manage environment variables with Heroku, check out this article.

Newb Note! As with all common Rails scenarios, you can probably guess a gem or two is out there to help. In the case of environment variables, I recommend checking out both the Dotenv gem and the Figaro gem.

STEP 7:  SECURE YOUR STAGING ENVIRONMENT (if you have one)
By default, Rails will give you test, development, and production environments. While it’s generally safe to assume that what works in development will also work on the internet (production), for mission critical applications you will likely want to set up a 4th environment called “staging”. Staging is intended to be a mirror of production (also on the public internet) – it’s just not actually open to the public. By first determining that things are working as intended in this production-like environment, you can have a much higher confidence that changes will not negatively impact your end users.

Newb Note! Staging environments are also a great place to do performance testing and reproducing customer-reported issues without actually impacting production services.

So we’ve discussed the importance of staging, but specifically how do you put something on the public internet, but not have it public?

Rails to the rescue again! Rails has a nice little built-in method that you can drop right into your application_controller.rb. Here it is:

before_filter :http_authenticate if Rails.env.staging?

def http_authenticate
  authenticate_or_request_with_http_basic do |username, password|
    username == "some_username" && password == "secret_password"
  end
end

Oops! Did you notice what I did there? Once again, I’ve got my sensitive information embedded in my code and being pushed to the repo. Thankfully, I know how to move these values to an environment variable – leveraging a .yml file for development and/or setting them directly with Heroku through the command line.  Here’s the revised code.

before_filter :http_authenticate if Rails.env.staging?

def http_authenticate
  authenticate_or_request_with_http_basic do |username, password|
    username == ENV["STAGING_USERNAME"] && password == ENV["STAGING_PASSWORD"]
  end
end

Don’t forget to add the actual values to the app/config/application.yml file!

Now, any visitors to your staging URL will be prompted for credentials before being allowed to even see the home page.
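As an added example (my code, not the post’s), here is the comparison from inside http_authenticate pulled out into a plain Ruby function so two things a staging lock-down should get right can be checked: if STAGING_USERNAME or STAGING_PASSWORD is unset or blank on the server, everyone is denied instead of a blank login slipping through, and the strings are compared in constant time so response timing does not reveal how much of a guess was right. The function names and the env parameter are assumptions; in a real Rails app you would reach for ActiveSupport::SecurityUtils.secure_compare rather than the hand-rolled version here.

```ruby
# Added example (not the post's code). The function names and the +env+
# parameter are assumptions; ActiveSupport::SecurityUtils.secure_compare is
# the Rails-provided equivalent of secure_compare below.

# Constant-time equality for two strings of possibly different length:
# every byte of +a+ is examined whether or not an earlier byte already differed.
def secure_compare(a, b)
  a = a.to_s.b
  b = b.to_s.b
  diff = a.bytesize ^ b.bytesize              # length mismatch folds into the result
  a.each_byte.with_index { |byte, i| diff |= byte ^ (b.getbyte(i) || 0) }
  diff.zero?
end

# True only when both credentials are configured on the server and both match.
# With nothing configured (or blank values) the answer is always false: the
# staging site stays closed rather than accepting an empty username/password.
def staging_credentials_valid?(username, password, env = ENV)
  expected_user = env["STAGING_USERNAME"]
  expected_pass = env["STAGING_PASSWORD"]
  return false if expected_user.to_s.strip.empty? || expected_pass.to_s.strip.empty?

  # Evaluate both comparisons (no short-circuit) so a wrong username costs the
  # same time as a wrong password.
  user_ok = secure_compare(username, expected_user)
  pass_ok = secure_compare(password, expected_pass)
  user_ok & pass_ok
end

# What the application_controller.rb filter looks like with this helper
# (needs Rails, so shown as a comment):
#   before_filter :http_authenticate if Rails.env.staging?
#
#   def http_authenticate
#     authenticate_or_request_with_http_basic do |username, password|
#       staging_credentials_valid?(username, password)
#     end
#   end
```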

As it’s outside the scope of this post, I’ll forgo instructions on how to set up a staging environment. And an even better reason not to cover the topic here is that this Heroku article explains the steps quite nicely. (Should you decide you’d like to run a local staging environment, Mr. Bates has developed a great RailsCast on the subject here.)

STEP 8:  LEVERAGE PRIVATE REPOSITORIES (when appropriate)
GitHub is a great resource and heavily used by the Rails community. While they do offer private repositories, they are not free. Another option to check out is BitBucket. BitBucket offers free, private repos – allowing up to 5 collaborators on each repo.

As a bonus, if you invite new users to BitBucket and they use the service, you can earn privileges for more than 5 collaborators on your repos.

Newb Note! Once you’ve got your first freelance gig, consider having your client create their own repo at BitBucket and make you a collaborator. This way, they “own” the source code – if that’s how your contract is structured.

One final word of wisdom to the Rails newb regarding private repos. While BitBucket is a great security solution and arguably removes the need to concern yourself with some of the “overhead” like the .yml files described above, don’t rush to move all your projects there. As a new developer, potential employers will want to see that you are an active “committer”, and most employers will look to GitHub for such evidence.

STEP 9:  KEEP LEARNING
If you’ve got your arms around everything covered here, you are off to a great start. But like all rabbit holes, this one goes deeper. A great resource for continuing your security education is a free, one month email course on securing your Ruby apps provided by Code Climate. To sign up, you’ll want to hit http://railssecurity.com.

So once again, thanks for reading! Security may not be sexy, but good developers are. If you haven’t checked them out, here’s some of my other posts you might like:

If there’s a topic you’d like me to cover in a future blog post, don’t hesitate to add a comment.

Gems, Rails, Ruby

Easy Does IT: Top 10 Gems For Rails Newbs


Whatever your reasons are for choosing to learn Ruby on Rails, they were the right ones! Rails is an excellent framework for quickly building feature-rich, scalable, and secure web apps.

In the foreword of The Rails 3 Way (required reading for all new Rails devs) Mr. Fernandez states,

 …Rails frees you to kick off your project with a bang, getting a working prototype out the door quickly. This makes it possible to build an application with some meat on its bones in a few weekends, making Rails the web framework of choice for people with a great idea and a full time job.

Whether you are building a prototype or an enterprise-level application; whether you are a full-time dev or a weekend hacker, the key message is that you can get a QUALITY Rails app up FAST. Gems are a cornerstone of this fact.

In my other post, Ruby Version Manager (RVM) for Rails Newbs, I discuss how Rails itself is a Ruby gem. While Rails is the king of gems, there are many more the Rails newb should get acquainted with early in their career.

The purpose of this post is to introduce the Rails newb to a handful of gems offering low cost (time) and high return (features!). Another important characteristic of all the below gems is their licensing terms. These gems can be used freely – including commercial use.

Newb Note! The “Ease of Implementation” guidance given below is not intended to be exhaustive. It’s intended to highlight the  ease with which a given gem’s base functionality can be enabled. Many of these gems have a rich capability set that requires further reading to completely unlock. This post will get you started and give you some perspective, but plan to read the source docs to get the most from the gem.

Knowing all that, let’s talk gems. Here’s a table of contents for this post if you’d like to jump to a particular gem.

    1. Devise
    2. Twitter Bootstrap
    3. PostgreSQL
    4. Pry Debugger
    5. Better Errors
    6. Launchy
    7. Rails ERD
    8. Brakeman
    9. Faker
    10. Font Awesome

1. DEVISE     (source code)

What does it do? Any modern web app, must have user “authentication” – meaning users can create credentials (e-mail and password) and have those credentials stored in the application’s database for future use. Given the importance of authentication, it’s included first in our list.

Ease of Implementation: Beyond the usual Gemfile inclusion and bundle install, Devise requires just a bit of configuration to get running. The good news is that these instructions are well documented in the README.

Environments: Place it at the root level of your gem file so it’s available across dev, test, and production.

Newb Note! Devise’s default configuration is good, but you can make it great by turning on some additional built-in features. For example, you might want to add a “username” field (the default for sign-in is e-mail + password). Or you might want to use the “confirmable” option so users are required to confirm ownership of their provided e-mail address by clicking a link in a system generated e-mail. These options too are well documented.

Recommended Resources:


2. TWITTER BOOTSTRAP     (source code)

What does it do? Twitter Bootstrap provides clean, modern, and professional CSS styling for a number of common web app elements like navigation bars, buttons, icons, fonts, and much more.

Ease of Implementation: Installation and base configuration are quite easy and well documented in the README. Depending on your familiarity with HTML and CSS, the harder (but not hard) part is choosing which elements to use and getting them properly embedded in your Views. If you are confused by that statement regarding “Views” have a read of my post Reading Rails: MVC and Scaffolding for Rails Newbs.

Environments: In Rails 3, you’ll want to place Twitter Bootstrap in the “asset” group in your gemfile. In Rails 4, there is no asset group so go ahead and place it at the root level so it’s available in all environments.

Newb Note! I’m embarrassed to admit this, but in my own newb-ness at first I was confused about how to implement Bootstrap’s examples in my own projects. I followed the gem instructions, but then what? Where was my beautiful carousel and navigation? One of my first, very patient Rails mentors @lostincode told me to just right click and “View Source” on the target example’s web page. Then just copy the relevant code and drop it into your Rails app. After you’ve done this a few times, you have a library and favorite code that you can move between projects.

Recommended Resources:


3. PG also known as POSTGRESQL     (source code)

What does it do? Just about any web app you build needs to ultimately move off your development machine and onto the internet. Thankfully for Rails newbs, Heroku makes this very easy and free. Heroku’s only requirement is that you run a PostgreSQL database in production instead of Rails’ default of SQLite. The PG gem is the ticket.

Ease of Implementation: It’s really quite easy to set your production DB to PostgreSQL via the gemfile. Instead of the gem’s own README, I suggest having a read of Heroku’s guidance at Getting Started with Rails on Heroku.

Environments: You’re definitely going to want it in your group :production do block if deploying to Heroku. Whether you also use it in dev or test is up to you.

Newb Note! While purists will argue you should run PostgreSQL locally in development to ensure a mirror with production, many (not all!) Rails app scenarios will handle SQLite in dev and PG in production just fine. It’s acceptable for newbs to start with this approach and as you get further along in your Rails journey, then you can go about getting PostgreSQL running locally via instructions like these. Once you have PG running locally, when creating future Rails apps (that you plan to deploy to Heroku) I recommend telling Rails that you want a PG database from the get go. Here’s how to modify your $ rails new accordingly:

$ rails new myapp --database=postgresql

Recommended Resources:


4. PRY-DEBUGGER     (source code)

What does it do? Pry-Debugger can be used in both development and test environments to “pause” your application mid-stream at a point you specify. Once paused, you can interrogate and evaluate variables or params. For example, if you want to see what information is being passed from a view’s form into your controller, pause the app in the controller action triggered by the form submit button.

Ease of Implementation: It’s so, so easy to install and requires effectively no configuration. After including it in your gemfile and running bundle install, simply drop binding.pry into your codebase (likely in your Controller or Model) just after the code you want to evaluate once the application “pauses”. Then, trigger the target action in your browser (or via your test spec). When the application hits your binding.pry, go to your terminal/console and go crazy!

Environments: I recommend creating a gem group for both dev and test with something like group :development, :test do. Pry-Debugger should go here.

Newb Note! Pry-Debugger is built upon the original Pry but also includes some additional commands such as step, next, finish, and continue. Check out the README for a quick explanation of these commands.

Recommended Resources:


5. BETTER ERRORS     (source code)

What does it do? No matter what, your app is going to puke from time to time. The least you can do for yourself is to have easy-to-clean-up puke. This is where Better Errors comes in. It provides cleanly formatted errors with log details in the browser just a click-away.

Ease of Implementation: So easy, there’s really no excuses not to use it. Put it in your gemfile and bundle install. That’s it.

Environments: I recommend group :development do for Better Errors.

Newb Note! As per the README, make sure to check out the complementary gem “binding_of_caller”, which gives you functionality similar to Pry-Debugger (described above) – but this functionality is inside your web browser when Better Errors displays an error.

Recommended Resources:


6. LAUNCHY     (source code)

What does it do? Sometimes when your test specs are failing, the error messages just aren’t informative enough – you need to see what the test is seeing in the browser. This can be especially maddening when everything appears to be fine in the browser in the development environment, but your tests are failing. Here comes Launchy to the rescue!

Ease of Implementation: Put it in your gemfile, bundle install, and include save_and_open_page inside your test spec where you want the browser to open.

Environments: As per the description, you only need Launchy in your group :test do block.

Newb Note! Don’t forget to remove save_and_open_page after you’ve resolved your issue.

Recommended Resources:


7. RAILS-ERD     (source code)

What does it do? Rails-ERD generates a visual representation of your database schema – including tables, fields, and relationships. Personally, there are a few scenarios where I like to use this gem.

    1. Getting up to speed on an existing project when I’m a new team member
    2. When I want to get another dev up to speed on one of my existing projects
    3. For planning purposes when I know I need to change my database architecture in a material way
    4. To facilitate design discussions with more-technical clients and project decision makers
    5. Returning to a project that may have been dormant for some time

Ease of Implementation: In addition to the requisite inclusion in your gemfile and bundle install – you’ll need to install Graphviz. It’s all quite easy and laid out here. After setup, you can run rake erd at any time to generate an up-to-date diagram.

Environments: I put Rails-ERD in my group :development do block.

Newb Note! Personally, I like to use this gem once my project is up and running and the schema starts to get more complicated. However, a related best practice that I recommend is to use a similar tool to create a draft of your intended schema before you write a single line of code. Personally, I’ve been mostly pleased with the Sea Quail Database Diagram Tool. What it lacks in features, it makes up for in ease of use. I don’t have deep experience with the multitude of options that are just a search engine away. Please comment on this post if you have recommendations for other ERD design tools!

Recommended Resources:


8. BRAKEMAN     (source code)

What does it do? I’m no security expert, so I really appreciate a tool that helps me easily identify, interpret, and resolve security issues in my Rails app. Enter Brakeman.

Ease of Implementation: In addition to the requisite inclusion in your gemfile and bundle install – you just run brakeman from the command line in the application root directory.

Environments: I put Brakeman in my group :development do block.

Newb Note! As per the README, don’t forget to include :require => false in your gemfile when inserting Brakeman. Also, if you’d like to go deeper on Rails security, check out my other post Security is a Feature: 9 Newb-Friendly Steps to Securing Your Rails Apps.

Recommended Resources:

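The “Environments” advice in the sections above (Devise, Bootstrap and Font Awesome at the root level, pg only in production, Pry-Debugger and Faker in development and test, Better Errors, Rails-ERD and Brakeman in development, Launchy in test, Brakeman with :require => false) is easy to get wrong by pasting a gem at the wrong level of the gemfile. The script below is an added example written for this post; it is not the post’s own code and not Bundler’s. It evaluates a Gemfile-style string with a small stand-in for Bundler’s group DSL and reports which gems each Rails environment would actually load, mirroring the rule Bundler follows (the :default group plus the group named after the current environment). Both sample Gemfiles are constructed for the example, and bootstrap-sass and font-awesome-rails are assumed gem names for items #2 and #10. The point worth checking is the one the Better Errors README itself makes: that gem is for development only, because its error page shows source and, with binding_of_caller, a live console to whoever triggers an exception, so a root-level entry silently ships it to production.

```ruby
# Added example (not the post's code, not Bundler's): a minimal stand-in for
# the Gemfile `group` DSL, used to check the environment placement advice.
# Bundler loads the :default group plus the group named after RAILS_ENV
# (Bundler.require(*Rails.groups) in config/application.rb); loaded_in mirrors that.
class GemfileMap
  Entry = Struct.new(:name, :groups, :options)

  attr_reader :entries

  def initialize
    @entries = []
    @group_stack = []
  end

  # Evaluate Gemfile text against this DSL. Only source, ruby, gem and group
  # are understood; anything else raises NoMethodError.
  def self.parse(text)
    map = new
    map.instance_eval(text)
    map
  end

  def source(*_args); end
  def ruby(*_args); end

  # gem 'name' [, 'version'] [, :group => ..., :require => ...]
  def gem(name, *args)
    options = args.last.is_a?(Hash) ? args.pop : {}
    groups = Array(options[:group] || options[:groups] || @group_stack.flatten)
    groups = [:default] if groups.empty?
    @entries << Entry.new(name, groups.map(&:to_sym), options)
  end

  def group(*names)
    @group_stack.push(names)
    yield
  ensure
    @group_stack.pop
  end

  # Gem names Bundler.require would load for the given Rails environment.
  def loaded_in(env)
    @entries.select { |e| e.groups.include?(:default) || e.groups.include?(env.to_sym) }
            .map(&:name)
  end

  def options_for(name)
    entry = @entries.find { |e| e.name == name }
    entry && entry.options
  end
end

# Development aids that a production process should never load: better_errors
# (with binding_of_caller) serves source and a console on the error page,
# pry opens a REPL, and the rest are dead weight in production.
DEV_ONLY = %w[better_errors binding_of_caller pry-debugger launchy rails-erd brakeman].freeze

def production_leaks(map)
  map.loaded_in(:production) & DEV_ONLY
end

# Brakeman is a command-line scanner, not a library; the Newb Note above says
# to add :require => false so Bundler does not load it into the app.
def brakeman_autorequired?(map)
  opts = map.options_for('brakeman')
  !opts.nil? && opts[:require] != false
end

# Constructed sample Gemfile following this post's placement advice.
# bootstrap-sass and font-awesome-rails are assumed gem names for #2 and #10.
RECOMMENDED_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'
  gem 'rails'
  gem 'devise'
  gem 'bootstrap-sass'
  gem 'font-awesome-rails'
  group :production do
    gem 'pg'
  end
  group :development, :test do
    gem 'sqlite3'
    gem 'pry-debugger'
    gem 'faker'
  end
  group :development do
    gem 'better_errors'
    gem 'binding_of_caller'
    gem 'rails-erd'
    gem 'brakeman', :require => false
  end
  group :test do
    gem 'launchy'
  end
GEMFILE

# Constructed counter-example: debugging gems pasted at the root level.
SLOPPY_GEMFILE = <<~GEMFILE
  source 'https://rubygems.org'
  gem 'rails'
  gem 'pg'
  gem 'better_errors'
  gem 'binding_of_caller'
  gem 'brakeman'
  group :development, :test do
    gem 'pry-debugger'
  end
GEMFILE

if $PROGRAM_NAME == __FILE__
  { 'recommended' => RECOMMENDED_GEMFILE, 'sloppy' => SLOPPY_GEMFILE }.each do |label, text|
    map = GemfileMap.parse(text)
    puts "#{label}: production loads #{map.loaded_in(:production).join(', ')}"
    puts "#{label}: dev-only gems leaking into production: #{production_leaks(map).inspect}"
    puts "#{label}: brakeman auto-required? #{brakeman_autorequired?(map)}"
  end
end
```

Run it with ruby gemfile_check.rb (any file name will do) and point GemfileMap.parse at File.read('Gemfile') to check a real project; the DSL stand-in deliberately covers only the four Gemfile calls this post uses, so a Gemfile with gemspec, path or git_source lines will need those added as no-op methods.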

9. FAKER     (source code)

What does it do? Sometimes having a robust set of data in your development database makes the testing and development process go much smoother. Entering it through the browser is a fool’s errand (and it isn’t retained if you reset your DB). seeds.rb files are a big help, but you still have to come up with the actual values to be entered. Not anymore with Faker. Faker provides random values for names, cities, addresses (physical and internet) – even lorem ipsum text.

Ease of Implementation: You know the drill – put it in your gemfile and run bundle install. Next, incorporate the Faker syntax in either your seeds.rb or a rake task. Here’s some sample Faker syntax so you can see just how easy it is.

Faker::Name.name #=> "Christophe Bartell"

Faker::Internet.email #=> "kirsten.greenholt@corkeryfisher.info"

Environments: I recommend creating a gem group for gems used in both dev and test with something like group :development, :test do. Faker should go here (you can use Faker in your tests!).

Newb Note! Check out the README for a full inventory of the fields Faker provides.

Recommended Resources:


10. FONT-AWESOME     (source code)

What does it do? These guys take icons really seriously. They use them stand-alone, but also embed them with buttons, navbars, and form inputs. Remember,

a picture is worth a thousand words

Ease of Implementation: Just like Twitter Bootstrap, just add Font Awesome to your gem file, run bundle install, and start embedding the syntax for the desired icons and styling into your html.erb Views.

Environments: Place it at the root level of your gem file so it’s available across dev, test, and production.

Newb Note! Font Awesome plays well with Twitter Bootstrap (#2 in our gem list). Use the two together to build a highly polished product!

Recommended Resources:


SUMMARY
As with most of my posts, if you’ve gotten this far – congratulations and thank you! If I’ve left out any low cost, high benefit gems of note – please comment!

Here’s a few other posts of mine you might like: