Chapter 9

Question 1

For the Users resource, if ‘new’ corresponds to GET and ‘create’ corresponds to POST, what do edit (a form) and update correspond to?

Answer 1

GET and PATCH, respectively

Question 2

When we see repeated code in a view, what is a good thing to do?

Answer 2

Make it into a partial.

Question 3

In an a tag, what is a trick to get the browser to open the link in a new tab?

Answer 3

Use ‘_blank’

a href=”http://gravatar.com/emails” target=_blank

Question 4

In form_for, how does Rails know whether to send a POST (create new user) or PATCH (update user).

Answer 4

Rails decides which one depending on the boolean value of #new_record?

Question 5

In TDD, is it better to check if an app handles correct or incorrect information first?

Answer 5

Catch incorrect info first, then you can ensure it does the right thing with the correct data; easier than doing this the other way around.

Question 6

What is the difference between authentication and authorization?

Answer 6

In the context of web applications, authentication allows us to identify users of our site, and authorization lets us control what they can do.

Question 7

What is a ‘before filter’?

Answer 7

Ensures that certain requirements are met before an action is carried out, such a a user being logged in to their own account before updating their information.

Question 8

T/F: the ‘unless’ keyword can be used as a complement to the ‘if’ statement.

Answer 8

T

Question 9

Explain the following controller statement:

before_action :logged_in_user, only: [:edit, :update]

Answer 9

A before filter that states that the user must be logged in to perform any action in the controller, but this filter only applies to the ‘edit’ and ‘update’ actions.

Question 10

What is a good way to test the basic functioning of a security model?

Answer 10

Turn it off/comment it out and see if the application responds accordingly.

Question 11

What is a URL stub, and when should it be used?

Answer 11

Replacing a URL with simply a ‘#’ sign; good in development when not all routes have been created yet.

Question 12

What goes in db/seeds.rb ?

Answer 12

Values/objects to place into the database.

Question 13

When might it be preferable to raise an exception when encountering an error rather than merely returning false or nil?

Answer 13

When you want to avoid ‘silent errors’, for example when debugging.

Question 14

How do we actually insert db/seeds.rb into the database?

Answer 14

$bundle exec rake db:seed

Question 15

What does ‘pagination’ refer to within the context of a web app?

Answer 15

Displaying a certain number of elements per page, and indexing each page.

Question 16

What are the steps involved in adding a new attribute to a model?

Answer 16

Generate a database migration, containing the value name and data type, then run the migration.

Question 17

Y/N: If the ‘admin’ attribute is a boolean value, should it be false by default? Why?

Answer 17

Yes, for obvious security reasons.

Question 18

When adding a boolean attribute through a db migration, what method will rails automatically add to the model?

Answer 18

A ‘?’ method.

i.e. #admin?

Question 19

Explain the importance of the following code:

def user_params
      params.require(:user).permit(:name, :email, :password,
                                   :password_confirmation)
    end

Answer 19

This code returns a version of the params hash with only the permitted attributes (while raising an error if the :user attribute is missing).

This returns a list of strong parameters, which help prevent malicious activity.

Note in particular that admin is not in the list of permitted attributes. This is what prevents arbitrary users from granting themselves administrative access to our application.

Question 20

What is so important about the following before filter?

before_action :admin_user, only: :destroy

Answer 20

It ensures that only admins can issue a DELETE request (the ‘destroy’ action), otherwise any arbitrary user could do so.