ACTION METHODS 291

You can pass additional parameters as a hash to these named route. The parameters will be added into the defaults for the particular route. This is illustrated by the following examples.

index_url

#=> http://pragprog.com/blog

date_url(:year => 2005)

#=> http://pragprog.com/blog/2005

date_url(:year => 2003, :month => 2)

#=> http://pragprog.com/blog/2003/2

show_url(:id => 123)

#=> http://pragprog.com/blog/show/123

You can use an xxx_url method wherever Rails expects URL parameters. Thus you could redirect to the index page with the following code.

redirect_to(index_url)

In a view template, you could create a hyperlink to the index using

<%= link_to("Index", index_url) %>

16.4 Action Methods

When a controller object processes a request, it looks for a public instance method with the same name as the incoming action. If it finds one, that method is invoked. If not, but the controller implements method_missing( ), that method is called, passing in the action name as the first parameter and an empty argument list as the second. If no method can be called, the controller looks for a template named after the current controller and action. If found, this template is rendered directly. If none of these things happen, an Unknown Action error is generated.

By default, any public method in a controller may be invoked as an action method. You can prevent particular methods from being accessible as actions by making them protected or private or by using hide_action( ).

class BlogController < ActiveRecord::Base

def create_order

order = Order.new(params[:order]) if check_credit(order)

order.save else

# ...

end end

hide_action :check_credit

def check_credit(order)

# ...

end end

ACTION METHODS 292

If you find yourself using hide_action( ) because you want to share the nonaction methods in one controller with another, consider using helpers (described starting on page 332) instead.

Controller Environment

The controller sets up the environment for actions (and, by extension, for the views that they invoke). The environment is established in instance variables, but you should use the corresponding accessor methods in the controller.

request

The incoming request object. Useful attributes of the request object include:

•domain( ), which returns the last two components of the domain name of the request.

•remote_ip( ), which returns the remote IP address as a string. The string may have more than one address in it if the client is behind a proxy.

•env( ), the environment of the request. You can use this to access values set by the browser, such as

request.env['HTTP_ACCEPT_LANGUAGE']

•method returns the request method, one of :delete, :get, :head,

:post, or :put.

•delete?, get?, head?, post?, and put? return true or false based on the request method.

class BlogController < ApplicationController def add_user

if request.get? @user = User.new

else

@user = User.new(params[:user]) @user.created_from_ip = request.env["REMOTE_HOST"] if @user.save

redirect_to_index("User #{@user.name} created") end

end end

end

See the RDoc for ActionController::AbstractRequest for full details.

params

A hash-like object containing the request parameters (along with pseudoparameters generated during routing). It’s hash-like because

ACTION METHODS 293

you can index entries using either a symbol or a string—params[:id] and params[’id’] return the same value. (Idiomatic Rails applications use the symbol form.)

cookies

The cookies associated with the request. Setting values into this object stores cookies on the browser when the response is sent. We discuss cookies on page 301.

response

The response object, filled in during the handling of the request. Normally, this object is managed for you by Rails. As we’ll see when we look at filters on page 315, we sometimes access the internals for specialized processing.

session

A hash-like object representing the current session data. We describe this on page 302.

headers

A hash of HTTP headers that will be used in the response. By default,

Cache-Control is set to no-cache. You might want to set Content-Type headers for special-purpose applications. Note that you shouldn’t set cookie values in the header directly—use the cookie API to do this.

In addition, a logger is available throughout Action Pack. We describe this on page 186.

Responding to the User

Part of the controller’s job is to respond to the user. There are basically three ways of doing this.

•The most common way is to render a template. In terms of the MVC paradigm, the template is the view, taking information provided by the controller and using it to generate a response to the browser.

•The controller can return a string directly to the browser without invoking a view. This is fairly rare but can be used to send error notifications.

•The controller can send other data to the client (something other than HTML). This is typically a download of some kind (perhaps a PDF document or a file’s contents).

We’ll look at these three in more detail shortly.

ACTION METHODS 294

ACTION METHODS 295

render(:inline =>string, [ :type =>"rhtml"|"rxml"] )

Interprets string as the source to a template of the given type, rendering the results back to the client.

The following code adds method_missing( ) to a controller if the application is running in development mode. If the controller is called with an invalid action, this renders an inline template to display the action’s name and a formatted version of the request parameters.

class SomeController < ApplicationController

if RAILS_ENV == "development" def method_missing(name, *args)

render(:inline => %{

<h2>Unknown action: #{name}</h2>

Here are the request parameters:<br/> <%= debug(params) %> })

end end

end

render(:action =>action_name)

Renders the template for a given action in this controller. Sometimes folks mistakenly use the :action form of render( ) when they should use redirects—see the discussion starting on page 298 for why this is a bad idea.

def display_cart if @cart.empty?

render(:action => :index) else

# ...

end end

render(:file =>path, [ :use_full_path =>true|false] )

Renders the template in the given path (which must include a file extension). By default this should be an absolute path to the template, but if the :use_full_path option is true, the view will prepend the value of the template base path to the path you pass in. The template base path is set in the configuration for your application (described on page 177).

render(:template =>name)

Renders a template and arranges for the resulting text to be sent back to the client. The :template value must contain both the controller and action parts of the new name, separated by a forward slash. The following code will render the template app/views/blog/short_list.

class BlogController < ApplicationController def index

render(:template => "blog/short_list") end

end

ACTION METHODS 296

render(:partial =>name, ...)

Renders a partial template. We talk about partial templates in depth on page 359.

render(:nothing => true)

Returns nothing—sends an empty body to the browser.

render()

With no overriding parameter, the render( ) method renders the default template for the current controller and action. The following code will render the template app/views/blog/index.

class BlogController < ApplicationController def index

render end

end

So will the following (as the default action of a controller is to call render( ) if the action doesn’t).

class BlogController < ApplicationController def index

end end

And so will this (as the controller will call a template directly if no action method is defined).

class BlogController < ApplicationController end

All forms of the render call take optional :status and :layout parameters. The :status parameter is used to set the status header in the HTTP response. It defaults to "200 OK". Do not use render( ) with a 3xx status to do redirects; Rails has a redirect( ) method for this purpose.

The :layout parameter determines whether the result of the rendering will be wrapped by a layout (we first came across layouts on page 70, and we’ll look at them in depth starting on page 356). If the parameter is :false, no layout will be applied. If set to nil or true, a layout will be applied only if there is one associated with the current action. If the :layout parameter has a string as a value, it will be taken as the name of the layout to use when rendering. A layout is never applied when the :nothing option is in effect.

Sometimes it is useful to be able to capture what would otherwise be sent to the browser in a string. The render_to_string( ) takes the same parameters as render( ) but returns the result of rendering as a string—the rendering is not stored in the response object and so will not be sent to the user unless you take some additional steps.

ACTION METHODS 297

Sending Files and Other Data

We’ve looked at rendering templates and sending strings in the controller. The third type of response is to send data (typically, but not necessarily, file contents) to the client.

send_data

Send a string containing binary data to the client.

send_data(data, options...)

Sends a data stream to the client. Typically the browser will use a combination of the content type and the disposition, both set in the options, to determine what to do with this data.

def sales_graph

png_data = Sales.plot_for(Date.today.month)

send_data(png_data, :type => "image/png", :disposition => "inline") end

send_file

Send the contents of a file to the client.

send_file(path, options...)

Sends the given file to the client. The method sets the Content-Length, Content-Type,

Content-Disposition, and Content-Transfer-Encoding headers.

ACTION METHODS 298

You can set additional headers for either send_ method using the headers attribute in the controller.

def send_secret_file send_file("/files/secret_list") headers["Content-Description"] = "Top secret"

end

We show how to upload files starting on page 350.

Redirects

An HTTP redirect is sent from a server to a client in response to a request. In effect it says, “I can’t handle this request, but here’s someone who can.” The redirect response includes a URL that the client should try next along with some status information saying whether this redirection is permanent (status code 301) or temporary (307). Redirects are sometimes used when web pages are reorganized; clients accessing pages in the old locations will get referred to the page’s new home.

Redirects are handled behind the scenes by web browsers. Normally, the only way you’ll know that you’ve been redirected is a slight delay and the fact that the URL of the page you’re viewing will have changed from the one you requested. This last point is important—as far as the browser is concerned, a redirect from a server acts pretty much the same as having an end user enter the new destination URL manually.

Redirects turn out to be important when writing well-behaved web applications.

Let’s look at a simple blogging application that supports comment posting. After a user has posted a comment, our application should redisplay the article, presumably with the new comment at the end. It’s tempting to code this using logic such as the following.

class BlogController def display

@article = Article.find(params[:id]) end

def add_comment

@article = Article.find(params[:id]) comment = Comment.new(params[:comment]) @article.comments << comment

if @article.save

flash[:note] = "Thank you for your valuable comment" else

flash[:note] = "We threw your worthless comment away" end

# DON'T DO THIS render(:action => 'display')

end end

ACTION METHODS 299

The intent here was clearly to display the article after a comment has been posted. To do this, the developer ended the add_comment( ) method with a call to render(:action=>'display'). This renders the display view, showing the updated article to the end user. But think of this from the browser’s point of view. It sends a URL ending in blog/add_comment and gets back an index listing. As far as the browser is concerned, the current URL is still the one that ends blog/add_comment. This means that if the user hits Refresh (perhaps to see if anyone else has posted a comment), the add_comment URL will be resent to the application. The user intended to refresh the display, but the application sees a request to add another comment. In a blog application this kind of unintentional double entry is inconvenient. In an online store it can get expensive.

In these circumstances, the correct way to show the added comment in the index listing is to redirect the browser to the display action. We do this using the Rails redirect_to( ) method. If the user subsequently hits Refresh, it will simply reinvoke the display action and not add another comment.

def add_comment

@article = Article.find(params[:id]) comment = Comment.new(params[:comment]) @article.comments << comment

if @article.save

flash[:note] = "Thank you for your valuable comment" else

flash[:note] = "We threw your worthless comment away" end

redirect_to(:action => 'display') end

Rails has a simple yet powerful redirection mechanism. It can redirect to an action in a given controller (passing parameters), to a URL on the current server, or to an arbitrary URL. Let’s look at these three forms in turn.

redirect_to

Redirecting to an action

redirect_to(options...)

Sends a temporary redirection to the browser based on the values in the options hash. The target URL is generated using url_for( ), so this form of redirect_to( ) has all the smarts of Rails routing code behind it. See Section 16.3, Routing Requests, on page 280 for a description.

ACTION METHODS 300

redirect_to

Redirect to a fixed path in the application.

redirect_to(path)

Redirects to the given path. The path, which should start with a leading /, is relative to the protocol, host, and port of the current request. This method does not perform any rewriting on the URL, so it should not be used to create paths that are intended to link to actions in the application.

def save

order = Order.new(params[:order]) if order.save

redirect_to :action => "display" else

session[:error_count] ||= 0 session[:error_count] += 1 if session[:error_count] < 4

flash[:notice] = "Please try again" else

# Give up -- user is clearly struggling redirect_to("/help/order_entry.html")

end end

end

redirect_to

Redirect to an absolute URL.

redirect_to(url)

Redirects to the given full URL, which must start with a protocol name (such as http://).

def portal_link

link = Links.find(params[:id]) redirect_to(link.url)

end

By default all redirections are flagged as temporary (they will affect only the current request). When redirecting to a URL, it’s possible you might want to make the redirection permanent. In that case, set the status in the response header accordingly.

headers["Status"] = "301 Moved Permanently" redirect_to("http://my.new.home")

Because redirect methods send responses to the browser, the same rules apply as for the rendering methods—you can issue only one per request.

COOKIES AND SESSIONS 301

16.5 Cookies and Sessions

Cookies allow web applications to get hash-like functionality from browser sessions: you can store named strings on the client browser and retrieve the values by name on subsequent requests.

This is significant because HTTP, the protocol used between browsers and web servers, is stateless. Cookies provide a means for overcoming this limitation, allowing web applications to maintain data between requests.

Rails abstracts cookies behind a convenient and simple interface. The controller attribute cookies is a hash-like object that wraps the cookie protocol. When a request is received, the cookies object will be initialized to the cookie names and values sent from the browser to the application. At any time the application can add new key/value pairs to the cookies object. These will be sent to the browser when the request finishes processing. These new values will be available to the application on subsequent requests (subject to various limitations, described below).

Here’s a simple Rails controller that stores a cookie in the user’s browser and redirects to another action. Remember that the redirect involves a round-trip to the browser and that the subsequent call into the application will create a new controller object. The new action recovers the value of the cookie sent up from the browser and displays it.

cookie_value = cookies[:the_time]

render(:text => "The cookie says it is #{cookie_value}") end

end

You must pass a string as the cookie value—no implicit conversion is performed. You’ll probably get an obscure error containing private method ‘gsub’ called... if you pass something else.

Browsers store a small set of options with each cookie: the expiry date and time, the paths that are relevant to the cookie, and the domain to which the cookie will be sent. If you create a cookie by assigning a value to cookies[name], you get a default set of these options: the cookie will apply to the whole site, it will never expire, and it will apply to the domain of the host doing the setting. However, these options can be overridden by passing in a hash of values, rather than a single string. (In this example,

COOKIES AND SESSIONS 302

4This time is absolute and is set when the cookie is created. If your application needs to set a cookie that expires so many minutes after the user last sent a request, you either need to reset the cookie on each request or (better yet) keep the session expiry time in session data in the server and update it there.

COOKIES AND SESSIONS 303

COOKIES AND SESSIONS 304

•You probably don’t want to store volatile objects in session data. For example, you might want to keep a tally of the number of articles in a blog and store that in the session for performance reasons. But, if you do that, the count won’t get updated if some other user adds an article.

It is tempting to store objects representing the current logged-in user in session data. This might not be wise if your application needs to be able to invalidate users. Even if a user is disabled in the database, their session data will still reflect a valid status.

Store volatile data in the database and reference it from the session instead.

•You probably don’t want to store critical information solely in session data. For example, if your application generates an order confirmation number in one request and stores it in session data so that it can be saved to the database when the next request is handled, you risk losing that number if the user deletes the cookie from their browser. Critical information needs to be in the database.

There’s one more caveat, and it’s a big one. If you store an object in session data, then the next time you come back to that browser your application will end up retrieving that object. However, if in the meantime you’ve updated your application, the object in session data may not agree with the definition of that object’s class in your application, and the application will fail while processing the request. There are three options here. One is to store the object in the database using conventional models and keep just the id of the row in the session. Model objects are far more forgiving of schema changes than the Ruby marshaling library. The second option is to manually delete all the session data stored on your server whenever you change the definition of a class stored in that data.

The third option is slightly more complex. If you add a version number to your session keys, and change that number whenever you update the stored data, you’ll only ever load data that corresponds with the current version of the application. You can potentially version the classes whose objects are stored in the session and use the appropriate classes depending on the session keys associated with each request. This last idea can be a lot of work, so you’ll need to decide whether it’s worth the effort.

Because the session store is hash-like, you can save multiple objects in it, each with its own key. In the following code, we store the id of the logged-in user in the session. We use this later in the index action to create

def login

user = User.find_by_name_and_password(params[:user], params[:password])

if user

session[:user_id] = user.id redirect_to :action => "index"

else reset_session

flash[:note] = "Invalid user name/password" end

end

def index

@menu = create_menu_for(session[:user_id]) @menu.highlight(session[:last_selection])

end

def select_item

@item = Item.find(params[:id]) session[:last_selection] = params[:id]

end

def logout reset_session

end end

As is usual with Rails, session defaults are convenient, but we can override them if necessary. In the case of sessions, the options are global, so you’ll typically set them in your environment files (config/environment.rb or one of the files in config/environments).5 Unusually for Rails, there’s no pretty API to set options: you simply set values into the DEFAULT_SESSION_OPTIONS hash directly. For example, if you want to change the cookie name used by your application (which is pretty much mandatory if you plan on running more than one Rails application from the same host), you could add the following to the environment file.

ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS[:session_key] = 'my_app'

The available session options are

:database_manager

Controls how the session data is stored on the server. We’ll have more to say about this shortly.

:session_domain

The domain of the cookie used to store the session id on the browser. Defaults to the application’s host name.

5There’s one exception to this—you can’t set the session expiry time this way.

COOKIES AND SESSIONS 306

:session_id

Overrides the default session id. If not set, new sessions automatically have a 32-character key created for them. This key is used in subsequent requests.

:session_key

The name of the cookie used to store the session id. You’ll want to override this in your application, as shown previously.

:session_path

The request path to which this session applies (it’s actually the path of the cookie). The default is /, so it applies to all applications in this domain.

:session_secure

If true, sessions will be enabled only over https://. The default is false.

:new_session

Directly maps to the underlying cookie’s new_session option. However, this option is unlikely to work the way you need it to under Rails, and we’ll discuss an alternative in Section 16.8, Time-Based Expiry of Cached Pages, on page 323.

:session_expires

The absolute time of the expiry of this session. Like :new_session, this option should probably not be used under Rails.

In addition, you can specify options that depend on the storage type. For example, if you choose to use the PStore database manager for session data, you can control where Rails store the files and the prefix it gives to the individual filenames.

class DaveController < ApplicationController

session_options = ::ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS session_options[:tmpdir] = "/Users/dave/tmp"

session_options[:prefix] = "myapp_session_"

# ...

See the documentation for CGI::Session in the standard Ruby distribution for details of these options.

Session Storage

Rails has a number of options when it comes to storing your session data. Each has good and bad points. We’ll start by listing the options and then compare them at the end.

COOKIES AND SESSIONS 307

The session storage mechanism is set using the :database_manager parameter in the DEFAULT_SESSION_OPTIONS hash. The alternatives are

:database_manager => CGI::Session::PStore

This is the default session storage mechanism used by Rails. Data for each session is stored in a flat file in PStore format. This format keeps objects in their marshaled form, which allows any serializable data to be stored in sessions. This mechanism supports the additional configuration options :prefix and :tmpdir.

:database_manager => CGI::Session::ActiveRecordStore

You can store your session data in your application’s database using ActiveRecordStore. Create a table called sessions with the following DDL (this is the MySQL version—you may have to adjust slightly for your database engine). This store uses YAML to serialize its objects.

updated_at datetime default NULL, primary key(id),

index session_index (sessid)

);

The sessid column holds the session ids—the DDL above makes it long enough to hold the default 32 characters. It’s a good idea to index this column, as it is used to look up session data.

If you add columns named created_at or updated_at, Active Record will automatically timestamp the rows in the session table—we’ll see later why this is a good idea.

:database_manager => CGI::Session::DrbStore

DRb is a protocol that allows Ruby processes to share objects over a network connection. Using the DrbStore database manager, Rails stores session data on a DRb server (which you manage outside the web application). Multiple instances of your application, potentially running on distributed servers, can access the same DRb store. A simple DRb server that works with Rails is included in the Rails source.6 DRb uses Marshal to serialize objects.

:database_manager => CGI::Session::MemCacheStore

memcached is a freely available, distributed object caching system

6If you install from Gems, you’ll find it in {RUBYBASE}/lib/ruby/gems/1.8/gems/actionpack-

x.y/lib/action_controller/session/drb_server.rb.

COOKIES AND SESSIONS 308

from Danga Interactive.7 The Rails MemCacheStore uses Michael Granger’s Ruby interface8 to memcached to store sessions. memcached is more complex to use than the other alternatives and is probably interesting only if you are already using it for other reasons at your site.

:database_manager => CGI::Session::MemoryStore

This option stores the session data locally in the application’s memory. As no serialization is involved, any object can be stored in an in-memory session. As we’ll see in a minute, this generally is not a good idea for Rails applications.

:database_manager => CGI::Session::FileStore

Session data is stored in flat files. It’s pretty much useless for Rails applications, as the contents must be strings. This mechanism supports the additional configuration options :prefix, :suffix, and :tmpdir.

If your application has no need for sessions (and doesn’t use the flash, which is stored in session data), you can disable Rails session processing by setting

::ActionController::CgiRequest::DEFAULT_SESSION_OPTIONS = false

Comparing Session Storage Options

With all these session options to choose from, which should you use in your application? As always, the answer is “It depends.”

If we rule out memory store as being too simplistic, file store as too restrictive, and memcached as overkill, the choice boils down to PStore, Active Record store, and DRb-based storage. We can compare performance and functionality across these options.

Scott Barron has performed a fascinating analysis of the performance of these storage options.9 His findings are somewhat surprising. For low numbers of sessions, PStore and DRb are roughly equal. As the number of sessions rises, PStore performance starts to drop. This is probably because the host operating system struggles to maintain a directory that contains tens of thousands of session data files. DRb performance stays relatively flat. Performance using Active Record as the backing storage is lower but stays flat as the number of sessions rises.

7http://www.danga.com/memcached

8Available from http://www.deveiate.org/code/Ruby-MemCache.html.

9Mirrored at http://media.pragprog.com/ror/sessions.

COOKIES AND SESSIONS 309

What does this mean for you? Reviewer Bill Katz summed it up in the following paragraph.

If you expect to be a large web site, the big issue is scalability, and you can address it either by “scaling up” (enhancing your existing servers with additional CPUs, memory, etc.) or “scaling out” (adding new servers). The current philosophy, popularized by companies such as Google, is scaling out by adding cheap, commodity servers. Ideally, each of these servers should be able to handle any incoming request. Because the requests in a single session might be handled on multiple servers, we need our session storage to be accessible across the whole server farm. The session storage option you choose should reflect your plans for optimizing the whole system of servers. Given the wealth of possibilities in hardware and software, you could optimize along any number of axes that impacts your session storage choice. For example, you could use the new MySQL cluster database with extremely fast in-memory transactions; this would work quite nicely with an Active Record approach. You could also have a high-performance storage area network that might work well with PStore. memcached approaches are used behind high-traffic web sites such as LiveJournal, Slashdot, and Wikipedia. Optimization works best when you analyze the specific application you’re trying to scale and run benchmarks to tune your approach. In short, “It depends.”

There are few absolutes when it comes to performance, and everyone’s context is different. You hardware, network latencies, database choices, and possibly even the weather will impact how all the components of session storage interact. Our best advice is to start with the simplest workable solution and then monitor it. If it starts to slow you down, find out why before jumping out of the frying pan.

If your application runs on a single server, your simplest choice for session storage is PStore. It has good performance for reasonable numbers of active sessions and requires little configuration.

If your application has more than 10,000 concurrent sessions, or if it runs on multiple servers, we recommend you start with an Active Record solution. If, as your application grows, you find this becoming a bottleneck, you can migrate to a DRb-based solution.

COOKIES AND SESSIONS 310

Session Expiry and Cleanup

One problem with all the solutions is that session data is stored on the server. Each new session adds something to the session store. You’ll eventually need to do some housekeeping, or you’ll run out of server resources.

There’s another reason to tidy up sessions. Many applications don’t want a session to last forever. Once a user has logged in from a particular browser, the application might want to enforce a rule that the user stays logged in only as long as they are active; when they log out, or some fixed time after they last use the application, their session should be terminated.

You can sometimes achieve this effect by expiring the cookie holding the session id. However, this is open to end-user abuse. Worse, it is hard to synchronize the expiry of a cookie on the browser with the tidying up of the session data on the server.

We therefore suggest that you expire sessions by simply removing their server-side session data. Should a browser request subsequently arrive containing a session id for data that has been deleted, the application will receive no session data; the session will effectively not be there.

Implementing this expiration depends on the storage mechanism being used.

For PStore-based sessions, the easiest approach is periodically to run a sweeper task (for example using cron(1) under Unix-like systems). This task should inspect the last modification times of the files in the session data directory, deleting those older than a given time.

For Active Record–based session storage, we suggest defining created_at and/or updated_at columns in the sessions table. You can delete all sessions that have not been modified in the last hour (ignoring daylight savings time changes) by having your sweeper task issue SQL such as

delete from sessions

where now() - updated_at > 3600;

For DRb-based solutions, expiry takes place within the DRb server process. You’ll probably want to record timestamps alongside the entries in the session data hash. You can run a separate thread (or even a separate process) that periodically deletes the entries in this hash.

In all cases, your application can help this process by calling reset_session( ) to delete sessions when they are no longer needed (for example, when a user logs out).

FLASH—COMMUNICATING BETWEEN ACTIONS 311

16.6 Flash—Communicating between Actions

When we use redirect_to( ) to transfer control to another action, the browser generates a separate request to invoke that action. That request will be handled by our application in a fresh instance of a controller object— instance variables that were set in the original action are not available to the code handling the redirected action. But sometimes we need to communicate between these two instances. We can do this using a facility called the flash.

The flash is a temporary scratchpad for values. It is organized like a hash and stored in the session data, so you can store values associated with keys and later retrieve them. It has one special property. By default, values stored into the flash during the processing of a request will be available during the processing of the immediately following request. Once that second request has been processed, those values are removed from the flash.10

Probably the most common use of the flash is to pass error and informational strings from one action to the next. The intent here is that the first action notices some condition, creates a message describing that condition, and redirects to a separate action. By storing the message in the flash, the second action is able to access the message text and use it in a view.

class BlogController def display

@article = Article.find(params[:id]) end

def add_comment

@article = Article.find(params[:id]) comment = Comment.new(params[:comment]) @article.comments << comment

if @article.save

flash[:note] = "Thank you for your valuable comment" else

flash[:note] = "We threw your worthless comment away" end

redirect_to :action => 'display' end

In this example, the add_comment( ) method stores one of two different messages in the flash using the key :note. It redirects to the display( ) action.

10If you read the RDoc for the flash functionality, you’ll see that it talks about values being made available just to the next action. This isn’t strictly accurate: the flash is cleared out at the end of handling the next request, not on an action-by-action basis.

FLASH—COMMUNICATING BETWEEN ACTIONS 312

The display( ) action doesn’t seem to make use of this information. To see what’s going on, we’ll have to dig deeper and look at the view code in display.rhtml in the directory app/views/blog.

<html> <head>

<title>My Blog</title>

<%= stylesheet_link_tag("blog") %>

</head> <body>

<div id="main">

<% if @flash[:note] -%>

<div id="notice"><%= @flash[:note] %></div> <% end -%>

:: :

:: :

</div> </body>

</html>

The flash is accessible in the layout code as well as the controller. In this example, our layout generated the appropriate <div> if the flash contained a :note key.

It is sometimes convenient to use the flash as a way of passing messages into a template in the current action. For example, our display( ) method might want to output a cheery banner if there isn’t another, more pressing note. It doesn’t need that message to be passed to the next action—it’s for use in the current request only. To do this, it could use flash.now, which updates the flash but does not add to the session data.

class BlogController def display

unless flash[:note]

flash.now[:note] = "Welcome to my blog" end

@article = Article.find(params[:id]) end

end

While flash.now creates a transient flash entry, flash.keep does the opposite, making entries that are currently in the flash stick around for another request cycle.

class SillyController def one

flash[:note] = "Hello" flash[:error] = "Boom!" redirect_to :action => "two"

end

def two flash.keep(:note)

flash[:warning] = "Mewl" redirect_to :action => "three"

end

FILTERS AND VERIFICATION 313

#flash[:warning] => "Mewl"

#and flash[:error] is unset render

end end

If you pass no parameters to flash.keep, all the flash contents are preserved.

Flashes can store more than just text messages—you can use them to pass all kinds of information between actions. Obviously for longer-term information you’d want to use the session (probably in conjunction with your database) to store the data, but the flash is great if you want to pass parameters from one request to the next.

Because the flash data is stored in the session, all the usual rules apply. In particular, every object must be serializable, and if you store models, you need a model declaration in your controller.

16.7 Filters and Verification

Filters enable you to write code in your controllers that wrap the processing performed by actions—you can write a chunk of code once and have it be called before or after any number of actions in your controller (or your controller’s subclasses). This turns out to be a powerful facility. Using filters, we can implement authentication schemes, logging, response compression, and even response customization.

Rails supports three types of filter: before, after, and around. Filters are called just prior to and/or just after the execution of actions. Depending on how you define them, they either run as methods inside the controller or are passed the controller object when they are run. Either way, they get access to details of the request and response objects, along with the other controller attributes.

Before and After Filters

As their names suggest, before and after filters are invoked before or after an action. Rails maintains two chains of filters for each controller. When a controller is about to run an action, it executes all the filters on the before chain. It executes the action before running the filters on the after chain.

Filters can be passive, monitoring activity performed by a controller. They can also take a more active part in request handling. If a before filter

before_filter :authorize

# ...

This is an example of having a method act as a filter; we passed the name of the method as a symbol to before_filter. The filter declarations also accept blocks and the names of classes. If a block is specified, it will be called with the current controller as a parameter. If a class is given, its filter( ) class method will be called with the controller as a parameter.

class AuditFilter

def self.filter(controller)

AuditLog.create(:action => controller.action_name) end

end

# ...

class SomeController < ApplicationController

before_filter do |controller| logger.info("Processing #{controller.action_name}")

end

after_filter AuditFilter

# ...

end

By default, filters apply to all actions in a controller (and any subclasses of that controller). You can modify this with the :only option, which takes one or more actions to be filtered, and the :except option, which lists actions to be excluded from filtering.

class BlogController < ApplicationController

before_filter :authorize, :only => [ :delete, :edit_comment ] after_filter :log_access, :except => :rss

# ...

FILTERS AND VERIFICATION 315

The before_filter and after_filter declarations append to the controller’s filter chains. Use the variants prepend_before_filter( ) and prepend_after_filter( ) to put filters at the front of the chain.

After Filters and Response Munging

After filters can be used to modify the outbound response, changing the headers and content if required. Some applications use this technique to perform global replacements in the content generated by the controller’s templates (for example, substituting a customer’s name for the string <customer/> in the response body). Another use might be compressing the response if the user’s browser supports it.

The code below is an example of how this might work.11 The controller declares the compress( ) method as an after filter. The method looks at the request header to see if the browser accepts compressed responses. If so, it uses the Zlib library to compress the response body into a string.12 If the result is shorter than the original body, it substitutes in the compressed version and updates the response’s encoding type.

after_filter :compress

def index

render(:text => "<pre>" + File.read("/etc/motd") + "</pre>") end

protected

def compress

accepts = request.env['HTTP_ACCEPT_ENCODING'] return unless accepts && accepts =~ /(x-gzip|gzip)/ encoding = $1

output = StringIO.new

def output.close # Zlib does a close. Bad Zlib...

rewind end

gz = Zlib::GzipWriter.new(output) gz.write(response.body)

gz.close

if output.length < response.body.length response.body = output.string response.headers['Content-encoding'] = encoding

end end

end

11This code is not a complete implementation of compression. In particular, it won’t compress streamed data downloaded to the client using send_file( ).

12Note that the Zlib Ruby extension might not be available on your platform—it relies on

the presence of the underlying libzlib.a library.

FILTERS AND VERIFICATION 316

Around Filters

Around filters are objects that wrap the execution of actions. The objects must implement the methods before( ) and after( ), which are called before and after the filtered action executes. Around filter objects maintain their state between the before( ) and after( ) calls. The following example illustrates this by timing actions in the blog controller.

class TimingFilter

def before(controller) @started = Time.now

end

def after(controller)

elapsed = Time.now - @started action = controller.action_name

controller.logger.info("#{action} took #{elapsed} seconds") end

end

# ...

class BlogController < ApplicationController

around_filter TimingFilter.new

# ...

Unlike before and after filters, around filters do not take :only or :except parameters.

Around filters are added to the filter chain differently. The before( ) method of the around object is appended to the chain, while the after( ) method is prepended to the after chain. This means that around objects will correctly nest. If you write

around_filter A.new, B.new

the sequence of filter calls will be

A#before()

B#before

action...

B#after

A#after

Filter inheritance

If you subclass a controller containing filters, the filters will be run on the child objects as well as in the parent. However, filters defined in the children will not run in the parent.

Verification

A common use of before filters is verifying that certain conditions are met before an action is attempted. The Rails verify mechanism is an abstrac-

FILTERS AND VERIFICATION 317

tion that might help you express these preconditions more concisely than you could in explicit filter code.

For example, we might require that the session contains a valid user before our blog allows comments to be posted. We could express this using a verification such as

class BlogController < ApplicationController

verify :only => :post_comment, :session => :user_id,

:add_flash => { :note => "You must log in to comment"}, :redirect_to => :index

# ...

This declaration applies the verification to the post_comment action. If the session does not contain the key :user_id, a note is added to the flash and the request is redirected to the index action.

The parameters to verify can be split into three categories.

Applicability

These options select which actions have the verification applied.

:only =>:name or [ :name, ... ]

Verify only the listed action or actions.

:except =>:name or [ :name, ... ]

Verify all actions except those listed.

Tests

These options describe the tests to be performed on the request. If more than one of these is given, all must be true for the verification to succeed.

:flash =>:key or [ :key, ... ]

The flash must include the given key or keys.

:method =>:symbol or [ :symbol, ... ]

The request method (:get, :post, :head, or :delete) must match one of the given symbols.

:params =>:key or [ :key, ... ]

The request parameters must include the given key or keys.

:session =>:key or [ :key, ... ]

The session must include the given key or keys.