Never ever manage data by using active record migrations

So you happily using migrations to handle your database and everything goes pretty well. I love them.

New requirement comes to you and you need to add new data set into a new table and you create a new migration to handle it. Flawless.

Later on, this column does not make sense anymore and you, good developer, decide to remove it. Perfect.

However, you managed data using migrations and don’t actually remember. You screwed all your migrations. They don’t run anymore and you didn’t realise because your database was in a further version of this failure point and you haven’t found yourself in need to drop and recreate your development db.

New developer arrives and try rake db:create db:migrate. Fail. More time to spent why migrations is failing.

This was just one case. Many others can happen. Fields changed in your model. New validations were added. You’ve added new field to not have mass assignment. And so many others.

Lessons learned and gold tip: Never ever ever manage data using migrations. Create a script which can do it for you and throw it away after you’ve done the dirty service. You make your life and whoever is coming next easier.


Ruby Conf Australia 2013 in Review - Hacking with gems

This post was originally posted here at the 8th of March, 2013.

Yes! We made it. Ruby Conf Australia 2013 exceeded our expectations. So many great talks, amazing people and superb conversations. We’ve met people from all over the world who share the same thoughts and hold different opinions at the same time. This is what brings us even more inspiration to keep up with what we’ve been doing best: developing.

Rob has talked about BoxenRowan nailed what he learnt with Keith and Mario’s Guide to Fast Websites and Dan shared his overview about his very first RubyConf. So now it is my turn to close Ruby Conf Australia 2013 in Review.

The Keynote speakers in general were fantastic but the one who took more my attention was Benjamin Smith and his talk: “Hacking with Gems”.

I am not the kind of person who freaks out overly about security, even when you can see source code on Github and follow every step to ensure you are using a good thing.

Ben though, showed just how easy it is to write a gem, in order to compromise a box in matter of few lines of code. For example, the source code which you believe to live in the repository doesn’t necessarily mean the gem itself at Rubygems has exactly the same code. You can infact easily push to rubygems, a different version with just a modified Rakefile that will post all interesting dot files that you have crypted to a URL. This means that your secret keys are at risk of being compromised and the malicious gem’s owner is able to use services you own the way he wants.

A good workflow to prevent yourself not to be caught is to download a gem first and verify its code by doing:

gem fetch gem-name
gem unpack gem-name

Rubygems, the main gem’s repository, has gone through an exploit attack based on malicious code that made ruby community stop for a while. Deploys at Heroku went down, Travis CI went down. Not surprisingly, many people got involved to fix it as soon as possible. So it is definitely worthwhile checking what you are really using. At least, you will learn something new.

Here are his slides.

Summing up, great talks and heaps of learnings. Looking forward to next RubyConf Australia 2014.

Last thing, I’ve created a gem recently and would love to get someone helping me to test:

gem install xmastree

I’d really appreciate.


Update #1: After this post, I’ve updated my gem readme on github with more explanation. Check it out: https://github.com/bernardeli/xmastree


Capybara and nested attributes

Rails provides a mechanism to create nested forms easily using accept_nested_attributes_for for models and fields_for on views.

Every time I need to use nested attributes, it comes with a requirement that a user can add/remove as many as he wants.

Despite of working pretty well, it is always a pain to create a integration test using capybara, mainly because the “Add” and “Remove” button is javascript and it generates always a new piece on form using a timestamp.

The problem to fill in these new fields is that you can’t guess the timestamp. I found some interesting solutions with xpath, that is pretty horrible in my opinion and I wanted to try something more beautiful if I could.

Luckily, this is the final solution I could achieve:

Based that all group of fields is involved with a div that contains a class named fields, and imagine we are creating a group that contains people, we could do this:

Final code is very clear, way better than xpath and works exactly as I expected.

Please share with me if you got a better solution for it. I’d love to hear.

Happy coding! :) 


The right tools for the job - efficient web application development

This post was originally posted here at the 7th of December 2012: http://netengine.com.au/blog/efficient_web_application_development/

We’re very glad to admit that here at NetEngine we’ve got clients that allow us to use what we consider the most appropriate tools for their projects.

It’s not big news that for each brand new project we need to follow different requirements. That said, we have found a few common third party tools that we’ve been using heavily across all projects to help us on development, improving, monitoring and communicating with our clients.

  1. Bugsnag

    Despite knowing it is crucial not to have bugs in production, sometimes it happens. We always keep an eye on it and Bugsnag helps us to trace a bug down. It is an excellent tool if you want to be notified straight away and control what is resolved or not.


  2. Papertrail

    In addition to Bugsnag helping to debug whether an exception raises, we also use Papertrail. This is an awesome tool to keep our logs centralized and search for events and errors from a simple interface. Its search is fast and gives you the option of parsing the log based on time. In short – you don’t need to ssh into your server and grep your logs.


  3. Newrelic

    Newrelic defines itself as “a developer’s best friend” and definitily is a must-have. We’ve been constantly chasing out perfomance improvements, removing bottlenecks and monitoring all our clients applications ever since with NewRelic. We wrote a blog post about a huge performance improvement in one of the projects we’ve developed. Check it out here


  4. Sprintly

    We want to show to our clients what we’ve been working on and keep them informed about the progress of a new feature or a bugfix. Sprintly simply works. Its interface has heaps of cool features such as real-time notifications, easy priority changes and full of filters. The highlights ofSprintly goes to GitHub’s integration. We just need to refer the task number in the commit message and it is automatically added as a new comment and linked to a Github commit page. Besides that, it has a simple natural language parsing, which means that if you say as your commit message “Fixes #42”, the item #42 will move into the ‘Done’ column. Our clients are very happy to use it and that’s what we want.


Of course we are not stuck with these amazing tools and we always want to try new ones, but these four above have impressed us and are helping a lot.

We want to hear from you now, what are your favourite tools?


Time.at and @time.to_i

As I’m building a system which has to deal a lot with Time and Date and at a specific case it needs to be passed through an API. Although at my first attempt I used something like time.to_s, I figured out it could screw up the other side by having some space in it.

So instead of time.to_s, I tried time.to_i and when it gets consumed, I’ve changed back to time class using Time.at(lots-of-number-from-time-to_i) and eureka.

Hope to be helpful to you! :-)


Rails Authenticity Token

It’s been a while since I started writing about the Rails authenticity token from the scratch.

I decided to finish it today and I was looking for new references to do a best post, I came along to an excellent post at Stack Overflow and decided to re-blog it with the same words [1].

What happens: When the user views a form to create, update, or destroy a resource, the rails app would create a random authenticity_token, store this token in the session, and place it in a hidden field in the form. When the user submits the form, rails would look for the authenticity_token, compare it to the one stored in the session, and if they match the request is allowed to continue.

Why this happens: Since the authenticity token is stored in the session, the client can not know its value. This prevents people from submitting forms to a rails app without viewing the form within that app itself. Imagine that you are using service A, you logged into the service and everything is ok. Now imagine that you went to use service B, and you saw a picture you like, and pressed on the picture to view a larger size of it. Now, if some evil code was there at service B, it might send a request to service A (which you are logged into), and ask to delete your account, by sending a request tohttp://serviceA.com/close_account. This is what is known as CSRF (Cross Site Request Forgery).

If service A is using authenticity tokens, this attack vector is no longer applicable, since the request from service B would not contain the correct authenticity token, and will not be allowed to continue.

Notes: Keep in mind, rails only checks POST, PUT, and DELETE requests. GET request are not checked for authenticity token. Why? because the HTTP specification states that GET requests should NOT create, alter, or destroy resources at the server, and the request should be idempotent (if you run the same command multiple times, you should get the same result every time).

Lessons: Use authenticity_token to protect your POST, PUT, and DELETE requests. Also make sure not to make any GET requests that could potentially modify resources on the server.

[1] http://stackoverflow.com/questions/941594/understand-rails-authenticity-token


sed to update Factory Girl old syntax to the new one

I just updated Factory Girl to its last version (3.0.0 at the moment I’m writing it down) and I’ve got lots of deprecation messages about its syntax.

As I have 44 files defining different kinds of factories, I would be a pain in the ass to open all and then update to the new syntax. I’m too lazy for that.

I made a sed command and updated all them at once.

I’m using OS X. It needs to backup your files using -i.bkp. In a linux environment you can remove that, I guess.

Hope it may help you out!


contributing to delayed job

delayed job encapsulates the common pattern of asynchronously executing longer tasks in the background.

I’ve had to implement a way to run tasks in different servers, according to their hostname, using a —server parameter.

As I patched delayed job to run like that, I sent a pull request with someone else would like to use.

They asked me if I could change server to queue and do some more workaround to define a resque-style feature called named queues.

Here is the announcement: http://collectiveidea.com/blog/archives/2012/01/04/the-big-three-oh/

Reasons for contributing to open source: 

1. Different people will review your code. Don’t be ashamed to commit mistakes. You can learn from that.

2. Did something different? Someone may need and might be facing the same problem as you.

3. You use. It is free. Give some love back as well.

A great text that is in my bookmarks about this topic: http://shal.in/post/285909694/why-you-should-contribute-to-open-source


using url helpers outside controllers

Today I came across a problem trying to access some routing methods where I couldn’t in a Rails app.

I extracted a class to lib directory to build XMLs according to some parameters and this class has no communication to external world. So, to build paths and urls dynamically where there’s no url helpers, you can either:

1. Use include and access all routing helpers as below:


2. Call the routing helper needed from Rails.application.routes.url_helpers.route_that_i_want_path.

This is a case that you must use it carefully, otherwise, MVC is going through the window.


konami code jquery

few days ago, we developed a great feature for our customers at WebStore that the customer can customize its own template. even though, part of it wasn’t finished and properly tested.

at a first sight, we decided to leave it there and add a ‘beta’ flag, but things could go to a wrong way. so we let it hidden and added something funny: konami code.

it is a very simple jquery lines:

and then you add a listener to element window and pass a function to execute what it should do:

when this hidden feature would be properly tested, there’s no more point to leave a konami code there. if a customer find out, there’s a message to do it on his own risk.

(I’ll try to use gist from now on to write down codes if necessary)