Databound – exposes Ruby on Rails database to the JavaScript side (databound.me) 2 points by Nedomas 11y ago ↗ HN
[–] jameskilton 11y ago ↗ Mind if I ask why this exists?The operations side of me sees nothing but a massive security hole.The developer in me sees anything built with this to be a maintenance nightmare, even more so than many Rails apps tend to be.What benefit does this library provide? [–] Nedomas 11y ago ↗ Thanks for asking, James.Many Rails apps get/create/update database data on the Javascript side. Sometimes it is done using some kind of framework (Ember, Angular).This is for the times you don't use a full fledged framework - think React or something similar.Its benefit is that you don't have to set up routes, parsing/encoding for the data you send.It lets you securely choose which parts of the model you want the Javascript to edit (permitted_columns).It also works with Active Model Serializers (f.e. UserSerializer) - it lets you specify which attributes to send to the client.It is as secure as you would do it yourself.If possible, please hack the databound.me website and help me fix the holes if there are any.Thanks! [–] jameskilton 11y ago ↗ This isn't about "hacking" the website, it's about protecting the users of your library (including yourself). I'll open an Issue with more details. [–] Nedomas 11y ago ↗ Thanks.For other readers: the issue is being adressed at https://github.com/Nedomas/databound/issues/2 [–] Nedomas 11y ago ↗ Fixed with 1.1.0 release.https://github.com/Nedomas/databound-rails/commit/04e28afaf0...
[–] Nedomas 11y ago ↗ Thanks for asking, James.Many Rails apps get/create/update database data on the Javascript side. Sometimes it is done using some kind of framework (Ember, Angular).This is for the times you don't use a full fledged framework - think React or something similar.Its benefit is that you don't have to set up routes, parsing/encoding for the data you send.It lets you securely choose which parts of the model you want the Javascript to edit (permitted_columns).It also works with Active Model Serializers (f.e. UserSerializer) - it lets you specify which attributes to send to the client.It is as secure as you would do it yourself.If possible, please hack the databound.me website and help me fix the holes if there are any.Thanks! [–] jameskilton 11y ago ↗ This isn't about "hacking" the website, it's about protecting the users of your library (including yourself). I'll open an Issue with more details. [–] Nedomas 11y ago ↗ Thanks.For other readers: the issue is being adressed at https://github.com/Nedomas/databound/issues/2 [–] Nedomas 11y ago ↗ Fixed with 1.1.0 release.https://github.com/Nedomas/databound-rails/commit/04e28afaf0...
[–] jameskilton 11y ago ↗ This isn't about "hacking" the website, it's about protecting the users of your library (including yourself). I'll open an Issue with more details. [–] Nedomas 11y ago ↗ Thanks.For other readers: the issue is being adressed at https://github.com/Nedomas/databound/issues/2 [–] Nedomas 11y ago ↗ Fixed with 1.1.0 release.https://github.com/Nedomas/databound-rails/commit/04e28afaf0...
[–] Nedomas 11y ago ↗ Thanks.For other readers: the issue is being adressed at https://github.com/Nedomas/databound/issues/2 [–] Nedomas 11y ago ↗ Fixed with 1.1.0 release.https://github.com/Nedomas/databound-rails/commit/04e28afaf0...
[–] Nedomas 11y ago ↗ Fixed with 1.1.0 release.https://github.com/Nedomas/databound-rails/commit/04e28afaf0...
5 comments
[ 2.3 ms ] story [ 21.4 ms ] threadThe operations side of me sees nothing but a massive security hole.
The developer in me sees anything built with this to be a maintenance nightmare, even more so than many Rails apps tend to be.
What benefit does this library provide?
Many Rails apps get/create/update database data on the Javascript side. Sometimes it is done using some kind of framework (Ember, Angular).
This is for the times you don't use a full fledged framework - think React or something similar.
Its benefit is that you don't have to set up routes, parsing/encoding for the data you send.
It lets you securely choose which parts of the model you want the Javascript to edit (permitted_columns).
It also works with Active Model Serializers (f.e. UserSerializer) - it lets you specify which attributes to send to the client.
It is as secure as you would do it yourself.
If possible, please hack the databound.me website and help me fix the holes if there are any.
Thanks!
For other readers: the issue is being adressed at https://github.com/Nedomas/databound/issues/2
https://github.com/Nedomas/databound-rails/commit/04e28afaf0...