在 Ruby on Rails 中创建对象时,您更喜欢哪种保存方法,为什么?
在 Ruby on Rails 应用程序中为对象编写“create”方法时,我使用了两种方法。 为了使代码更干净、更一致,我想使用一种方法。 我将在下面列出这两种方法。 有谁知道其中一个是否比另一个更好? 如果是这样,为什么?
方法一:
def create1
# is this unsecure? should we grab user_id from the session
params[:venue]['user_id'] = params[:user_id]
begin
venue = Venue.create(params[:venue])
@user_venues = @user.venues
render :partial => 'venue_select_box', :success => true, :status => :ok
rescue ActiveRecord::RecordInvalid
render :text => 'Put errors in here', :success => false, :status => :unprocessable_entity
end
end
方法二:
def create2
# is this unsecure? should we grab user_id from the session
params[:venue]['user_id'] = params[:user_id]
venue = Venue.new(params[:venue])
if venue.save
@user_venues = @user.venues
render :partial => 'venue_select_box', :success => true, :status => :ok
else
render :text => 'Put errors in here', :success => false, :status => :unprocessable_entity
end
end
When writing the "create" method for an object in a Ruby on Rails app, I have used two methods. I would like to use one method for the sake of cleaner and more consistent code. I will list the two methods below. Does anyone know if one is better than the other? If so, why?
Method 1:
def create1
# is this unsecure? should we grab user_id from the session
params[:venue]['user_id'] = params[:user_id]
begin
venue = Venue.create(params[:venue])
@user_venues = @user.venues
render :partial => 'venue_select_box', :success => true, :status => :ok
rescue ActiveRecord::RecordInvalid
render :text => 'Put errors in here', :success => false, :status => :unprocessable_entity
end
end
Method 2:
def create2
# is this unsecure? should we grab user_id from the session
params[:venue]['user_id'] = params[:user_id]
venue = Venue.new(params[:venue])
if venue.save
@user_venues = @user.venues
render :partial => 'venue_select_box', :success => true, :status => :ok
else
render :text => 'Put errors in here', :success => false, :status => :unprocessable_entity
end
end
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
以这种方式使用
@user.venues确保用户 ID 始终被正确设置。 此外,ActiveRecord 将保护:user_id字段在#create!调用过程中不被赋值。 因此,来自外部的攻击将无法修改:user_id。在测试中,您可以验证对 :create 执行 POST 是否会引发 ActiveRecord::RecordInvalid 异常。
Using
@user.venuesin this way ensure that the user ID will always be set appropriately. In addition, ActiveRecord will protect the:user_idfield from assignment during the course of the#create!call. Hence, attacks from the outside will not be able to modify:user_id.In your tests, you may verify that doing a POST to :create raises an ActiveRecord::RecordInvalid exception.
我认为异常不应该用于常规条件,所以我认为第二种更好。
I'm of the school of thought that exceptions shouldn't be used for routine conditions, so I'd say the second is better.
这取决于。 如果您希望所有创建语句都能工作,请使用前者,因为创建和保存失败是例外情况,并且可能是程序无法轻松恢复的情况。 另外,如果您使用关系完整性(RedHill Consulting 的foreign_key_migrations),这将引发外键违规异常,因此您可能希望在创建或更新时捕获它们。
第二个是可行的,如果查询不成功是您期望作为该特定操作的日常操作的一部分的情况,那么这很好。
另外,您的代码注释有关会话不安全——会话是放置 user_id 的地方。 只要您在执行其他操作之前检查并验证用户是否已通过身份验证,就可以了。
It depends. If you expect all of the create statements to work, use the former, because the failure to create-and-save is exceptional, and may possibly be a condition from which the program can't readily recover. Also, if you use relational integrity (foreign_key_migrations by RedHill Consulting), this will throw exceptions on foreign key violations, so you probably want to catch them whenever creating or updating.
The second is workable, and good if the query not succeeding is something you expect as part of the day-to-day operation of that particular action.
Also, your code comment about session being insecure -- the session is the place to put the user_id. As long as you're checking to verify that the user has been authenticated before doing anything else, you'll be okay.
我完全同意唐的评论。 但我什至会更进一步使用 user_id 部分,并将其设置为模型上的前置过滤器。
I totally agree with Don's comment. But I would even go one step further with the user_id part and set it as a before filter on the model.