## December 23, 2007

### Instiki and Rails 2.0

I upgraded Instiki to Rails 2.0.2. There are many, many changes to Rails, from 1.2.5, which is what Instiki, previously, was based on. At least, for the present, I made the bare minimum of changes in Instiki, required. Even so, one gets a whole raft of improvements, “for free.”

Mostly, there were silly little things.

```ruby
render_text "You c'yan come in.", '403 Forbidden'
```

for instance, became

```ruby
render :text => "You c'yan come in.", :status => 403
```

and

```ruby
response.headers['Content-Type'] = 'application/xhtml+xml'
```

became

```ruby
response.headers['type'] = 'application/xhtml+xml'
```

More interesting was that sessions are now, by default, stored in a cookie, rather than on the server. There was, apparently, quite some brouhaha surrounding this change. The session is stored in a cookie as a cryptographically-signed (base64-encoded) cleartext. Many of the objections would, presumably, go away if the session were encrypted, rather than simply signed — a relatively trivial change in the code.

Whatever … there’s nothing particularly earthshaking in Instiki’s session data.

But there’s still the matter of generating a secret signing key. That, I provided by the following bit of code in config/environment.rb

```ruby
# Secret session key
generator = Rails::SecretKeyGenerator.new("Instiki")
config.action_controller.session = {
  :session_key => "instiki_session",
  :secret => generator.generate_secret
}
```

so a new key is generated every time the server starts up.

In looking through the list of changes to Rails, I was struck by the new Sanitizer code, something I’d complained about previously. It looked vaguely … familiar. But its successor is still superior.

I also squashed a few bugs.

1. The first (reported by Diego Restrepo) led to equations not rendering, in certain circumstances, when utf-8 (non-ascii) text was present.
2. The second had to do with WikiWord processing being mistakenly applied to camel-cased elements, attributes or attribute values (with potentially disastrous, non-well-formed results).
3. The third (reported by Saji N. Hameed) was in the S5 generation code. Or, more correctly, in the latest version of REXML.

```ruby
element.write(out_string,indent,transitive=true,ie_hack)
```

generates an error. Instead, you need to

```ruby
formatter = REXML::Formatters::Default.new(ie_hack)
formatter.write(element, out_string)
```

Anyway, enjoy the new version of Instiki … something shiny and new for the Holidays.

#### Update (12/28/2007):

Speaking of shiny and new, Ruby 1.9 has just been released. Rails 2.0.2 is not compatible with Ruby 1.9 and, hence, neither is Instiki. When there’s a Ruby 1.9.x-compatible version, I’ll let you know.

Posted by distler at December 23, 2007 9:52 PM

### Re: Instiki and Rails 2.0

With Ruby 1.8.6 on Ubuntu:

```
LoadError: no such file to load -- rexml/formatters/default
```

Perhaps some sort of conditional logic based on whether or not this library is available is in order?

Posted by: Sam Ruby on December 28, 2007 1:37 PM

### S5 and REXML

Whoops!

Forgot to copy the relevant conditional logic from to_html to to_s5.

Posted by: Jacques Distler on December 28, 2007 8:03 PM

### Re: Instiki and Rails 2.0

Thanks for the session key solution.

However, I am not sure whether regeneration will not lose user sessions after restarting the app in production. Therefore, I put the code in some rake task in \lib\tasks so I generate it once.

Posted by: ernest on January 7, 2008 2:51 PM

### Re: Instiki and Rails 2.0

You’re absolutely right. As distributed in my branch of Instiki, restarting the server will invalidate all the old session cookies. Users will see a message telling them to reload the page.

I’m not sure that this is the desired behaviour (under what conditions should old sessions be invalidated?). If it’s not, one could always generate the secret key once, and place it statically in the config/environment.rb.

Posted by: Jacques Distler on January 7, 2008 10:13 PM
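
An added illustration (not code from Instiki, Rails, or any commenter here) of the two points raised in the post and in the exchange above: a signed cookie's contents are readable by whoever holds it, and a secret regenerated at startup rejects every cookie issued before the restart. The class name, the JSON payload, HMAC-SHA256 and the `--` separator are assumptions of this example.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Simplified model of a signed, unencrypted cookie session (not Rails' code).
# Assumed for illustration: JSON payload, HMAC-SHA256, "--" separator.
class SignedCookie
  class Invalid < StandardError; end

  def initialize(secret)
    @secret = secret
  end

  # Base64 the serialized session, then append an HMAC over that text.
  def dump(session)
    data = [JSON.generate(session)].pack('m0') # 'm0' = strict Base64
    "#{data}--#{digest(data)}"
  end

  # Check the HMAC before decoding anything the client sent back.
  def load(cookie)
    data, mac = cookie.to_s.split('--', 2)
    raise Invalid, 'malformed cookie' if data.nil? || mac.nil?
    raise Invalid, 'bad signature' unless same?(mac, digest(data))
    JSON.parse(data.unpack1('m0'))
  end

  # What anyone holding the cookie can read without knowing the secret.
  def self.peek(cookie)
    JSON.parse(cookie.split('--', 2).first.unpack1('m0'))
  end

  private

  def digest(data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), @secret, data)
  end

  # Constant-time comparison: no early exit on the first differing byte.
  def same?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  first_boot = SignedCookie.new(SecureRandom.hex(32)) # per-startup secret
  cookie = first_boot.dump('user' => 'constructed-sample')
  puts SignedCookie.peek(cookie).inspect # contents visible without the secret
end
```

A second `SignedCookie` built with a different secret raises `SignedCookie::Invalid` on a cookie issued by the first, while one built with the same static secret accepts it.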

### Re: Instiki and Rails 2.0 - generate secret key

I tried your solution to generate a secret key and I get the following error:

```
uninitialized constant CGI::Session (NameError)
```