December 23, 2007

Instiki and Rails 2.0

I upgraded Instiki to Rails 2.0.2. There are many, many changes to Rails from 1.2.5, which is what Instiki was previously based on. At least for the present, I made the bare minimum of changes required in Instiki. Even so, one gets a whole raft of improvements, “for free.”

Mostly, there were silly little things.

render_text "You c'yan come in.", '403 Forbidden'

for instance, became

render :text => "You c'yan come in.", :status => 403

and

response.headers['Content-Type'] = 'application/xhtml+xml'

became

response.headers['type'] = 'application/xhtml+xml'

More interesting was that sessions are now, by default, stored in a cookie, rather than on the server. There was, apparently, quite some brouhaha surrounding this change. The session is stored in a cookie as a cryptographically-signed (base64-encoded) cleartext. Many of the objections would, presumably, go away if the session were encrypted, rather than simply signed — a relatively trivial change in the code.

Whatever … there’s nothing particularly earthshaking in Instiki’s session data.

But there’s still the matter of generating a secret signing key. That, I provided by the following bit of code in config/environment.rb

# Secret session key
generator = Rails::SecretKeyGenerator.new("Instiki")
config.action_controller.session = { 
  :session_key => "instiki_session",
  :secret => generator.generate_secret
} 

so a new key is generated every time the server starts up.
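
The two properties discussed above (a session that is signed but still readable, and a secret regenerated at each server start), as an added example that is not Instiki's or Rails' own code. It is a simplified model that assumes a JSON payload, HMAC-SHA256 and a `--` separator; the `SignedCookie` module and its method names are hypothetical.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'securerandom'

# Simplified model of a signed (not encrypted) cookie session.
# Assumptions of this example: JSON payload, HMAC-SHA256, "--" separator.
module SignedCookie
  class InvalidSignature < StandardError; end
  def self.digest(secret, data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA256'), secret, data)
  end

  # Compare two strings without stopping at the first differing byte.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end

  # Serialize, base64-encode and sign the session hash.
  def self.pack(session, secret)
    data = Base64.strict_encode64(JSON.generate(session))
    "#{data}--#{digest(secret, data)}"
  end

  # Verify the signature before decoding any of the payload.
  def self.unpack(cookie, secret)
    data, mac = cookie.to_s.split('--', 2)
    unless data && mac && secure_compare(mac, digest(secret, data))
      raise InvalidSignature, 'cookie rejected'
    end
    JSON.parse(Base64.strict_decode64(data))
  end

  # What anyone holding the cookie can read, with no secret at all.
  def self.peek(cookie)
    JSON.parse(Base64.strict_decode64(cookie.split('--', 2).first))
  end
end

# Constructed sample: one secret per server start, as in the snippet above.
first_boot, second_boot = SecureRandom.hex(64), SecureRandom.hex(64)
cookie = SignedCookie.pack({ 'user' => 'alice', 'web' => 'wiki' }, first_boot)
puts SignedCookie.peek(cookie).inspect       # readable without the key
begin
  SignedCookie.unpack(cookie, second_boot)   # same cookie after a restart
rescue SignedCookie::InvalidSignature => e
  puts "after restart: #{e.message}"
end
```

The signature stops a client from altering the session, not from reading it, so nothing confidential belongs in the payload unless it is also encrypted.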

In looking through the list of changes to Rails, I was struck by the new Sanitizer code, something I’d complained about previously. It looked vaguely … familiar. But its successor is still superior.

I also squashed a few bugs.

  1. The first (reported by Diego Restrepo) led to equations not rendering, in certain circumstances, when utf-8 (non-ascii) text was present.
  2. The second had to do with WikiWord processing being mistakenly applied to camel-cased elements, attributes or attribute values (with potentially disastrous, non-well-formed results).
  3. The third (reported by Saji N. Hameed) was in the S5 generation code. Or, more correctly, in the latest version of REXML.

    element.write(out_string,indent,transitive=true,ie_hack)

    generates an error. Instead, you need to

    formatter = REXML::Formatters::Default.new(ie_hack)
    formatter.write(element, out_string)

Anyway, enjoy the new version of Instiki … something shiny and new for the Holidays.

Update (12/28/2007):

Speaking of shiny and new, Ruby 1.9 has just been released. Rails 2.0.2 is not compatible with Ruby 1.9 and, hence, neither is Instiki. When there’s a Ruby 1.9.x-compatible version, I’ll let you know.
Posted by distler at December 23, 2007 9:52 PM

5 Comments & 0 Trackbacks

Re: Instiki and Rails 2.0

With Ruby 1.8.6 on Ubuntu:

LoadError: no such file to load -- rexml/formatters/default

Perhaps some sort of conditional logic based on whether or not this library is available is in order?

Posted by: Sam Ruby on December 28, 2007 1:37 PM

S5 and REXML

Whoops!

Forgot to copy the relevant conditional logic from to_html to to_s5.

Fixed now. Try pulling the latest version.

Posted by: Jacques Distler on December 28, 2007 8:03 PM

Re: Instiki and Rails 2.0

Thanks for the session key solution.

However, I am not sure whether regeneration will not lose user sessions after restarting the app in production. Therefore, I put the code in some rake task in \lib\tasks so I generate it once.

Posted by: ernest on January 7, 2008 2:51 PM

Re: Instiki and Rails 2.0

You’re absolutely right. As distributed in my branch of Instiki, restarting the server will invalidate all the old session cookies. Users will see a message telling them to reload the page.

I’m not sure that this is the desired behaviour (under what conditions should old sessions be invalidated?). If it’s not, one could always generate the secret key once, and place it statically in the config/environment.rb.

Posted by: Jacques Distler on January 7, 2008 10:13 PM

Re: Instiki and Rails 2.0 - generate secret key

I tried your solution to generate a secret key and I get the following error:

uninitialized constant CGI::Session (NameError)

even though I have added:
require 'cgi'
require 'cgi/session'
to my environment.rb

What’s the trick that I am missing?

Thanks…

Posted by: Jon on January 27, 2008 2:32 PM