-
A Rails Security Flaw – Destroying The Audit Trail
Recently Rails 2.3 was released, with a number of new features.
One of these was the ability to set the created_at/updated_at time-stamped columns manually. Now, why anybody would want to do this currently escapes me – but that aside, those columns are now attr_accessible.
This means that anybody can set them by manually editing the forms on your site, so you can’t trust them to be correct. Your audit trail is no longer valid.
Now, you may argue that it’s a simple matter of setting those columns to attr_protected in the models. However, how many people do you think will remember to do that? Especially when you’re upgrading pre 2.3 apps.
I’ve talked to the Rails core about this issue, but they’re reluctant to make created_at/updated_at attr_protected by default due to api compatibility problems.
In any case, you can fix it yourself by putting the following script in config/initializers:
-
TweetMod – Moderated Twitter Stream
You probably saw the Skittles debacle a while back. They basically turned their entire home page into a Twitter search for the word ’skittles’.
What was quite an innovative idea opened Skittles up to quite some exploitation, people posted literally anything to get on their homepage, regardless of how gratuitous.
Kudos to Skittles for sticking with it – but although many brands want to utilize UGC, they can’t take that sort of risk risk.That’s why we’ve made TweetMod – an extension to Socialmod (discussed previously).
You just need to specify a few Twitter search queries that you want to track and, instead of pulling the feed from Twitter, pull a moderated feed from us.
We’ve also emulated the Twitter API to some extent – so you can use the existing libraries out there for Twitter – just change the endpoint.
If you’re interested in participating in the beta, let us know. We’ll be launching shortly.
-
SocialMod – Moderation Service
Whether you’re building a new website, or want to manage your community more effectively – moderation is a common requirement.
Unfortunately computers haven’t got to the stage where they can recognize libelous/offensive images – so UGC often has to get passed in front of a human moderator to get an accurate verdict.People often build moderation systems from scratch – even though it’s quite a generic problem. Today we’re officially announcing SocialMod – a comprehensive hosted moderation system that prevents you from reinventing the wheel.
The idea is simple; you send any images/videos and text to SocialMod using the API. Once they’ve been moderated, you get a verdict back.
For example, a user uploads an image to your website. Your site then automatically submits it to SocialMod and, once the image has been moderated, you can then display it publicly (if it passed moderation).
Or, if your traffic is even higher, you could just submit an item to SocialMod when it gets ‘flagged’ by your community. Have a look at my previous post on moderation types for more information.So who actually does the moderation? Well, there are three choices:
- You or your team. You can add extra users to your account and they can perform the moderation.
- Your community. SocialMod can be embedded into your site and you can give trusted members of your community access.
- Us. If you choose one of the automated plans, we’ll do all the moderation.
There’s much more to SocialMod, such as spam & profanity filters, referral, audit trails, reports and Twitter integration. We’ll be blogging about some of these in the near future.
If you’re interested in participating in the beta, let us know. We’ll be launching shortly.
-
How to disable IE6 in your Rails applications
Well, the uprising against IE 6 has begun, and not a moment too soon – IE 6 will be seven years old on August 27th. In fact, there’s even a service to say goodbye to the old dinosaur.
You can do your bit for the Internet by showing a warning to IE 6 users in your Rails applications, or disabling it completely for those users, encouraging them to upgrade their browsers (or nag the relevant Sys Admin).
Firstly you need to install the UserAgent plugin by Josh Peek:
script/plugin install git://github.com/josh/useragent.gitYou then need to copy this script to your lib directory.
If you want to just show a warning to people using unsupported browsers, you’ve got a valid_browser? helper method:
<%- unless valid_browser? -%> ... <%- end -%>Or you can disable access completely:
before_filter :restrict_browser
def restrict_browser
unless valid_browser?
render :action => '/path_to_template'
return false
end
end
-
Moderation types
Whenever companies want to publish user generated content (UGC) they need to look into moderation, which usually consists of the following three types:
Pre-moderation:
Some sites operate on the principle that every piece of UGC should be moderated before it’s displayed on the website. This is the approach Amazon takes for their reviews, for example, and what the BBC use for their message boards for children. It’s usually used for content that isn’t specifically community based, or content that’s potentially dangerous (from a legal perspective). Some message-boards, particular those that concern themselves with topical issues or celebrities, are prone to libel and can be a source of legal anxiety for the organisation that hosts them. Pre-moderation is probably a good idea in those cases. The drawback is the lack of instant gratification to the user (when they don’t see their content displayed immediately) and the negative impact that can have on your comunity.
Post-moderation:
One of the drawbacks of pre-moderation is that it can cut down on the conversations within online communities, especially if the content takes some time to moderate. One solution to this is moderate everything after it has gone ‘live’ – which means you can still have effective community conversations while keeping objectionable content at bay.
There is a legal issue in this method though, as the operator of the site assumes responsibility for any content that appears, even if that content is subsequently removed by moderation. It’s worth noting too that the less time that offending content appears online, the fewer people will see it – and that could impact on liability or reduce an award of damages.Reactive-moderation:
This type of moderation is fairly passive, and relies on the users to flag objectionable content – for you to then review and, if appropriate, remove. The advantages of this approach is that it scales with your community and it’s easier to avoid liability for anything that is defamatory, infringing or otherwise unlawful as long as you provides a process for removing offending content expeditiously upon being made aware of it (generally considered to be 48 hours). The downside of this approach is that abusive content can appear in front of your users, and you’re relying on your community to tell you about it. This might not be acceptable to all organizations, particularly the highly brand conscious.
A recent court case in Italy may have grave consequences for reactive-moderation and the idea it’s a legal safe harbor. If the case is not defeated – the implications could be huge.
SocialMod:
We’ve been developing a moderation platform called SocialMod, which is in a private beta at the moment. We’ll be blogging about this subject more in the future.
Based on Everything in Moderation’s “Four Types of Moderation“.Links:
-
Saasy – SaaS for Rails
I’ve been working on an open source SaaS solution for Rails over Christmas called Saasy (pronouced “sarrsy” – using a posh voice).
Saasy provides:
- Subscription management
- Recurring billing
- Credit card management
- User authentication and SSO
- Mailers for invoices etc
-
Saucy – use any font on your website
Fonts can be a developer’s nightmare if they’re not one of the ones installed on the user’s machine. There are alternatives such as sIFR and typeface.js but they’re quite resource intensive – we had to remove sIFR for that reason.
What some people end up doing is using images, cutting them up manually; quite a time intensive way of doing things. Saucy is Rails plugin developed by Jonah Fox to generate the text server side, using RMagick, so you can use any font you want.
<%= saucy_tag "h2 tag", :style => { :font => { :size => 100, :font => "bauhausl.ttf" } }, :tag => :h2, :html => {:id => "myid"} %>
I’ve recently been extending Saucy to support Sprites, so you can do rollover images easily. It’s as simple as this:
<%= saucy_tag("I am a red/blue sprite", :style => {:font => {:color => 'red'}}, :hover => {:font => {:color => 'blue'}} ) %>You can get Saucy here until Jonah merges the changes.
Next up is rounded corners (don’t even mention drop shadows) ;)
-
Ruby Manor
On Saturday I did a presentation at Ruby Manor on using recommendation systems in production featuring our plugin, acts as recommendable (AAR).
This was, without a doubt, the best conference I’ve been too – and the icing on the cake was the leftover £500 behind a students bar afterwards – ginger beers for everyone!
Graham Ashton has done a write up of all the talks and Chris Lowis has converted AAR to use the GNU scientific lib.
I was going to use Slideshare, but they seem to have broken it, so you can download a pdf of the presentation here (video will be up soon). The slides don’t make much sense by themselves though.
-
Metrotwin Recommends
We’ve been using our new Acts As Recommendable plugin on metrotwin.com and it’s been interesting to see how it’s performing in a real-world situation.
Bookmarks (places) are integral to Metrotwin, and a user can associate themselves with a bookmark by ‘Loving it’, saving it to their profile, or by stating they’ve been there.
So there was potentially a lot of information that could be collected about users preferences from their association with bookmarks. And that information could then be used to improve the overall experience, such as recommending bookmarks to people, and showing similar bookmarks – a great example of a practical application to Collective Intelligence.
-
Rails Conf Europe 08
Stuart and I were presenting at Rails Conf Europe last week in Berlin on a Rails plugin called Juggernaut which I’ve been working on for a few years now.
Juggernaut lets you do ‘Server Push‘, i.e. you can push data to the client from the server.During the presentation we showed a live chat application, with a real-time presence list of connected users.
We also demoed a real time map application, where users could show where they had traveled from to visit the conference in Berlin.
You can find the demo code for both applications here and here respectively. You can also find a PDF of the presentation here.
One of the other presentations I really enjoyed was Security on Rails by Jonathan Weiss (presentation here). He approaches security from an attacker’s perspective, which was a really effective way of getting the presentation across.
All things considered, it was an interesting conference – now for the dConstruct writeup…
Author Archive
Our latest tweets
- @chrbutler thanks! glad you like it :) RT @chrbutler @madebymany Your blog is great! It's a never-skip for me. 2 days ago
- @chrbutler mentioned our blog in his post on designing for attention, here: http://bit.ly/aTo8eY 2 days ago
- @apophenia in Technology Review says that people will simply carve out a space for privacy as they think best: http://bit.ly/cbbNdy 2 days ago
- More updates...
Most commented
People
Categories
- advertising (9)
- agile (9)
- Clients (29)
- code (1)
- Conferences (41)
- content (6)
- design (17)
- Games (2)
- Great Stuff (13)
- innovation (25)
- interview (3)
- jobs (1)
- Labs (9)
- Made by Many (142)
- mobile (4)
- New connections (2)
- opinion (50)
- play (1)
- publishing (8)
- Social Web (132)
- technology (2)
- Transmedia (1)
Archives
Sites we like
- Aaron Koblin
- Barbarian Group
- BBH Labs
- Big Spaceship
- Big Spaceship – Think
- Bud Caddell – What Consumes Me
- Creative Applications
- David Armano
- Edward Boches
- Faris Yakob
- Ffffound
- Gareth Kay
- Howard Rheingold
- Iain Tait – Crack Unit
- idsgn
- Manuel Lima
- Mike Arauz
- Neil Perkin – Only Dead Fish
- Noah Brier
- Not For Paper
- Paul Davis – Our illustrator
- TED Blog
- Undercurrent
- We Are Social