ActiveJax: An ActiveRecord to JavaScript Bridge
ActiveJax is a Rails plugin developed by Nicholas Schlueter that acts as a bridge between ActiveRecord and Prototype-backed JavaScript. In practice this means you can invoke ActiveRecord model finders from JavaScript over AJAX, with the plugin marshalling the call to the server and the result back to the browser. Example:
ActiveJax.Author.find_by_name("Nicholas Schlueter").each(function(author) {alert(author.name);});
I asked Nicholas how this differs from the existing Jester library developed by Thoughtbot. One significant difference is the syntax: ActiveJax's mechanisms are all embedded underneath the ActiveJax object, whereas Jester offers up the "models" more directly within JavaScript. ActiveJax also doesn't depend on the application providing RESTful services; it dispatches calls to the models directly (per the plugin author's clarification in the comments below, only finders and attributes are exposed by default, associations are opt-in, and instance methods are never exposed, so what reaches the client is decided server-side). All this said, the motivations for using Jester versus ActiveJax overlap significantly, so it's worth checking out both libraries if this is an area that interests you.
More info is available in this blog post by Nicholas, including a link to a sample application.
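The security question a bridge like this raises is which model methods and which columns a browser request is allowed to reach. The following is an added example, not code from ActiveJax or from Nicholas's sample application: a hypothetical server-side dispatcher in plain Ruby (no Rails dependency, with a constructed in-memory User model standing in for ActiveRecord) that only dispatches allowlisted finders and strips sensitive columns before serializing. The request format, the EXPOSED policy table and the model are all assumptions made for the illustration.

```ruby
# Added example (hypothetical; not ActiveJax's own implementation).
require 'json'

# Constructed stand-in for an ActiveRecord model with a few "columns",
# including two that must never reach the browser.
class User
  attr_reader :attributes

  def initialize(attrs)
    @attributes = attrs
  end

  # Constructed sample rows (in-memory "table").
  TABLE = [
    new({ 'id' => 1, 'name' => 'alice', 'email' => 'alice@example.com',
          'password_hash' => 'deadbeef', 'salt' => 'c0ffee' }),
    new({ 'id' => 2, 'name' => 'bob',   'email' => 'bob@example.com',
          'password_hash' => 'cafebabe', 'salt' => 'f00d' }),
  ].freeze

  def self.find(id)
    TABLE.find { |u| u.attributes['id'] == id }
  end

  def self.find_all_by_name(name)
    TABLE.select { |u| u.attributes['name'] == name }
  end

  def self.find_by_name(name)
    find_all_by_name(name).first
  end

  # A destructive class method that must stay unreachable from the client.
  def self.destroy_all
    raise 'would delete every row'
  end
end

# Exposure policy, decided entirely on the server (hypothetical API):
# an explicit allowlist of class methods per model plus columns to hide.
# An explicit list is safer than a "starts with find" rule, since a
# custom finder with side effects would slip through a prefix check.
EXPOSED = {
  'User' => {
    methods: %w[find find_by_name find_all_by_name],
    hidden_columns: %w[password_hash salt],
  },
}.freeze

class BridgeError < StandardError; end

# Serialize one record for the client, dropping hidden columns.
def serialize(record, hidden)
  record.attributes.reject { |col, _| hidden.include?(col) }
end

# Dispatch one JSON request of the form
#   {"model": "User", "method": "find_by_name", "args": ["alice"]}
# and return a JSON array of serialized records. The model name and method
# name are checked against EXPOSED before anything client-controlled is
# passed to const_get or public_send.
def dispatch(request_json)
  req = JSON.parse(request_json)
  policy = EXPOSED[req['model']]
  raise BridgeError, "model not exposed: #{req['model']}" unless policy

  meth = req['method'].to_s
  raise BridgeError, "method not exposed: #{meth}" unless policy[:methods].include?(meth)

  model = Object.const_get(req['model'])
  result = model.public_send(meth, *Array(req['args']))
  records = result.is_a?(Array) ? result : [result].compact
  JSON.generate(records.map { |r| serialize(r, policy[:hidden_columns]) })
end

if __FILE__ == $PROGRAM_NAME
  puts dispatch('{"model":"User","method":"find_by_name","args":["alice"]}')
  begin
    dispatch('{"model":"User","method":"destroy_all","args":[]}')
  rescue BridgeError => e
    puts "rejected: #{e.message}"
  end
end
```

The two checks that matter are the ones a commenter below asks about: `destroy_all` (and any other non-allowlisted method) is rejected before `public_send` is reached, and `password_hash` and `salt` are removed from every serialized row, so the column filter has to be applied on the server rather than trusted to the JavaScript side.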
December 7, 2007 at 2:27 pm
Is it me, or does this seem slightly dangerous? Hope nobody opens up the console and does:
User.destroy_all
I'm sure there is some security built in, but it seems like you would have to be very careful to lock down your object.
December 7, 2007 at 2:57 pm
Hey, you are right, this is dangerous. By default it only exposes methods that start with "find". If you have destructive finders you could still be in trouble though. As always, use caution and you will be fine.
December 8, 2007 at 9:16 pm
And what about attributes? There could be private data in there.
Can't I just write a query to give me user.password and user.salt (if it's hashed)?
It also says it's possible to call any method on the models. What about destroy? authorize!, name=(new_name), password=(new_password)...
This scares me.
December 10, 2007 at 9:47 pm
If a client-side library can expose security problems in your server-side interface then you have other problems.
With proper server-side scoping this is a useful library.
December 12, 2007 at 2:59 am
@Paul:
But your client-side library can't do *anything* unless the server-side interface allows it. (And, if I understand correctly, ActiveJax provides both.) So I'm not sure I follow what your point is. It sounds as if you're trying to dismiss the security concerns raised here.
December 17, 2007 at 9:38 pm
Just for posterity: active_jax by default exposes all finders and all attributes on the models. Associations are opt-in, and you can exclude, server-side, any column you need to exclude. active_jax will never expose any instance methods off your models. I hope this clears things up.