
ActiveJax: An ActiveRecord to JavaScript Bridge

By Peter Cooper / December 7, 2007

ActiveJax is a Rails plugin developed by Nicholas Schlueter that acts as a bridge between ActiveRecord and Prototype-backed JavaScript. This means you can call ActiveRecord model methods from JavaScript using AJAX. Example:

ActiveJax.Author.find_by_name("Nicholas Schlueter").each(function(author) {alert(author.name);});

I asked Nicholas how this differs from the existing Jester library developed by Thoughtbot. One significant difference is the syntax. ActiveJax's mechanisms all live underneath the ActiveJax object, whereas Jester exposes the "models" more directly within JavaScript. ActiveJax also doesn't depend on the application providing RESTful services; it's possible to call any method on the models. All this said, the motivations for using Jester versus ActiveJax overlap significantly, so it's worth checking out both libraries if this is an area that interests you.
More info is available in this blog post by Nicholas, including a link to a sample application.

Comments

  1. Eric Anderson says:

    Is it me or does this seem slightly dangerous? Hope nobody opens up the console and does:

    User.destroy_all

    I'm sure there is some security built in but seems like you would have to be very careful to lock down your object.

  2. Nicholas Schlueter says:

    Hey, you are right, this is dangerous. By default it only exposes methods that start with "find". If you have destructive finders you could still be in trouble though. As always, use caution and you will be fine.

  3. Steven Soroka says:

    And what about attributes? There could be private data in there.

    Can't I just write a query to give me user.password and user.salt (if it's hashed)?

    It also says it's possible to call any method on the models. What about destroy? authorize! name=(new_name), password=(new_password)....

    This scares me.

  4. Paul M. Watson says:

    If a client-side library can expose security problems in your server-side interface then you have other problems.

    With proper server-side scoping this is a useful library.

  5. Brandon Z says:

    @Paul:
    But your client-side library can't do *anything* unless the server-side interface allows it. (And, if I understand correctly, ActiveJax provides both.) So I'm not sure if I follow what your point is. It sounds as if you're trying to dismiss the security concerns raised here.

  6. Nicholas Schlueter says:

    Just for posterity, active_jax by default exposes all finders and all attributes on the models. Associations are opt-in, and you can exclude any column, server-side, you need to exclude. active_jax will never expose any instance methods off your models. I hope this clears things up.
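
The exposure rules debated in the comments above (finders only, columns excluded server-side), shown as an added example that is not ActiveJax's code or part of the original post. It sketches a hypothetical server-side gate that uses an explicit finder allowlist instead of a "find" prefix match and strips hidden columns before serialization. `ModelGate`, the stand-in `User` class, `find_and_purge` and the sample row are all constructed for illustration.

```ruby
require 'json'

class ExposureError < StandardError; end

# Hypothetical gate between browser requests and a model class.
class ModelGate
  def initialize(model, finders:, hidden_columns:)
    @model   = model
    @finders = finders.map(&:to_s).freeze        # exact names, not a prefix test
    @hidden  = hidden_columns.map(&:to_s).freeze # never serialized to the client
  end

  # name and args come from the browser and are untrusted.
  def call(name, *args)
    name = name.to_s
    raise ExposureError, "#{name} is not exposed" unless @finders.include?(name)
    rows = Array(@model.public_send(name, *args))
    JSON.generate(rows.map { |row| row.reject { |col, _| @hidden.include?(col) } })
  end
end

# Constructed stand-in for an ActiveRecord model; rows are plain hashes.
class User
  ROWS = [{ "id" => 1, "name" => "alice",
            "password" => "constructed-hash", "salt" => "constructed-salt" }].freeze

  def self.find_by_name(name)
    ROWS.select { |r| r["name"] == name }
  end

  # A "destructive finder": it would pass a check for names starting with "find".
  def self.find_and_purge(_name)
    @purged = true
    []
  end

  def self.destroy_all
    @purged = true
  end

  def self.purged?
    @purged == true
  end
end

GATE = ModelGate.new(User, finders: [:find_by_name], hidden_columns: [:password, :salt])
puts GATE.call("find_by_name", "alice")
```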
