Thanks for the reply Andrew, and thanks for the link - very useful and informative (as is your blog!).
The idea is as part of a CMS-style app, so people would have to be signed in to edit files, and they probably wouldn't be able to choose the path, just the name. I guess I would use a similar whitelist approach as recommended in the docs. Would it be better to do this sort of thing at a database level - saving the whole CSS text in a Theme model or something?

cheers,

DAZ

On Jan 12, 3:01 pm, "Andrew Timberlake" <[email protected]> wrote:
> On Mon, Jan 12, 2009 at 4:37 PM, DAZ <[email protected]> wrote:
>
> > Hi,
> >
> > Is it possible to open a file (in the public directory) in a text
> > field, edit it and save it?
> >
> > Is it also possible to type into a new text field, then save this as a
> > new file in the public directory?
> >
> > One use for this I could see would be to allow users to edit
> > stylesheets/themes.
> >
> > If this is possible, how do you do it?
> >
> > Cheers,
> >
> > DAZ
>
> DAZ
>
> To get the contents, you could do:
> @file_contents = File.read(File.join(RAILS_ROOT, "public",
> "your_file_name.css"))
>
> And to save again, do (the file must be opened in write mode, "w", or
> the write will fail):
> File.open(File.join(RAILS_ROOT, "public", "your_file_name.css"), "w") do |file|
>   file.write params[:file_contents]
> end
>
> NOTE: I'd be very careful of actually doing this though as there are MANY
> security issues.
> Think through things like who will have access to this functionality and how
> much they can be trusted.
> One thing to specifically check for is that the user cannot set the file
> path in any way or you could end up with files written to like:
> /home/rails/myproject/public/../../../../etc/passwd
>
> Have a look at http://guides.rubyonrails.org/security.html for some more
> detailed info on the potential problems.
>
> --
> Andrew Timberlake
> http://ramblingsonrails.com
> http://www.linkedin.com/in/andrewtimberlake
>
> "I have never let my schooling interfere with my education" - Mark Twain
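The whitelist approach DAZ mentions, combined with Andrew's "never let the user set the path" rule, can be written as a small store class. This is an added example, not code from the thread or from Rails: the class name `ThemeFileStore`, its methods and the `root` argument (a stand-in for `File.join(RAILS_ROOT, "public")`) are this example's own. It accepts only a bare `name.css`, confirms the resolved path still sits under the root as a second line of defence, caps the size of what one request may write, and writes through a temp file plus rename so a crash mid-write never leaves a half-written stylesheet being served.

```ruby
require "pathname"
require "tmpdir"

# Added example (not from the thread): lets a signed-in editor read and write
# stylesheet files, but only inside one directory and only by bare file name.
class ThemeFileStore
  NAME_PATTERN = /\A[A-Za-z0-9_-]+\.css\z/ # whitelist: plain name plus .css
  MAX_BYTES = 64 * 1024                    # cap what one request may write

  class InvalidName < ArgumentError; end

  # root: the only directory files may live in (hypothetical stand-in for
  # the Rails public directory). realpath canonicalises it and resolves
  # symlinks so later prefix checks compare like with like.
  def initialize(root)
    @root = Pathname.new(root).realpath
  end

  # Map a user-supplied file name to a path under @root. Anything that is not
  # a bare whitelisted name (so no "/", "..", NUL or other extensions) is
  # rejected before any file system call is made.
  def resolve(name)
    unless name.is_a?(String) && NAME_PATTERN.match?(name)
      raise InvalidName, "bad file name: #{name.inspect}"
    end
    path = (@root + name).expand_path
    # Defence in depth: even if the pattern were loosened later, a path that
    # does not stay under the root is refused.
    unless path.to_s.start_with?(@root.to_s + File::SEPARATOR)
      raise InvalidName, "path escapes root: #{name.inspect}"
    end
    path
  end

  def read(name)
    resolve(name).read
  end

  # Write contents to name.css atomically; returns the final path.
  def write(name, contents)
    raise ArgumentError, "contents too large" if contents.bytesize > MAX_BYTES
    path = resolve(name)
    tmp = path.sub_ext(".css.tmp-#{Process.pid}")
    File.open(tmp, "w") { |f| f.write(contents) } # "w": open for writing
    File.rename(tmp, path)                        # atomic replace on POSIX
    path
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed demo in a throwaway directory standing in for public/.
  Dir.mktmpdir do |dir|
    store = ThemeFileStore.new(dir)
    store.write("theme.css", "body { color: red; }")
    puts store.read("theme.css")
    begin
      store.resolve("../../../../etc/passwd")
    rescue ThemeFileStore::InvalidName => e
      puts "rejected: #{e.message}"
    end
  end
end
```

Whether the CSS lives in a file or in a `Theme` model, the same two checks matter: the name is validated against a whitelist before it touches the file system (or the query), and the caller is an authenticated user whose right to edit that theme has been checked.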

