Hi,
Is it possible to open a file (in the public directory) in a text field, edit it and save it?
Is it also possible to type into a new text field, then save this as a new file in the public directory?
One use for this I could see would be to allow users to edit stylesheets/themes.
If this is possible, how do you do it?
Cheers,
DAZ
DAZ
To get the contents, you could do: @file_contents = File.read(File.join(RAILS_ROOT, “public”, “your_file_name.css”))
And to save again, do: File.open(File.join(RAILS_ROOT, “public”, “your_file_name.css”)) do |file|
file.write params[:file_contents] end
NOTE: I’d be very careful of actually doing this though as there are MANY security issues. Think through things like who will have access to this functionality and how much they can be trusted.
One thing to specifically check for is that the user cannot set the file path in any way or you could end up with files written to like: /home/rails/myproject/public/…/…/…/…/etc/passwd
Have a look at http://guides.rubyonrails.org/security.html for some more detailed info on the potential problems.
Thanks for the reply Andrew, and thanks for the link - very useful and informative (as is your blog!).
The idea is as part of a CMS-style app, so people would have to be signed in to edit files, and they probably wouldn't be able to choose the path, just the name. I guess I would use a similar whitelist approach as recommended in the docs.
Would it be better to do this sort of thing at a database level - saving the whole CSS text in a Theme model or something?
cheers,
DAZ
Would it be better to do this sort of thing at a database level - saving the whole CSS text in a Theme model or something?
I think that'd be the best solution.
There are pros and cons to everything, I just wanted you to be aware - I don’t like providing a solution to someone where they can shoot themselves in the foot with it 
Even in a CMS based app this can be dangerous.
If the CMS is for a specific client running on their own hardware, you have less of a problem than if it is for public consumption.
If you want to allow people to customise the look of an application, I would provide very specific things they can change.
Your idea of a Theme model can work but still be careful of what they can set as values. IE allows javascript to execute within CSS which can open you up to XSS attacks etc.