I'm looking at the liquid templating language for Rails apps:

http://wiki.github.com/tobi/liquid/

I'd like my users to also be able to make AJAX calls (just like the ones in rails for periodically_call_remote, observe_field, etc). Is this possible?

Assuming the rails helpers can be added as filters, how will the user be able to modify what gets returned by the AJAX call? They cannot modify an rjs file on the server or anything like that. I suppose the AJAX call could return JSON (instead of rendered html) and then the javascript could use that to render something. But I'm having a little trouble envisioning how it would work exactly.

If anyone can point me to an example of this or clarify it'd be much appreciated. Thanks!

+1  A: 

Is allowing any user to make any ajax call really what you want?
Don't forget you can't trust your users. Do you really want them to be able to request any page on your domain name?

I guess you want to be able to allow them to request some pages only though. A defined list of urls.

Then you can just create one filter per url that'll return your content.
So if the user does in his template:

{{ get_users }}

Which will do, internally, an ajax call retrieving the list of all your users.

You can think generic when you're working on things that only developers should be working on.
But when it's about allowing your users to change the code of your application, you should restrain them so they don't hack and break everything.

Damien MATHIEU
Good point Damien. Couple thoughts. 1. On the security, an authenticated API call could solve the security problem or 2. What you suggested with a filter that does the ajax call. I actually like this better - but how will they render the returned data in a custom way? Can the get_users command return JSON and let the user do what they will with it? Thanks for the help. I can tell you've got some great experience here.
Brian Armstrong
I'm not very familiar with liquid. But if your filter returns a ruby array, you can loop through it and then display it the way you want.
Damien MATHIEU
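
The "defined list" approach from this thread, sketched as an added example (not code from the original posts or from Liquid itself): the AJAX endpoint accepts only a source name from a fixed allowlist and returns JSON limited to chosen fields. `DATA_SOURCES`, `fetch_source`, `unknown_tags` and the sample records are hypothetical names and constructed data; the tag check is plain Ruby and covers only the bare `{{ name }}` form shown in the answer.

```ruby
require 'json'

# Constructed sample records standing in for the application's user table.
USERS = [
  { id: 1, name: 'alice', email: 'alice@example.test', password_digest: 'constructed-1' },
  { id: 2, name: 'bob',   email: 'bob@example.test',   password_digest: 'constructed-2' }
].freeze

# Allowlist (hypothetical): each name a template may use maps to one fixed
# server-side query and the only fields that may leave the server.
DATA_SOURCES = {
  'get_users' => { rows: -> { USERS }, fields: %i[id name] }
}.freeze

# Handler body for the AJAX endpoint: the client sends a source name, never a
# URL or path, so requests outside the list have nothing to resolve to.
def fetch_source(name)
  source = DATA_SOURCES[name.to_s]
  unless source
    return { status: 404, body: JSON.generate({ 'error' => 'unknown data source' }) }
  end
  rows = source[:rows].call.map { |row| row.slice(*source[:fields]) }
  { status: 200, body: JSON.generate(rows) }
end

# Save-time check for a user template: list tags that are not on the allowlist.
# Only matches the bare {{ name }} form shown in the answer, not full Liquid.
def unknown_tags(template)
  template.scan(/\{\{\s*([A-Za-z_]\w*)\s*\}\}/).flatten.uniq - DATA_SOURCES.keys
end

if __FILE__ == $PROGRAM_NAME
  puts fetch_source('get_users')[:body]
  puts fetch_source('/admin/users')[:status]
  p unknown_tags('{{ get_users }} {{ get_orders }}')
end
```

The JSON body carries only `id` and `name`, so the user's own JavaScript can render it however they like without the e-mail or password fields ever leaving the server.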