views:

50

answers:

3

I am trying to build a CMS using ERB. Is there a way you can give ERB code read-only access to your models? For instance, I want to be able to load any information on my models (Model.all, Model.find_by_slug, Model.find_by_name, Model.other_model.name, etc.), but I don't want to be able to change this data. Can you disable ERB from executing commands that would make database changes (Model.save, Model.update, Model.delete, Model.destroy, etc.)?

A: 

There is safemode by Rails core developer Sven Fuchs to make your ERB, well, safer.

A template engine like liquid (which is painful in my eyes) or mustache might be easier to learn and apply for your users than erb.

Thomas R. Koll
+1  A: 

Give this a shot: http://www.liquidmarkup.org/

DJTripleThreat
A: 

Try to use :readonly flag while finding models:

@posts = Post.find(:all, :readonly => true)

If you try to save it, it will throw a ReadOnlyRecord exception. But I'd also suggest Liquid as a templater, since the user has unrestricted access to application variables inside ERB templates.

fantactuka
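An added example (not code from any of the answers) of the pattern the question is asking for: the template is handed a read-only finder object instead of the models themselves, and every record it returns forwards only attribute readers, so save/update/destroy raise before they reach the record. The `Post` struct, its sample rows, and the `ReadOnlyScope`/`ReadOnlyRecord` names are all constructed for this illustration; a real app would wrap its ActiveRecord classes the same way. The caveat that fantactuka's answer points at still applies: ERB evaluates arbitrary Ruby, so a wrapper only guards the objects you pass in, and the real fix for user-authored templates is a restricted engine such as safemode or Liquid.

```ruby
require "erb"

# Constructed stand-in for an ActiveRecord model (hypothetical; the asker's
# app is not on the page). It carries the mutating methods the question lists.
Post = Struct.new(:name, :slug, :body) do
  def save;            @saved = true; end
  def update(attrs);   attrs.each { |k, v| self[k] = v }; true; end
  def destroy;         @destroyed = true; end
  def destroyed?;      @destroyed == true; end
end

# Constructed sample rows.
POSTS = [
  Post.new("Hello World", "hello-world", "first post"),
  Post.new("Goodbye",     "goodbye",     "last post"),
].freeze

# Raised whenever a template calls anything that is not an allowed reader.
class TemplateMutation < StandardError; end

# Wraps one record and forwards only the listed attribute readers.
# save/update/destroy/etc. fall through to method_missing and raise.
class ReadOnlyRecord
  def initialize(record, readers)
    @record  = record
    @readers = readers.map(&:to_sym)
  end

  def method_missing(name, *args, &block)
    unless @readers.include?(name) && args.empty?
      raise TemplateMutation, "#{name} is not permitted in templates"
    end
    @record.public_send(name)
  end

  def respond_to_missing?(name, include_private = false)
    @readers.include?(name.to_sym) || super
  end
end

# Read-only finder: the template gets all/find_by_slug/find_by_name and
# nothing else, and every result comes back wrapped.
class ReadOnlyScope
  READERS = %i[name slug body].freeze

  def initialize(records)
    @records = records
  end

  def all
    @records.map { |r| ReadOnlyRecord.new(r, READERS) }
  end

  def find_by_slug(slug)
    wrap(@records.find { |r| r.slug == slug })
  end

  def find_by_name(name)
    wrap(@records.find { |r| r.name == name })
  end

  private

  def wrap(record)
    record && ReadOnlyRecord.new(record, READERS)
  end
end

# Renders a template; the only local it sees is `posts`, the read-only scope.
def render_template(source)
  ERB.new(source).result_with_hash(posts: ReadOnlyScope.new(POSTS))
end

if __FILE__ == $PROGRAM_NAME
  puts render_template("<%= posts.all.map(&:name).join(', ') %>")
  begin
    render_template("<% posts.find_by_slug('goodbye').destroy %>")
  rescue TemplateMutation => e
    puts "blocked: #{e.message}"
  end
end
```

Reads such as `posts.find_by_slug('goodbye').body` work as in the question; a write such as `posts.find_by_slug('goodbye').destroy` raises `TemplateMutation` and the underlying row is untouched. Because the wrapper is ordinary Ruby, it is a guard against accidental writes from trusted templates, not a sandbox for untrusted ones.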