Databound – exposes Ruby on Rails database to the JavaScript side
databound.me
Mind if I ask why this exists?
The operations side of me sees nothing but a massive security hole.
The developer in me sees anything built with this to be a maintenance nightmare, even more so than many Rails apps tend to be.
What benefit does this library provide?
Thanks for asking, James.
Many Rails apps get/create/update database data on the JavaScript side. Sometimes it is done using some kind of framework (Ember, Angular).
This is for the times you don't use a full-fledged framework - think React or something similar.
Its benefit is that you don't have to set up routes, parsing/encoding for the data you send.
It lets you securely choose which parts of the model you want the JavaScript to edit (permitted_columns).
It also works with Active Model Serializers (e.g. UserSerializer) - it lets you specify which attributes to send to the client.
It is as secure as you would do it yourself.
If possible, please hack the databound.me website and help me fix the holes if there are any.
Thanks!
This isn't about "hacking" the website, it's about protecting the users of your library (including yourself). I'll open an Issue with more details.
Thanks.
For other readers: the issue is being addressed at https://github.com/Nedomas/databound/issues/2
Fixed with 1.1.0 release.
https://github.com/Nedomas/databound-rails/commit/04e28afaf0...