Don't pass request environment to renderer when calling sync actions

[ajb]

Problem

1. Sync partials should not be able to access current_user, params, etc
2. When sync_update (or sync_new) are called from inside of a request environment, they can access the variables inside of that environment
3. This can lead to silent errors, or errors that occur only in production when background jobs are enabled. (Silent error when current_user is called without refetch: true #190 might be an example of one of these)

Solution

• Disable access to request environment when calling sync actions
• Disable access to request environment when rendering sync partials, always? (This might be a breaking change...)

[aeberlin]

This would definitely be a breaking change. I would suggest building out a small DSL for things to be passed to the sync render context, possibly by leveraging a library like decent_exposure.

That way, the breaking changes would be minimized and would still guarantee quite a bit of flex.

[aguayma]

Just following up. Was anyone able to resolve this issue? I am still getting the

env for NilClass 

when using current_user in the views.

[aguayma]

Was anyone able to resolve this issue? Ran with pusher and faye and I am still receiving the following error:

method=POST path=/messages format=js controller=MessagesController action=create status=500 error='ActionView::Template::Error: undefined method `env' for nil:NilClass' duration=70.15 view=0.00 db=12.97
15:48:48 server.1 |
15:48:48 server.1 | NoMethodError - undefined method `env' for nil:NilClass:
15:48:48 server.1 |   devise (4.2.0) lib/devise/controllers/helpers.rb:141:in `warden'
15:48:48 server.1 |   devise (4.2.0) lib/devise/controllers/helpers.rb:124:in `current_user'
15:48:48 server.1 |   actionpack (4.2.7.1) lib/abstract_controller/helpers.rb:67:in `current_user'
15:48:48 server.1 |   app/views/sync/messages/_message_row.html.erb:11:in `_app_views_sync_messages__message_row_html_erb___4026068312585040076_70129917733380'

The message object is being created, so when page refreshes the new message is there.

Here is a look at the controller:

def create
    @message = Message.new(message_params)
    respond_to do |format|
      if @message.save
        sync_new @message, scope: @conversation
        format.html { render :nothing => true, :status => 200 }
        # format.json { render :show, status: :created, location: @message }
        format.js { render :nothing => true, :status => 200 }
      else
        format.html { redirect_to influencer_path(id: current_user.influencer.id) }
        format.json { render json: @message.errors, status: :unprocessable_entity }
      end
    end
  end

calling the partials:

<div style='border-bottom:thin solid #f2f2f2'>
  <% @messages.each do |message| %>
  <%= sync partial: 'message_row', resource: message, refetch: true %>
  <% end %>
  <%= sync_new partial: 'message_row', resource: Message.new, scope: @conversation, refetch: true %>
</div>

partial:

<div class='col-xs-12 col-md-12 own-sent-messages'>
  <div class='col-xs-3 col-md-2'>
    <%= link_to image_tag(message.sender.determine_avatar, {class: 'img-responsive img-circle influencer-circular-image'}), message.sender.profession %>
  </div>
  <div class='col-xs-9 col-md-9'>
    <div>
      <%= simple_format(message.body, {class: 'small-text msb-grey-color remove-margin', style: 'font-size:14px'}) %>
    </div>
    <div>
      <p class='large-title msb-grey-color remove-margin'>
        <%= message.created_at.in_time_zone(current_user.influencer.time_zone).strftime("%b %d, %Y") %>
        <%= message.created_at.strftime("%b %d, %Y") %>
      </p>
    </div>
  </div>
</div>