Fat Free CRM - Open Source CRM Platform (on Rails)

By Peter Cooper on July 1st, 2009 in Miscellaneous

Fat Free CRM is an open source CRM (customer relationship management) system built upon Rails by Michael Dvorkin. Even if you don't need a CRM system, it's interesting as an example of a new, full, open source Rails project. Michael hopes that Fat Free CRM will act as a generic codebase for developing more extensive CRM applications.

The project is hosted, naturally, on Github and there are also tarball downloads. You can also keep up to date with code updates on Twitter @fatfreecrm.

Also worth seeing.. Mobile Orchard's Beginning iPhone Programming Workshop. Bay Area/July 30-31. Seattle/Aug 20-21. Ruby Inside discount of $200 — use "ri" discount code.

Mike Gunderloy's "Rails Rescue Handbook" - Very Handy!

By Peter Cooper on June 30th, 2009 in Books, News

The Rails Rescue Handbook is a new, 83 page PDF e-book by Mike Gunderloy that goes in-depth on how to "rescue" a Rails project that might have, well, gone off the rails. The book is aimed at people who've had to (or want to) take over development on other people's projects and Rails newbies who want to learn conventions. The book costs $9.99 (or £7.08 if you're in the UK) and comes as a DRM-free PDF (a short sample chapter is available).

The book is split into many sections, such as Setting Expectations, Source Code Management, Dissecting the MVC, Judging the Tests, Investigating Deployment, metric_fu to the Rescue, Reading Exceptions, Database Rescues, Log File Analysis, Testing Rescues, Refactoring Rescues, Modernizing Code, Taming Plugins, Tackling View Performance Issues, and, naturally, many more. It's a pretty broad and shallow look at a rather murky area few people have bothered to write about before, so the only complaint you could have about this book is that it's too short - but given the niche, anything is great!

Mike was a Rails contributor for a while as well as a founding member of the official Rails Activists team. He still blogs cool Rails links at A Fresh Cup and works as part of the Rails Documentation team. Put it this way, if anyone's writing could be trusted about Rails, there aren't many people more credible than Mike.

Support from: Brightbox - Europe's leading provider of Ruby on Rails hosting. Now with Phusion Passenger support, each Brightbox server comes with access to a managed MySQL cluster and redundant SAN storage. Brightbox also provides managed services for large scale applications and dedicated clusters.

Screencast: Easy Rails File Uploads using Ajax and jQuery

By Peter Cooper on June 19th, 2009 in Screencasts

Adam McCrea of EdgeCase has put together a screencast demonstrating how to easily implement Ajax file uploads in your Rails application. It's about ten minutes long.

Job! Interkonect, a web app consultancy in Nottingham, UK, is looking for a part-time junior Rails developer - working from home/freelancing is fine but you should be in the UK in order to attend occasional meetings. Click here to learn more.

Webbynode: A New Rails-Focused VPS Host Worth Checking Out

By Peter Cooper on June 11th, 2009 in Deployment, News, Tools

For a couple of months now, I've been getting regular e-mails from Carlos Taborda of new host Webbynode, asking me to check out their service, give it a try, watch their screencasts, and so on. You know, the usual promotional stuff - except, no, almost no-one usually goes to these efforts in the Ruby or Rails world. So, for his persistence, he gets a post.. and no, I'm not getting paid for this, I haven't even got a free VPS from them! :) This is just news on an interesting new contender in the Rails hosting space.

With the small talk out of the way, Webbynode, a new Rails-focused VPS (virtual private server) hosting company, launched today. On the surface it looks like another Linode (a sponsor of Ruby Inside) or Slicehost, with plans ranging from $15 per month for a VPS with 256MB RAM and 12GB of disk space, up to $250 per month for a VPS with 4GB RAM and 180GB storage. Dig deeper by watching the screencast tour, however, and you'll soon see it's a different beast.

Webbynode makes it ridiculously easy to deploy a Rails application. Your VPS can automatically come with a fully tested Rails stack, drag your code off of Github (yes, automatically!) and be up and running in just a few clicks. The Webbynode control panel also offers New Relic integration for professional-grade application performance monitoring.

If Carlos and his team are as on the ball with hosting as they are at promotion, building a control panel, and putting together a compelling screencast tour, you shouldn't have much to worry about. If you prefer doing all of your deployments manually, Webbynode is a bit overpriced, but if you want to set, click, and forget, Webbynode looks ideal and you still get the full root shell access available for when you want to dig deeper.

Warning: Security Hole In Rails 2.3's HTTP Digest Authentication

By Peter Cooper on June 3rd, 2009 in News

Nate Kontny of Inkling Markets has found a nasty security hole in the code example provided in both the documentation and blog post for the Digest Authentication functionality in Rails 2.3. If you've built your routine in a similar way to that shown in the Rails documentation or blog post, you might be open to security issues.

Here's the code example in question:

class PostsController < ApplicationController
  Users = {"dhh" => "secret"}
  before_filter :authenticate

  def index
    render :text => "You needed a password to see this…"
  end

  private

  def authenticate
    realm = "Application"
    authenticate_or_request_with_http_digest(realm) do |name|
      Users[name]
    end
  end
end

Notice that authenticate uses the Users hash to authenticate the HTTP Digest Auth request? When you look up a non-existent key in a hash, nil is returned. Luckily, Rails' digest authentication routines consider a response of nil as an authentication failure, but if the password actually supplied is blank (ending up as nil), things don't quite work out as intended, since nil == nil and you get right through the authentication!
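A simplified model of this failure, added here as an example; it is not Rails' own code and not from the original post or from Nate's write-up. The helper names (digest_response, weak_check, strict_check, client_request), the nonce and the URI are assumptions, and the digest follows the RFC 2617 form without qop.

```ruby
require "digest/md5"

# Constructed user table, mirroring the Users hash in the example above.
USERS = { "dhh" => "secret" }.freeze
REALM = "Application"

# RFC 2617 response (qop omitted for brevity): MD5(HA1:nonce:HA2).
# Array#join turns nil into "", so a nil password hashes like a blank one.
def digest_response(user, password, nonce, method, uri)
  ha1 = Digest::MD5.hexdigest([user, REALM, password].join(":"))
  ha2 = Digest::MD5.hexdigest([method, uri].join(":"))
  Digest::MD5.hexdigest([ha1, nonce, ha2].join(":"))
end

# Simplified model of the weak check: whatever the lookup returns, nil
# included, is fed into the expected-response computation.
def weak_check(creds)
  expected = digest_response(creds[:user], USERS[creds[:user]],
                             creds[:nonce], creds[:method], creds[:uri])
  expected == creds[:response]
end

# Hardened check: an unknown user or a blank stored password fails before
# any digest is computed.
def strict_check(creds)
  password = USERS[creds[:user]]
  return false if password.nil? || password.empty?
  expected = digest_response(creds[:user], password,
                             creds[:nonce], creds[:method], creds[:uri])
  expected == creds[:response]
end

# What a client sends for a given username/password pair (constructed nonce).
def client_request(user, password)
  nonce = "constructed-nonce"
  { user: user, nonce: nonce, method: "GET", uri: "/posts",
    response: digest_response(user, password, nonce, "GET", "/posts") }
end

if __FILE__ == $PROGRAM_NAME
  { "valid login"          => client_request("dhh", "secret"),
    "unknown user, blank"  => client_request("nobody", ""),
    "known user, wrong pw" => client_request("dhh", "guess") }.each do |label, req|
    puts format("%-22s weak=%-5s strict=%s", label, weak_check(req), strict_check(req))
  end
end
```

The same guard belongs in any password block passed to authenticate_or_request_with_http_digest: treat a missing or blank stored password as a failed login rather than returning it.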

Nate has written up a ton of info about this, including a test and a patch, and it's a must-read unless you're totally confident you have this covered already.

Worryingly, Nate claims that he has had little luck in raising this vulnerability with the Rails core team:

I've attempted to contact this security list and a couple members on the core team through their individual email accounts over a week ago. I've only received one response last Thursday that someone would look into it, but the issue seemed to die there.

Now that enough time has been given for the security list to look into the problem (and hopefully not ignore it), the best practice I thought would be to tell as many people as possible about it so the fix can be applied and publicized. I felt I'd get a lot bigger audience here at Hacker news than the rails bug tracker. The bigger the audience the more people that can get their Rails 2.3 instances fixed if they are affected and avoid a problem. I was also planning on posting it there, but feel free to do it as well.

Streamlined: Beautiful User Interfaces Out Of The Box

By Peter Cooper on June 2nd, 2009 in Elsewhere, Tools

Streamlined is a Rails plugin that can give your Rails application beautiful user interfaces right out of the box. You need to have your models and controllers set up already, but once you have, you add a single layout line, along with acts_as_streamlined and you're ready to go.

If you want to see more screenshots and get an idea of how to develop a very simple application from scratch, check out "Java Kicks Ruby In The What Now", an article that rebuffs a recent piece of prime trolling from the Java community against Rails' lack of good scaffolding. Streamlined demonstrates that it's possible and easy - just that you might need a third party library to actually get there..

Petition: We Think RailsConf Sessions Should Be Recorded, Properly

By Peter Cooper on May 7th, 2009 in Events, News

This year, RailsConf brought in a new idea of allowing people to record sessions themselves and upload them to blip.tv. The problem is, few people are carrying good gear around to conferences, and even fewer want to hold up their Flip HDs throughout a whole session.

Other Ruby conferences have used the services of the excellent Confreaks conference recording team to bring high quality videos of sessions and presentations to the Web. For example, consider the videos of MountainWest RubyConf 2009 and acts_as_conference 2009; they're awesome! High quality, slides shown next to the presenter, the works.

The problem is that companies like Confreaks cost money and some conferences don't want videos of presentations leaking out. RailsConf is already partially happy with the latter, though, and if they could spend potentially $15k-$25k for an hour of Tim Ferriss (this is his quoted rate, though whether they paid this is not known), surely < $10k for full video coverage is a bargain. Update: Turns out it's not quite THAT cheap. But see the comments below for responses related to this, including one from Carl Youngblood of Confreaks himself.

If you agree, let O'Reilly hear your voice. Either state your support on Twitter using the tag #railsconf and say you want the talks filmed, or leave a comment here in support. At least this way, we can find out if people want the sessions taped, and if so, they'll have no excuse of not knowing about the demand.

DHH's RailsConf 2009 Keynote Now Available

By Peter Cooper on May 7th, 2009 in Events, News

Having trouble watching the movie? Click here to go to blip.fm.

Tim Ferriss' RailsConf Keynote Bores Audience To Tears; Mass Walk Out

By Peter Cooper on May 6th, 2009 in Events, News

The evening keynote on the first full day of RailsConf 2009 was delivered by Tim Ferriss and David Heinemeier Hansson in a "fireside chat" interview format. Tim Ferriss is a productivity guru most famous for his book The 4 Hour Workweek which topped the New York Times bestseller list some time back.

I was expecting the keynote to be an active, charismatic affair. I'd read Tim's book in the past and while I didn't agree with it, he seemed an interesting, exciting guy so I was looking forward to it. But.. it's okay trying not to offend people, especially after the Porngate scandal of the last week, but boring people to death seems to be just as offensive. Some reactions:

And this is just a selection!

The stream of people leaving throughout the keynote was quite significant; something I've never seen before.

Most of the complaints I heard were not based around a dislike of Tim (people were asking me who he is; he's not well known to this audience) but around boredom with the format and the content. It really was dull. Tim had no passion in his voice at all. A real shame from such an otherwise interesting guy.

Update! The keynote has already been found in video form. Only joking but it's about the same.

An Early RailsConf 2009 Roundup

By Peter Cooper on May 6th, 2009 in Events, News

We're two days into proceedings here at RailsConf and things have gone pretty smoothly. One day of tutorials and one day of the conference proper with over 1000 developers in attendance.

Gregg Pollack of RailsEnvy has put together a 4 minute video with a basic, atmospheric look at the first day and the opinions of some of the attendees. Nick Quaranto has also live blogged several sessions (and will be continuing to do so tomorrow); his notes are pretty deep.

On day two (or the first day of the true "conference") the centerpiece was David Heinemeier Hansson's keynote, well written up by Arun Gupta, where he suggested everyone should stop worrying so much. He then quickly moved on to Rails 3 developments. No defined alpha version is available, but there's some code that we can "play with." DHH looked quickly at some changes to defaults in Rails 3, such as automatically escaping all output into views (you can override this with the "raw" method) and using unobtrusive JavaScript techniques out of the box. He concluded by saying that the secret to high productivity is to "renegotiate requirements" (i.e. people tend to come up with specific solutions to vague goals, when you could just resolve the vague goal instead).

Other presentations included Ilya Grigorik's Building a Mini Google in Ruby, Jeremy Hinegardner's Crate: Packaging Standalone Ruby Apps, and Phusion's Scaling Rails, among others. Scaling Rails was particularly notable because even though the content was quite basic, it was concluded with a demonstration of a Wolfenstein 3D clone written in Ruby which featured Zed Shaw as a boss. It's called RubyStein and you can play with it right now. It'll be written up in more detail on Ruby Inside soon.

The general reaction to the conference (and Vegas) so far has been positive. People seem to like Vegas a lot more than was anticipated (though true Vegas haters probably didn't come anyway) and everyone's been having fun enjoying the various facilities Vegas and the Hilton have offered. So far, an interesting conference with little controversy, except…

And.. that's the topic of the next post ;-)

Update: Scribd has links to presentations from all of the RailsConf sessions so far. Nice!