If you’ve ever been involved with a pentest on an Elixir application, you know that calling “raw/1” directly on user input is rare, as is bypassing the view/template/render pattern to render HTML. The author of Sobelow, Griffin Byatt, mentions this in his ElixirConf talk, “ElixirConf 2017 - Plugging the Security Holes in Your Phoenix Application”. It’s a fantastic talk; he gives the example of a file upload leading to XSS. I close out this blog post with that example, and hope you find it useful in ensuring the security of your own apps.
Nice find, and while you are at it, there is also @moduletag, which allows you to do the same but at the module level. I use this tagging to segment my unit tests from their integration and system test siblings.
This epic article of 4500 words covers everything there is to know about efficient full-text search with Postgres and Ecto. It explains how Postgres’ full-text search works and how you can use indexes to speed up your search. It also covers search modifiers, query testing, extracting headlines, and so much more!
I fell off the writing wagon a couple years ago, after my first child was born, but I’m trying to hop back on! Here’s a rundown of a method I’ve been using to handle combinatorial explosions of query parameters in my Phoenix applications.
Today’s article explains how to simulate a bad internet connection when developing locally by adding latency, jitter, and packet loss to your connection. It’s crucial to test your app under these circumstances before deploying it. Otherwise, users on a mobile connection in particular will have a bad UX when using your site.
Learn how to build a Roles and Permissions (RAP) system for Phoenix! Not all your users should have access to all your data. A RAP helps you to set up user groups and control which data they can access through permissions.
It was very timely for me, as I’ve been working on an authorization library over the last few days and took this as an opportunity to integrate it with your RAP example. I wrote up some thoughts and added the modified modules in a gist. It was a great opportunity to see how the auth library I’m working on might integrate with the permissions architecture you presented. Would love to hear your (or anyone else’s) feedback, if you find time to take a look.