Blogs and Stuff

Intellectual plumbing and 100% toll free.

Blogs

Archives: December 2007

0 Comments By Damon on Dec 21 in Headache, Rubyonrails, and Website.

When designing a web site, most of the work goes into making a well-designed and usable frontend interface. What doesn't get nearly as much love is the backend administrative interface. Like security, it typically comes as an afterthought, if at all. However, with this website, I needed a reasonably functional administration section that would allow me to manipulate data in the models and a somewhat presentable interface that wasn't so arcane that it was unusable. While I did write some custom code to manage certain aspects of the site, developing an entire administration section from scratch was about as palatable as a dish of warmed-up horse droppings. Say hello to my new best friend, ActiveScaffold.


0 Comments By Damon on Dec 19 in Rubyonrails, Releases, and Security.

As I mentioned in a previous blog, Rails recently introduced RequestForgeryProtection. I wanted to take full advantage of this functionality to help protect against CSRF-based attacks. I realize it's not a perfect method, but every layer helps. One of the observations I made when reviewing some of my code is that I had a number of actions within my controllers that did not validate the type of HTTP method supplied. Therefore, actions like deleting a blog or media file would work regardless of the HTTP method provided by the user as long as the user was logged in. Not a huge problem, right? Well, not quite.
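The reason this matters is that Rails' RequestForgeryProtection only compares the authenticity token on non-GET requests (GET and HEAD are treated as safe and skipped). A destroy action that also answers to GET can therefore be triggered by a cross-site link or image tag with no token at all, and the forgery protection never gets a chance to object. The following is an added example, not the author's code and not Rails' own implementation: a plain-Ruby model of that filter ordering, with a controller that accepts any verb beside one that enforces the equivalent of `verify :method => :delete` in front of `destroy`. The session token, the blog id and the request shapes are constructed sample values.

```ruby
# Added example: a plain-Ruby model of Rails 2.0 forgery protection plus a
# per-action HTTP method check. It does not load Rails and is not Rails' code.

Request = Struct.new(:verb, :params, :logged_in)

class CsrfError < StandardError; end
class MethodNotAllowed < StandardError; end

# Mirrors the decision protect_from_forgery makes: GET and HEAD are exempt,
# so the token is only compared on state-changing verbs.
def verified_request?(request, session_token)
  return true if [:get, :head].include?(request.verb)
  request.params[:authenticity_token] == session_token
end

# A controller whose destroy action does not care which verb reached it.
class UnguardedBlogsController
  SESSION_TOKEN = "s3cr3t-per-session-token" # constructed sample token

  attr_reader :deleted

  def initialize
    @deleted = []
  end

  # Forgery check first, then the action, as the before_filter chain would run.
  def dispatch(request)
    unless verified_request?(request, SESSION_TOKEN)
      raise CsrfError, "invalid authenticity token"
    end
    destroy(request)
  end

  def destroy(request)
    return :unauthorized unless request.logged_in
    @deleted << request.params[:id]
    :deleted
  end
end

# Same controller with the equivalent of `verify :method => :delete`
# (Rails 1.2 / 2.0 syntax) guarding destroy.
class GuardedBlogsController < UnguardedBlogsController
  ALLOWED_VERBS = { destroy: [:delete] }

  def dispatch(request)
    verify_method!(:destroy, request)
    super
  end

  def verify_method!(action, request)
    allowed = ALLOWED_VERBS.fetch(action)
    return if allowed.include?(request.verb)
    raise MethodNotAllowed, "#{action} requires #{allowed.join('/')}"
  end
end

# Run one request through a controller and report the outcome as a symbol.
def outcome(controller, request)
  controller.dispatch(request)
rescue CsrfError
  :csrf_rejected
rescue MethodNotAllowed
  :method_rejected
end

# A cross-site GET, e.g. <img src="/blogs/destroy/42"> planted on another
# site: the victim's browser is logged in but sends no authenticity token.
def forged_get(id)
  Request.new(:get, { id: id }, true)
end

# A legitimate DELETE from the site's own form, carrying the session token.
def legitimate_delete(id)
  Request.new(:delete, { id: id, authenticity_token: UnguardedBlogsController::SESSION_TOKEN }, true)
end

if __FILE__ == $0
  puts "unguarded, forged GET:      #{outcome(UnguardedBlogsController.new, forged_get(42))}"
  puts "guarded,   forged GET:      #{outcome(GuardedBlogsController.new, forged_get(42))}"
  puts "guarded,   DELETE no token: #{outcome(GuardedBlogsController.new, Request.new(:delete, { id: 42 }, true))}"
  puts "guarded,   legitimate:      #{outcome(GuardedBlogsController.new, legitimate_delete(42))}"
end
```

The first line of output is the problem: the unguarded controller deletes blog 42 on a forged GET because the forgery check never runs for GET. Once the verb is restricted, a forged GET is refused before the action runs, a DELETE without a token is caught by the forgery check, and only the site's own form with the token succeeds. Restricting each destructive action to the verb it expects is what makes the token check cover it.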


Over the weekend, Rails 2.0 was released to the masses. Packed with a flurry of changes, I decided to take the plunge. After grabbing a Coke, turning on some music, and firing up TextMate, it was time to rock and roll. One of the new features included in the release was RequestForgeryProtection, one that I wanted to take full advantage of to help protect against CSRF-based attacks. Considering I've been keeping current with each release cycle of Rails, I was hoping that the upgrade from 1.2.6 to 2.0 would be a piece of cake. Well, long story short, it wasn't. Not surprising, I'm sure, but it was another late night of code wrangling that ended up putting me to bed around 5:20am on a Saturday morning.
