tonyhokan / belt_reviewer Goto Github PK

In https://github.com/TONYHOKAN/belt_reviewer/blob/a09a31467ffa48fa61ca9c528ac0fcf386614ca8/app/controllers/comments_controller.rb:

On line 3, event_id assignment is unnecessary.

@comment.save will not throw exception if the save failed, and we are not handling the error case here. If the record fails to save, it will fail silently without anyone noticing. Silent failure is generally bad.
Use @comment.save! instead, or handle the error case manually.

In https://github.com/TONYHOKAN/belt_reviewer/blob/a09a31467ffa48fa61ca9c528ac0fcf386614ca8/app/controllers/events_controller.rb:

Storing user_id in session and reading it directly has no security measures. It is acceptable in this practice but it is extremely dangerous for practical usage and is something to be aware of.

flash[:event] is usually only used for storing string messages rather than objects. Was this practice shown in some guidelines that I'm not aware of?

There is a method called event_comments which is responsible for creating a string to display to the user. That is view logic, so it should not live in the controller. It should live in the view erb instead.

In

Prefer assigning local variable registration = instead of instance variable @registration = if it is not necessary.

Others:
I see that you have some validations in place for some models, and that is good. It is a good practice to also enforce data integrity at the database level. What I usually do is to apply the same validation in the rails model and the db column, but this is not required and can be a judgement call. Though it is usually a good idea to enforce data integrity at db level as I've said.

Also, none of the controllers are guarded by whether the user is authenticated. This means that all pages are accessible to anyone, which is not a desirable situation.