This course came at the perfect time. I’ve recently gotten back into Rails after an 18-year hiatus, and this was a perfect refresher and shows just how much you can accomplish with Rails right out of the box.Garrett Winder
Summary
Video Transcript
Now that our users can sign up and sign in to our application, we can turn our focus to the core of Lorem News—posts. To do this, we'll use Rails scaffolding to generate a Post resource.
Generating the Post Resource
Let's switch back to our command line and run the following command:
bin/rails generate scaffold Post 'user:belongs_to' 'title:string!:uniq' 'body:text!'
Running this command creates:
- A migration defining the database structure
- A Post model that belongs to a user
- A controller with RESTful actions (index, show, new, edit, create, update, destroy)
- Views for each action
- Tests for the post functionality
Reviewing the Migration and Model
Let's inspect the migration file to ensure everything looks correct. Everything is set up properly. The posts table:
- User (foreign key) – Links the post to the user who created it.
- Title (string, required, unique) – Ensures each post has a distinct title.
- Body (text, required) – Prevents empty posts from being submitted.
Before continuing, let's commit our changes.
Testing the Scaffolded Features
Now, let's start our development server and see how it looks.
Navigating to /posts, we see no posts yet, but we can go to /posts/new to create one. However, the form currently asks for a user ID, which we need to remove and set automatically based on the logged-in user.
Automatically Assigning the Current User to Posts
To ensure new posts are linked to the signed-in user, we update our Post controller:
We remove the user ID field from the form and set the user in the post controller:
def new
@post = Current.user.posts.new
end
def create
@post = Current.user.posts.new(post_params)
if @post.save
redirect_to @post, notice: "Post was successfully created."
else
render :new, status: :unprocessable_entity
end
end
...
def post_params
params.expect(post: [ :title, :body])
end
Here’s what’s happening:
- Current.user.posts.new automatically sets the post’s user ID.
- User input is limited to only the title and body, preventing unauthorized access.
- If the post saves successfully, the user is redirected to the post’s page.
Adding the Association in the User Model
To complete this, we need to define the relationship in our User model:
class User < ApplicationRecord
has_many :posts, dependent: :destroy
end
Now, each user can have many posts, and when a user is deleted, their posts will be removed as well (dependent: :destroy).
Improving the Post Form
Next, we update the form view (_form.html.erb) to remove the user selection field:
<%= form_with(model: post) do |form| %>
<div>
<%= form.label :title %>
<%= form.text_field :title %>
</div>
<div>
<%= form.label :body %>
<%= form.text_area :body %>
</div>
<div>
<%= form.submit %>
</div>
<% end %>
Now, users don’t need to select their own ID—it’s handled automatically!
Testing Post Creation
Navigating to /posts/new, we create a new post:
- Title: "My New Post"
- Body: "This is the body."
Submitting the form, we see:
- The post was successfully created
- The user ID was correctly assigned
We also made small UI improvements to flash messages, making them more noticeable when actions succeed or fail.
Next Steps: Enhancing Security and Access Control
While the post submission works, there are some security enhancements we need to make:
- Only authenticated users should be able to submit posts
- Unauthenticated users should still be able to view posts (like Hacker News)
- Authorization rules should be added to prevent unauthorized actions
We'll tackle these improvements in the next video to ensure our Rails and SQLite app is both secure and efficient.