seeding ghost’s DB

building ghost-powered website’s contents in a scalable way

1. what we’re doing

We’re building a custom website for a particular client, and we’ll be using Ghost as our CMS. This lets us bootstrap the website quickly, building a theme based on a custom design our client has already picked.

2. the problem

To put it clearly, there are three parts of the website we’ll deliver to our client:

  1. ghost, the CMS that will run our site
  2. a custom theme for our client, which has their colors, fonts, etc.
  3. the contents for the theme itself; the theme needs some content before it can be fully displayed

Our problem lies in the third item. It may not get much attention, but there has to be a scalable way of handling the “base” or “default” data the theme displays: some way in which a developer doesn’t see different content than a teammate while building the UI or structuring the components and elements of the webpage.

And it goes further than that – we’ll have:

  • one development environment per development machine (and there’ll be a couple of people building it simultaneously)
  • a staging environment (or several of them, depending on how big our team is), deployed automatically from the master branch and checked constantly so that we can QA this shared environment
  • a production environment – which won’t be created right away but needs to be easily deployed (and re-built) with the “initial” data once we are ready to deliver

It’s important for our team to have a similar copy of each of these. Keeping everybody on the same page avoids misunderstandings.

3. why not use DB dumps?

Well, there are a few reasons. First, the environments run different DB engines. For convenience, development environments use sqlite3, which is quicker to bootstrap, while production environments run PostgreSQL.

4. the solution

The missing piece is a program that can create (and re-create) the “initial” data for the database in a single run (i.e. seed the database), so that our theme displays correctly.

5. how to?

We’ve released a gem which reads fixtures (yml files) for the models that currently make up Ghost’s structure and creates the necessary DB records. This way our contents are written in simple text files rather than hardcoded in the theme itself.

This project has some seed fixtures we can look at as a sample: github.com/prendho/webpage/tree/master/config/seed/fixtures

And this is the Ruby gem, which I hope we’ll be documenting in the near future: rubygems.org/gems/ghost-seeder

I’ll be writing some more documentation in our GH repo github.com/noggalito/ghost-seeder, but basically at the moment we run the task using rake and it creates (or re-creates) the data needed to make up the website.

$ rake db:seed

ghost-seeder db:seed task
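As an added example (not the ghost-seeder gem’s own code), this is how fixture-driven, re-runnable seeding can work: one YAML fixture document per model, a reference syntax between fixtures, and create-or-update on a natural key so that running the task twice converges on the same data instead of duplicating it. The fixture contents, the `@model/label` reference syntax, the model and column names and the in-memory store are all assumptions for illustration.

```ruby
# Added example, not ghost-seeder's own code: fixture-driven, re-runnable seeding.
require "yaml"
# Constructed fixtures, one YAML document per model, keyed by a fixture label.
# A value "@model/label" references another fixture and is resolved to its id.
FIXTURES = {
  "users" => YAML.safe_load(<<~YML),
    admin:
      name: Site Admin
      email: admin@example.invalid
  YML
  "posts" => YAML.safe_load(<<~YML),
    welcome:
      title: Welcome
      slug: welcome
      author_id: "@users/admin"
      status: published
  YML
}.freeze
# A natural key per model decides create vs. re-create (update), so re-running the
# task converges on one state instead of piling up duplicates; parents seed first.
NATURAL_KEY = { "users" => "email", "posts" => "slug" }.freeze
ORDER = %w[users posts].freeze
# In-memory stand-in for the sqlite3/PostgreSQL layer (assumption: the engine is
# hidden behind this interface, so the seeding logic is the same everywhere).
class MemoryStore
  attr_reader :tables
  def initialize; @tables = Hash.new { |h, k| h[k] = [] }; @next_id = 0; end
  def find(table, key, value); @tables[table].find { |r| r[key] == value }; end
  def insert(table, attrs); (@tables[table] << attrs.merge("id" => (@next_id += 1))).last; end
  def update(row, attrs); row.merge!(attrs); end
end
# Seeds every model in dependency order; returns how many rows were created/updated.
def seed(store, fixtures = FIXTURES)
  ids, stats = {}, { created: 0, updated: 0 }  # ids: "users/admin" => 1
  ORDER.each do |table|
    key = NATURAL_KEY.fetch(table)
    (fixtures[table] || {}).each do |label, attrs|
      attrs = attrs.transform_values do |v|      # resolve "@model/label" refs
        v.is_a?(String) && v.start_with?("@") ? ids.fetch(v[1..-1]) : v
      end
      if (row = store.find(table, key, attrs[key]))
        store.update(row, attrs); stats[:updated] += 1
      else
        row = store.insert(table, attrs); stats[:created] += 1
      end
      ids["#{table}/#{label}"] = row["id"]
    end
  end
  stats
end
```

A dangling reference (a label no fixture defines) raises KeyError from `ids.fetch`, which is the behaviour you want from a one-off seeding task rather than silently inserting a row with a nil foreign key.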


TL;DR

We add a Ruby gem to our projects which lets us run a simple task and, based on some “initial” data, deploy the entire website with its contents in a few seconds.

Why does software cost so much?

Here is a quote from Tom DeMarco:

Instead of asking why software costs so much, we need to start asking: what have we done to make it possible for today’s software to cost so little?
The answer to that question will help us continue the extraordinary level of achievement that has always distinguished the software industry.

on how TEDxQuito could be hacked


Today I have an interesting story for you :)

I wanted to go to TEDxQuito. I wanted to go with Someone, so we needed one more ticket (mine was already confirmed). I went looking for contact details because I wanted to call them. Soon I came across this: http://www.tedxquito.com/admin_databases/. And then I realized it was vulnerable to SQL injection (go ahead, try it).

I phoned a couple of people (Renato Solines and Marcelo Naranjo) and told them we should fix it together, that I didn’t want to damage anything they had; I only wanted to go to TED (I tried to trade my knowledge for a ticket to the event), but they didn’t like the idea and were even rude about it.

That’s why I’m now showing you a couple of things:

SQL injection


A couple of things I found:

Apparently, the person who programmed this


[Should I put the instructions for getting straight into the admin panel here? Or do you think someone will get angry?]

PS: Digiway folks, you did a terrific job! We wouldn’t be having this much fun if it weren’t for you.