Dear Heroku -

I've developed a set of test-first Ruby training exercises at
http://testfirst.org and I've been brainstorming about how to take it to the
next level. I've been imagining an interactive web site, where users can
edit code and run RSpec tests from inside their web browser.

Unfortunately (for me and for the whole world) the SCRIPT tag only supports
JavaScript on most browsers. So I'd have to send the students' code to a web
server and execute it there.

The problem with that is security. The code is all open source and I won't
be storing any sensitive information, so I'm not worried about malicious
crackers[1], but there's still a risk that a student could, accidentally or
on purpose, break or otherwise compromise the functionality of the app if
I'm evaling arbitrary code on their behalf.

I know about $SAFE but I don't think it's actually safe enough for this
purpose. I've also heard of Why's Freaky Sandbox but I couldn't find the
code anywhere (R.I.P.)

So I had a thought: what if I have a master app, and a student could connect
to it, temporarily give me his Heroku credentials, and then I could spin up
a lab app under his Heroku account that only he knows the URL to. Anything
he breaks would just affect his own instance, and I could have a big "reset"
button that could clean up ("heroku restart") after that. I'd still use
$SAFE to stop access to the filesystem, but even that wouldn't be very
risky.

Is there a way to do this cleanly? Say, with a Heroku OAuth API?

Oh, wait, I think I just figured it out!

I can't create an app with the user's credentials. But I can create an app
with *my* credentials (SSH keys) and then transfer ownership to the user
(after appropriate email validation, of course).

So I guess now my question becomes, can I use the heroku gem or CLI from
inside a running Heroku app?

 - A

[1] not nearly as tasty as Animal Crackers.

(cc'ing the test-first-teaching google group in case someone there has any
bright ideas or wants to contribute)

-- 
Alex Chaffee - a...@stinky.com - http://alexch.github.com
Stalk me: http://friendfeed.com/alexch | http://twitter.com/alexch |
http://alexch.tumblr.com
