Adam Tuttle

To Scope, or Not To Scope

Adam Cameron has another of his surveys going, about your personal taste in variable scoping. It's something I've written about in the past, but my approach has evolved since then, so I figure it's worth writing about again.

Previously my position was that all references (if-statements, display, etc.) should be scoped, while it was not strictly necessary for variable definition (foo=42) — unless required to actually put the variable where you want it, e.g. in Request scope. I still think this approach has merit, and for the same reasons (you never find yourself asking, "ok, but WHERE is the variable foo coming from?") but its primary drawback is verbosity.

Since then, CFScript has matured (which is not to say that it "is mature"), and I find myself writing more JavaScript than CFML/CFScript, anyway. So, it's only natural that my personal style when writing CFML/CFScript is starting to take on the appearance of my JavaScript, too.

This means that I am tending to use traditional var foo = 42; statements in my CFCs over my previously-preferred style of var local = {}; = 42;. I preferred the latter because of its explicitness. As of CF9 we no longer needed the var local = {}; but I still find littering my code with dozens of local. prefixes to be a bit verbose, cumbersome, and at times distracting.

Another part of the evolution of my style has been that my code gets smaller and more decoupled (and in many cases, functional), which means the surface area of any given function is smaller and more manageable, so we don't need as much brain power to keep everything in our heads at once. Since I've got some additional brain bandwidth available from that change, I find myself preferring the more terse var-scoped approach, because I love terseness. This sort of creates a feedback loop: By writing smaller, more discrete functions, I'm able to use a more terse syntax, which takes up less space (mentally and physically), which itself makes the functions smaller and more manageable.

In the end, my preference is still that if you can't look at a variable and immediately know where its value was set — even when reviewing the code 2 years later — then you need to be more explicit. It's just that my tooling and my general style have enabled me to reduce the amount of time that extreme specificity is required.

Tools help! I can look at a FW/1 controller and tell you that a variable named is input from the user: a form or url variable. Likewise, this means that things not prefixed with rc. are not user-generated and are then more likely to be var-scoped. My controllers don't use anything variables-scoped except injected services, so those service methods are prefixed by the service name: fooService.getFoos();. I could write variables.fooService.getFoos() but what's the point? All in all, those controllers are very easy to follow. (Well done, Sean!)

Likewise, my FW/1 services use injected service dependencies and no other variables-scoped data. If I need a config setting, it's available through my configService. So knowing this, all unscoped variables inside my functions are (better be!) var-scoped locals.

But that's just my personal style. What is yours like? (And hey, take a minute to fill out Adam Cameron's Survey, too!)

Idiosyncrasies of using CFContent to send files to the client in ColdFusion

I've found some idiosyncrasies in using CFContent to deliver files to the browser with ColdFusion (e.g. shielded downloads), so I thought I would share them here.

I have only tested what I'm about to share in ColdFusion 10, but I have no reason to believe that it will be any different with other versions, as it appears to be entirely how things are handled client-side.

I can never remember what the appropriate header name is for specifying the file name, so the first thing I did was google for it. That took me to Ben Nadel's blog post on streaming files -- a slightly different matter, but it had the answer I was after:

<cfheader name="content-disposition" value="attachment; filename='filename.xlsx'" />

This worked great, at first, in Chrome. When I got around to various browser tests, I found that if my file name contained a space, as in file name.xlsx then Firefox would save it as 'file (no extension -- nothing after the space). Equally as odd, Safari got the name correct (file name.xlsx) but appended .html.

Changing the single quotes to double quotes fixes Firefox's quirk, and adding a Content-Type header fixes Safari's, so the final result looks like this:

<cfheader name="Content-Disposition" value="attachment; filename=""#rc.fileName#""" />
<cfheader name="Content-Type" value="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" />
<cfcontent reset="true" file="#rc.filePath#" deletefile="true" />

It's 2014... We can make an almost-convincing hoverboard hoax but we still need to test everything in every browser on every platform.
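The snippet above passes rc.fileName and rc.filePath straight into a response header and into a read-then-delete file operation, which is only safe if the controller set both values itself. The following is an added example, not code from the original post: it confines the path to one directory and cleans the file name before it reaches the header. The function names and the /downloads mapping are assumptions made for illustration.

```cfml
<cfscript>
// Added example. safeDownloadPath(), dispositionFor() and the /downloads
// mapping are hypothetical names, not part of the original post or of FW/1.

// Resolve a requested name against one fixed directory. Returns "" when the
// canonical path falls outside that directory or the file does not exist.
function safeDownloadPath(required string downloadRoot, required string requested) {
    var sep      = createObject("java", "java.lang.System").getProperty("file.separator");
    var rootFile = createObject("java", "java.io.File").init(javaCast("string", arguments.downloadRoot));
    var root     = rootFile.getCanonicalPath();
    var fullFile = createObject("java", "java.io.File").init(root, javaCast("string", arguments.requested));
    var full     = fullFile.getCanonicalPath();

    // Canonicalisation collapses ".." segments, so a prefix check on the
    // result is enough to reject anything outside the root.
    if (compare(left(full, len(root) + 1), root & sep) != 0 || !fileExists(full)) {
        return "";
    }
    return full;
}

// Build the Content-Disposition value with a double-quoted file name.
function dispositionFor(required string fileName) {
    // Keep only the last path segment, then drop control characters (CR/LF
    // would start a new header) and double quotes (they end the quoted name).
    var name = listLast(arguments.fileName, "/\");
    name = reReplace(name, '[[:cntrl:]"]', "", "all");
    if (!len(trim(name))) {
        name = "download";
    }
    return 'attachment; filename="' & name & '"';
}
</cfscript>

<cfset filePath = safeDownloadPath(expandPath("/downloads"), rc.filePath) />
<cfif NOT len(filePath)>
    <cfheader statuscode="404" statustext="Not Found" />
    <cfabort />
</cfif>
<cfheader name="Content-Disposition" value="#dispositionFor(rc.fileName)#" />
<cfheader name="Content-Type" value="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet" />
<cfcontent reset="true" file="#filePath#" deletefile="true" />
```

Because deletefile="true" removes whatever path reaches cfcontent, the directory passed as downloadRoot should hold only generated, disposable files.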

CFHTTP SSL Stopped Working after OSX Mavericks Upgrade? Here's Why!

Like so many before me, I've recently been banging my head against issues with CFHTTP and SSL, particularly only on Mac OS X. Eventually I landed on the right Google phrase and read enough links to find this gem, which while only tangentially related, brought my memory back in a flash.

Apple, in their infinite wisdom, decided to stop distributing Java with OSX. And I hadn't realized it at the time that I upgraded, because ColdFusion continued to function, but the upgrade deleted much of the Java JDK, including (you're probably guessing right...) the cacerts file. Not even Verisign signed certificates are trusted if you don't have any cacerts file.

It wasn't until I figured out that my cacerts file (and many other bits of the JDK) were missing that I found the Jira ticket that solved the puzzle.

Thanks, Apple!

Here's what you can do about it: ColdFusion 10 now officially supports Java 7 (as of update 8), so you need to upgrade.

Being a fan of minimalism (e.g. not installing tons of useless junk) I opted to download the Java SE 7 JRE package -- because the JRE is for people who want to RUN java apps, while the JDK is for people who want to WRITE java apps -- for OSX, and installed it; though I was perplexed that it didn't let me choose an install location, or even tell me what it was after it was complete. I had to find out via Stack Overflow -- and as indicated in the comments there, using a JRE installed into the Internet Plugins folder to run your app server isn't exactly the brightest idea.

Right then... Thanks, Oracle!

With that great idea flushed down the toilet, I gave up any hope for sanity and downloaded the Java SE 7 JDK. Again, it didn't let me choose an install location, or bother telling me where it installed. Thankfully, someone else in the same Stack Overflow thread mentioned that the command /usr/libexec/java_home -v 1.7 will let you find the location of an installed JDK by version number; and it turned out that mine was installed to: /Library/Java/JavaVirtualMachines/jdk1.7.0_60.jdk/Contents/Home.

Next we need to tell ColdFusion to use this new JDK instead of the kneecapped one that Apple left behind during the Mavericks upgrade. ColdFusion gives us a decent UI for updating the value, but stores it in the file {CF_ROOT}/cfusion/bin/jvm.config, so make a backup of this file before you change anything. And don't delete your old JDK yet. If something goes wrong, you can just put back your backup of jvm.config to point CF back at the old JDK.

With your backup made, open your CF Administrator and navigate to Server Settings > Java and JVM. Next to Java Virtual Machine Path tap the Browse Server button. (Sure, you could paste it in, but why risk a stray space or missing slash, etc screwing things up?) Find the folder listed as the result of the java_home command earlier and select it.

Then just restart ColdFusion and you're good to go! (If you're not, copy your backup of jvm.config back into {CF_ROOT}/cfusion/bin/jvm.config and restart CF again...)

Verify that you're now on Java 7 by clicking the small "i" icon in the upper-right of the CF Administrator, and checking the value of Java Version -- you want to see 1.7.0_60 or later.
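The Java version alone does not show that the trust store came back. As an added example (not from the original post), this CFScript diagnostic reports which JVM ColdFusion is running on, where its trust store is, and how many certificates it holds. It assumes the default cacerts location under java.home and the JDK's default store password; trustStoreReport() is a hypothetical name.

```cfml
<cfscript>
// Added diagnostic, not from the original post. Assumes the default trust
// store location and the JDK's default store password ("changeit").
function trustStoreReport() {
    var sys = createObject("java", "java.lang.System");
    var report = {
        javaVersion      = sys.getProperty("java.version"),
        javaHome         = sys.getProperty("java.home"),
        path             = "",
        exists           = false,
        trustedCertCount = 0
    };

    // A -Djavax.net.ssl.trustStore argument in jvm.config replaces the default.
    var override = sys.getProperty("javax.net.ssl.trustStore");
    if (isNull(override)) {
        report.path = report.javaHome & "/lib/security/cacerts";
    } else {
        report.path = override;
    }

    report.exists = fileExists(report.path);
    if (report.exists) {
        var KeyStore = createObject("java", "java.security.KeyStore");
        var ks       = KeyStore.getInstance(KeyStore.getDefaultType());
        var stream   = createObject("java", "java.io.FileInputStream").init(javaCast("string", report.path));
        try {
            ks.load(stream, javaCast("string", "changeit").toCharArray());
            report.trustedCertCount = ks.size();
        } finally {
            stream.close();
        }
    }
    return report;
}

writeDump(trustStoreReport());
</cfscript>
```

A result with exists set to false, or a count of zero, means CFHTTP has no root certificates to validate against, which matches the failure described above.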

I hope I never have to go through that again, and I hope maybe it helps a few of you out there.

What It's like to Write Event-Companion Mobile Apps

Writing event-companion apps (conference schedule, session reviews, maps, social integrations, etc) can be a fun and rewarding way to make a living. I've been doing it now for about 3 years and I would say without any hesitation that I love my job.

But it can also be HELL. So I thought I would write about it.

I've been told by numerous doctors that women don't remember the pain of child birth, because if they did then nobody would ever have more than one child. (Anecdotally, despite not having any anesthesia at all, my wife can't recall the pain during our first child's birth...) It's a theory that makes a certain amount of sense to me, so I'm just going to run with it.

For the same reasons, I think compartmentalization is an important skill for programmers. If we could remember the frustration and pain of debugging every missing semicolon, every browser inconsistency, every fat-fingered data input, every off-by-one bug, every memory leak... We would all probably go do something else.

But we don't, because the highs of success are so elating.

These are some of the lows.

Apple Sucks

And I don't mean from the perspective of UI/UX, hardware, OS, or any of that crap. That's a flame war better had over drinks and in person. No, what I'm talking about here is the process of getting an app into the app store.

First you have to get everything to compile and code-sign correctly. Certain stuff has to be in your computer's Keychain, other things need to be referenced from Xcode / CLI arguments. The documentation is almost as bad as trying to understand the jargon used in the American Legislative process.

Then you've got to configure your app in iTunes Connect, literally the worst Web App ever created. With urls like this: (an actual url to the summary page of one of my apps)

I don't know what WebObjects is, but I'm assuming it's a web framework, and if I ever see it on a job posting, I'm going to run far, far away.

The policies built into the app are arcane and at times mystifying. For instance, once a binary is available in the App Store, you cannot change the name of the app as viewed in the App Store. For example, if you submitted with, "Reunion" and you want it to say, "Reunion 2014," you must upload a new binary. It doesn't have to have changed at all, except you have to change the version number.

So that you can change the App Store listing.


What would make more sense? Allow changing it, but require moderator approval. I get that it's there to protect customers from potential abuse -- so just make sure we're not changing "Reunion" to "OMG Best Flashlight Tethering App Ever" and move on. That approval should take about 30 to 60 seconds, depending on how drastically the name has changed.

And while we're on the moderation queue... Why the heck does testing my app and approving it, a process that should take less than an hour, have to wait in line for between 3 and 10 business days? Google doesn't seem to be suffering too much from their automated heuristics that run in lieu of Apple-style human moderation, and my app updates go out in minutes, or at the worst, hours, after I've uploaded them. That gives me, the developer, the ability to respond to customer feedback quickly. A 3-10 business day review queue makes me look bad.

To their credit, wait times have been trending down, and every now and then you'll get lucky and get one reviewed same-day.

And the review process is not First-In-First-Out, either. I've got an app update "Waiting for Review" right now, which I uploaded on June 1st. I've also got an app update that I uploaded on the morning of the 3rd and that has been "In Review" since 34 minutes after upload. Shouldn't apps uploaded on June 1st be reviewed before apps uploaded on June 3rd?

Sure, you can request an expedited review, but if you're unlucky enough to get someone that's in a bad mood reviewing your request, it will be arbitrarily rejected with no explanation.

Allegedly the review process is for the sake of the security and privacy of end users, but clearly it's a broken system. It's security theater. Apple is the TSA of mobile app clearinghouses.

None of this is to claim that Google is perfect. The Play Store has its share of problems. But it stays out of my way and allows me to get updates to my users in a timely manner; something that Apple just won't allow.

Third Party APIs Suck

And usually each one sucks in a new, different, magical way.

LinkedIn's API only allows the app to use the OAuth connection tokens for 60 days. Unless you want to redirect through the LinkedIn login page every time your app starts, hopeful that the user's cookie will still be logged in, so that the key will be refreshed (guess what: it won't for mobile apps, because they don't set a cookie), then you only have 60 days before the user will need to log into LinkedIn again, if you're to continue using the LinkedIn API to provide value to your user. If your event is only over a single weekend, this isn't a big deal. If you're writing an app that will be useful year-round, don't plan on getting much value out of LinkedIn without annoying your user every other month.

Facebook's API changes more frequently than the site design, and usually breaks stuff. They refuse to acknowledge bugs where things work differently between iOS and Android. And they have their own definition of how OAuth should work, so it's not like anyone else's.

Twitter's API, from a development standpoint, is not terribly bad. They don't allow CORS requests, which I don't think is a problem for native-app or server-side requests, but is a huge problem for PhoneGap apps. Personally I get around this with a copy of CodeBird acting as a CORS-friendly proxy running on Heroku. So you'll launch your app with Twitter support and you'll do ok. Then one day you'll wake up to an email that says your API Key has had its write access disabled because you "broke a rule in the API TOS." Have you looked at the API TOS? There are hundreds of rules and some of them can be broken in multiple ways. And they don't bother to tell you what you did wrong. Oh, and they don't care that your event started last night and users are angrily shaking their fists at you right now because they can't tweet from your app. I did find their response to my appeal to be within a reasonable time frame (a few hours), but I don't know if my request to @Support expedited that review at all. Apparently they use an automated tool to sweep for infringing apps, and it's possible to get picked up as a false-positive. That's what happened to me.

And then there are other APIs, provided by your customers or their 4th party vendors. Nearly always those suck, too. Slow. No support for batch processes or searching. Latitude and Longitude delivered as {longitude},{latitude}. The list goes on and on.

Nobody Tests

Under penalty of death, I still don't think you can get adequate testing from customers. Until the night before the event starts. And then invariably they find some tiny little detail that requires submitting a new build to Apple. So you wait with fingers crossed and hope it goes out in time.

At least for me, these days, programming is about taking numerous other APIs and combining them in interesting and useful ways; maybe adding a little sugar to the UI to enhance the experience. When that plan comes together, it's a thing of beauty... But until it does, you'll be cursing like a sailor.