Grant
Grant is a Ruby gem and Rails plugin that forces you to make explicit security decisions about the operations performed on your ActiveRecord models. It provides a declarative way to specify rules granting permission to perform CRUD operations on ActiveRecord objects. This presentation covers the basic usage of Grant, highlighting a few of the features that make it different from other solutions available.

Published in: Technology

Transcript

  • 1. Grant: security plugin for Rails (Jeff Kunkle)
  • 2. Leveraging Ruby's Open Classes and Metaprogramming Capabilities, Combined with Active Record Features to Develop a Security Plugin for Ruby on Rails (Jeff Kunkle)
  • 3.

      class EmployeesController < ApplicationController
        before_filter :authorize, :if => :update

        def list
          @employees = Employee.all
        end

        def update
          emp = Employee.find params[:id]
          emp.update_attributes params[:employee]
        end
      end

  • 4. (two versions of the same controller, shown one over the other)

      class EmployeesController < ApplicationController
        def list
          @employees = Employee.all
        end

        def update
          if user.has_role?(:manager)
            emp = Employee.find params[:id]
            emp.update_attributes params[:employee]
          end
        end
      end

      class EmployeesController < ApplicationController
        before_filter :authorize, :if => :update

        def list
          @employees = Employee.all
        end

        def update
          emp = Employee.find params[:id]
          emp.update_attributes params[:employee]
        end
      end
  • 5. video from http://railscasts.com
  • 6. video from http://railscasts.com
  • 7. Is my app secure?
  • 8.

      class EmployeesController < ApplicationController
        def list
          @employees = Employee.all
        end

        def update
          if user.has_role?(:manager)
            emp = Employee.find params[:id]
            emp.update_attributes params[:employee]
          end
        end
      end

  • 9.

      class Employee < ActiveRecord::Base
        include Grant::ModelSecurity
        grant(:update) { |user, model| user.has_role?(:manager) }
      end

  • 10.

      class Employee < ActiveRecord::Base
        include Grant::ModelSecurity
        grant(:update) { |user, model| user.has_role?(:manager) }
      end

      class EmployeesController < ApplicationController
        def list
          @employees = Employee.all
        end

        def update
          emp = Employee.find params[:id]
          emp.update_attributes params[:employee]
        end
      end
  • 11. Quiz
  • 12. Quiz

      class Employee < ActiveRecord::Base
        include Grant::ModelSecurity
        grant(:update) { |user, model| user.has_role?(:manager) }
      end

  • 13. Quiz

      class Employee < ActiveRecord::Base
        include Grant::ModelSecurity
        grant(:update) { |user, model| user.has_role?(:manager) }
      end

      class User < ActiveRecord::Base
        def has_role?(role)
          [:employee, :manager].include?(role)
        end
      end

  • 14. Quiz

      class Employee < ActiveRecord::Base
        include Grant::ModelSecurity
        grant(:update) { |user, model| user.has_role?(:manager) }
      end

      class User < ActiveRecord::Base
        def has_role?(role)
          [:employee, :manager].include?(role)
        end
      end

      class EmployeesController < ApplicationController
        # ?
        def update
          emp = Employee.find params[:id]
          emp.update_attributes params[:employee]
        end
      end

  • 15.

      Grant::ModelSecurityError: find permission not granted to User:7 for resource Employee:25
        from /Users/jkunkle/project/vendor/plugins/grant/lib/grant/model_security_manager.rb:75:in `permission_not_granted'
        from /Users/jkunkle/project/vendor/plugins/grant/lib/grant/model_security_manager.rb:60:in `apply_security'
        from /Users/jkunkle/project/vendor/plugins/grant/lib/grant/model_security_manager.rb:44:in `after_find'

  • 16. Grant is all or nothing

      class Employee < ActiveRecord::Base
        include Grant::ModelSecurity
        grant(:find)
        grant(:destroy) { |user, model| user.has_role?(:admin) }
        grant(:update, :create) do |user, model|
          user.has_role?(:manager)
        end
      end

  • 17. ... associations too

      class Employee < ActiveRecord::Base
        include Grant::ModelSecurity
        has_many :reviews
        grant(:find)
        grant(:destroy) { |user, model| user.has_role?(:admin) }
        grant(:update, :create) do |user, model|
          user.has_role?(:manager)
        end
        grant(:add => :reviews, :remove => :reviews) do |user, model|
          user.has_role?(:manager)
        end
      end
  • 18. How does it work?
      - Hook methods
      - Dynamic Methods
      - Active Record Callbacks
      - Around Aliases
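The following is an added, stand-alone illustration of the mechanism slide 18 lists and of the behaviour shown on slides 14 to 16; it is not code from the Grant plugin or from the presentation. `SecureModel` is a constructed stand-in for `ActiveRecord::Base` (an in-memory table per class plus the `after_find`/`before_*` hook points), `ModelSecurity` re-creates only the shape of the `grant(:op) { |user, model| ... }` DSL and the error message from slide 15, and `User`, `Employee`, `SecuredEmployee` and the sample records are constructed. Association grants (`:add`/`:remove`) are not modelled.

```ruby
class ModelSecurityError < StandardError; end

# Constructed stand-in for ActiveRecord::Base: an in-memory table per class
# and the callback hook points ActiveRecord exposes (after_find, before_create...).
class SecureModel
  TABLES = Hash.new { |h, k| h[k] = {} }

  class << self
    attr_accessor :current_user                   # what the session would supply
    def table; TABLES[name]; end
    def seed(id, attrs); table[id] = attrs; end   # fixture load: bypasses callbacks on purpose
    def find(id)
      attrs = table[id] or raise "#{name}:#{id} not found"
      record = new(attrs, id)
      record.after_find                            # the hook Grant checks :find in
      record
    end
  end

  attr_reader :id, :attributes

  def initialize(attrs = {}, id = nil)
    @attributes, @id = attrs, id
  end

  # No-op hooks; an including module overrides them (the "around alias" idea).
  def after_find; end
  def before_create; end
  def before_update; end
  def before_destroy; end

  def update_attributes(attrs)
    @attributes = @attributes.merge(attrs)
    @id ? before_update : before_create
    @id ||= self.class.table.size + 1
    self.class.table[@id] = @attributes
    self
  end

  def destroy
    before_destroy
    self.class.table.delete(@id)
    self
  end
end

# The declarative layer. `included` is the hook method; `grant` is the
# dynamically installed class method; the callback overrides do the checking.
module ModelSecurity
  def self.included(base)
    base.extend(ClassMethods)
    base.instance_variable_set(:@grants, {})
  end

  module ClassMethods
    attr_reader :grants
    # grant(:find) grants unconditionally; grant(:update, :create) { |user, model| ... }
    # grants only when the block returns true.
    def grant(*operations, &block)
      operations.each { |op| @grants[op] = block || proc { true } }
    end
  end

  # All or nothing: an operation with no grant at all is refused.
  def apply_security(operation)
    rule = self.class.grants[operation]
    user = SecureModel.current_user
    return if rule && rule.call(user, self)
    raise ModelSecurityError, "#{operation} permission not granted to " \
      "#{user.class.name}:#{user.id} for resource #{self.class.name}:#{id}"
  end

  def after_find;     apply_security(:find);    end
  def before_create;  apply_security(:create);  end
  def before_update;  apply_security(:update);  end
  def before_destroy; apply_security(:destroy); end
end

User = Struct.new(:id, :roles) do
  def has_role?(role); roles.include?(role); end
end

# Slide 14: only :update is granted, so find fails even for a manager.
class Employee < SecureModel
  include ModelSecurity
  grant(:update) { |user, model| user.has_role?(:manager) }
end

# Slide 16: find for everyone, destroy for admins, update/create for managers.
class SecuredEmployee < SecureModel
  include ModelSecurity
  grant(:find)
  grant(:destroy) { |user, model| user.has_role?(:admin) }
  grant(:update, :create) { |user, model| user.has_role?(:manager) }
end

MANAGER = User.new(7, [:employee, :manager])   # constructed sample user

def quiz_result
  SecureModel.current_user = MANAGER
  Employee.seed(25, 'name' => 'Alice')         # constructed sample record
  Employee.find(25).update_attributes('name' => 'Alicia')
  :updated
rescue ModelSecurityError => e
  e.message
end

def manager_update_allowed?
  SecureModel.current_user = MANAGER
  SecuredEmployee.seed(25, 'name' => 'Alice')
  SecuredEmployee.find(25).update_attributes('name' => 'Alicia')
  SecuredEmployee.table[25]['name'] == 'Alicia'
end

def manager_destroy_denied?
  SecureModel.current_user = MANAGER
  SecuredEmployee.seed(26, 'name' => 'Bob')
  SecuredEmployee.find(26).destroy
  false
rescue ModelSecurityError
  true
end

if __FILE__ == $0
  puts quiz_result
  puts manager_update_allowed?
  puts manager_destroy_denied?
end
```

Running it reproduces the quiz answer: `quiz_result` returns the slide 15 message because `Employee` never granted `:find`, while `SecuredEmployee` lets a manager read and update but refuses the destroy a manager was never granted. The point for a reviewer is the default: a missing rule denies, so forgetting a `grant` surfaces as an exception in development rather than as an unprotected operation in production.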
  • 19. Show and Tell
  • 20. Show and Tell .. and answer lots of questions
  • 21. Grant: Security Anxiety Relief. http://github.com/nearinfinity/grant