Grant
Grant is a Ruby gem and Rails plugin that forces you to make explicit security decisions about the operations performed on your ActiveRecord models. It provides a declarative way to specify rules granting permission to perform CRUD operations on ActiveRecord objects. This presentation covers the basic usage of Grant, highlighting a few of the features that make it different from other solutions available.
Slide 1. Grant: security plugin for Rails. Jeff Kunkle

Slide 2. Leveraging Ruby's Open Classes and Metaprogramming Capabilities, Combined with Active Record Features, to Develop a Security Plugin for Ruby on Rails. Jeff Kunkle

Slide 3. Authorization in the controller, with a filter limited to the update action:

```ruby
class EmployeesController < ApplicationController
  before_filter :authorize, :only => :update

  def list
    @employees = Employee.all
  end

  def update
    emp = Employee.find params[:id]
    emp.update_attributes params[:employee]
  end
end
```

Slide 4. The same check written inline in the action (the slide shows it beside the filter version from slide 3):

```ruby
class EmployeesController < ApplicationController
  def list
    @employees = Employee.all
  end

  def update
    if user.has_role?(:manager)
      emp = Employee.find params[:id]
      emp.update_attributes params[:employee]
    end
  end
end
```

Slide 5. video from http://railscasts.com

Slide 6. video from http://railscasts.com

Slide 7. Is my app secure?

Slide 8. The controller with the inline role check, repeated from slide 4.

Slide 9. The same rule declared on the model with Grant:

```ruby
class Employee < ActiveRecord::Base
  include Grant::ModelSecurity

  grant(:update) { |user, model| user.has_role?(:manager) }
end
```

Slide 10. With the rule on the model, the controller carries no authorization code of its own:

```ruby
class Employee < ActiveRecord::Base
  include Grant::ModelSecurity

  grant(:update) { |user, model| user.has_role?(:manager) }
end

class EmployeesController < ApplicationController
  def list
    @employees = Employee.all
  end

  def update
    emp = Employee.find params[:id]
    emp.update_attributes params[:employee]
  end
end
```

Slide 11. Quiz

Slide 12. Quiz: the Employee model from slide 9.

Slide 13. Quiz: a User model whose has_role? returns true for both :employee and :manager:

```ruby
class User < ActiveRecord::Base
  def has_role?(role)
    [:employee, :manager].include?(role)
  end
end
```

Slide 14. Quiz: what happens when this update action runs? (The "?" on the slide marks the spot where a controller-level check would otherwise sit.)

```ruby
class EmployeesController < ApplicationController
  # ?
  def update
    emp = Employee.find params[:id]
    emp.update_attributes params[:employee]
  end
end
```

Slide 15. The answer: Employee.find raises, because the model granted :update but never :find:

```
Grant::ModelSecurityError: find permission not granted to User:7 for resource Employee:25
  from /Users/jkunkle/project/vendor/plugins/grant/lib/grant/model_security_manager.rb:75:in `permission_not_granted'
  from /Users/jkunkle/project/vendor/plugins/grant/lib/grant/model_security_manager.rb:60:in `apply_security'
  from /Users/jkunkle/project/vendor/plugins/grant/lib/grant/model_security_manager.rb:44:in `after_find'
```

Slide 16. Grant is all or nothing: every operation the model should permit needs its own grant, and grant(:find) here carries no condition at all:

```ruby
class Employee < ActiveRecord::Base
  include Grant::ModelSecurity

  grant(:find)
  grant(:destroy) { |user, model| user.has_role?(:admin) }
  grant(:update, :create) do |user, model|
    user.has_role?(:manager)
  end
end
```
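To make the quiz's outcome and the "all or nothing" rule concrete, here is an added plain-Ruby sketch of the mechanism. It is not the Grant gem's code and uses no ActiveRecord: a module records one rule per action and denies any action that has no grant. QuizEmployee (slides 12 to 15), Employee (slide 16), User and the permitted? helper are constructed stand-ins and assumptions of this example; in the real plugin the check runs from the Active Record callbacks slide 18 lists.

```ruby
class ModelSecurityError < StandardError; end

# Mixed into a model: one rule per action, checked with a default of deny.
module ModelSecurity
  def self.included(base)
    base.extend(ClassMethods)
  end
  module ClassMethods
    def grants
      @grants ||= {}
    end
    # grant(:find) allows everyone; grant(:update) { |user, model| ... }
    # allows the action only when the block returns a truthy value.
    def grant(*actions, &rule)
      rule ||= proc { true }
      actions.each { |action| grants[action] = rule }
    end
  end
  # Raises unless an explicit grant exists AND its rule passes for this user.
  def check!(action, user)
    rule = self.class.grants[action]
    return true if rule && rule.call(user, self)
    raise ModelSecurityError, "#{action} permission not granted to #{user.name} for resource #{self.class}:#{id}"
  end
  def permitted?(action, user)
    check!(action, user)
  rescue ModelSecurityError
    false
  end
end

# Constructed stand-ins for the slides' User and Employee models.
User = Struct.new(:name, :roles) do
  def has_role?(role); roles.include?(role); end
end

# The quiz configuration: only :update is granted, so :find is denied for everyone.
QuizEmployee = Struct.new(:id) do
  include ModelSecurity
  grant(:update) { |user, model| user.has_role?(:manager) }
end

# Slide 16's configuration: every CRUD action carries an explicit grant.
Employee = Struct.new(:id) do
  include ModelSecurity
  grant(:find)
  grant(:destroy) { |user, model| user.has_role?(:admin) }
  grant(:update, :create) { |user, model| user.has_role?(:manager) }
end
```

QuizEmployee.new(25).check!(:find, user) reproduces the slide 15 failure for any user, manager or not, while Employee.new(25) permits :find for everyone and :destroy only for an :admin.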
Slide 17. ... associations too: adding and removing associated records get their own grants:

```ruby
class Employee < ActiveRecord::Base
  include Grant::ModelSecurity

  has_many :reviews

  grant(:find)
  grant(:destroy) { |user, model| user.has_role?(:admin) }
  grant(:update, :create) do |user, model|
    user.has_role?(:manager)
  end
  grant(:add => :reviews, :remove => :reviews) do |user, model|
    user.has_role?(:manager)
  end
end
```

Slide 18. How does it work?
  • Hook methods
  • Dynamic Methods
  • Active Record Callbacks
  • Around Aliases

Slide 19. Show and Tell

Slide 20. Show and Tell .. and answer lots of questions

Slide 21. Grant: Security Anxiety Relief. http://github.com/nearinfinity/grant