Comparison of Different Access Controls in Rails
By Rashmi Nair
About Me
I am Team Lead at Icicle Technologies.
I have been working in ROR for the past 5 years.
On Twitter you can find me at @rashmignair
Authentication
❏ Allowing users to sign in and identify themselves is called authentication (it identifies a user),
e.g. the same as swiping your card in order to enter your office.
❏ It can be implemented using Devise or Omniauth.
❏ Devise is a flexible authentication solution for Rails based on Warden.
❏ It encrypts and stores a password in the database to validate the authenticity of a user while signing in.
Authorization
❏ Controls what a user is allowed to do.
❏ Once a user logs in, we need to check what the user is allowed to access and perform.
❏ These checks are based on the different roles defined in the application and the functions that each role can perform.
Role-Based Authorization 
❏ Role-based authorization is suitable for simple applications 
without complex access rules. 
❏ A big advantage is easy conceptualization; it is easy to imagine 
personas, each with different (but uniform) privileges.
Implementing Role-Based Authorization 
❏ Implement using CanCan (cancancan) 
❏ Implement using Pundit
Implement using CanCan 
❏ Simple and powerful 
❏ Authorization library for Ruby on Rails 
❏ All permissions are defined in a single location (the Ability class)
Implementation
❏ Add the gem to your Gemfile and run the bundle command.
>> gem "cancan"
❏ Define abilities:
>> rails g cancan:ability
app/models/ability.rb
class Ability
  include CanCan::Ability

  def initialize(user)
    # Define abilities for the passed in user here; every rule for this
    # user's role lives in this one class.
  end
end
Advantage 
❏ Check Abilities & Authorization 
❏ Handle Unauthorized Access 
❏ Manage authorization in a single file 
Disadvantage
❏ Ability files quickly become too big to manage, and there is no built-in strategy for splitting up abilities across multiple files.
Disadvantage 
❏ Even worse, there is no natural way to structure ability files. We usually resort to comments to divide the file into sections for different models.
❏ All ability rules need to be evaluated for every request. While not a huge performance hit, it seems like built-in wastefulness.
❏ The test suite depends on ActiveRecord < 3.1
Implement using Pundit 
❏ It provides a set of helpers which guide you in leveraging regular Ruby classes and object-oriented design patterns.
❏ It helps you build a simple, robust and scalable authorization system.
Installation
❏ gem "pundit"
❏ Add the following in ApplicationController:
class ApplicationController < ActionController::Base
  include Pundit
  protect_from_forgery
end
❏ rails g pundit:install
❏ It focuses on policies.
❏ Define the policies to be followed for a model in a class whose name is the model name followed by Policy, e.g. TaskPolicy.
class TaskPolicy < ApplicationPolicy
  # `user` is readable through the attr_reader that the generated
  # ApplicationPolicy defines; `task` is the record being authorized
  attr_reader :task

  def initialize(user, task)
    @user = user
    @task = task
  end

  # Only project managers and team leads may create tasks
  def create?
    user.role?(:project_manager) || user.role?(:team_lead)
  end

  # Managers and leads may update any task; others only the task assigned to them
  def update?
    user.role?(:project_manager) || user.role?(:team_lead) || user.id == @task.user_id
  end
end
class TasksController < ApplicationController
  def index
    # policy_scope applies TaskPolicy::Scope#resolve to the relation
    @tasks = policy_scope(Task)
  end

  def create
    @task = Task.new(task_params)
    authorize @task, :create?   # raises Pundit::NotAuthorizedError when create? is false
    @task.save
    redirect_to @task
  end

  def show
    @task = Task.find(params[:id])   # look up by primary key; where(params[:id]) does not do this
    authorize @task, :show?
  end

  private

  # Strong parameters (Rails 4+): permit only the attributes the form may set
  def task_params
    params.require(:task).permit(:task_name)
  end
end
Implementing Scopes 
❏ Define a class called a policy scope.
❏ The class is named Scope and is nested under the policy class.
❏ Instances of this class respond to the method resolve, which should return some kind of result that can be iterated over.
class TaskPolicy < ApplicationPolicy
  class Scope
    attr_reader :user, :scope

    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    # Project managers see every task; everyone else only published ones
    def resolve
      if user.role?(:project_manager)
        scope.all
      else
        scope.where(:published => true)
      end
    end
  end

  # `record` is the task passed to authorize (attr_reader from ApplicationPolicy);
  # the Scope class above is not available here
  def update?
    user.role?(:project_manager) || user.role?(:team_lead) || user.id == record.user_id
  end
end
Advantage
❏ Segregates access rules into a central location.
❏ Policy objects are lightweight.
❏ Keeps your authorization logic out of controllers and models.
Disadvantage
❏ Passing an additional parameter to the policy_scope method is difficult.
Use Case
❏ Consider an example system with the following roles: Project Manager, Team Lead, Team Member.
❏ The rules to be defined are as follows:
1. Project Manager can do everything (create milestones, add tasks, add members to the project)
2. Team Lead (add task, update task, delete task)
3. Members (can view all tasks, but can update only the tasks assigned to them)
Project Manager
class Ability
  include CanCan::Ability

  def initialize(user)
    # Define abilities for the passed in user here. For example:
    if user.role?(:project_manager)
      can :manage, :all
    else
      # …….
    end
  end
end

class TaskPolicy < ApplicationPolicy
  class Scope
  end

  def create?
    user.role?(:project_manager)
  end

  def update?
    user.role?(:project_manager)
  end
end
Team Lead
class Ability
  include CanCan::Ability

  def initialize(user)
    # Define abilities for the passed in user here. For example:
    if user.role?(:project_manager)
      can :manage, :all
    else
      can :read, :all
      if user.role?(:team_lead)
        can :update, Task
        can :destroy, Task   # :destroy is the action CanCan checks for the controller's destroy action
      end
    end
  end
end

class TaskPolicy < ApplicationPolicy
  class Scope
  end

  def create?
    user.role?(:project_manager) || user.role?(:team_lead)
  end

  def update?
    user.role?(:project_manager) || user.role?(:team_lead)
  end
end
Team Member
class Ability
  include CanCan::Ability

  def initialize(user)
    if user.role?(:project_manager)
      can :manage, :all
    else
      can :read, :all
      # members may update only tasks assigned to them; team leads any task
      can :update, Task do |task|
        task.try(:user) == user || user.role?(:team_lead)
      end
      if user.role?(:team_lead)
        can :destroy, Task
      end
    end
  end
end

class TaskPolicy < ApplicationPolicy
  def initialize(current_user, model)
    @user = current_user
    @task = model
  end

  def create?
    user.role?(:project_manager) || user.role?(:team_lead)
  end

  def update?
    user.role?(:project_manager) || user.role?(:team_lead) || @user == @task.user
  end
end
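The use-case rules above (Project Manager, Team Lead, Team Member) implemented as Pundit-style policy and scope classes in plain Ruby, so they run without Rails or the gem: an added example, not code from the deck or from the Pundit project. User, Task, the role sets and the authorize helper are constructed stand-ins for the real models and for Pundit's controller helper; the base policy denies by default so each action must be opted in.

```ruby
require "set"

# Constructed stand-in for the app's User model; `role?` mirrors the
# deck's `user.role?(:project_manager)` calls.
User = Struct.new(:id, :roles) do
  def role?(role)
    roles.include?(role)
  end
end

# Constructed stand-in for the Task model; user_id is the assignee.
Task = Struct.new(:id, :task_name, :user_id, :published)

# Base policy with the same shape as Pundit's generated ApplicationPolicy:
# deny everything by default so each policy must opt in explicitly.
class ApplicationPolicy
  attr_reader :user, :record

  def initialize(user, record)
    raise ArgumentError, "no user given" if user.nil? # never authorize anonymous callers
    @user = user
    @record = record
  end

  def show?;    false; end
  def create?;  false; end
  def update?;  false; end
  def destroy?; false; end
  def edit?;    update?; end
end

class TaskPolicy < ApplicationPolicy
  # Every role in the use case may view all tasks.
  def show?
    true
  end

  # Project Manager and Team Lead may add tasks.
  def create?
    user.role?(:project_manager) || user.role?(:team_lead)
  end

  # Members may update only the task assigned to them.
  def update?
    create? || record.user_id == user.id
  end

  # Only Project Manager and Team Lead may delete.
  def destroy?
    create?
  end

  class Scope
    attr_reader :user, :scope

    def initialize(user, scope)
      @user = user
      @scope = scope
    end

    # `scope` is a plain Enumerable of tasks here (an ActiveRecord relation in
    # Rails); managers see everything, everyone else only published tasks.
    def resolve
      user.role?(:project_manager) ? scope : scope.select(&:published)
    end
  end
end

# Stand-in for Pundit's controller-side `authorize record, :action?`: raises
# instead of returning false, so a denied action cannot silently proceed.
class NotAuthorizedError < StandardError; end

def authorize(user, record, query)
  policy = TaskPolicy.new(user, record)
  raise NotAuthorizedError, "#{query} denied for user #{user.id}" unless policy.public_send(query)
  record
end

# Constructed sample users and tasks covering the three roles.
PM     = User.new(1, Set[:project_manager])
LEAD   = User.new(2, Set[:team_lead])
MEMBER = User.new(3, Set[:member])
OTHER  = User.new(4, Set[:member])
TASKS  = [
  Task.new(10, "Write spec",   3, true),  # assigned to MEMBER, published
  Task.new(11, "Draft design", 4, false), # assigned to OTHER, unpublished
]

# Ids of the sample tasks the given user may update, per TaskPolicy#update?.
def updatable_task_ids(user)
  TASKS.select { |t| TaskPolicy.new(user, t).update? }.map(&:id)
end

# Ids of the sample tasks the given user may list, per TaskPolicy::Scope#resolve.
def visible_task_ids(user)
  TaskPolicy::Scope.new(user, TASKS).resolve.map(&:id)
end
```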
View File (CanCan)
views/tasks/index.html.erb
<% if can? :create, Task -%>
  <%= link_to 'Add Task', new_task_path -%>
<% end -%>
<% @tasks.each do |task| -%>
  <p>Task Name: <%= task.task_name %></p>
  <p><%= link_to 'Show', task_path(task) %></p>
<% end -%>
View File (Pundit)
<% if policy(@task).show? %>
  <%= link_to 'Task', task_path(@task) %>
<% end %>
<% policy_scope(@user.tasks).each do |task| %>
  <li>
    <h2><%= task.task_name %></h2>
    <p><%= link_to "Edit", [:edit, task] if policy(task).edit? %></p>
  </li>
<% end %>
Comparison
CanCan
❏ The simple approach is to isolate all authorization logic into a single Ability class.
❏ Single user role
❏ Drawback is that all abilities for that user's role need to be evaluated for each request
❏ Becomes difficult to use when there are complex roles
❏ No support for Rails 4
Pundit
❏ Provides a set of helpers to build your own authorization system using plain Ruby classes.
❏ Supports complex applications with multiple roles
❏ Only evaluates the ability for the requested resource's action
❏ Can be leveraged in building your own authorization system that meets your project's needs
❏ Has support for Rails 4
References 
http://www.elabs.se/blog/52-simple-authorization-in-ruby-on-rails-apps 
https://github.com/elabs/pundit 
http://www.distilnetworks.com/cancan-vs-pundit-choose-pundit-authorization/
Thank You
