More Related Content
What's hot
What's hot (19)
Similar to Grant
Similar to Grant (20)
Recently uploaded
Recently uploaded (20)
Grant
- 1. Grant security plugin for Rails Jeff Kunkle
- 2. Leveraging Ruby’s Open Classes and Metaprogramming Capabilities, Combined with Active Record Features to Develop a Security Plugin for Ruby on Rails Jeff Kunkle
- 3. class EmployeesController < ApplicationController before_filter :authorize, :if => :update def list @employees = Employee.all end def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end
- 4. class EmployeesController < ApplicationController def list @employees = Employee.all end def update if user.has_role?(:manager) emp = Employee.find params[:id] emp.update_attributes params[:employee] end class EmployeesController <end ApplicationController before_filter :authorize, :if => :update end def list @employees = Employee.all end def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end
- 9. Is my app secure?
- 11. class EmployeesController < ApplicationController def list @employees = Employee.all end def update if user.has_role?(:manager) emp = Employee.find params[:id] emp.update_attributes params[:employee] end end end
- 12. class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end
- 13. class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end class EmployeesController < ApplicationController def list @employees = Employee.all end def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end
- 14. Quiz
- 15. Quiz class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end
- 16. Quiz class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end class User < ActiveRecord::Base def has_role?(role) [:employee, :manager].include?(role) end end
- 17. Quiz class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end class User < ActiveRecord::Base def has_role?(role) [:employee, :manager].include?(role) end end class EmployeesController < ApplicationController ? def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end
- 18. Grant::ModelSecurityError: find permission not granted to User:7 for resource Employee:25 from /Users/jkunkle/project/vendor/plugins/grant/ lib/grant/model_security_manager.rb:75:in `permission_not_granted' from /Users/jkunkle/project/vendor/plugins/grant/ lib/grant/model_security_manager.rb:60:in `apply_security' from /Users/jkunkle/project/vendor/plugins/grant/ lib/grant/model_security_manager.rb:44:in `after_find'
- 19. Grant is all or nothing class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:find) grant(:destroy) { |user, model| user.has_role?(:admin) } grant(:update, :create) do |user, model| user.has_role?(:manager) end end
- 20. ... associations too class Employee < ActiveRecord::Base include Grant::ModelSecurity has_many :reviews grant(:find) grant(:destroy) { |user, model| user.has_role?(:admin) } grant(:update, :create) do |user, model| user.has_role?(:manager) end grant(:add => :reviews, :remove => :reviews) do |user, model| user.has_role?(:manager) end end
- 21. How does it work? Hook methods Dynamic Methods Active Record Callbacks Around Aliases
- 22. Show and Tell
- 23. Show and Tell .. and answer lots of questions
- 24. Grant Security Anxiety Relief http://github.com/nearinfinity/grant