Download to read offline
![class EmployeesController < ApplicationController
before_filter :authorize, :if => :update
def list
@employees = Employee.all
end
def update
emp = Employee.find params[:id]
emp.update_attributes params[:employee]
end
end](https://image.slidesharecdn.com/grant-130220210518-phpapp01/85/Grant-3-320.jpg)
![class EmployeesController < ApplicationController
def list
@employees = Employee.all
end
def update
if user.has_role?(:manager)
emp = Employee.find params[:id]
emp.update_attributes params[:employee]
end
class EmployeesController <end
ApplicationController
before_filter :authorize, :if => :update
end
def list
@employees = Employee.all
end
def update
emp = Employee.find params[:id]
emp.update_attributes params[:employee]
end
end](https://image.slidesharecdn.com/grant-130220210518-phpapp01/85/Grant-4-320.jpg)
![class EmployeesController < ApplicationController
def list
@employees = Employee.all
end
def update
if user.has_role?(:manager)
emp = Employee.find params[:id]
emp.update_attributes params[:employee]
end
end
end](https://image.slidesharecdn.com/grant-130220210518-phpapp01/85/Grant-11-320.jpg)
![class Employee < ActiveRecord::Base
include Grant::ModelSecurity
grant(:update) { |user, model| user.has_role?(:manager) }
end
class EmployeesController < ApplicationController
def list
@employees = Employee.all
end
def update
emp = Employee.find params[:id]
emp.update_attributes params[:employee]
end
end](https://image.slidesharecdn.com/grant-130220210518-phpapp01/85/Grant-13-320.jpg)
![Quiz
class Employee < ActiveRecord::Base
include Grant::ModelSecurity
grant(:update) { |user, model| user.has_role?(:manager) }
end
class User < ActiveRecord::Base
def has_role?(role)
[:employee, :manager].include?(role)
end
end](https://image.slidesharecdn.com/grant-130220210518-phpapp01/85/Grant-16-320.jpg)
![Quiz
class Employee < ActiveRecord::Base
include Grant::ModelSecurity
grant(:update) { |user, model| user.has_role?(:manager) }
end
class User < ActiveRecord::Base
def has_role?(role)
[:employee, :manager].include?(role)
end
end
class EmployeesController < ApplicationController
?
def update
emp = Employee.find params[:id]
emp.update_attributes params[:employee]
end
end](https://image.slidesharecdn.com/grant-130220210518-phpapp01/85/Grant-17-320.jpg)
Grant
- 1. Grant security plugin forRails Jeff Kunkle
- 2. Leveraging Ruby’s Open Classes and Metaprogramming Capabilities, Combined with Active Record Features to Develop a Security Plugin for Ruby on Rails Jeff Kunkle
- 3. class EmployeesController <ApplicationController before_filter :authorize, :if => :update def list @employees = Employee.all end def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end
- 4. class EmployeesController <ApplicationController def list @employees = Employee.all end def update if user.has_role?(:manager) emp = Employee.find params[:id] emp.update_attributes params[:employee] end class EmployeesController <end ApplicationController before_filter :authorize, :if => :update end def list @employees = Employee.all end def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end
- 5.
- 6.
- 9. Is my appsecure?
- 11. class EmployeesController <ApplicationController def list @employees = Employee.all end def update if user.has_role?(:manager) emp = Employee.find params[:id] emp.update_attributes params[:employee] end end end
- 12. class Employee <ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end
- 13. class Employee <ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end class EmployeesController < ApplicationController def list @employees = Employee.all end def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end
- 14.
- 15. Quiz class Employee <ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end
- 16. Quiz class Employee <ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end class User < ActiveRecord::Base def has_role?(role) [:employee, :manager].include?(role) end end
- 17. Quiz class Employee <ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end class User < ActiveRecord::Base def has_role?(role) [:employee, :manager].include?(role) end end class EmployeesController < ApplicationController ? def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end
- 18. Grant::ModelSecurityError: find permissionnot granted to User:7 for resource Employee:25 from /Users/jkunkle/project/vendor/plugins/grant/ lib/grant/model_security_manager.rb:75:in `permission_not_granted' from /Users/jkunkle/project/vendor/plugins/grant/ lib/grant/model_security_manager.rb:60:in `apply_security' from /Users/jkunkle/project/vendor/plugins/grant/ lib/grant/model_security_manager.rb:44:in `after_find'
- 19. Grant is allor nothing class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:find) grant(:destroy) { |user, model| user.has_role?(:admin) } grant(:update, :create) do |user, model| user.has_role?(:manager) end end
- 20. ... associations too classEmployee < ActiveRecord::Base include Grant::ModelSecurity has_many :reviews grant(:find) grant(:destroy) { |user, model| user.has_role?(:admin) } grant(:update, :create) do |user, model| user.has_role?(:manager) end grant(:add => :reviews, :remove => :reviews) do |user, model| user.has_role?(:manager) end end
- 21. How does itwork? Hook methods Dynamic Methods Active Record Callbacks Around Aliases
- 22.
- 23. Show and Tell .. and answer lots of questions
- 24. Grant Security Anxiety Relief http://github.com/nearinfinity/grant