Download to read offline
![set_contact
…
private
def set_contact
@contact = current_user.contacts.find_by(:uuid =>
params[:id])
end
…](https://image.slidesharecdn.com/securingrailskeeprubyweird-151023170654-lva1-app6891/85/Securing-Rails-Keep-Ruby-Weird-25-320.jpg)
![set_contact with Team
…
private
def set_contact
@contact = current_user.team.contacts.find_by(:uuid =>
params[:id])
end
…](https://image.slidesharecdn.com/securingrailskeeprubyweird-151023170654-lva1-app6891/85/Securing-Rails-Keep-Ruby-Weird-26-320.jpg)
Uploaded byMarcus Carey
Securing Rails Keep Ruby Weird
This document discusses various tools for logging and security testing like Burp, Nikto, and Brakeman. It then covers Devise authentication gems and using UUIDs for contacts. Models are shown for Users that belong to Teams, and Teams that have many Users. Methods are updated to scope contacts to the current user's team by using current_user.team instead of just current_user. RailsConf 2015 talks on security are mentioned and contact info is provided for a security company.
Securing Rails Keep Ruby Weird
- 1.
- 3. Information wants tobe free.
- 4. LOG ALL THETHINGS!
- 7.
- 8.
- 9.
- 10.
- 11.
- 17.
- 18.
- 19. Gemfile # Devise Authentication gem'devise' # Devise zxcvbn for password strength checks gem 'devise_zxcvbn’ # Devise Security Extension gem 'devise_security_extension’ # Devise Google Authenticator gem 'devise_google_authenticator', '0.3.16'
- 22. User Model class User< ActiveRecord::Base … end
- 23. Team Model class Team< ActiveRecord::Base has_many :users, dependent: :destroy … end
- 24. User Model withTeam class User < ActiveRecord::Base belongs_to :team … end
- 25. set_contact … private def set_contact @contact =current_user.contacts.find_by(:uuid => params[:id]) end …
- 26. set_contact with Team … private defset_contact @contact = current_user.team.contacts.find_by(:uuid => params[:id]) end …
- 27. UUID Usage class Contact< ActiveRecord::Base belongs_to :team before_create :create_uuid def to_param uuid end private def create_uuid begin self.uuid = SecureRandom.uuid end while self.class.exists?(:uuid => uuid) end end
- 28. current_user # GET /contacts/new defnew @contact = current_user.contacts.new end # GET /contacts/1/edit def edit end # POST /contacts # POST /contacts.json def create @contact = current_user.contacts.new(contact_params)
- 29. current_user with Team #GET /contacts/new def new @contact = current_user.team.contacts.new end # GET /contacts/1/edit def edit end # POST /contacts # POST /contacts.json def create @contact = current_user.team.contacts.new(contact_params)
- 30. RailsConf 2015 • TheWorld of Rails Security • Metasecurity: Beyond Patching Vulnerabilities
- 31.