Grant

Posted on 12-Sep-2014

Description

Grant is a Ruby gem and Rails plugin that forces you to make explicit security decisions about the operations performed on your ActiveRecord models. It provides a declarative way to specify rules granting permission to perform CRUD operations on ActiveRecord objects. This presentation covers the basic usage of Grant, highlighting a few of the features that make it different from other solutions available.

Transcript of Grant

Grant: security plugin for Rails

Jeff Kunkle

Leveraging Ruby's Open Classes and Metaprogramming Capabilities, Combined with Active Record Features, to Develop a Security Plugin for Ruby on Rails

Jeff Kunkle

    class EmployeesController < ApplicationController
      before_filter :authorize, :if => :update

      def list
        @employees = Employee.all
      end

      def update
        emp = Employee.find params[:id]
        emp.update_attributes params[:employee]
      end
    end

    class EmployeesController < ApplicationController
      def list
        @employees = Employee.all
      end

      def update
        if user.has_role?(:manager)
          emp = Employee.find params[:id]
          emp.update_attributes params[:employee]
        end
      end
    end

video from http://railscasts.com

Is my app secure?

    class EmployeesController < ApplicationController
      def list
        @employees = Employee.all
      end

      def update
        if user.has_role?(:manager)
          emp = Employee.find params[:id]
          emp.update_attributes params[:employee]
        end
      end
    end

    class Employee < ActiveRecord::Base
      include Grant::ModelSecurity

      grant(:update) { |user, model| user.has_role?(:manager) }
    end

    class EmployeesController < ApplicationController
      def list
        @employees = Employee.all
      end

      def update
        emp = Employee.find params[:id]
        emp.update_attributes params[:employee]
      end
    end

Quiz

    class Employee < ActiveRecord::Base
      include Grant::ModelSecurity
      grant(:update) { |user, model| user.has_role?(:manager) }
    end

    class User < ActiveRecord::Base
      def has_role?(role)
        [:employee, :manager].include?(role)
      end
    end

Quiz

    class EmployeesController < ApplicationController
      def update
        emp = Employee.find params[:id]
        emp.update_attributes params[:employee]
      end
    end

    class Employee < ActiveRecord::Base
      include Grant::ModelSecurity
      grant(:update) { |user, model| user.has_role?(:manager) }
    end

?

    Grant::ModelSecurityError: find permission not granted to User:7 for resource Employee:25
        from /Users/jkunkle/project/vendor/plugins/grant/lib/grant/model_security_manager.rb:75:in `permission_not_granted'
        from /Users/jkunkle/project/vendor/plugins/grant/lib/grant/model_security_manager.rb:60:in `apply_security'
        from /Users/jkunkle/project/vendor/plugins/grant/lib/grant/model_security_manager.rb:44:in `after_find'

    class Employee < ActiveRecord::Base
      include Grant::ModelSecurity

      grant(:find)
      grant(:destroy) { |user, model| user.has_role?(:admin) }
      grant(:update, :create) do |user, model|
        user.has_role?(:manager)
      end
    end

Grant is all or nothing

    class Employee < ActiveRecord::Base
      include Grant::ModelSecurity

      has_many :reviews

      grant(:find)
      grant(:destroy) { |user, model| user.has_role?(:admin) }
      grant(:update, :create) do |user, model|
        user.has_role?(:manager)
      end
      grant(:add => :reviews, :remove => :reviews) do |user, model|
        user.has_role?(:manager)
      end
    end

... associations too

How does it work?

Hook methods
Dynamic methods
Active Record callbacks
Around aliases
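The four mechanisms listed above are what let a model-level `grant` rule deny an operation before a controller ever gets a say, and they are also why the quiz earlier in the deck fails on `find`: a model that grants only `:update` has no rule for `:find`, and Grant is all or nothing. The following stand-alone Ruby sketch is an added illustration of that pattern and is not the Grant gem's own code. It reproduces the deck's declarative rules (`grant(:find)` with no block, role-checked `grant(:update, :create)`, and the association form `grant(:add => :reviews, :remove => :reviews)`) on top of an `included` hook, a dynamically installed `grant` class method, and a callback-style `apply_security` check, without needing ActiveRecord. The names `ModelSecurity`, `apply_security`, `STORE`, `attempt` and `quiz_outcome`, plus the sample row `Employee:25` and users `User:7` and `User:8`, are assumptions made for the example.

```ruby
# Added example: a stand-alone sketch of the pattern behind Grant, not the
# gem's own code. Assumed names: ModelSecurity, apply_security, STORE,
# attempt, quiz_outcome. No ActiveRecord is needed, so it runs offline.
module ModelSecurity
  class ModelSecurityError < StandardError; end

  # Hook method: runs when a class does `include ModelSecurity`, installing
  # the `grant` DSL and an empty rule table on that class.
  def self.included(base)
    base.extend(ClassMethods)
    base.instance_variable_set(:@grants, {})
  end

  module ClassMethods
    attr_reader :grants

    # grant(:find)                     -> always permitted
    # grant(:update, :create) { ... }  -> permitted when the block is truthy
    # grant(:add => :reviews) { ... }  -> permission on an association
    def grant(*actions, &block)
      rule = block || proc { true }
      actions.each do |action|
        if action.is_a?(Hash)
          action.each { |op, assoc| @grants[[op, assoc]] = rule }
        else
          @grants[action] = rule
        end
      end
    end
  end

  # The current user, as a per-request before_filter would set it.
  def self.current_user=(u); Thread.current[:grant_user] = u; end
  def self.current_user; Thread.current[:grant_user]; end

  # Callback-style check with default deny: no rule, or a falsy rule, raises.
  def apply_security(action)
    user = ModelSecurity.current_user
    rule = self.class.grants[action]
    return true if rule && rule.call(user, self)

    raise ModelSecurityError,
          "#{Array(action).join(' ')} permission not granted to #{user} for resource #{self}"
  end
end

class User
  attr_reader :id, :roles
  def initialize(id, *roles); @id, @roles = id, roles; end
  def has_role?(role); roles.include?(role); end
  def to_s; "User:#{id}"; end
end

class Employee
  include ModelSecurity
  STORE = {}                              # constructed stand-in for the table
  attr_reader :id, :reviews

  def initialize(id); @id, @reviews = id, []; STORE[id] = self; end
  def to_s; "Employee:#{id}"; end

  # after_find-style hook: the check fires as the row is loaded
  def self.find(id); STORE.fetch(id).tap { |e| e.apply_security(:find) }; end
  def update_attributes(attrs); apply_security(:update); @attrs = attrs; true; end
  def destroy; apply_security(:destroy); true; end
  def add_review(text); apply_security([:add, :reviews]); reviews << text; end

  grant(:find)
  grant(:destroy) { |user, _model| user.has_role?(:admin) }
  grant(:update, :create) { |user, _model| user.has_role?(:manager) }
  grant(:add => :reviews, :remove => :reviews) { |user, _model| user.has_role?(:manager) }
end
Employee.new(25)                          # constructed sample row

# Try one operation on Employee:25 as `user`; returns :allowed or the denial message.
def attempt(user, op)
  ModelSecurity.current_user = user
  emp = Employee.find(25)
  case op
  when :update     then emp.update_attributes(name: "x")
  when :destroy    then emp.destroy
  when :add_review then emp.add_review("solid year")
  end
  :allowed
rescue ModelSecurity::ModelSecurityError => e
  e.message
end

# The deck's quiz: a model that grants only :update is denied on its first find.
def quiz_outcome(user)
  klass = Class.new do
    include ModelSecurity
    def to_s; "Employee:25"; end
    grant(:update) { |u, _model| u.has_role?(:manager) }
  end
  ModelSecurity.current_user = user
  klass.new.apply_security(:find)
  :allowed
rescue ModelSecurity::ModelSecurityError => e
  e.message
end
```

Because the rule table starts empty and `apply_security` raises whenever it finds no rule, every operation is denied until someone writes a `grant` for it; that is the "all or nothing" property, and it is what turns a forgotten authorization check into a loud exception rather than a silent data change.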

Show and Tell

Show and Tell... and answer lots of questions

Grant: Security Anxiety Relief

http://github.com/nearinfinity/grant