Grant
24
Grant security plugin for Rails Jeff Kunkle
-
date post
12-Sep-2014 -
Category
Technology
-
view
290 -
download
6
description
Grant is a Ruby gem and Rails plugin that forces you to make explicit security decisions about the operations performed on your ActiveRecord models. It provides a declarative way to specify rules granting permission to perform CRUD operations on ActiveRecord objects. This presentation covers the basic usage of Grant, highlighting a few of the features that make it different from other solutions available.
Transcript of Grant
Grantsecurity plugin for Rails
Jeff Kunkle
Leveraging Ruby’s Open Classes and
Metaprogramming Capabilities, Combined with Active Record Features to
Develop a Security Plugin for Ruby on Rails
Jeff Kunkle
class EmployeesController < ApplicationControllerbefore_filter :authorize, :if => :update
def list@employees = Employee.all
end
def updateemp = Employee.find params[:id]emp.update_attributes params[:employee]
endend
class EmployeesController < ApplicationControllerbefore_filter :authorize, :if => :update
def list@employees = Employee.all
end
def updateemp = Employee.find params[:id]emp.update_attributes params[:employee]
endend
class EmployeesController < ApplicationController
def list@employees = Employee.all
end
def updateif user.has_role?(:manager)emp = Employee.find params[:id]emp.update_attributes params[:employee]
endend
end
video from http://railscasts.com
video from http://railscasts.com
Is my app secure?
class EmployeesController < ApplicationController
def list@employees = Employee.all
end
def updateif user.has_role?(:manager)emp = Employee.find params[:id]emp.update_attributes params[:employee]
endend
end
class Employee < ActiveRecord::Baseinclude Grant::ModelSecurity
grant(:update) { |user, model| user.has_role?(:manager) }
end
class Employee < ActiveRecord::Baseinclude Grant::ModelSecurity
grant(:update) { |user, model| user.has_role?(:manager) }
end
class EmployeesController < ApplicationController
def list@employees = Employee.all
end
def updateemp = Employee.find params[:id]emp.update_attributes params[:employee]
endend
Quiz
Quizclass Employee < ActiveRecord::Baseinclude Grant::ModelSecuritygrant(:update) { |user, model| user.has_role?(:manager) }
end
class User < ActiveRecord::Basedef has_role?(role)[:employee, :manager].include?(role)
end end
Quizclass Employee < ActiveRecord::Baseinclude Grant::ModelSecuritygrant(:update) { |user, model| user.has_role?(:manager) }
end
class User < ActiveRecord::Basedef has_role?(role)[:employee, :manager].include?(role)
end end
Quiz
class EmployeesController < ApplicationControllerdef updateemp = Employee.find params[:id]emp.update_attributes params[:employee]
endend
class Employee < ActiveRecord::Baseinclude Grant::ModelSecuritygrant(:update) { |user, model| user.has_role?(:manager) }
end
?
Grant::ModelSecurityError: find permission not granted to User:7 for resource Employee:25
from /Users/jkunkle/project/vendor/plugins/grant/lib/grant/model_security_manager.rb:75:in `permission_not_granted' from /Users/jkunkle/project/vendor/plugins/grant/lib/grant/model_security_manager.rb:60:in `apply_security' from /Users/jkunkle/project/vendor/plugins/grant/lib/grant/model_security_manager.rb:44:in `after_find'
class Employee < ActiveRecord::Baseinclude Grant::ModelSecurity
grant(:find)grant(:destroy) { |user, model| user.has_role?(:admin) }grant(:update, :create) do |user, model| user.has_role?(:manager)
end
end
Grant is all or nothing
class Employee < ActiveRecord::Baseinclude Grant::ModelSecurity
has_many :reviews
grant(:find)grant(:destroy) { |user, model| user.has_role?(:admin) }grant(:update, :create) do |user, model| user.has_role?(:manager)
endgrant(:add => :reviews, :remove => :reviews) do |user, model| user.has_role?(:manager)
end
end
... associations too
How does it work?Hook methodsDynamic MethodsActive Record CallbacksAround Aliases
Show and Tell
Show and Tell.. and answer lots of questions
GrantSecurity Anxiety Relief
http://github.com/nearinfinity/grant
