SlideShare une entreprise Scribd logo

Grant

J
Jeff Kunkle

Grant is a Ruby gem and Rails plugin that forces you to make explicit security decisions about the operations performed on your ActiveRecord models. It provides a declarative way to specify rules granting permission to perform CRUD operations on ActiveRecord objects. This presentation covers the basic usage of Grant, highlighting a few of the features that make it different from other solutions available.

Technologie
1  sur  24
Télécharger pour lire hors ligne
Grant security plugin for Rails Jeff Kunkle
Leveraging Ruby’s Open Classes and Metaprogramming Capabilities, Combined with Active Record Features to Develop a Security Plugin for Ruby on Rails Jeff Kunkle
class EmployeesController < ApplicationController before_filter :authorize, :if => :update def list @employees = Employee.all end def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end
class EmployeesController < ApplicationController def list @employees = Employee.all end def update if user.has_role?(:manager) emp = Employee.find params[:id] emp.update_attributes params[:employee] end class EmployeesController <end ApplicationController before_filter :authorize, :if => :update end def list @employees = Employee.all end def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end
video from http://railscasts.com
video from http://railscasts.com
Is my app secure?
class EmployeesController < ApplicationController def list @employees = Employee.all end def update if user.has_role?(:manager) emp = Employee.find params[:id] emp.update_attributes params[:employee] end end end
class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end
class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end class EmployeesController < ApplicationController def list @employees = Employee.all end def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end
Quiz
Quiz class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end
Quiz class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end class User < ActiveRecord::Base def has_role?(role) [:employee, :manager].include?(role) end end
Quiz class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end class User < ActiveRecord::Base def has_role?(role) [:employee, :manager].include?(role) end end class EmployeesController < ApplicationController ? def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end
Grant::ModelSecurityError: find permission not granted to User:7 for resource Employee:25 from /Users/jkunkle/project/vendor/plugins/grant/ lib/grant/model_security_manager.rb:75:in `permission_not_granted' from /Users/jkunkle/project/vendor/plugins/grant/ lib/grant/model_security_manager.rb:60:in `apply_security' from /Users/jkunkle/project/vendor/plugins/grant/ lib/grant/model_security_manager.rb:44:in `after_find'
Grant is all or nothing class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:find) grant(:destroy) { |user, model| user.has_role?(:admin) } grant(:update, :create) do |user, model| user.has_role?(:manager) end end
... associations too class Employee < ActiveRecord::Base include Grant::ModelSecurity has_many :reviews grant(:find) grant(:destroy) { |user, model| user.has_role?(:admin) } grant(:update, :create) do |user, model| user.has_role?(:manager) end grant(:add => :reviews, :remove => :reviews) do |user, model| user.has_role?(:manager) end end
How does it work? Hook methods Dynamic Methods Active Record Callbacks Around Aliases
Show and Tell
Show and Tell .. and answer lots of questions
Grant Security Anxiety Relief http://github.com/nearinfinity/grant

Recommandé

Rupicon 2014 Action pack
Rupicon 2014 Action packRupicon 2014 Action pack
Rupicon 2014 Action packrupicon
 
Les06 (using subqueries to solve queries)
Les06 (using subqueries to solve queries)Les06 (using subqueries to solve queries)
Les06 (using subqueries to solve queries)Achmad Solichin
 
How to implement multiple authentication guards in laravel 8
How to implement multiple authentication guards in laravel 8How to implement multiple authentication guards in laravel 8
How to implement multiple authentication guards in laravel 8Katy Slemon
 
Les06
Les06Les06
Les06Sudharsan S
 
Lightning Components Best Practices by Fabien Taillon
Lightning Components Best Practices by Fabien TaillonLightning Components Best Practices by Fabien Taillon
Lightning Components Best Practices by Fabien TaillonBordeaux Salesforce Developer Group
 
Ruby on rails integration testing with minitest and capybara
Ruby on rails integration testing with minitest and capybaraRuby on rails integration testing with minitest and capybara
Ruby on rails integration testing with minitest and capybaraAndolasoft Inc
 
Les06
Les06Les06
Les06Vijay Kumar
 
Angular performance improvments
Angular performance improvmentsAngular performance improvments
Angular performance improvmentsEliran Eliassy
 

Recommandé

Rupicon 2014 Action pack
Rupicon 2014 Action packRupicon 2014 Action pack
Rupicon 2014 Action packrupicon
 
Les06 (using subqueries to solve queries)
Les06 (using subqueries to solve queries)Les06 (using subqueries to solve queries)
Les06 (using subqueries to solve queries)Achmad Solichin
 
How to implement multiple authentication guards in laravel 8
How to implement multiple authentication guards in laravel 8How to implement multiple authentication guards in laravel 8
How to implement multiple authentication guards in laravel 8Katy Slemon
 
Les06
Les06Les06
Les06Sudharsan S
 
Lightning Components Best Practices by Fabien Taillon
Lightning Components Best Practices by Fabien TaillonLightning Components Best Practices by Fabien Taillon
Lightning Components Best Practices by Fabien TaillonBordeaux Salesforce Developer Group
 
Ruby on rails integration testing with minitest and capybara
Ruby on rails integration testing with minitest and capybaraRuby on rails integration testing with minitest and capybara
Ruby on rails integration testing with minitest and capybaraAndolasoft Inc
 
Les06
Les06Les06
Les06Vijay Kumar
 
Angular performance improvments
Angular performance improvmentsAngular performance improvments
Angular performance improvmentsEliran Eliassy
 
هیبرید کارا، از رویا تا واقعیت!
هیبرید کارا، از رویا تا واقعیت!هیبرید کارا، از رویا تا واقعیت!
هیبرید کارا، از رویا تا واقعیت!Web Standards School
 
AngularJs-training
AngularJs-trainingAngularJs-training
AngularJs-trainingPratchaya Suputsopon
 
Rails introduction
Rails introductionRails introduction
Rails introductionПавел Калашников
 
2007 Zend Con Mvc
2007 Zend Con Mvc2007 Zend Con Mvc
2007 Zend Con MvcPablo Morales
 
Dive into React Performance
Dive into React PerformanceDive into React Performance
Dive into React PerformanceChing Ting Wu
 
Test Drive Development in Ruby On Rails
Test Drive Development in Ruby On RailsTest Drive Development in Ruby On Rails
Test Drive Development in Ruby On RailsNyros Technologies
 
Confident Refactoring - Ember SF Meetup
Confident Refactoring - Ember SF MeetupConfident Refactoring - Ember SF Meetup
Confident Refactoring - Ember SF MeetupFastly
 
Some tips to improve developer experience with Symfony
Some tips to improve developer experience with SymfonySome tips to improve developer experience with Symfony
Some tips to improve developer experience with Symfonytyomo4ka
 
Function Returns
Function ReturnsFunction Returns
Function Returnsprimeteacher32
 
Functions
FunctionsFunctions
Functionsprimeteacher32
 
Workflow demo
Workflow demoWorkflow demo
Workflow demoKamal Raj
 
Painless Javascript Unit Testing
Painless Javascript Unit TestingPainless Javascript Unit Testing
Painless Javascript Unit TestingBenjamin Wilson
 
EMC Documentum - xCP 2.x Updating Java Services
EMC Documentum - xCP 2.x Updating Java ServicesEMC Documentum - xCP 2.x Updating Java Services
EMC Documentum - xCP 2.x Updating Java ServicesHaytham Ghandour
 
Function Parameters
Function ParametersFunction Parameters
Function Parametersprimeteacher32
 
Rails Best Practices
Rails Best PracticesRails Best Practices
Rails Best PracticesWen-Tien Chang
 
e computer notes - Subqueries
e computer notes - Subqueriese computer notes - Subqueries
e computer notes - Subqueriesecomputernotes
 
Using velocity Templates(An overview)
Using velocity Templates(An overview)Using velocity Templates(An overview)
Using velocity Templates(An overview)Nwabueze Obioma
 
Defensive Apex Programming
Defensive Apex ProgrammingDefensive Apex Programming
Defensive Apex ProgrammingSalesforce Developers
 
What's new in Rails 5 - API Mode & Action Cable overview
What's new in Rails 5 - API Mode & Action Cable overviewWhat's new in Rails 5 - API Mode & Action Cable overview
What's new in Rails 5 - API Mode & Action Cable overviewMaxim Veksler
 
Simple restfull app_s
Simple restfull app_sSimple restfull app_s
Simple restfull app_snetwix
 
Comparison of different access controls
Comparison of different access controlsComparison of different access controls
Comparison of different access controlsRashmi Nair
 
Simplify Your Rails Controllers With a Vengeance
Simplify Your Rails Controllers With a VengeanceSimplify Your Rails Controllers With a Vengeance
Simplify Your Rails Controllers With a Vengeancebrianauton
 

Contenu connexe

Tendances

هیبرید کارا، از رویا تا واقعیت!
هیبرید کارا، از رویا تا واقعیت!هیبرید کارا، از رویا تا واقعیت!
هیبرید کارا، از رویا تا واقعیت!Web Standards School
 
Dive into React Performance
Dive into React PerformanceDive into React Performance
Dive into React PerformanceChing Ting Wu
 
Test Drive Development in Ruby On Rails
Test Drive Development in Ruby On RailsTest Drive Development in Ruby On Rails
Test Drive Development in Ruby On RailsNyros Technologies
 
Confident Refactoring - Ember SF Meetup
Confident Refactoring - Ember SF MeetupConfident Refactoring - Ember SF Meetup
Confident Refactoring - Ember SF MeetupFastly
 
Some tips to improve developer experience with Symfony
Some tips to improve developer experience with SymfonySome tips to improve developer experience with Symfony
Some tips to improve developer experience with Symfonytyomo4ka
 
Workflow demo
Workflow demoWorkflow demo
Workflow demoKamal Raj
 
Painless Javascript Unit Testing
Painless Javascript Unit TestingPainless Javascript Unit Testing
Painless Javascript Unit TestingBenjamin Wilson
 
EMC Documentum - xCP 2.x Updating Java Services
EMC Documentum - xCP 2.x Updating Java ServicesEMC Documentum - xCP 2.x Updating Java Services
EMC Documentum - xCP 2.x Updating Java ServicesHaytham Ghandour
 
e computer notes - Subqueries
e computer notes - Subqueriese computer notes - Subqueries
e computer notes - Subqueriesecomputernotes
 
Using velocity Templates(An overview)
Using velocity Templates(An overview)Using velocity Templates(An overview)
Using velocity Templates(An overview)Nwabueze Obioma
 
What's new in Rails 5 - API Mode & Action Cable overview
What's new in Rails 5 - API Mode & Action Cable overviewWhat's new in Rails 5 - API Mode & Action Cable overview
What's new in Rails 5 - API Mode & Action Cable overviewMaxim Veksler
 

Tendances (19)

هیبرید کارا، از رویا تا واقعیت!
هیبرید کارا، از رویا تا واقعیت!هیبرید کارا، از رویا تا واقعیت!
هیبرید کارا، از رویا تا واقعیت!
 
AngularJs-training
AngularJs-trainingAngularJs-training
AngularJs-training
 
Rails introduction
Rails introductionRails introduction
Rails introduction
 
2007 Zend Con Mvc
2007 Zend Con Mvc2007 Zend Con Mvc
2007 Zend Con Mvc
 
Dive into React Performance
Dive into React PerformanceDive into React Performance
Dive into React Performance
 
Test Drive Development in Ruby On Rails
Test Drive Development in Ruby On RailsTest Drive Development in Ruby On Rails
Test Drive Development in Ruby On Rails
 
Confident Refactoring - Ember SF Meetup
Confident Refactoring - Ember SF MeetupConfident Refactoring - Ember SF Meetup
Confident Refactoring - Ember SF Meetup
 
Some tips to improve developer experience with Symfony
Some tips to improve developer experience with SymfonySome tips to improve developer experience with Symfony
Some tips to improve developer experience with Symfony
 
Function Returns
Function ReturnsFunction Returns
Function Returns
 
Functions
FunctionsFunctions
Functions
 
Workflow demo
Workflow demoWorkflow demo
Workflow demo
 
Painless Javascript Unit Testing
Painless Javascript Unit TestingPainless Javascript Unit Testing
Painless Javascript Unit Testing
 
EMC Documentum - xCP 2.x Updating Java Services
EMC Documentum - xCP 2.x Updating Java ServicesEMC Documentum - xCP 2.x Updating Java Services
EMC Documentum - xCP 2.x Updating Java Services
 
Function Parameters
Function ParametersFunction Parameters
Function Parameters
 
Rails Best Practices
Rails Best PracticesRails Best Practices
Rails Best Practices
 
e computer notes - Subqueries
e computer notes - Subqueriese computer notes - Subqueries
e computer notes - Subqueries
 
Using velocity Templates(An overview)
Using velocity Templates(An overview)Using velocity Templates(An overview)
Using velocity Templates(An overview)
 
Defensive Apex Programming
Defensive Apex ProgrammingDefensive Apex Programming
Defensive Apex Programming
 
What's new in Rails 5 - API Mode & Action Cable overview
What's new in Rails 5 - API Mode & Action Cable overviewWhat's new in Rails 5 - API Mode & Action Cable overview
What's new in Rails 5 - API Mode & Action Cable overview
 

Similaire à Grant

Simple restfull app_s
Simple restfull app_sSimple restfull app_s
Simple restfull app_snetwix
 
Comparison of different access controls
Comparison of different access controlsComparison of different access controls
Comparison of different access controlsRashmi Nair
 
Simplify Your Rails Controllers With a Vengeance
Simplify Your Rails Controllers With a VengeanceSimplify Your Rails Controllers With a Vengeance
Simplify Your Rails Controllers With a Vengeancebrianauton
 
Testing Legacy Rails Apps
Testing Legacy Rails AppsTesting Legacy Rails Apps
Testing Legacy Rails AppsRabble .
 
Rails best practices_slides
Rails best practices_slidesRails best practices_slides
Rails best practices_slidesCao Van An
 
How to disassemble one monster app into an ecosystem of 30
How to disassemble one monster app into an ecosystem of 30How to disassemble one monster app into an ecosystem of 30
How to disassemble one monster app into an ecosystem of 30fiyuer
 
Curso Symfony - Clase 3
Curso Symfony - Clase 3Curso Symfony - Clase 3
Curso Symfony - Clase 3Javier Eguiluz
 
Rails Plugin Development 101 (...and some...)
Rails Plugin Development 101 (...and some...)Rails Plugin Development 101 (...and some...)
Rails Plugin Development 101 (...and some...)Jim Myhrberg
 
More to RoC weibo
More to RoC weiboMore to RoC weibo
More to RoC weiboshaokun
 
Resource and view
Resource and viewResource and view
Resource and viewPapp Laszlo
 
Código Saudável => Programador Feliz - Rs on Rails 2010
Código Saudável => Programador Feliz - Rs on Rails 2010Código Saudável => Programador Feliz - Rs on Rails 2010
Código Saudável => Programador Feliz - Rs on Rails 2010Plataformatec
 
How To Test Everything
How To Test EverythingHow To Test Everything
How To Test Everythingnoelrap
 
Software Testing & PHPSpec
Software Testing & PHPSpecSoftware Testing & PHPSpec
Software Testing & PHPSpecDarren Craig
 
Ruby on rails
Ruby on rails Ruby on rails
Ruby on rails Mohit Jain
 
LvivPy - Flask in details
LvivPy - Flask in detailsLvivPy - Flask in details
LvivPy - Flask in detailsMax Klymyshyn
 
Ruby on Rails : RESTful 和 Ajax
Ruby on Rails : RESTful 和 AjaxRuby on Rails : RESTful 和 Ajax
Ruby on Rails : RESTful 和 AjaxWen-Tien Chang
 

Similaire à Grant (20)

Simple restfull app_s
Simple restfull app_sSimple restfull app_s
Simple restfull app_s
 
Comparison of different access controls
Comparison of different access controlsComparison of different access controls
Comparison of different access controls
 
Simplify Your Rails Controllers With a Vengeance
Simplify Your Rails Controllers With a VengeanceSimplify Your Rails Controllers With a Vengeance
Simplify Your Rails Controllers With a Vengeance
 
Testing Legacy Rails Apps
Testing Legacy Rails AppsTesting Legacy Rails Apps
Testing Legacy Rails Apps
 
Rails best practices_slides
Rails best practices_slidesRails best practices_slides
Rails best practices_slides
 
How to disassemble one monster app into an ecosystem of 30
How to disassemble one monster app into an ecosystem of 30How to disassemble one monster app into an ecosystem of 30
How to disassemble one monster app into an ecosystem of 30
 
Curso Symfony - Clase 3
Curso Symfony - Clase 3Curso Symfony - Clase 3
Curso Symfony - Clase 3
 
Rails Plugin Development 101 (...and some...)
Rails Plugin Development 101 (...and some...)Rails Plugin Development 101 (...and some...)
Rails Plugin Development 101 (...and some...)
 
The Rails Way
The Rails WayThe Rails Way
The Rails Way
 
More to RoC weibo
More to RoC weiboMore to RoC weibo
More to RoC weibo
 
Resource and view
Resource and viewResource and view
Resource and view
 
Código Saudável => Programador Feliz - Rs on Rails 2010
Código Saudável => Programador Feliz - Rs on Rails 2010Código Saudável => Programador Feliz - Rs on Rails 2010
Código Saudável => Programador Feliz - Rs on Rails 2010
 
How To Test Everything
How To Test EverythingHow To Test Everything
How To Test Everything
 
Software Testing & PHPSpec
Software Testing & PHPSpecSoftware Testing & PHPSpec
Software Testing & PHPSpec
 
Laravel tips-2019-04
Laravel tips-2019-04Laravel tips-2019-04
Laravel tips-2019-04
 
Practical Celery
Practical CeleryPractical Celery
Practical Celery
 
Cramp websockets
Cramp websocketsCramp websockets
Cramp websockets
 
Ruby on rails
Ruby on rails Ruby on rails
Ruby on rails
 
LvivPy - Flask in details
LvivPy - Flask in detailsLvivPy - Flask in details
LvivPy - Flask in details
 
Ruby on Rails : RESTful 和 Ajax
Ruby on Rails : RESTful 和 AjaxRuby on Rails : RESTful 和 Ajax
Ruby on Rails : RESTful 和 Ajax
 

Dernier

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 

Dernier (20)

Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Grant

  • 1. Grant security plugin for Rails Jeff Kunkle
  • 2. Leveraging Ruby’s Open Classes and Metaprogramming Capabilities, Combined with Active Record Features to Develop a Security Plugin for Ruby on Rails Jeff Kunkle
  • 3. class EmployeesController < ApplicationController before_filter :authorize, :if => :update def list @employees = Employee.all end def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end
  • 4. class EmployeesController < ApplicationController def list @employees = Employee.all end def update if user.has_role?(:manager) emp = Employee.find params[:id] emp.update_attributes params[:employee] end class EmployeesController <end ApplicationController before_filter :authorize, :if => :update end def list @employees = Employee.all end def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end
  • 7.
  • 8.
  • 9. Is my app secure?
  • 10.
  • 11. class EmployeesController < ApplicationController def list @employees = Employee.all end def update if user.has_role?(:manager) emp = Employee.find params[:id] emp.update_attributes params[:employee] end end end
  • 12. class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end
  • 13. class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end class EmployeesController < ApplicationController def list @employees = Employee.all end def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end
  • 14. Quiz
  • 15. Quiz class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end
  • 16. Quiz class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end class User < ActiveRecord::Base def has_role?(role) [:employee, :manager].include?(role) end end
  • 17. Quiz class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:update) { |user, model| user.has_role?(:manager) } end class User < ActiveRecord::Base def has_role?(role) [:employee, :manager].include?(role) end end class EmployeesController < ApplicationController ? def update emp = Employee.find params[:id] emp.update_attributes params[:employee] end end
  • 18. Grant::ModelSecurityError: find permission not granted to User:7 for resource Employee:25 from /Users/jkunkle/project/vendor/plugins/grant/ lib/grant/model_security_manager.rb:75:in `permission_not_granted' from /Users/jkunkle/project/vendor/plugins/grant/ lib/grant/model_security_manager.rb:60:in `apply_security' from /Users/jkunkle/project/vendor/plugins/grant/ lib/grant/model_security_manager.rb:44:in `after_find'
  • 19. Grant is all or nothing class Employee < ActiveRecord::Base include Grant::ModelSecurity grant(:find) grant(:destroy) { |user, model| user.has_role?(:admin) } grant(:update, :create) do |user, model| user.has_role?(:manager) end end
  • 20. ... associations too class Employee < ActiveRecord::Base include Grant::ModelSecurity has_many :reviews grant(:find) grant(:destroy) { |user, model| user.has_role?(:admin) } grant(:update, :create) do |user, model| user.has_role?(:manager) end grant(:add => :reviews, :remove => :reviews) do |user, model| user.has_role?(:manager) end end
  • 21. How does it work? Hook methods Dynamic Methods Active Record Callbacks Around Aliases
  • 23. Show and Tell .. and answer lots of questions
  • 24. Grant Security Anxiety Relief http://github.com/nearinfinity/grant