monty 0.3.0 → 0.3.1
- data/lib/monty.rb +1 -1
- data/lib/monty/delivery.rb +28 -12
- data/test/monty/test_delivery.rb +23 -0
- data/test/monty/test_watch.rb +60 -0
- metadata +4 -3
data/lib/monty.rb
CHANGED
data/lib/monty/delivery.rb
CHANGED
@@ -30,7 +30,9 @@ module Monty
|
|
30
30
|
|
31
31
|
@access_rights_regex = Monty.regex(@access_rights)
|
32
32
|
|
33
|
-
@
|
33
|
+
@path += "/" unless @path =~ /\/$/
|
34
|
+
|
35
|
+
(@access_rights_regex =~ @path && method_not_denied?) || method_match?
|
34
36
|
end
|
35
37
|
|
36
38
|
private
|
@@ -38,23 +40,37 @@ module Monty
|
|
38
40
|
# Actions like create and update are determined by the HTTP method.
|
39
41
|
# If the request is against the root resource path and the REQUEST_METHOD
|
40
42
|
# is POST, determine if the user has access rights to /create or
|
41
|
-
# /update (if _method=put)
|
43
|
+
# /update (if _method=put) or /destroy (if _method=_delete)
|
42
44
|
#
|
43
45
|
# @return [true|false] if request is allowed when considering the HTTP method
|
44
46
|
def method_match?
|
47
|
+
#If it is not a GET method OR the request is not against the root of a resource
|
48
|
+
return false if @method == :get || !(Monty::Resource.regex =~ (@path))
|
45
49
|
|
46
|
-
|
47
|
-
|
48
|
-
@path += "/" unless @path =~ /\/$/
|
50
|
+
post_rest_access
|
51
|
+
end
|
49
52
|
|
53
|
+
# Actions like create and update are determined by the HTTP method.
|
54
|
+
# If the request is against the root resource path and the REQUEST_METHOD
|
55
|
+
# is POST, determine if the user is denied access to /create or
|
56
|
+
# /update (if _method=put) or /destroy (if _method=_delete)
|
57
|
+
#
|
58
|
+
# @return [true|false] if request is not allowed when considering the HTTP method
|
59
|
+
def method_not_denied?
|
50
60
|
if @method == :post
|
51
|
-
|
52
|
-
|
53
|
-
|
54
|
-
|
55
|
-
|
56
|
-
|
57
|
-
|
61
|
+
post_rest_access
|
62
|
+
else
|
63
|
+
true
|
64
|
+
end
|
65
|
+
end
|
66
|
+
|
67
|
+
def post_rest_access
|
68
|
+
if put?
|
69
|
+
@access_rights_regex =~ "#{@path}update"
|
70
|
+
elsif delete?
|
71
|
+
@access_rights_regex =~ "#{@path}destroy"
|
72
|
+
else
|
73
|
+
@access_rights_regex =~ "#{@path}create"
|
58
74
|
end
|
59
75
|
end
|
60
76
|
|
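Review bot: `method_not_denied?` returns `true` for every method other than POST, so the `except :destroy` / `except :update` restriction is only enforced when the verb is tunneled through `_method` on a POST; a request whose REQUEST_METHOD is genuinely DELETE or PUT (`@method` is derived from REQUEST_METHOD, per the new test_delivery.rb) reaches `@access_rights_regex =~ @path && true` in `allowed?` and is granted whenever the bare resource path is public. If the application routes native DELETE/PUT to destroy/update (the router is not visible here), that branch should apply the same action check, e.g. `return true if @method == :get` followed by `post_rest_access`, provided `put?`/`delete?` (defined outside the hunk) also consult `@method` and not only the `_method` parameter. Separately, `@path += "/" unless @path =~ /\/$/` anchors with `$`, which also matches before an embedded newline; `unless @path =~ /\/\z/` (or `@path.end_with?("/")`) anchors to the real end of the path. `allowed?` begins outside the hunk, so its caller-facing contract could not be checked.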
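--- a/data/test/monty/test_delivery.rb
+++ b/data/test/monty/test_delivery.rb
@@ -0,0 +1,23 @@
+require 'helper'
+
+class TestMontyDelivery < Test::Unit::TestCase
+
+def setup
+@env = { 'REQUEST_PATH' => '/users',
+'REQUEST_METHOD' => 'GET',
+'rack.session' => {:access_rights => '\/users'} }
+@delivery = Monty::Delivery.new(@env)
+end
+
+def test_delivery_initialized
+assert_equal @delivery.path, '/users'
+assert_equal @delivery.method, :get
+end
+
+#allowed? is really tested in test_watch
+def test_name_error_is_rescued
+#TODO: figure out how to test this
+end
+
+end
+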
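Review bot: `test_name_error_is_rescued` has an empty body, so it passes unconditionally and reports the NameError rescue as covered when nothing is exercised. Until the behaviour can be driven, make the gap visible rather than green: `flunk "TODO: NameError rescue in Delivery is not tested yet"` (or `omit`, if this test-unit version provides it). The rescue itself presumably lives in delivery.rb, outside this hunk, so I could not confirm what it catches.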
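--- a/data/test/monty/test_watch.rb
+++ b/data/test/monty/test_watch.rb
@@ -146,5 +146,65 @@ class TestMonty < Test::Unit::TestCase
 get '/posts/show/', {}
 assert last_response.ok?
 end
+
+def test_it_denies_uri_access_to_destroy
+Authorization.permission :posts do
+resource :posts do
+except :destroy
+end
+end
+Authorization.public_access :posts
+
+post '/posts', {:id => 1, :_method => "delete"}
+assert last_response.redirect?
+
+post '/posts/', {:id => 1, :_method => "delete"}
+assert last_response.redirect?
+
+post '/posts/', {:_method => "put"}
+assert last_response.ok?
+
+get '/posts/show', {}
+assert last_response.ok?
+
+get '/posts', {}
+assert last_response.ok?
+
+get '/posts/', {}
+assert last_response.ok?
+
+get '/posts/show/', {}
+assert last_response.ok?
+end
+
+def test_it_denies_uri_access_to_new_create_and_destroy
+Authorization.permission :users do
+resource :users do
+except :new, :create, :destroy
+end
+end
+Authorization.public_access :users
+
+get '/users/new'
+assert last_response.redirect?
+
+post '/users', {:id => 1, :_method => "delete"}
+assert last_response.redirect?
+
+post '/users', {:id => 1, :_method => "create"}
+assert last_response.redirect?
+
+post '/users', {:id => 1, :_method => "put"}
+assert last_response.ok?
+
+get '/users', {}
+assert last_response.ok?
+
+get '/users/', {}
+assert last_response.ok?
+
+get '/users/show/', {}
+assert last_response.ok?
+end
 end
 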
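Review bot: Both new cases exercise destroy/update only through the `_method` override on a POST; neither sends a request whose REQUEST_METHOD is itself DELETE or PUT, which is the other route to the same action that `except :destroy` must also deny. If the request helpers used in this file provide `delete`, add `delete '/posts', {:id => 1}` followed by `assert last_response.redirect?` next to the `:_method => "delete"` case, so a regression in the non-POST branch of `method_not_denied?` is caught. Also, `:_method => "create"` in the users test does not appear to be an override `post_rest_access` distinguishes, so that request is effectively a plain POST; dropping the parameter makes the intent of the case clearer.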
metadata
CHANGED
@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
|
|
5
5
|
segments:
|
6
6
|
- 0
|
7
7
|
- 3
|
8
|
-
-
|
9
|
-
version: 0.3.
|
8
|
+
- 1
|
9
|
+
version: 0.3.1
|
10
10
|
platform: ruby
|
11
11
|
authors:
|
12
12
|
- stonean
|
@@ -14,7 +14,7 @@ autorequire:
|
|
14
14
|
bindir: bin
|
15
15
|
cert_chain: []
|
16
16
|
|
17
|
-
date: 2010-05-
|
17
|
+
date: 2010-05-27 00:00:00 -04:00
|
18
18
|
default_executable:
|
19
19
|
dependencies:
|
20
20
|
- !ruby/object:Gem::Dependency
|
@@ -92,6 +92,7 @@ specification_version: 3
|
|
92
92
|
summary: Rack based authorization system
|
93
93
|
test_files:
|
94
94
|
- test/helper.rb
|
95
|
+
- test/monty/test_delivery.rb
|
95
96
|
- test/monty/test_configuration.rb
|
96
97
|
- test/monty/test_access.rb
|
97
98
|
- test/monty/test_watch.rb
|