monty 0.3.0 → 0.3.1

@@ -6,7 +6,7 @@ module Monty
6
6
  class << self
7
7
  # App version
8
8
  def version
9
- '0.3.0'
9
+ '0.3.1'
10
10
  end
11
11
 
12
12
  # @return [Regexp] with \A \z boundaries
@@ -30,7 +30,9 @@ module Monty
30
30
 
31
31
  @access_rights_regex = Monty.regex(@access_rights)
32
32
 
33
- @access_rights_regex.match(@path) || method_match?
33
+ @path += "/" unless @path =~ /\/$/
34
+
35
+ (@access_rights_regex =~ @path && method_not_denied?) || method_match?
34
36
  end
35
37
 
36
38
  private
@@ -38,23 +40,37 @@ module Monty
38
40
  # Actions like create and update are determined by the HTTP method.
39
41
  # If the request is against the root resource path and the REQUEST_METHOD
40
42
  # is POST, determine if the user has access rights to /create or
41
- # /update (if _method=put)
43
+ # /update (if _method=put) or /destroy (if _method=_delete)
42
44
  #
43
45
  # @return [true|false] if request is allowed when considering the HTTP method
44
46
  def method_match?
47
+ #If it is not a GET method OR the request is not against the root of a resource
48
+ return false if @method == :get || !(Monty::Resource.regex =~ (@path))
45
49
 
46
- return false if @method == :get || !Monty::Resource.regex.match(@path)
47
-
48
- @path += "/" unless @path =~ /\/$/
50
+ post_rest_access
51
+ end
49
52
 
53
+ # Actions like create and update are determined by the HTTP method.
54
+ # If the request is against the root resource path and the REQUEST_METHOD
55
+ # is POST, determine if the user is denied access to /create or
56
+ # /update (if _method=put) or /destroy (if _method=_delete)
57
+ #
58
+ # @return [true|false] if request is not allowed when considering the HTTP method
59
+ def method_not_denied?
50
60
  if @method == :post
51
- if put?
52
- @access_rights_regex.match("#{@path}update")
53
- elsif delete?
54
- @access_rights_regex.match("#{@path}destroy")
55
- else
56
- @access_rights_regex.match("#{@path}create")
57
- end
61
+ post_rest_access
62
+ else
63
+ true
64
+ end
65
+ end
66
+
67
+ def post_rest_access
68
+ if put?
69
+ @access_rights_regex =~ "#{@path}update"
70
+ elsif delete?
71
+ @access_rights_regex =~ "#{@path}destroy"
72
+ else
73
+ @access_rights_regex =~ "#{@path}create"
58
74
  end
59
75
  end
60
76
 
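Review bot: The YARD tag on the new `method_not_denied?` reads `@return [true|false] if request is not allowed`, which is the opposite of what the predicate's name and body express (it returns `true` for any non-POST and otherwise the result of `post_rest_access`), and that sign matters in an authorization check. Neither method actually yields a boolean: the `=~` branches in `post_rest_access` return a match offset or `nil`, and `post_rest_access` carries no doc comment at all. I would change the tag to `# @return [Boolean] true unless this is a POST whose derived action (create/update/destroy) is outside the access rights`, give `post_rest_access` a one-line purpose comment, and have it return `!(... =~ ...).nil?` so callers get a real true/false. The repeated header comment `_method=_delete` also looks like a typo for `_method=delete`, which is the value the new tests send.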
@@ -0,0 +1,23 @@
1
+ require 'helper'
2
+
3
+ class TestMontyDelivery < Test::Unit::TestCase
4
+
5
+ def setup
6
+ @env = { 'REQUEST_PATH' => '/users',
7
+ 'REQUEST_METHOD' => 'GET',
8
+ 'rack.session' => {:access_rights => '\/users'} }
9
+ @delivery = Monty::Delivery.new(@env)
10
+ end
11
+
12
+ def test_delivery_initialized
13
+ assert_equal @delivery.path, '/users'
14
+ assert_equal @delivery.method, :get
15
+ end
16
+
17
+ #allowed? is really tested in test_watch
18
+ def test_name_error_is_rescued
19
+ #TODO: figure out how to test this
20
+ end
21
+
22
+ end
23
+
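Review bot: `test_name_error_is_rescued` has an empty body, so it passes vacuously and the suite reports the NameError rescue path as covered when nothing exercises it. Until the TODO is resolved I would make the gap visible with `flunk "not implemented: NameError rescue"` (or the framework's omit facility, if this test-unit version has one) rather than leave a silently green test. The `setup` fixture stores `'\/users'` in single quotes, so the backslash is literal and presumably reaches the access-rights regex builder as an escape; a short comment such as `# regex source, not a path: the backslash is intentional` would stop a reader from "fixing" it.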
@@ -146,5 +146,65 @@ class TestMonty < Test::Unit::TestCase
146
146
  get '/posts/show/', {}
147
147
  assert last_response.ok?
148
148
  end
149
+
150
+ def test_it_denies_uri_access_to_destroy
151
+ Authorization.permission :posts do
152
+ resource :posts do
153
+ except :destroy
154
+ end
155
+ end
156
+ Authorization.public_access :posts
157
+
158
+ post '/posts', {:id => 1, :_method => "delete"}
159
+ assert last_response.redirect?
160
+
161
+ post '/posts/', {:id => 1, :_method => "delete"}
162
+ assert last_response.redirect?
163
+
164
+ post '/posts/', {:_method => "put"}
165
+ assert last_response.ok?
166
+
167
+ get '/posts/show', {}
168
+ assert last_response.ok?
169
+
170
+ get '/posts', {}
171
+ assert last_response.ok?
172
+
173
+ get '/posts/', {}
174
+ assert last_response.ok?
175
+
176
+ get '/posts/show/', {}
177
+ assert last_response.ok?
178
+ end
179
+
180
+ def test_it_denies_uri_access_to_new_create_and_destroy
181
+ Authorization.permission :users do
182
+ resource :users do
183
+ except :new, :create, :destroy
184
+ end
185
+ end
186
+ Authorization.public_access :users
187
+
188
+ get '/users/new'
189
+ assert last_response.redirect?
190
+
191
+ post '/users', {:id => 1, :_method => "delete"}
192
+ assert last_response.redirect?
193
+
194
+ post '/users', {:id => 1, :_method => "create"}
195
+ assert last_response.redirect?
196
+
197
+ post '/users', {:id => 1, :_method => "put"}
198
+ assert last_response.ok?
199
+
200
+ get '/users', {}
201
+ assert last_response.ok?
202
+
203
+ get '/users/', {}
204
+ assert last_response.ok?
205
+
206
+ get '/users/show/', {}
207
+ assert last_response.ok?
208
+ end
149
209
  end
150
210
 
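Review bot: In `test_it_denies_uri_access_to_new_create_and_destroy`, `post '/users', {:id => 1, :_method => "create"}` does not exercise a plain POST: `create` is not a method override, so the create branch is presumably reached only because the value is unrecognized, and a regression that handled unknown `_method` values differently would not change this test's outcome. A plain `post '/users', {:id => 1}` asserts the create denial directly; keep the odd-value request as a separate assertion if unknown overrides are meant to fall back to create. Both new tests also repeat the `Authorization.permission` / `Authorization.public_access` setup inline; a small helper taking the resource name and excepted actions would make what each test is actually checking easier to read.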
metadata CHANGED
@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
5
5
  segments:
6
6
  - 0
7
7
  - 3
8
- - 0
9
- version: 0.3.0
8
+ - 1
9
+ version: 0.3.1
10
10
  platform: ruby
11
11
  authors:
12
12
  - stonean
@@ -14,7 +14,7 @@ autorequire:
14
14
  bindir: bin
15
15
  cert_chain: []
16
16
 
17
- date: 2010-05-20 00:00:00 -04:00
17
+ date: 2010-05-27 00:00:00 -04:00
18
18
  default_executable:
19
19
  dependencies:
20
20
  - !ruby/object:Gem::Dependency
@@ -92,6 +92,7 @@ specification_version: 3
92
92
  summary: Rack based authorization system
93
93
  test_files:
94
94
  - test/helper.rb
95
+ - test/monty/test_delivery.rb
95
96
  - test/monty/test_configuration.rb
96
97
  - test/monty/test_access.rb
97
98
  - test/monty/test_watch.rb