RubyGems - monty - Versions diffs - 0.3.0 → 0.3.1 - Mend

monty 0.3.0 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

data/lib/monty.rb CHANGED

@@ -6,7 +6,7 @@ module Monty
   class << self
     # App version
     def version
-      '0.3.0'
+      '0.3.1'
     end
     # @return [Regexp] with \A \z boundaries

data/lib/monty/delivery.rb CHANGED

@@ -30,7 +30,9 @@ module Monty
       @access_rights_regex = Monty.regex(@access_rights)
-      @access_rights_regex.match(@path) || method_match?
+      @path += "/" unless @path =~ /\/$/
+      (@access_rights_regex =~ @path && method_not_denied?) || method_match?
     end
     private
@@ -38,23 +40,37 @@ module Monty
     # Actions like create and update are determined by the HTTP method.
     # If the request is against the root resource path and the REQUEST_METHOD
     # is POST, determine if the user has access rights to /create or
-    # /update (if _method=put)
+    # /update (if _method=put) or /destroy (if _method=_delete)
     #
     # @return [true|false] if request is allowed when considering the HTTP method
     def method_match?
+      #If it is not a GET method OR the request is not against the root of a resource
+      return false if @method == :get || !(Monty::Resource.regex =~ (@path))
-      return false if @method == :get || !Monty::Resource.regex.match(@path)
-      @path += "/" unless @path =~ /\/$/
+      post_rest_access
+    end
+    # Actions like create and update are determined by the HTTP method.
+    # If the request is against the root resource path and the REQUEST_METHOD
+    # is POST, determine if the user is denied access to /create or
+    # /update (if _method=put) or /destroy (if _method=_delete)
+    #
+    # @return [true|false] if request is not allowed when considering the HTTP method
+    def method_not_denied?
       if @method == :post
-        if put?
-          @access_rights_regex.match("#{@path}update")
-        elsif delete?
-          @access_rights_regex.match("#{@path}destroy")
-        else
-          @access_rights_regex.match("#{@path}create")
-        end
+        post_rest_access
+      else
+        true
+      end
+    end
+    def post_rest_access
+      if put?
+        @access_rights_regex =~ "#{@path}update"
+      elsif delete?
+        @access_rights_regex =~ "#{@path}destroy"
+      else
+        @access_rights_regex =~ "#{@path}create"
       end
     end

data/test/monty/test_delivery.rb ADDED

@@ -0,0 +1,23 @@
+require 'helper'
+class TestMontyDelivery < Test::Unit::TestCase
+  def setup
+    @env = {  'REQUEST_PATH'    => '/users',
+              'REQUEST_METHOD'  => 'GET',
+              'rack.session'    => {:access_rights => '\/users'} }
+    @delivery = Monty::Delivery.new(@env)
+  end
+  def test_delivery_initialized
+    assert_equal @delivery.path, '/users'
+    assert_equal @delivery.method, :get
+  end
+  #allowed? is really tested in test_watch
+  def test_name_error_is_rescued
+    #TODO: figure out how to test this
+  end
+end

data/test/monty/test_watch.rb CHANGED

@@ -146,5 +146,65 @@ class TestMonty < Test::Unit::TestCase
     get '/posts/show/', {}
     assert last_response.ok?
   end
+  def test_it_denies_uri_access_to_destroy
+    Authorization.permission :posts do
+      resource :posts do
+        except :destroy
+      end
+    end
+    Authorization.public_access :posts
+    post '/posts', {:id => 1, :_method => "delete"}
+    assert last_response.redirect?
+    post '/posts/', {:id => 1, :_method => "delete"}
+    assert last_response.redirect?
+    post '/posts/', {:_method => "put"}
+    assert last_response.ok?
+    get '/posts/show', {}
+    assert last_response.ok?
+    get '/posts', {}
+    assert last_response.ok?
+    get '/posts/', {}
+    assert last_response.ok?
+    get '/posts/show/', {}
+    assert last_response.ok?
+  end
+  def test_it_denies_uri_access_to_new_create_and_destroy
+    Authorization.permission :users do
+      resource :users do
+        except :new, :create, :destroy
+      end
+    end
+    Authorization.public_access :users
+    get '/users/new'
+    assert last_response.redirect?
+    post '/users', {:id => 1, :_method => "delete"}
+    assert last_response.redirect?
+    post '/users', {:id => 1, :_method => "create"}
+    assert last_response.redirect?
+    post '/users', {:id => 1, :_method => "put"}
+    assert last_response.ok?
+    get '/users', {}
+    assert last_response.ok?
+    get '/users/', {}
+    assert last_response.ok?
+    get '/users/show/', {}
+    assert last_response.ok?
+  end
 end

metadata CHANGED

@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
   segments:
   - 0
   - 3
-  - 0
-  version: 0.3.0
+  - 1
+  version: 0.3.1
 platform: ruby
 authors:
 - stonean
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2010-05-20 00:00:00 -04:00
+date: 2010-05-27 00:00:00 -04:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency
@@ -92,6 +92,7 @@ specification_version: 3
 summary: Rack based authorization system
 test_files:
 - test/helper.rb
+- test/monty/test_delivery.rb
 - test/monty/test_configuration.rb
 - test/monty/test_access.rb
 - test/monty/test_watch.rb