monty 0.3.0 → 0.3.1

data/lib/monty.rb

@@ -6,7 +6,7 @@ module Monty
   class << self
     # App version
     def version
-      '0.3.0'
+      '0.3.1'
     end
 
     # @return [Regexp] with \A \z boundaries

data/lib/monty/delivery.rb

@@ -30,7 +30,9 @@ module Monty
 
       @access_rights_regex = Monty.regex(@access_rights)
 
-      @access_rights_regex.match(@path) || method_match?
+      @path += "/" unless @path =~ /\/$/
+
+      (@access_rights_regex =~ @path && method_not_denied?) || method_match?
     end
 
     private
@@ -38,23 +40,37 @@ module Monty
     # Actions like create and update are determined by the HTTP method.
     # If the request is against the root resource path and the REQUEST_METHOD
     # is POST, determine if the user has access rights to /create or 
-    # /update (if _method=put)
+    # /update (if _method=put) or /destroy (if _method=_delete)
     #
     # @return [true|false] if request is allowed when considering the HTTP method 
     def method_match?
+      #If it is not a GET method OR the request is not against the root of a resource
+      return false if @method == :get || !(Monty::Resource.regex =~ (@path))
 
-      return false if @method == :get || !Monty::Resource.regex.match(@path)
-
-      @path += "/" unless @path =~ /\/$/
+      post_rest_access
+    end
 
+    # Actions like create and update are determined by the HTTP method.
+    # If the request is against the root resource path and the REQUEST_METHOD
+    # is POST, determine if the user is denied access to /create or 
+    # /update (if _method=put) or /destroy (if _method=_delete)
+    #
+    # @return [true|false] if request is not allowed when considering the HTTP method 
+    def method_not_denied?
       if @method == :post
-        if put?
-          @access_rights_regex.match("#{@path}update")
-        elsif delete?
-          @access_rights_regex.match("#{@path}destroy")
-        else
-          @access_rights_regex.match("#{@path}create")
-        end
+        post_rest_access 
+      else
+        true
+      end
+    end
+
+    def post_rest_access
+      if put?
+        @access_rights_regex =~ "#{@path}update"
+      elsif delete?
+        @access_rights_regex =~ "#{@path}destroy"
+      else
+        @access_rights_regex =~ "#{@path}create"
       end
     end
 

data/test/monty/test_delivery.rb

@@ -0,0 +1,23 @@
+require 'helper'
+
+class TestMontyDelivery < Test::Unit::TestCase
+
+  def setup
+    @env = {  'REQUEST_PATH'    => '/users',
+              'REQUEST_METHOD'  => 'GET',
+              'rack.session'    => {:access_rights => '\/users'} }
+    @delivery = Monty::Delivery.new(@env)
+  end
+
+  def test_delivery_initialized
+    assert_equal @delivery.path, '/users'
+    assert_equal @delivery.method, :get
+  end
+
+  #allowed? is really tested in test_watch
+  def test_name_error_is_rescued
+    #TODO: figure out how to test this
+  end
+
+end
+

data/test/monty/test_watch.rb

@@ -146,5 +146,65 @@ class TestMonty < Test::Unit::TestCase
     get '/posts/show/', {}
     assert last_response.ok?
   end
+
+  def test_it_denies_uri_access_to_destroy
+    Authorization.permission :posts do
+      resource :posts do
+        except :destroy
+      end
+    end
+    Authorization.public_access :posts
+
+    post '/posts', {:id => 1, :_method => "delete"}
+    assert last_response.redirect?
+
+    post '/posts/', {:id => 1, :_method => "delete"}
+    assert last_response.redirect?
+
+    post '/posts/', {:_method => "put"}
+    assert last_response.ok?
+
+    get '/posts/show', {}
+    assert last_response.ok?
+
+    get '/posts', {}
+    assert last_response.ok?
+
+    get '/posts/', {}
+    assert last_response.ok?
+
+    get '/posts/show/', {}
+    assert last_response.ok?
+  end
+
+  def test_it_denies_uri_access_to_new_create_and_destroy
+    Authorization.permission :users do
+      resource :users do
+        except :new, :create, :destroy
+      end
+    end
+    Authorization.public_access :users
+
+    get '/users/new'
+    assert last_response.redirect?
+
+    post '/users', {:id => 1, :_method => "delete"}
+    assert last_response.redirect?
+
+    post '/users', {:id => 1, :_method => "create"}
+    assert last_response.redirect?
+
+    post '/users', {:id => 1, :_method => "put"}
+    assert last_response.ok?
+
+    get '/users', {}
+    assert last_response.ok?
+
+    get '/users/', {}
+    assert last_response.ok?
+
+    get '/users/show/', {}
+    assert last_response.ok?
+  end
 end
 

metadata

@@ -5,8 +5,8 @@ version: !ruby/object:Gem::Version
   segments: 
   - 0
   - 3
-  - 0
-  version: 0.3.0
+  - 1
+  version: 0.3.1
 platform: ruby
 authors: 
 - stonean
@@ -14,7 +14,7 @@ autorequire:
 bindir: bin
 cert_chain: []
 
-date: 2010-05-20 00:00:00 -04:00
+date: 2010-05-27 00:00:00 -04:00
 default_executable: 
 dependencies: 
 - !ruby/object:Gem::Dependency 
@@ -92,6 +92,7 @@ specification_version: 3
 summary: Rack based authorization system
 test_files: 
 - test/helper.rb
+- test/monty/test_delivery.rb
 - test/monty/test_configuration.rb
 - test/monty/test_access.rb
 - test/monty/test_watch.rb