RubyGems - rest-sinatra - Versions diffs - 0.3.3 → 0.4.0 - Mend

rest-sinatra 0.3.3 → 0.4.0

Files changed (7) hide show

data/VERSION +1 -1
data/lib/rest-sinatra.rb +118 -60
data/rest-sinatra.gemspec +2 -2
data/spec/unit/helpers/sources.rb +3 -0
data/spec/unit/posts_and_comments_spec.rb +8 -0
data/spec/unit/sources_spec.rb +4 -0
metadata +2 -2

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 0.3.3
1	+ 0.4.0

data/lib/rest-sinatra.rb CHANGED Viewed

@@ -20,6 +20,7 @@ module RestSinatra
     def _resource(name, resource_type, &block)
       config = evaluate_block(name, resource_type, &block)
+      config[:resource] = self
       validate(config)
       build_resource(config)
       config
@@ -30,13 +31,15 @@ module RestSinatra
       scope.extend(ResourceMethods)
       scope.instance_eval do
         @c = {
-          :name             => name,
-          :resource_type    => resource_type,
-          :model            => nil,
-          :read_only        => [],
-          :permission       => nil,
-          :callbacks        => {},
-          :nested_resources => []
+          :name                 => name,
+          :resource_type        => resource_type,
+          :model                => nil,
+          :read_only            => [],
+          :resource             => nil,
+          :permission_to_view   => nil,
+          :permission_to_modify => nil,
+          :callbacks            => {},
+          :nested_resources     => []
         }
       end
       scope.instance_eval(&block)
@@ -66,36 +69,51 @@ module RestSinatra
     end
     def build_parent_resource(config)
-      callbacks = config[:callbacks]
-      model     = config[:model]
-      name      = config[:name]
-      read_only = config[:read_only]
+      callbacks            = config[:callbacks]
+      model                = config[:model]
+      name                 = config[:name]
+      permission_to_view   = config[:permission_to_view]
+      permission_to_modify = config[:permission_to_modify]
+      read_only            = config[:read_only]
+      resource             = config[:resource]
       get '/?' do
-        require_at_least(:basic)
+        permission_check(
+          :default  => :basic,
+          :override => permission_to_view
+        )
         validate_before_find_all(params, model)
-        @documents = find_with_filters(params, model)
-        @documents.render
+        documents = find_with_filters(params, model)
+        permitted = documents.select { |document| resource.permit_view?(@current_user, document) }
+        sanitized = permitted.map { |document| resource.sanitize(@current_user, document) }
+        sanitized.render
       end
       get '/:id/?' do |id|
-        require_at_least(:basic)
+        permission_check(
+          :default  => :basic,
+          :override => permission_to_view
+        )
         id = params.delete("id")
         validate_before_find_one(params, model)
-        @document = find_document!(model, id)
-        @document.render
+        document = find_document!(model, id)
+        unauthorized_api_key! unless resource.permit_view?(@current_user, document)
+        sanitized = resource.sanitize(@current_user, document)
+        sanitized.render
       end
       post '/?' do
-        require_at_least(:curator)
+        permission_check(
+          :default  => :admin,
+          :override => permission_to_modify
+        )
+        unauthorized_api_key! unless resource.permit_modify?(@current_user, nil)
         validate_before_create(params, model, read_only)
         callback(callbacks[:before_save])
         callback(callbacks[:before_create])
         @document = model.new(params)
-        unless @document.valid?
-          error 400, { "errors" => @document.errors.errors }.to_json
-        end
-        error 500, [].to_json unless @document.save
+        invalid_document! unless @document.valid?
+        internal_server_error! unless @document.save
         callback(callbacks[:after_create])
         callback(callbacks[:after_save])
         response.status = 201
@@ -104,25 +122,31 @@ module RestSinatra
       end
       put '/:id/?' do
-        require_at_least(:curator)
+        permission_check(
+          :default  => :admin,
+          :override => permission_to_modify
+        )
         id = params.delete("id")
         @document = find_document!(model, id)
+        unauthorized_api_key! unless resource.permit_modify?(@current_user, @document)
         validate_before_update(params, model, read_only)
         callback(callbacks[:before_save])
         callback(callbacks[:before_update])
         @document = model.update(id, params)
-        unless @document.valid?
-          error 400, { "errors" => @document.errors.errors }.to_json
-        end
+        invalid_document! unless @document.valid?
         callback(callbacks[:after_update])
         callback(callbacks[:after_save])
         @document.render
       end
       delete '/:id/?' do
-        require_at_least(:curator)
+        permission_check(
+          :default  => :admin,
+          :override => permission_to_modify
+        )
         id = params.delete("id")
         @document = find_document!(model, id)
+        unauthorized_api_key! unless resource.permit_modify?(@current_user, @document)
         callback(callbacks[:before_destroy])
         @document.destroy
         callback(callbacks[:after_destroy])
@@ -132,7 +156,7 @@ module RestSinatra
       helpers do
         def find_document!(model, id)
           document = model.find_by_id(id)
-          error 404, [].to_json unless document
+          not_found! unless document
           document
         end
       end
@@ -151,44 +175,67 @@ module RestSinatra
     # klass       : nested resource class
     # association : a method on the parent model that will return child models
     def build_nested_resource(klass, association, parent_config, child_config)
-      callbacks       = child_config[:callbacks]
-      child_model     = child_config[:model]
-      child_name      = child_config[:name]
-      permission      = child_config[:permission]
-      read_only       = child_config[:read_only]
+      callbacks            = child_config[:callbacks]
+      child_model          = child_config[:model]
+      child_name           = child_config[:name]
+      child_resource       = child_config[:resource]
+      permission_to_view   = child_config[:permission_to_view]
+      permission_to_modify = child_config[:permission_to_modify]
+      read_only            = child_config[:read_only]
       parent_model    = parent_config[:model]
       parent_name     = parent_config[:name]
+      parent_resource = parent_config[:resource]
       get "/:parent_id/#{child_name}/?" do
+        permission_check(
+          :default  => :basic,
+          :override => permission_to_view
+        )
         parent_id = params.delete("parent_id")
-        permission_check(:basic, permission, parent_id)
-        @parent_document = find_parent!(parent_model, parent_id)
-        all_child_documents = @parent_document.send(association)
+        parent_document = find_parent!(parent_model, parent_id)
+        unauthorized_api_key! unless parent_resource.permit_view?(@current_user, parent_document)
+        all_child_documents = parent_document.send(association)
         validate_before_find_all(params, child_model) # ?
-        @child_documents = nested_find_with_filters(all_child_documents, params, parent_model)
-        @child_documents.render
+        child_documents = nested_find_with_filters(all_child_documents, params, parent_model)
+        permitted = child_documents.select do |child_document|
+          child_resource.permit_view?(@current_user, child_document)
+        end
+        sanitized = permitted.map { |document| child_resource.sanitize(@current_user, document) }
+        sanitized.render
       end
       get "/:parent_id/#{child_name}/:child_id/?" do
+        permission_check(
+          :default  => :basic,
+          :override => permission_to_view
+        )
         parent_id = params.delete("parent_id")
-        permission_check(:basic, permission, parent_id)
         child_id = params.delete("child_id")
         validate_before_find_one(params, child_model) # ?
-        @parent_document, @child_document = find_documents!(parent_model, parent_id, association, child_id)
-        @child_document.render
+        parent_document = find_parent!(parent_model, parent_id)
+        unauthorized_api_key! unless parent_resource.permit_view?(@current_user, parent_document)
+        child_document = find_child!(parent_document, association, child_id)
+        unauthorized_api_key! unless child_resource.permit_view?(@current_user, child_document)
+        sanitized = child_resource.sanitize(@current_user, child_document)
+        sanitized.render
       end
       post "/:parent_id/#{child_name}/?" do
+        permission_check(
+          :default  => :admin,
+          :override => permission_to_modify
+        )
         parent_id = params.delete("parent_id")
-        permission_check(:curator, permission, parent_id)
         @parent_document = find_parent!(parent_model, parent_id)
+        unauthorized_api_key! unless parent_resource.permit_modify?(@current_user, @parent_document)
+        unauthorized_api_key! unless child_resource.permit_modify?(@current_user, nil)
         validate_before_create(params, child_model, read_only)
         callback(callbacks[:before_save])
         callback(callbacks[:before_create])
         @child_document = child_model.new(params)
         @parent_document.send(association) << @child_document
-        error 500, [].to_json unless @parent_document.save
+        internal_server_error! unless @parent_document.save
         callback(callbacks[:after_create])
         callback(callbacks[:after_save])
         response.status = 201
@@ -199,52 +246,58 @@ module RestSinatra
       end
       put "/:parent_id/#{child_name}/:child_id/?" do
+        permission_check(
+          :default  => :admin,
+          :override => permission_to_modify
+        )
         parent_id = params.delete("parent_id")
-        permission_check(:curator, permission, parent_id)
         child_id = params.delete("child_id")
-        @parent_document, @child_document = find_documents!(parent_model, parent_id, association, child_id)
+        @parent_document = find_parent!(parent_model, parent_id)
+        unauthorized_api_key! unless parent_resource.permit_modify?(@current_user, @parent_document)
+        @child_document = find_child!(@parent_document, association, child_id)
+        unauthorized_api_key! unless child_resource.permit_modify?(@current_user, @child_document)
         validate_before_update(params, child_model, read_only)
         callback(callbacks[:before_save])
         callback(callbacks[:before_update])
         @child_document.attributes = params
         child_index = @parent_document.send(association).index(@child_document)
         @parent_document.send(association)[child_index] = @child_document
-        error 500, [].to_json unless @parent_document.save
+        internal_server_error! unless @parent_document.save
         callback(callbacks[:after_update])
         callback(callbacks[:after_save])
         @child_document.render
       end
       delete "/:parent_id/#{child_name}/:child_id/?" do
+        permission_check(
+          :default  => :admin,
+          :override => permission_to_modify
+        )
         parent_id = params.delete("parent_id")
-        permission_check(:curator, permission, parent_id)
         child_id = params.delete("child_id")
-        @parent_document, @child_document = find_documents!(parent_model, parent_id, association, child_id)
+        @parent_document = find_parent!(parent_model, parent_id)
+        unauthorized_api_key! unless parent_resource.permit_modify?(@current_user, @parent_document)
+        @child_document = find_child!(@parent_document, association, child_id)
+        unauthorized_api_key! unless child_resource.permit_modify?(@current_user, @child_document)
         callback(callbacks[:before_destroy])
         @parent_document.send(association).delete(@child_document)
         callback(callbacks[:after_destroy])
-        error 500, [].to_json unless @parent_document.save
+        internal_server_error! unless @parent_document.save
         { "id" => child_id }.to_json
       end
       helpers do
         def find_parent!(parent_model, parent_id)
           parent_document = parent_model.find_by_id(parent_id)
-          error 404, [].to_json unless parent_document
+          not_found! unless parent_document
           parent_document
         end
         def find_child!(parent_document, association, child_id)
           child_document = parent_document.send(association).detect { |x| x.id == child_id }
-          error 404, [].to_json unless child_document
+          not_found! unless child_document
           child_document
         end
-        def find_documents!(parent_model, parent_id, association, child_id)
-          parent_document = find_parent!(parent_model, parent_id)
-          child_document = find_child!(parent_document, association, child_id)
-          [parent_document, child_document]
-        end
       end
     end
@@ -269,9 +322,14 @@ module RestSinatra
       @c[:read_only] << attribute
     end
-    def permission(level)
-      raise "permission already declared" if @c[:permission]
-      @c[:permission] = level
+    def permission_to_view(level)
+      raise "permission already declared" if @c[:permission_to_view]
+      @c[:permission_to_view] = level
+    end
+    def permission_to_modify(level)
+      raise "permission already declared" if @c[:permission_to_modify]
+      @c[:permission_to_modify] = level
     end
     def callback(name, &block)

data/rest-sinatra.gemspec CHANGED Viewed

@@ -5,11 +5,11 @@
 Gem::Specification.new do |s|
   s.name = %q{rest-sinatra}
-  s.version = "0.3.3"
+  s.version = "0.4.0"
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["David James"]
-  s.date = %q{2009-10-11}
+  s.date = %q{2009-10-14}
   s.description = %q{Provides a DSL for making RESTful Sinatra actions with MongoMapper models.}
   s.email = %q{djames@sunlightfoundation.com}
   s.extra_rdoc_files = [

data/spec/unit/helpers/sources.rb CHANGED Viewed

@@ -8,5 +8,8 @@ class Sources
   @r = resource "sources" do
     model Source
+    permission_to_view :basic
+    permission_to_modify :owner
   end
 end

data/spec/unit/posts_and_comments_spec.rb CHANGED Viewed

@@ -17,6 +17,10 @@ describe "Posts" do
       @config[:model].should == Post
     end
+    it "resource should be Posts" do
+      @config[:resource].should == Posts
+    end
     it "read_only should be correct" do
       @config[:read_only].should == [:created_at, :updated_at]
     end
@@ -133,6 +137,10 @@ describe "Comments" do
       @config[:model].should == Comment
     end
+    it "model should be Comments" do
+      @config[:resource].should == Comments
+    end
     it "read_only should be correct" do
       @config[:read_only].should == [:created_at]
     end

data/spec/unit/sources_spec.rb CHANGED Viewed

@@ -15,6 +15,10 @@ describe "Sources" do
     it "model should be Source" do
       @config[:model].should == Source
     end
+    it "resource should be Sources" do
+      @config[:resource].should == Sources
+    end
     it "read_only should be empty" do
       @config[:read_only].should == []

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rest-sinatra
 version: !ruby/object:Gem::Version
-  version: 0.3.3
+  version: 0.4.0
 platform: ruby
 authors:
 - David James
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2009-10-11 00:00:00 -04:00
+date: 2009-10-14 00:00:00 -04:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency