RubyGems - rest-sinatra - Versions diffs - 0.3.3 → 0.4.0 - Mend

rest-sinatra 0.3.3 → 0.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

data/VERSION +1 -1
data/lib/rest-sinatra.rb +118 -60
data/rest-sinatra.gemspec +2 -2
data/spec/unit/helpers/sources.rb +3 -0
data/spec/unit/posts_and_comments_spec.rb +8 -0
data/spec/unit/sources_spec.rb +4 -0
metadata +2 -2

data/VERSION CHANGED Viewed

	@@ -1 +1 @@
1	- 0.3.3
1	+ 0.4.0

data/lib/rest-sinatra.rb CHANGED Viewed

@@ -20,6 +20,7 @@ module RestSinatra
     def _resource(name, resource_type, &block)
       config = evaluate_block(name, resource_type, &block)
+      config[:resource] = self
       validate(config)
       build_resource(config)
       config
@@ -30,13 +31,15 @@ module RestSinatra
       scope.extend(ResourceMethods)
       scope.instance_eval do
         @c = {
-          :name             => name,
-          :resource_type    => resource_type,
-          :model            => nil,
-          :read_only        => [],
-          :permission       => nil,
-          :callbacks        => {},
-          :nested_resources => []
+          :name                 => name,
+          :resource_type        => resource_type,
+          :model                => nil,
+          :read_only            => [],
+          :resource             => nil,
+          :permission_to_view   => nil,
+          :permission_to_modify => nil,
+          :callbacks            => {},
+          :nested_resources     => []
         }
       end
       scope.instance_eval(&block)
@@ -66,36 +69,51 @@ module RestSinatra
     end
     def build_parent_resource(config)
-      callbacks = config[:callbacks]
-      model     = config[:model]
-      name      = config[:name]
-      read_only = config[:read_only]
+      callbacks            = config[:callbacks]
+      model                = config[:model]
+      name                 = config[:name]
+      permission_to_view   = config[:permission_to_view]
+      permission_to_modify = config[:permission_to_modify]
+      read_only            = config[:read_only]
+      resource             = config[:resource]
       get '/?' do
-        require_at_least(:basic)
+        permission_check(
+          :default  => :basic,
+          :override => permission_to_view
+        )
         validate_before_find_all(params, model)
-        @documents = find_with_filters(params, model)
-        @documents.render
+        documents = find_with_filters(params, model)
+        permitted = documents.select { |document| resource.permit_view?(@current_user, document) }
+        sanitized = permitted.map { |document| resource.sanitize(@current_user, document) }
+        sanitized.render
       end
       get '/:id/?' do |id|
-        require_at_least(:basic)
+        permission_check(
+          :default  => :basic,
+          :override => permission_to_view
+        )
         id = params.delete("id")
         validate_before_find_one(params, model)
-        @document = find_document!(model, id)
-        @document.render
+        document = find_document!(model, id)
+        unauthorized_api_key! unless resource.permit_view?(@current_user, document)
+        sanitized = resource.sanitize(@current_user, document)
+        sanitized.render
       end
       post '/?' do
-        require_at_least(:curator)
+        permission_check(
+          :default  => :admin,
+          :override => permission_to_modify
+        )
+        unauthorized_api_key! unless resource.permit_modify?(@current_user, nil)
         validate_before_create(params, model, read_only)
         callback(callbacks[:before_save])
         callback(callbacks[:before_create])
         @document = model.new(params)
-        unless @document.valid?
-          error 400, { "errors" => @document.errors.errors }.to_json
-        end
-        error 500, [].to_json unless @document.save
+        invalid_document! unless @document.valid?
+        internal_server_error! unless @document.save
         callback(callbacks[:after_create])
         callback(callbacks[:after_save])
         response.status = 201
@@ -104,25 +122,31 @@ module RestSinatra
       end
       put '/:id/?' do
-        require_at_least(:curator)
+        permission_check(
+          :default  => :admin,
+          :override => permission_to_modify
+        )
         id = params.delete("id")
         @document = find_document!(model, id)
+        unauthorized_api_key! unless resource.permit_modify?(@current_user, @document)
         validate_before_update(params, model, read_only)
         callback(callbacks[:before_save])
         callback(callbacks[:before_update])
         @document = model.update(id, params)
-        unless @document.valid?
-          error 400, { "errors" => @document.errors.errors }.to_json
-        end
+        invalid_document! unless @document.valid?
         callback(callbacks[:after_update])
         callback(callbacks[:after_save])
         @document.render
       end
       delete '/:id/?' do
-        require_at_least(:curator)
+        permission_check(
+          :default  => :admin,
+          :override => permission_to_modify
+        )
         id = params.delete("id")
         @document = find_document!(model, id)
+        unauthorized_api_key! unless resource.permit_modify?(@current_user, @document)
         callback(callbacks[:before_destroy])
         @document.destroy
         callback(callbacks[:after_destroy])
@@ -132,7 +156,7 @@ module RestSinatra
       helpers do
         def find_document!(model, id)
           document = model.find_by_id(id)
-          error 404, [].to_json unless document
+          not_found! unless document
           document
         end
       end
@@ -151,44 +175,67 @@ module RestSinatra
     # klass       : nested resource class
     # association : a method on the parent model that will return child models
     def build_nested_resource(klass, association, parent_config, child_config)
-      callbacks       = child_config[:callbacks]
-      child_model     = child_config[:model]
-      child_name      = child_config[:name]
-      permission      = child_config[:permission]
-      read_only       = child_config[:read_only]
+      callbacks            = child_config[:callbacks]
+      child_model          = child_config[:model]
+      child_name           = child_config[:name]
+      child_resource       = child_config[:resource]
+      permission_to_view   = child_config[:permission_to_view]
+      permission_to_modify = child_config[:permission_to_modify]
+      read_only            = child_config[:read_only]
       parent_model    = parent_config[:model]
       parent_name     = parent_config[:name]
+      parent_resource = parent_config[:resource]
       get "/:parent_id/#{child_name}/?" do
+        permission_check(
+          :default  => :basic,
+          :override => permission_to_view
+        )
         parent_id = params.delete("parent_id")
-        permission_check(:basic, permission, parent_id)
-        @parent_document = find_parent!(parent_model, parent_id)
-        all_child_documents = @parent_document.send(association)
+        parent_document = find_parent!(parent_model, parent_id)
+        unauthorized_api_key! unless parent_resource.permit_view?(@current_user, parent_document)
+        all_child_documents = parent_document.send(association)
         validate_before_find_all(params, child_model) # ?
-        @child_documents = nested_find_with_filters(all_child_documents, params, parent_model)
-        @child_documents.render
+        child_documents = nested_find_with_filters(all_child_documents, params, parent_model)
+        permitted = child_documents.select do |child_document|
+          child_resource.permit_view?(@current_user, child_document)
+        end
+        sanitized = permitted.map { |document| child_resource.sanitize(@current_user, document) }
+        sanitized.render
       end
       get "/:parent_id/#{child_name}/:child_id/?" do
+        permission_check(
+          :default  => :basic,
+          :override => permission_to_view
+        )
         parent_id = params.delete("parent_id")
-        permission_check(:basic, permission, parent_id)
         child_id = params.delete("child_id")
         validate_before_find_one(params, child_model) # ?
-        @parent_document, @child_document = find_documents!(parent_model, parent_id, association, child_id)
-        @child_document.render
+        parent_document = find_parent!(parent_model, parent_id)
+        unauthorized_api_key! unless parent_resource.permit_view?(@current_user, parent_document)
+        child_document = find_child!(parent_document, association, child_id)
+        unauthorized_api_key! unless child_resource.permit_view?(@current_user, child_document)
+        sanitized = child_resource.sanitize(@current_user, child_document)
+        sanitized.render
       end
       post "/:parent_id/#{child_name}/?" do
+        permission_check(
+          :default  => :admin,
+          :override => permission_to_modify
+        )
         parent_id = params.delete("parent_id")
-        permission_check(:curator, permission, parent_id)
         @parent_document = find_parent!(parent_model, parent_id)
+        unauthorized_api_key! unless parent_resource.permit_modify?(@current_user, @parent_document)
+        unauthorized_api_key! unless child_resource.permit_modify?(@current_user, nil)
         validate_before_create(params, child_model, read_only)
         callback(callbacks[:before_save])
         callback(callbacks[:before_create])
         @child_document = child_model.new(params)
         @parent_document.send(association) << @child_document
-        error 500, [].to_json unless @parent_document.save
+        internal_server_error! unless @parent_document.save
         callback(callbacks[:after_create])
         callback(callbacks[:after_save])
         response.status = 201
@@ -199,52 +246,58 @@ module RestSinatra
       end
       put "/:parent_id/#{child_name}/:child_id/?" do
+        permission_check(
+          :default  => :admin,
+          :override => permission_to_modify
+        )
         parent_id = params.delete("parent_id")
-        permission_check(:curator, permission, parent_id)
         child_id = params.delete("child_id")
-        @parent_document, @child_document = find_documents!(parent_model, parent_id, association, child_id)
+        @parent_document = find_parent!(parent_model, parent_id)
+        unauthorized_api_key! unless parent_resource.permit_modify?(@current_user, @parent_document)
+        @child_document = find_child!(@parent_document, association, child_id)
+        unauthorized_api_key! unless child_resource.permit_modify?(@current_user, @child_document)
         validate_before_update(params, child_model, read_only)
         callback(callbacks[:before_save])
         callback(callbacks[:before_update])
         @child_document.attributes = params
         child_index = @parent_document.send(association).index(@child_document)
         @parent_document.send(association)[child_index] = @child_document
-        error 500, [].to_json unless @parent_document.save
+        internal_server_error! unless @parent_document.save
         callback(callbacks[:after_update])
         callback(callbacks[:after_save])
         @child_document.render
       end
       delete "/:parent_id/#{child_name}/:child_id/?" do
+        permission_check(
+          :default  => :admin,
+          :override => permission_to_modify
+        )
         parent_id = params.delete("parent_id")
-        permission_check(:curator, permission, parent_id)
         child_id = params.delete("child_id")
-        @parent_document, @child_document = find_documents!(parent_model, parent_id, association, child_id)
+        @parent_document = find_parent!(parent_model, parent_id)
+        unauthorized_api_key! unless parent_resource.permit_modify?(@current_user, @parent_document)
+        @child_document = find_child!(@parent_document, association, child_id)
+        unauthorized_api_key! unless child_resource.permit_modify?(@current_user, @child_document)
         callback(callbacks[:before_destroy])
         @parent_document.send(association).delete(@child_document)
         callback(callbacks[:after_destroy])
-        error 500, [].to_json unless @parent_document.save
+        internal_server_error! unless @parent_document.save
         { "id" => child_id }.to_json
       end
       helpers do
         def find_parent!(parent_model, parent_id)
           parent_document = parent_model.find_by_id(parent_id)
-          error 404, [].to_json unless parent_document
+          not_found! unless parent_document
           parent_document
         end
         def find_child!(parent_document, association, child_id)
           child_document = parent_document.send(association).detect { |x| x.id == child_id }
-          error 404, [].to_json unless child_document
+          not_found! unless child_document
           child_document
         end
-        def find_documents!(parent_model, parent_id, association, child_id)
-          parent_document = find_parent!(parent_model, parent_id)
-          child_document = find_child!(parent_document, association, child_id)
-          [parent_document, child_document]
-        end
       end
     end
@@ -269,9 +322,14 @@ module RestSinatra
       @c[:read_only] << attribute
     end
-    def permission(level)
-      raise "permission already declared" if @c[:permission]
-      @c[:permission] = level
+    def permission_to_view(level)
+      raise "permission already declared" if @c[:permission_to_view]
+      @c[:permission_to_view] = level
+    end
+    def permission_to_modify(level)
+      raise "permission already declared" if @c[:permission_to_modify]
+      @c[:permission_to_modify] = level
     end
     def callback(name, &block)

data/rest-sinatra.gemspec CHANGED Viewed

@@ -5,11 +5,11 @@
 Gem::Specification.new do |s|
   s.name = %q{rest-sinatra}
-  s.version = "0.3.3"
+  s.version = "0.4.0"
   s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
   s.authors = ["David James"]
-  s.date = %q{2009-10-11}
+  s.date = %q{2009-10-14}
   s.description = %q{Provides a DSL for making RESTful Sinatra actions with MongoMapper models.}
   s.email = %q{djames@sunlightfoundation.com}
   s.extra_rdoc_files = [

data/spec/unit/helpers/sources.rb CHANGED Viewed

@@ -8,5 +8,8 @@ class Sources
   @r = resource "sources" do
     model Source
+    permission_to_view :basic
+    permission_to_modify :owner
   end
 end

data/spec/unit/posts_and_comments_spec.rb CHANGED Viewed

@@ -17,6 +17,10 @@ describe "Posts" do
       @config[:model].should == Post
     end
+    it "resource should be Posts" do
+      @config[:resource].should == Posts
+    end
     it "read_only should be correct" do
       @config[:read_only].should == [:created_at, :updated_at]
     end
@@ -133,6 +137,10 @@ describe "Comments" do
       @config[:model].should == Comment
     end
+    it "model should be Comments" do
+      @config[:resource].should == Comments
+    end
     it "read_only should be correct" do
       @config[:read_only].should == [:created_at]
     end

data/spec/unit/sources_spec.rb CHANGED Viewed

@@ -15,6 +15,10 @@ describe "Sources" do
     it "model should be Source" do
       @config[:model].should == Source
     end
+    it "resource should be Sources" do
+      @config[:resource].should == Sources
+    end
     it "read_only should be empty" do
       @config[:read_only].should == []

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rest-sinatra
 version: !ruby/object:Gem::Version
-  version: 0.3.3
+  version: 0.4.0
 platform: ruby
 authors:
 - David James
@@ -9,7 +9,7 @@ autorequire:
 bindir: bin
 cert_chain: []
-date: 2009-10-11 00:00:00 -04:00
+date: 2009-10-14 00:00:00 -04:00
 default_executable:
 dependencies:
 - !ruby/object:Gem::Dependency