Ensure routes can be disabled by setting *_route to nil/false

This already worked by accident, because Rodauth would call request.is with nil/false, which wouldn't match anything, so the matcher would be skipped. However, this would result in route hash having a "/" key, which isn't correct. So, we make sure to skip writing into the route hash when the *_route method is set to nil/false, and add tests, ensuring that internal requests still work. We also add documentation for this feature to the guide for changing routes.
jeremyevans · May 30, 2022 · fadebee · fadebee
1 parent 4c8179a
commit fadebee
Show file tree

Hide file tree

Showing 3 changed files with 39 additions and 1 deletion.
diff --git a/doc/guides/paths.rdoc b/doc/guides/paths.rdoc
@@ -37,3 +37,15 @@ setting:
 
     # ...
   end
+
+There are cases where you may want to disable certain routes. For example, you
+may want to enable the create_account feature to allow creating admins, but
+only make it possible programmatically via internal requests. In this case,
+you should set the corresponding <tt>*_route</tt> method to +nil+:
+
+  plugin :rodauth, name: :admin do
+    enable :create_account
+
+    # disable the /create-account route
+    create_account_route nil
+  end
diff --git a/lib/rodauth/features/base.rb b/lib/rodauth/features/base.rb
@@ -402,7 +402,8 @@ def post_configure
       db.extension :date_arithmetic if use_date_arithmetic?
       route_hash= {}
       self.class.routes.each do |meth|
-        route_hash["/#{send("#{meth.to_s.sub(/\Ahandle_/, '')}_route")}"] = meth
+        route_meth = "#{meth.to_s.sub(/\Ahandle_/, '')}_route"
+        route_hash["/#{send(route_meth)}"] = meth if send(route_meth)
       end
       self.class.route_hash = route_hash.freeze
     end

diff --git a/spec/rodauth_spec.rb b/spec/rodauth_spec.rb
@@ -270,6 +270,31 @@
     page.text.must_equal 'http://www.example.com/auth/login?a[]=b&a[]=c'
   end
 
+  it "should support disabling routes" do
+    rodauth do
+      enable :create_account, :internal_request
+      create_account_route nil
+      login_route false
+    end
+    @no_freeze = true
+    roda do |r|
+      r.rodauth
+      r.root { "home" }
+    end
+    @app.not_found { "not found" }
+
+    visit '/create-account'
+    page.html.must_equal "not found"
+
+    visit '/'
+    page.html.must_equal "home"
+
+    @app.rodauth.route_hash.must_equal({})
+
+    @app.rodauth.create_account(login: "user@example.com", password: "secret")
+    @app.rodauth.account_exists?(login: "user@example.com").must_equal true
+  end
+
   it "should support session key prefix" do
     rodauth do
       session_key_prefix "prefix_"