From e14821c80975534e1249097ad7cfea6addce8ece Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Thu, 28 Apr 2016 15:31:57 -0700
Subject: [PATCH] Use explicit HTTP_METHODS whitelist when 'ALL' method is used

Before ALL functioned as a blanked method whitelist. This constrains which methods are allowed to the ones in Rails::Auth::ACL::Resource::HTTP_METHODS
---
 lib/rails/auth/acl/resource.rb | 5 +++--
 spec/rails/auth/acl/resource_spec.rb | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/lib/rails/auth/acl/resource.rb b/lib/rails/auth/acl/resource.rb
index 8204602..6166228 100644
--- a/lib/rails/auth/acl/resource.rb
+++ b/lib/rails/auth/acl/resource.rb
@@ -57,7 +57,7 @@ def match(env)
 # @return [Boolean] method and path *only* match the given environment
 #
 def match!(env)
- return false unless @http_methods.nil? || @http_methods.include?(env["REQUEST_METHOD".freeze])
+ return false unless @http_methods.include?(env["REQUEST_METHOD".freeze])
 return false unless @path =~ env["PATH_INFO".freeze]
 return false unless @host.nil? || @host =~ env["HTTP_HOST".freeze]
 true
@@ -68,7 +68,8 @@ def match!(env)
 def extract_methods(methods)
 methods = Array(methods)
- return nil if methods.include?("ALL")
+ return HTTP_METHODS if methods == ["ALL"]
+ raise ParseError, "method 'ALL' cannot be used with other methods" if methods.include?("ALL")
 methods.each do |method|
 raise ParseError, "invalid HTTP method: #{method}" unless HTTP_METHODS.include?(method)
diff --git a/spec/rails/auth/acl/resource_spec.rb b/spec/rails/auth/acl/resource_spec.rb
index eff0ac9..7ca066b 100644
--- a/spec/rails/auth/acl/resource_spec.rb
+++ b/spec/rails/auth/acl/resource_spec.rb
@@ -30,7 +30,7 @@
 {}
 )
- expect(resource.http_methods).to eq nil
+ expect(resource.http_methods).to eq Rails::Auth::ACL::Resource::HTTP_METHODS
 end
 context "errors" do
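Review bot: The new guard `return false unless @http_methods.include?(env["REQUEST_METHOD".freeze])` silently depends on `@http_methods` never being nil, which is only true because `extract_methods` in the next hunk now returns `HTTP_METHODS` for "ALL" instead of nil; any other construction path that leaves `@http_methods` unset (none is visible here) would now raise NoMethodError during the ACL check rather than match. That invariant deserves a comment on the line so the next edit to the constructor does not break it: `# @http_methods is always an Array ("ALL" expands to HTTP_METHODS), so a request with no REQUEST_METHOD fails closed`. The `# @return [Boolean] method and path *only* match` doc on the context line above also under-describes the predicate, since the body compares HTTP_HOST too when `@host` is set; `# @return [Boolean] method, path and (when configured) host match the given environment` would be accurate. match! is visible in full, but the enclosing class begins outside the hunk.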
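Review bot: `return HTTP_METHODS if methods == ["ALL"]` hands every wildcard resource the very same constant Array object, and the spec hunk shows it is exposed through a public `http_methods` reader; unless `HTTP_METHODS` is frozen at its definition (not visible in this hunk), one caller doing `resource.http_methods << "TRACE"` would widen the allowlist for every other `ALL` resource in the process. If the constant is not already frozen, either freeze it where it is defined or return a copy here: `return HTTP_METHODS.dup if methods == ["ALL"]`. Either way the intent of the line is worth stating, since a reader may still take "ALL" for a wildcard: `# "ALL" is shorthand for the explicit HTTP_METHODS allowlist, not a wildcard: methods outside it (TRACE, PROPFIND, ...) stay denied`. The new `raise ParseError ... if methods.include?("ALL")` branch has no spec in this commit; the spec change only pins the `["ALL"]` expansion, so a test that `%w[ALL GET]` raises ParseError would close that gap. extract_methods continues past the end of the hunk.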