trpalmer · trpalmer · Jul 29, 2017 · Jul 27, 2017 · Jul 28, 2017
diff --git a/src/AttributeAuthorization.Tests/AuthRoutePermissionsTests.cs b/src/AttributeAuthorization.Tests/AuthRoutePermissionsTests.cs
@@ -9,12 +9,14 @@ namespace AttributeAuthorization.Tests
     public class AuthRoutePermissionsTests
     {
         private HttpRequestMessage _request;
+        private HttpRequestMessage _postRequest;
         private bool _authResolverCalled;
         private bool _shouldAllowUndefinedCalled;
 
         public AuthRoutePermissionsTests()
         {
-            _request = new HttpRequestMessage(HttpMethod.Get, "http://localhost/test");    
+            _request = new HttpRequestMessage(HttpMethod.Get, "http://localhost/test");
+            _postRequest = new HttpRequestMessage(HttpMethod.Post, "http://localhost/test");
         }
 
         [Fact]
@@ -76,6 +78,9 @@ private void AddRoute(string templateName = "template")
             _request.Properties[HttpPropertyKeys.HttpRouteDataKey] =
                 new HttpRouteData(new HttpRoute(templateName,
                 new HttpRouteValueDictionary(new { Controller = "controller", Action = "action" })));
+            _postRequest.Properties[HttpPropertyKeys.HttpRouteDataKey] =
+                new HttpRouteData(new HttpRoute(templateName,
+                    new HttpRouteValueDictionary(new { Controller = "controller", Action = "action" })));
         }
 
         [Fact]
@@ -139,6 +144,70 @@ public void When_Has_Permissions_Allowed()
             Assert.True(actual);    
         }
 
+        [Fact]
+        public void When_Has_Verb_And_Permissions_Allowed()
+        {
+            AddRoute();
+            var permissions =
+                new AuthRoutePermissions(
+                    new Dictionary<string, AuthPermissions>
+                    {
+                        { "GET:template", new AuthPermissions { Accepted = new List<string> { "write", "write2" } } }
+                    }, request =>
+                    {
+                        _authResolverCalled = true;
+                        return new List<string> { "write" };
+                    });
+
+            var actual = permissions.IsAllowed(_request);
+
+            Assert.True(actual);
+        }
+
+        [Fact]
+        public void When_Has_Verb_And_Permissions_NotAllowed()
+        {
+            AddRoute();
+            var permissions =
+                new AuthRoutePermissions(
+                    new Dictionary<string, AuthPermissions>
+                    {
+                        { "GET:template", new AuthPermissions { Accepted = new List<string> { "write", "write2" } } }
+                    }, request =>
+                    {
+                        _authResolverCalled = true;
+                        return new List<string> { "write" };
+                    });
+
+            var actual = permissions.IsAllowed(_postRequest);
+
+            Assert.False(actual);
+        }
+
+        [Fact]
+        public void When_Request_Has_Verb_And_Permissions_DoesNot()
+        {
+            AddRoute();
+            var permissions =
+                new AuthRoutePermissions(
+                    new Dictionary<string, AuthPermissions>
+                    {
+                        { "template", new AuthPermissions { Accepted = new List<string> { "write", "write2" } } }
+                    }, request =>
+                    {
+                        _authResolverCalled = true;
+                        return new List<string> { "write" };
+                    });
+
+            var actual = permissions.IsAllowed(_postRequest);
+
+            Assert.True(actual);
+
+            var getActual = permissions.IsAllowed(_request);
+
+            Assert.True(getActual);
+        }
+
         [Fact]
         public void When_Auth_Not_Required_Allowed()
         {
@@ -178,6 +247,5 @@ public void When_Auth_Not_Required_And_Permissions_NotAllowed()
 
             Assert.False(actual);
         }
-
     }
 }
diff --git a/src/AttributeAuthorization.Tests/Properties/AssemblyInfo.cs b/src/AttributeAuthorization.Tests/Properties/AssemblyInfo.cs
@@ -32,5 +32,5 @@
 // You can specify all the values or you can default the Build and Revision Numbers 
 // by using the '*' as shown below:
 // [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.0.0.0")]
-[assembly: AssemblyFileVersion("1.0.0.0")]
+[assembly: AssemblyVersion("1.1.0.0")]
+[assembly: AssemblyFileVersion("1.1.0.0")]
diff --git a/src/AttributeAuthorization.Tests/RoutePermissionsBuilderTests.cs b/src/AttributeAuthorization.Tests/RoutePermissionsBuilderTests.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Net.Http;
 using System.Text;
 using System.Threading.Tasks;
 using System.Web.Http;
@@ -22,16 +23,17 @@ public RoutePermissionsBuilderTests()
         }
 
         private void BuildPermissions(string method, Type restrictTo = null,
-            Action<IHttpRoute, Dictionary<string, AuthPermissions>> undefinedRouteAction = null)
+            Action<IHttpRoute, Dictionary<string, AuthPermissions>> undefinedRouteAction = null, HttpRouteValueDictionary constraints = null)
         {
             restrictTo = restrictTo ?? typeof(TestController);
             _configuration.Services.Replace(typeof(IHttpControllerTypeResolver), new DefaultHttpControllerTypeResolver(t => t == restrictTo));
-            _configuration.Routes.Add("test", new HttpRoute(TemplateName, 
+            _configuration.Routes.Add("test", new HttpRoute(TemplateName,
                 new HttpRouteValueDictionary 
                 {
                     { "controller", restrictTo.Name.Replace("Controller", "") },
                     { "action", method}
-                }));
+                },
+                constraints));
 
             var builder = new RoutePermissionsBuilder(_configuration, undefinedRouteAction);
             _permissions = builder.Build();
@@ -57,6 +59,15 @@ private AuthPermissions GetPermission()
             return result;
         }
 
+        private AuthPermissions GetPermissionWithVerb(HttpMethod method)
+        {
+            AuthPermissions result = null;
+            _permissions.TryGetValue(method + ":" + TemplateName, out result);
+
+            return result;
+        }
+
+
         [Fact]
         public void RequiresNoAuth_WithPermissions()
         {
@@ -108,6 +119,53 @@ public void When_Class_RequiresAuth_Method_Inherits()
             accepted.Sort();
             Assert.Equal(new List<string> { "permission1", "permission2" }, accepted);
         }
+
+        [Fact]
+        public void When_Permissions_Have_Verbs_RouteTemplateIsNull()
+        {
+            var constraints = new Constraints(new List<string> { "GET" });
+            BuildPermissions("GetPermission", typeof(Test4Controller), null,
+                new HttpRouteValueDictionary
+                {
+                    {"inboundHttpMethod", constraints }
+                });
+
+            var auth = GetPermission();
+
+            Assert.Null(auth);
+        }
+
+        [Fact]
+        public void When_Permissions_Have_Verbs()
+        {
+            var constraints = new Constraints(new List<string> { HttpMethod.Get.Method });
+            BuildPermissions("GetPermission", typeof(Test4Controller), null,
+                new HttpRouteValueDictionary
+                {
+                    {"inboundHttpMethod", constraints }
+                });
+
+            var auth = GetPermissionWithVerb(HttpMethod.Get);
+            Assert.NotNull(auth);
+            Assert.False(auth.AuthNotRequired);
+            var accepted = auth.Accepted;
+            accepted.Sort();
+            Assert.Equal(new List<string> { "permission1", "permission2" }, accepted);
+        }
+
+        [Fact]
+        public void When_Permissions_Have_Verbs_NotAllowed()
+        {
+            var constraints = new Constraints(new List<string> { HttpMethod.Get.Method });
+            BuildPermissions("GetPermission", typeof(Test4Controller), null,
+                new HttpRouteValueDictionary
+                {
+                    {"inboundHttpMethod", constraints }
+                });
+
+            var auth = GetPermissionWithVerb(HttpMethod.Post);
+            Assert.Null(auth);
+        }
     }
 
     public class TestController : ApiController
@@ -157,4 +215,31 @@ public string GetPermission()
             return "GetPermission";
         }
     }
+
+    [RequiresAuth("permission1")]
+    public class Test4Controller : ApiController
+    {
+        [RequiresAuth("permission2")]
+        [AcceptVerbs("GET")]
+        public string GetPermission()
+        {
+            return "GetPermission";
+        }
+
+        [RequiresAuth("permission2")]
+        [AcceptVerbs("GET")]
+        public string PostPermission()
+        {
+            return "PostPermission";
+        }
+    }
+
+    public class Constraints
+    {
+        public Constraints(List<string> allowedMethods)
+        {
+            AllowedMethods = allowedMethods;
+        }
+        public List<string> AllowedMethods { get; set; }
+    }
 }
diff --git a/src/AttributeAuthorization/AuthRoutePermissions.cs b/src/AttributeAuthorization/AuthRoutePermissions.cs
@@ -48,15 +48,17 @@ private bool InternalAuthNotRequired(HttpRequestMessage request, out AuthPermiss
 
             var route = FindRoute(request);
 
-            if (route != null && _routePermissions.ContainsKey(route.Route.RouteTemplate))
+            if (route != null)
             {
-                permissions = _routePermissions[route.Route.RouteTemplate];
-                result = (!permissions.Accepted.Any() && permissions.AuthNotRequired);
-            }
-            else
-            {
-                result = _shouldAllowNotDefined(request);
+                permissions = GetPermissions(route.Route, request);
+                if (permissions != null)
+                {
+                    result = (!permissions.Accepted.Any() && permissions.AuthNotRequired);
+                    return result;
+                }
             }
+            result = _shouldAllowNotDefined(request);
+
             return result;
         }
 
@@ -84,5 +86,19 @@ public IHttpRouteData FindRoute(HttpRequestMessage request)
             }
             return result;
         }
+
+        private AuthPermissions GetPermissions(IHttpRoute route, HttpRequestMessage request)
+        {
+            string key = request.Method + ":" + route.RouteTemplate;
+            if (_routePermissions.ContainsKey(key))
+            {
+                return _routePermissions[key];
+            }
+            if (_routePermissions.ContainsKey(route.RouteTemplate))
+            {
+                return _routePermissions[route.RouteTemplate];
+            }
+            return null;
+        }
     }
 }
diff --git a/src/AttributeAuthorization/Properties/AssemblyInfo.cs b/src/AttributeAuthorization/Properties/AssemblyInfo.cs
@@ -9,5 +9,5 @@
 [assembly: AssemblyCopyright("Copyright © 2014 tpalmer")]
 [assembly: ComVisible(false)]
 [assembly: Guid("3b530efd-1d4d-4f0b-8d8a-99cd8f39855e")]
-[assembly: AssemblyVersion("1.0.0.0")]
-[assembly: AssemblyFileVersion("1.0.0.0")]
+[assembly: AssemblyVersion("1.1.0.0")]
+[assembly: AssemblyFileVersion("1.1.0.0")]