
HTTP Basic: check authorization before parameter validation errors, so we return 401 whether the params are good or not on protected routes.
1 parent c949ae6 commit 415a7ad0118e103980c4827741bc6891e1968c3e Kyle Brett committed Apr 24, 2012
Showing with 46 additions and 5 deletions.
  1. +7 −5 lib/dzl/dsl_subjects/parameter_block.rb
  2. +12 −0 lib/dzl/examples/fun_with_params.rb
  3. +27 −0 spec/fun_with_params_spec.rb
@@ -57,18 +57,20 @@ def validate(parandidates, request)
end
end
- if !errors.empty?
- Dzl::ValueOrError.new(e: errors)
- elsif @opts[:protection]
+ if @opts[:protection]
protection_errors = @opts[:protection].collect do |protection|
protection.allow?(parandidates, request)
end.select { |result| result.error? }
- if protection_errors.empty?
+ if protection_errors.empty? && errors.empty?
Dzl::ValueOrError.new(v: parandidates)
+ elsif !protection_errors.empty?
+ protection_errors.first
else
- protection_errors[0]
+ Dzl::ValueOrError.new(e: errors)
end
+ elsif !errors.empty?
+ Dzl::ValueOrError.new(e: errors)
else
Dzl::ValueOrError.new(v: parandidates)
end
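Review bot: The protection check is still evaluated only after the parameter validation that fills `errors` has run, so an unauthenticated request to a protected route still has its parameters validated (and any custom validator blocks executed) before the 401 is chosen; the commit only changes which result wins. The loop that builds `errors` appears to close at the two `end`s at the top of the hunk, so its head and the start of `validate` are outside the hunk — hoist the check above that loop with `failure = (@opts[:protection] || []).map { |p| p.allow?(parandidates, request) }.find { |r| r.error? }` followed by `return failure if failure`, which also collapses the four result branches at the bottom to `errors.empty? ? Dzl::ValueOrError.new(v: parandidates) : Dzl::ValueOrError.new(e: errors)`. Whether `allow?` depends on anything computed inside that loop is not visible here; if it does not, the early return means unauthenticated input is never fed to the validators at all.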
@@ -36,6 +36,18 @@ class Dzl::Examples::FunWithParams < Dzl::Examples::Base
end
end
+ post '/body' do
+ required :foo, :bar
+ end
+
+ post '/other_protected', :get do
+ required :foo
+
+ protect do
+ http_basic username: 'no', password: 'way'
+ end
+ end
+
endpoint '/arithmetic' do
optional :int do
type Fixnum
@@ -126,6 +126,14 @@ def app; Dzl::Examples::FunWithParams; end
get '/protected' do |response|
response.status.should == 401
end
+
+ post '/other_protected', foo: 'present' do |response|
+ response.status.should == 401
+ end
+
+ get '/other_protected' do |response|
+ response.status.should == 401
+ end
end
it 'should present the http basic challenge with invalid credentials' do
@@ -140,6 +148,17 @@ def app; Dzl::Examples::FunWithParams; end
get '/protected' do |response|
response.status.should == 200
end
+
+ post '/other_protected', foo: 'present' do |response|
+ response.status.should == 200
+ end
+ end
+
+ it 'should 404 with valid auth and bad params' do
+ authorize('no', 'way')
+ post '/other_protected' do |response|
+ response.status.should == 404
+ end
end
end
@@ -237,5 +256,13 @@ def app; Dzl::Examples::FunWithParams; end
}
end
end
+
+ describe '/body' do
+ specify 'works' do
+ post('/body', foo: 'hello', bar: 'world') do |response|
+ response.status.should == 200
+ end
+ end
+ end
end
end
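Review bot: The new examples pin no credentials with and without params (401), valid credentials with good params (200) and valid credentials with bad params (404), but not wrong credentials with bad params on `/other_protected`, which is the case where a bad password could otherwise be answered with a validation error instead of the challenge; add `post '/other_protected' do |response| response.status.should == 401 end` under the 'should present the http basic challenge with invalid credentials' example, whose body lies outside the visible hunk. The 404 asserted for valid auth plus a missing required parameter is presumably the framework's pre-existing status for a validation failure rather than something this commit introduces, so it is noted here only as surprising (400 would be the conventional answer).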
