[Jifty-commit] r5164 - in jifty/trunk: . lib/Jifty/Plugin t/TestApp-Plugin-OAuth/lib/TestApp/Plugin/OAuth t/TestApp-Plugin-OAuth/t
Fri Feb 22 17:34:06 EST 2008
Author: sartak
Date: Fri Feb 22 17:34:04 2008
New Revision: 5164
Modified:
jifty/trunk/ (props changed)
jifty/trunk/lib/Jifty/Plugin/OAuth.pm
jifty/trunk/t/TestApp-Plugin-OAuth/lib/TestApp/Plugin/OAuth/Dispatcher.pm
jifty/trunk/t/TestApp-Plugin-OAuth/lib/TestApp/Plugin/OAuth/Model/User.pm
jifty/trunk/t/TestApp-Plugin-OAuth/t/06-read-only.t
Log:
r52017 at onn: sartak | 2008-02-22 17:33:44 -0500
OAuth: test that delete fails when the access token forbids write access
We need to hook into JDBI::Record's before_$crud triggers because current_user_can may just say "yes the owner can delete" and we want to prevent that
Modified: jifty/trunk/lib/Jifty/Plugin/OAuth.pm
==============================================================================
--- jifty/trunk/lib/Jifty/Plugin/OAuth.pm (original)
+++ jifty/trunk/lib/Jifty/Plugin/OAuth.pm Fri Feb 22 17:34:04 2008
@@ -13,22 +13,55 @@
my $record = shift;
my $right = shift;
- # not oauthed? usual rules
+ # not oauthed, so use default
$record->current_user->is_oauthed
or return 'ignore';
-
my $token = $record->current_user->oauth_token;
- # read access? usual rules
- $right eq 'read'
- or return 'ignore';
+ # OAuthed users have no read restrictions, so use default
+ return 'ignore' if $right eq 'read';
- # if the token does not give write access, then WE DO NOT HAVE IT
- return 'deny' unless $token->__value('can_write');
+ # token gives write access, so use default
+ return 'ignore' if $token->__value('can_write');
- # we have not been forbidden from updating, so: usual rules
- return 'ignore';
+ # we have been forbidden from writing!
+ Jifty->log->error("Unable to $right " . ref($record) . " " . $record->id . " because the OAuth access token does not allow it.");
+ return 'deny';
});
+
+ for my $type (qw/create set delete/) {
+ Jifty::DBI::Record->add_trigger(
+ abortable => 1,
+ name => "before_$type",
+ callback => sub {
+ my $record = shift;
+
+ # not a Jifty::Object, so allow write
+ $record->can('current_user')
+ or return 1;
+
+ # not oauthed, so allow write
+ $record->current_user->is_oauthed
+ or return 1;
+
+ my $token = $record->current_user->oauth_token;
+
+ # token gives write access, so allow write
+ return 1 if $token->__value('can_write');
+
+ # we have been forbidden from writing!
+ Jifty->log->debug("Unable to $type " . ref($record) . " " . $record->id . " because the OAuth access token does not allow it.");
+ my $ret = Class::ReturnValue->new;
+ $ret->as_array(0, "Your OAuth access token denies you write access.");
+ $ret->as_error(
+ errno => 1,
+ message => 'Your OAuth access token denies you write access.',
+ );
+ my $return = $ret->return_value;
+ return $ret->return_value;
+ },
+ );
+ }
}
=head1 NAME
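Review bot: In the new `before_$type` callback the debug message concatenates `$record->id`, but for `before_create` the row does not exist yet, so the id is presumably undefined there and the concatenation would raise an uninitialized-value warning while saying nothing useful; guard it, e.g. `my $id = defined $record->id ? $record->id : '(new)';` and interpolate `$id` into the message. The line `my $return = $ret->return_value;` is dead code: `$return` is never read and `return_value` is called again on the very next line, so drop it. The two denial paths also log the same condition at different levels (`error` in the current_user_can hook, `debug` in the trigger); one level should be chosen so operators can find refused writes consistently. The enclosing sub begins before this hunk.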
Modified: jifty/trunk/t/TestApp-Plugin-OAuth/lib/TestApp/Plugin/OAuth/Dispatcher.pm
==============================================================================
--- jifty/trunk/t/TestApp-Plugin-OAuth/lib/TestApp/Plugin/OAuth/Dispatcher.pm (original)
+++ jifty/trunk/t/TestApp-Plugin-OAuth/lib/TestApp/Plugin/OAuth/Dispatcher.pm Fri Feb 22 17:34:04 2008
@@ -6,19 +6,15 @@
my @login_required = qw{
oauth/authorize
nuke/?
- =
+ =/?
};
my $login_required = join '|', map {"^$_"} @login_required;
-$login_required = qr/$login_required/;
+$login_required = qr/($login_required)/;
before '**' => run {
- if (Jifty->web->current_user->id) {
- my $top = Jifty->web->navigation;
- $top->child( _('Pick!') => url => '/pick' );
- $top->child( _('Choices') => url => '/choices' );
- }
- elsif ($1 =~ $login_required) {
+ my $path = $1;
+ if (!Jifty->web->current_user->user_object && $path =~ $login_required) {
tangent '/login';
}
};
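Review bot: The capture group introduced in `qr/($login_required)/` is never read, since `$1` from the `**` rule is already saved into `$path` before the match, so `qr/(?:$login_required)/` states the intent and avoids clobbering `$1` for later code. Likewise the `/?` in the new `=/?` entry adds nothing, because every entry is prefixed with `^` and matched as an anchored prefix, so `=` alone already matches `=/model/...`. If the `**` capture can ever be empty, `$path =~ $login_required` would warn on an undefined value; presumably it cannot, but worth confirming.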
Modified: jifty/trunk/t/TestApp-Plugin-OAuth/lib/TestApp/Plugin/OAuth/Model/User.pm
==============================================================================
--- jifty/trunk/t/TestApp-Plugin-OAuth/lib/TestApp/Plugin/OAuth/Model/User.pm (original)
+++ jifty/trunk/t/TestApp-Plugin-OAuth/lib/TestApp/Plugin/OAuth/Model/User.pm Fri Feb 22 17:34:04 2008
@@ -17,6 +17,7 @@
sub current_user_can {
my $self = shift;
+ return 1 if $self->current_user->is_superuser;
return 1 if $_[0] eq 'create';
my $id = $self->__value('id');
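Review bot: The added `return 1 if $self->current_user->is_superuser;` grants every right, including `delete`, before any of the per-right checks, and the new test reloads the record as a superuser, so this is presumably intentional for the fixture; a comment such as `# superuser bypasses all rights; the tests reload records as superuser` would record that so it is not mistaken for a production rule. The remainder of `current_user_can` lies outside the hunk.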
Modified: jifty/trunk/t/TestApp-Plugin-OAuth/t/06-read-only.t
==============================================================================
--- jifty/trunk/t/TestApp-Plugin-OAuth/t/06-read-only.t (original)
+++ jifty/trunk/t/TestApp-Plugin-OAuth/t/06-read-only.t Fri Feb 22 17:34:04 2008
@@ -5,7 +5,7 @@
use Test::More;
BEGIN {
if (eval { require Net::OAuth::Request; require Crypt::OpenSSL::RSA; 1 }) {
- plan tests => 58;
+ plan tests => 22;
}
else {
plan skip_all => "Net::OAuth or Crypt::OpenSSL::RSA isn't installed";
@@ -82,11 +82,12 @@
);
$cmech->content_contains("You Zer", "REST GET works while OAuthed");
# }}}
-# REST PUT {{{
+# REST DELETE {{{
response_is(
- url => "/=/model/User/id/$uid.yml",
+ url => "/=/model/User/id/$uid.yml!DELETE",
+ id => $uid,
code => 200,
- method => 'DELETE',
+ method => 'POST',
testname => "200 - protected resource request",
consumer_secret => 'bar',
oauth_consumer_key => 'foo',
@@ -94,6 +95,11 @@
oauth_token => $token_obj->token,
token_secret => $token_obj->secret,
);
-$cmech->content_contains("You Zer", "REST DELETE doesn't work while the consumer has no write access");
+
+$cmech->content_like(qr/failure: 1/, "failed to delete");
+
+my $user_copy = TestApp::Plugin::OAuth::Model::User->new(current_user => Jifty::CurrentUser->superuser);
+$user_copy->load($uid);
+is($user_copy->name, "You Zer", "REST DELETE doesn't work while the consumer has no write access");
# }}}
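Review bot: The rewritten request uses the `!DELETE` suffix on a `POST` instead of `method => 'DELETE'`, so the plain HTTP DELETE path the test previously exercised is no longer covered; if `response_is` can only POST, a comment such as `# response_is only POSTs, so use the !DELETE method override` would explain the switch, otherwise keep a second request with the real verb. The refusal is asserted only through `failure: 1` in the body while `code => 200` is still expected, which is fine as a regression test but deserves a comment noting that the plugin reports the refused write in the response body rather than the status code. The final superuser reload confirming the row still exists is the strongest check in this hunk.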