Issue #2 resolved

The :auth plugin doesn't handle two permissions criteria with the same matching pattern

Michael Granger repo owner created an issue 2012-10-12

When specifying permissions for an application, there's currently no way (without workarounds) to apply two different permission sets to requests that have the same path but different HTTP verbs (or any criteria other than path). E.g.,

# No auth required to get the API description
no_auth_for( '' ) {|req| req.verb == :GET }

# Require ou=it,cn=inventory AppPerms for all other access
require_perms_for %r{.*}, :it_assets_webapp

# Require membership in the POSIX 'sysadmin' group for any writes
require_perms_for( %r{.*}, :@sysadmin ) {|req, m| req.verb != :GET }

This is supposed to mean:

A 'GET /' request is allowed by anyone
A request to anything else requires that the user be granted the it_assets_webapp permission.
A request other than a GET also requires membership in the sysadmin POSIX group.

What happens instead is that the third declaration replaces the second one because its pattern is the same.

Comments (3)

Michael Granger reporter
- edited description
Fix the description syntax.
- 2012-10-12T16:09:24+00:00
Michael Granger reporter
- changed status to open
- 2012-10-12T16:09:42+00:00
Michael Granger reporter
- changed status to resolved
Fix multiple permission criteria in the auth plugin (fixes #2)

→ <<cset d661773e0781>>
- 2013-02-06T16:06:20+00:00
Log in to comment

Assignee: –

Type: bug

Priority: major

Status: resolved

Version: –

Votes: 0

Watchers: 1

Strelka

Issues

The :auth plugin doesn't handle two permissions criteria with the same matching pattern

Comments (3)

Help