- edited description
Issues
Issue #2
resolved
The :auth plugin doesn't handle two permissions criteria with the same matching pattern
When specifying permissions for an application, there's currently no way (without workarounds) to apply two different permission sets to requests that have the same path but different HTTP verbs (or any criteria other than path). E.g.,
# No auth required to get the API description no_auth_for( '' ) {|req| req.verb == :GET } # Require ou=it,cn=inventory AppPerms for all other access require_perms_for %r{.*}, :it_assets_webapp # Require membership in the POSIX 'sysadmin' group for any writes require_perms_for( %r{.*}, :@sysadmin ) {|req, m| req.verb != :GET }
This is supposed to mean:
- A 'GET /' request is allowed by anyone
- A request to anything else requires that the user be granted the
it_assets_webapppermission. - A request other than a
GETalso requires membership in thesysadminPOSIX group.
What happens instead is that the third declaration replaces the second one because its pattern is the same.
Comments (3)
-
Michael Granger reporter
-
Michael Granger reporter
- changed status to open
-
Michael Granger reporter
- changed status to resolved
Fix multiple permission criteria in the auth plugin (fixes
#2)→ <<cset d661773e0781>>
- Log in to comment
Fix the description syntax.