Issue #2 resolved

The :auth plugin doesn't handle two permissions criteria with the same matching pattern

Michael Granger
repo owner created an issue

When specifying permissions for an application, there's currently no way (without workarounds) to apply two different permission sets to requests that have the same path but different HTTP verbs (or any criteria other than path). E.g.,

# No auth required to get the API description
no_auth_for( '' ) {|req| req.verb == :GET }

# Require ou=it,cn=inventory AppPerms for all other access
require_perms_for %r{.*}, :it_assets_webapp

# Require membership in the POSIX 'sysadmin' group for any writes
require_perms_for( %r{.*}, :@sysadmin ) {|req, m| req.verb != :GET }

This is supposed to mean:

  • A 'GET /' request is allowed by anyone
  • A request to anything else requires that the user be granted the it_assets_webapp permission.
  • A request other than a GET also requires membership in the sysadmin POSIX group.

What happens instead is that the third declaration replaces the second one because its pattern is the same.
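The overwrite described above, as an added example that is not Strelka's own code: a minimal model of a permission-criteria registry keyed by pattern (where a later declaration with the same pattern silently replaces the earlier one, dropping a permission requirement) beside a registry that keeps every declaration. The Request struct, the registry class names and the exact permission names are assumptions for the illustration.

```ruby
# Added example (not the :auth plugin's code): why keying permission criteria
# by pattern loses declarations, and a registry that accumulates them instead.
Request = Struct.new(:path, :verb)  # assumed minimal request object

# One permission criterion: path pattern, required perms, optional block that
# receives the request and the MatchData, as in the issue's declarations.
Criterion = Struct.new(:pattern, :perms, :block) do
  def applies?(req)
    m = pattern.match(req.path) or return false
    block ? block.call(req, m) : true
  end
end

# Buggy behaviour: criteria stored in a Hash keyed by pattern. Two Regexp
# literals with the same source are eql?, so the second declaration wins.
class OverwritingRegistry
  def initialize; @criteria = {}; end
  def require_perms_for(pattern, *perms, &block)
    @criteria[pattern] = Criterion.new(pattern, perms, block)
  end
  def required_perms(req)
    @criteria.values.select { |c| c.applies?(req) }.flat_map(&:perms).uniq
  end
end

# Fixed behaviour: every declaration is kept, so all matching criteria apply.
class AccumulatingRegistry
  def initialize; @criteria = []; end
  def require_perms_for(pattern, *perms, &block)
    @criteria << Criterion.new(pattern, perms, block)
  end
  def required_perms(req)
    @criteria.select { |c| c.applies?(req) }.flat_map(&:perms).uniq
  end
end

# The issue's two overlapping require_perms_for declarations.
def declare_issue_perms(registry)
  registry.require_perms_for(%r{.*}, :it_assets_webapp)
  registry.require_perms_for(%r{.*}, :@sysadmin) { |req, _m| req.verb != :GET }
  registry
end

# Permissions a request for `path` with `verb` would need under `registry`.
def perms_for(registry, path, verb)
  registry.required_perms(Request.new(path, verb))
end
```

With the overwriting registry a GET to any path ends up requiring no permission at all, since the only surviving criterion's block excludes GETs; the accumulating registry yields the intended set.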
