The :auth plugin doesn't handle two permissions criteria with the same matching pattern
Issue #2 (resolved)
When specifying permissions for an application, there's currently no way (without workarounds) to apply two different permission sets to requests that have the same path but different HTTP verbs (or that differ on any criterion other than the path). For example:
```ruby
# No auth required to get the API description
no_auth_for( '' ) {|req| req.verb == :GET }

# Require ou=it,cn=inventory AppPerms for all other access
require_perms_for %r{.*}, :it_assets_webapp

# Require membership in the POSIX 'sysadmin' group for any writes
require_perms_for( %r{.*}, :@sysadmin ) {|req, m| req.verb != :GET }
```
This is supposed to mean:
- A 'GET /' request is allowed by anyone
- A request to anything else requires that the user be granted the `it_assets_webapp` permission.
- A request other than a `GET` also requires membership in the `sysadmin` POSIX group.
What happens instead is that the third declaration replaces the second one because its pattern is the same.
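To make the description above concrete, here is an added example (not code from Strelka or its auth plugin) that models the permission table two ways: keyed by pattern alone, which reproduces the overwrite the issue describes, and as an ordered list of (pattern, permissions, criteria) triples, which yields the intended result. `Request`, `PermissionTable`, `BuggyTable`, `FixedTable`, `declare`, `perms_for` and the path convention (app-relative paths, root is `''`, string patterns match exactly) are assumptions of this example, not Strelka APIs.

```ruby
require 'set'

# Added illustration for issue #2; this is a minimal stand-in for a
# permission table, not Strelka's own code. Paths are app-relative, so the
# app root is '' (an assumption of this example); string patterns match
# exactly, Regexp patterns match anywhere in the path.
Request = Struct.new(:path, :verb)

class PermissionTable
  def initialize
    @no_auth = []
  end

  def no_auth_for(pattern, &block)
    @no_auth << [to_regexp(pattern), block]
  end

  def require_perms_for(pattern, *perms, &block)
    store(to_regexp(pattern), perms, block)
  end

  # nil when the request needs no auth at all; otherwise the Set of
  # permissions that every matching declaration demands.
  def required_perms(req)
    return nil if @no_auth.any? { |pat, blk| matches?(pat, blk, req) }
    declarations.each_with_object(Set.new) do |(pat, perms, blk), acc|
      acc.merge(perms) if matches?(pat, blk, req)
    end
  end

  private

  # A declaration applies when the path matches its pattern and its
  # criteria block (if any) accepts the request.
  def matches?(pattern, block, req)
    m = pattern.match(req.path) or return false
    block ? block.call(req, m) : true
  end

  def to_regexp(pattern)
    pattern.is_a?(Regexp) ? pattern : /\A#{Regexp.escape(pattern)}\z/
  end
end

# The reported behaviour: declarations keyed by pattern alone, so a second
# declaration with the same pattern silently overwrites the first
# (two %r{.*} literals are eql? and hash identically).
class BuggyTable < PermissionTable
  def initialize
    super
    @perms = {}
  end

  private

  def store(pattern, perms, block)
    @perms[pattern] = [perms, block]
  end

  def declarations
    @perms.map { |pat, (perms, blk)| [pat, perms, blk] }
  end
end

# The intended behaviour: keep every declaration and evaluate all of them,
# so criteria blocks distinguish declarations that share a pattern.
class FixedTable < PermissionTable
  def initialize
    super
    @perms = []
  end

  private

  def store(pattern, perms, block)
    @perms << [pattern, perms, block]
  end

  def declarations
    @perms
  end
end

# The three declarations from the issue, applied to either table.
def declare(table)
  table.no_auth_for('') { |req| req.verb == :GET }
  table.require_perms_for(%r{.*}, :it_assets_webapp)
  table.require_perms_for(%r{.*}, :@sysadmin) { |req, _m| req.verb != :GET }
  table
end

def perms_for(table_class, path, verb)
  declare(table_class.new).required_perms(Request.new(path, verb))
end

if $PROGRAM_NAME == __FILE__
  [['', :GET], ['hosts', :GET], ['hosts', :POST]].each do |path, verb|
    puts format('%-4s %-8s buggy=%p fixed=%p', verb, path.inspect,
                perms_for(BuggyTable, path, verb), perms_for(FixedTable, path, verb))
  end
end
```

With the pattern-keyed table a `GET hosts` request ends up requiring nothing at all, because the only surviving `%r{.*}` entry is the `:@sysadmin` one whose block rejects GETs; the list-based table returns `it_assets_webapp` for that request and both permissions for a `POST`.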
Comments (3)
- changed status to open
- changed status to resolved: Fix multiple permission criteria in the auth plugin (fixes #2) → <<cset d661773e0781>>
- Fix the description syntax.