added ability to support no permission check

sinapam · sinapam · commit ec118e400f18 · 2020-06-03T15:58:08.000+07:00
diff --git a/Cpp/odin-views/permission.cpp b/Cpp/odin-views/permission.cpp
@@ -25,6 +25,13 @@ namespace {
             const fostlib::string &path,
             fostlib::http::server::request &req,
             const fostlib::host &host) {
+
+        if (not config.isobject()) {
+            // If config is not an object, expecting this to be a view, meaning always go to this view without checking permission  
+            return fostlib::urlhandler::view::execute(
+                    config, path, req, host);
+        }
+
         const auto &permission = config["permission"];
         bool granted = false;
         if (odin::c_jwt_trust.value() && req.headers().exists("__jwt")) {
@@ -40,6 +47,7 @@ namespace {
                 }
             }
         }
+
         if (not granted) {
             fostlib::pg::connection cnx{fostgres::connection(config, req)};
             fostlib::json where;
@@ -61,8 +69,14 @@ namespace {
             return fostlib::urlhandler::view::execute(
                     config["allowed"], path, req, host);
         } else {
-            return fostlib::urlhandler::view::execute(
-                    config["forbidden"], path, req, host);
+            if (config.has_key("forbidden")) {
+                return fostlib::urlhandler::view::execute(
+                        config["forbidden"], path, req, host);
+            } else {
+                // Default forbidden view is fost.response.403
+                return fostlib::urlhandler::view::execute(
+                    fostlib::json("fost.response.403"), path, req, host);
+            }
         }
     }
 
@@ -96,19 +110,13 @@ namespace {
                 const fostlib::host &host) const {
 
             auto method_config = fostlib::json();
-
             if (req.method() == "HEAD" and config.has_key("GET")) {
                 // HEAD method always use the same permission as GET
                 method_config = config["GET"];
             } else {
                 method_config = config[req.method()]; 
             }
 
-            // If forbidden is not defined, put default as 403 view
-            if (not method_config.has_key("forbidden")) {
-                fostlib::insert(method_config, "forbidden", "fost.response.403");
-            }
-
             return check_permission(method_config, config, path, req, host);
         }
     } c_permission_method;
diff --git a/tests/permissions-test-view.by-method.json b/tests/permissions-test-view.by-method.json
@@ -30,16 +30,10 @@
                                 }
                             }
                         },
-                        "by-method-specified-otherwise/": {
+                        "by-method-no-permission-check/": {
                             "view": "odin.permission.method",
                             "configuration": {
-                                "PUT": {
-                                    "permission": "write-permission",
-                                    "allowed": "permission-required-view"
-                                },
-                                "otherwise": {
-                                    "view": "fost.response.405"
-                                }
+                                "GET": "read-only-view"     
                             }
                         }
                     }
diff --git a/tests/permissions.by-method.fg b/tests/permissions.by-method.fg
@@ -46,9 +46,6 @@ PUT test/permission /by-method/identity-1/ {"full_name": "Identity 1"} 403
 # Check other HTTP methods (HEAD is supported by default with GET)
 HEAD test/permission /by-method/identity-1/ 200
 
-# Default for unspecified method returns forbidden 403
-POST test/permission /by-method/identity-1/ {"full_name": "Identity 1"} 403
-
 # Set superuser, should have all permission
 odin.superuser read-user-1
 GET odin/api /me/permissions 200 {"columns": ["permission"],
@@ -120,7 +117,7 @@ odin.user.expire write-user-2
 GET odin/api /me/permissions 200 {"columns": ["permission"], "rows": []}
 PUT test/permission /by-method-specified-forbidden/identity-1/ {"full_name": "Identity 1"} 200 {}
 
-## Test permission by method with specified otherwise
+## Test permission by method with no permission check
 
 # Set up the read user account
 odin.user read-user-3 read-user-3 password1234
@@ -131,9 +128,9 @@ odin.jwt.authorization read-user-3 password1234
 GET odin/api /me/permissions 200 {"columns": ["permission"],
     "rows": [["read-permission"]]}
 
-# Check that the web API checks the permissions for the methods
-GET test/permission /by-method/identity-1/ 200
-PUT test/permission /by-method/identity-1/ {"full_name": "Identity 1"} 403
+# Check the web API response to user with some permission
+GET test/permission /by-method-no-permission-check/identity-1/ 200
 
-# Default for unspecified method returns forbidden 403
-POST test/permission /by-method/identity-1/ {"full_name": "Identity 1"} 405
+# Check the web API response to user with no permission
+odin.user.expire read-user-3
+GET test/permission /by-method-no-permission-check/identity-1/ 200

Original file line number	Diff line number	Diff line change
`@@ -30,16 +30,10 @@`
`30`	`30`	`}`
`31`	`31`	`}`
`32`	`32`	`},`
`33`		`- "by-method-specified-otherwise/": {`
	`33`	`+ "by-method-no-permission-check/": {`
`34`	`34`	`"view": "odin.permission.method",`
`35`	`35`	`"configuration": {`
`36`		`- "PUT": {`
`37`		`- "permission": "write-permission",`
`38`		`- "allowed": "permission-required-view"`
`39`		`- },`
`40`		`- "otherwise": {`
`41`		`- "view": "fost.response.405"`
`42`		`- }`
	`36`	`+ "GET": "read-only-view"`
`43`	`37`	`}`
`44`	`38`	`}`
`45`	`39`	`}`