diff --git a/lib/remote_storage/swift.rb b/lib/remote_storage/swift.rb
index 66f269a..aa6c3a3 100644
--- a/lib/remote_storage/swift.rb
+++ b/lib/remote_storage/swift.rb
@@ -24,12 +24,14 @@ module RemoteStorage
 return true if ["GET", "HEAD"].include?(request_method) && !listing
 end
 
+ server.halt 401, "Unauthorized" if token.empty?
+
 authorizations = redis.smembers("authorizations:#{user}:#{token}")
 permission = directory_permission(authorizations, directory)
 
- server.halt 401 unless permission
+ server.halt 401, "Unauthorized" unless permission
 
 if ["PUT", "DELETE"].include? request_method
- server.halt 401 unless permission == "rw"
+ server.halt 401, "Unauthorized" unless permission == "rw"
 end
 end
diff --git a/spec/swift/app_spec.rb b/spec/swift/app_spec.rb
index 29e5e4f..fd70aa4 100644
--- a/spec/swift/app_spec.rb
+++ b/spec/swift/app_spec.rb
@@ -173,6 +173,29 @@ describe "App" do
 purge_redis
 end
 
+ context "not authorized" do
+
+ describe "with no token" do
+ it "says it's not authorized" do
+ delete "/phil/food/aguacate"
+
+ last_response.status.must_equal 401
+ last_response.body.must_equal "Unauthorized"
+ end
+ end
+
+ describe "with wrong token" do
+ it "says it's not authorized" do
+ header "Authorization", "Bearer wrongtoken"
+ delete "/phil/food/aguacate"
+
+ last_response.status.must_equal 401
+ last_response.body.must_equal "Unauthorized"
+ end
+ end
+
+ end
+
 context "authorized" do
 before do
 redis.sadd "authorizations:phil:amarillo", [":rw"]
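Review bot: The new guard `server.halt 401, "Unauthorized" if token.empty?` raises NoMethodError instead of answering 401 when `token` is nil, and the hunk does not show how `token` is derived, so whether a request without an Authorization header reaches this line as nil or as "" cannot be confirmed here; `server.halt 401, "Unauthorized" if token.nil? || token.empty?` covers both cases and keeps the spec's expected body. Separately, none of the three 401 responses on the new side carries a `WWW-Authenticate` challenge; if `server` is a Sinatra app, `halt` accepts a headers hash, so `server.halt 401, { "WWW-Authenticate" => 'Bearer realm="<realm>"' }, "Unauthorized"` (realm is a placeholder) would make the Bearer rejection conform to RFC 6750. The enclosing method starts outside the hunk.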
@@ -248,6 +271,29 @@ describe "App" do
 purge_redis
 end
 
+ context "not authorized" do
+
+ describe "without token" do
+ it "says it's not authorized" do
+ get "/phil/food/"
+
+ last_response.status.must_equal 401
+ last_response.body.must_equal "Unauthorized"
+ end
+ end
+
+ describe "with wrong token" do
+ it "says it's not authorized" do
+ header "Authorization", "Bearer wrongtoken"
+ get "/phil/food/"
+
+ last_response.status.must_equal 401
+ last_response.body.must_equal "Unauthorized"
+ end
+ end
+
+ end
+
 context "authorized" do
 before do