author | mr <mr@mrautenberg.de> | 2011-01-10 17:04:49 +0100 |
committer | mr <mr@mrautenberg.de> | 2011-01-10 17:04:49 +0100 |
commit | 57cab7b2e22b4f07ee7f53afb15d05873abeca6d (patch) | |
tree | d5f200ebe42b09af365229d8a9fad4c724288d57 /lib | |
parent | a0bcb593e95320bff832f5cca9b9f4c105c817d3 (diff) |
A&A
Diffstat (limited to 'lib')
-rw-r--r-- | lib/helper.rb | 36 |
1 files changed, 24 insertions, 12 deletions
diff --git a/lib/helper.rb b/lib/helper.rb
index 6b616bc..857c5b5 100644
--- a/lib/helper.rb
+++ b/lib/helper.rb 
@@ -15,25 +15,42 @@ helpers do
 return unless authorized?(subjectid)
 end
+ #Check Authorization for URI with method and subjectid.
 def authorized?(subjectid)
+ uri = clean_uri("#{request.env['rack.url_scheme']}://#{request.env['HTTP_HOST']}#{request.env['REQUEST_URI']}")
 if CONFIG[:authorization][:authorize_request].include?(request.env['REQUEST_METHOD'])
- ret = OpenTox::Authorization.authorize("#{request.env['rack.url_scheme']}://#{request.env['HTTP_HOST']}#{request.env['REQUEST_URI']}", request.env['REQUEST_METHOD'], subjectid)
- LOGGER.debug "OpenTox helpers OpenTox::Authorization authorized? method: #{request.env['REQUEST_METHOD']} , URI: #{request.env['rack.url_scheme']}://#{request.env['HTTP_HOST']}#{request.env['REQUEST_URI']}, subjectid: #{subjectid} with return #{ret}."
+ ret = OpenTox::Authorization.authorize(uri, request.env['REQUEST_METHOD'], subjectid)
+ LOGGER.debug "OpenTox helpers OpenTox::Authorization authorized? method: #{request.env['REQUEST_METHOD']} , URI: #{request.env['rack.url_scheme']}://#{request.env['HTTP_HOST']}#{request.env['REQUEST_URI']}, subjectid: #{subjectid} with return >>#{ret}<<"
 return ret
 end
 if CONFIG[:authorization][:authenticate_request].include?(env['REQUEST_METHOD'])
- if OpenTox::Authorization.is_token_valid(subjectid)
- return true
- end
+ return true if OpenTox::Authorization.is_token_valid(subjectid)
 end
 LOGGER.debug "Not authorized for: #{request.env['rack.url_scheme']}://#{request['REQUEST_URI']} with Method: #{request.env['REQUEST_METHOD']} with Token #{subjectid}"
 return false
 end
+ #cleans URI from querystring and file-extension. Sets port 80 to emptystring
+ # @param [String] uri
+ def clean_uri(uri)
+ out = URI.parse(uri)
+ out.path = out.path[0, out.path.rindex(/[0-9]/) + 1] if out.path.rindex(/[0-9]/) #cuts after id for a&a
+ "#{out.scheme}:" + (out.port != 80 ? out.port : "") + "//#{out.host}#{out.path}"
+ end
+ 
+ def check_subjectid(subjectid)
+ return false if !subjectid
+ return true if subjectid.size > 62
+ false
+ end
+ 
+ #unprotected uris for login/logout, webapplication ...
 def unprotected_requests
 case env['REQUEST_URI']
 when /\/login$|\/logout$|\/predict$|\/toxcreate\/models$/
 return true
+ when /\/features/
+ return false
 when /\/compound|\/feature|\/task|\/toxcreate/ #to fix: read from config | validation should be protected
 return true
 else
@@ -41,23 +58,18 @@ helpers do
 end
 end
- def check_subjectid(subjectid)
- return false if !subjectid
- return true if subjectid.size > 62
- false
- end
 end
 before do
 unless unprotected_requests or CONFIG[:authorization][:free_request].include?(env['REQUEST_METHOD'])
 begin
 subjectid = session[:subjectid] if session[:subjectid]
- subjectid = params[:subjectid] if params[:subjectid] and !check_subjectid(subjectid)
+ subjectid = params[:subjectid] if params[:subjectid] and !check_subjectid(subjectid)
 subjectid = request.env['HTTP_SUBJECTID'] if request.env['HTTP_SUBJECTID'] and !check_subjectid(subjectid) # see http://rack.rubyforge.org/doc/SPEC.html
 subjectid = CGI.unescape(subjectid) if subjectid.include?("%23")
 rescue
- LOGGER.debug "OpenTox ruby api wrapper: helper before filter: NO subjectid."
+ LOGGER.debug "OpenTox ruby api wrapper: helper before filter: NO subjectid for URI: #{request.env['rack.url_scheme']}://#{request.env['HTTP_HOST']}#{request.env['REQUEST_URI']}"
 subjectid = ""
 end
 protected!(subjectid) if AA_SERVER |
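Review bot: `"#{out.scheme}:" + (out.port != 80 ? out.port : "")` in the new `clean_uri` adds an Integer to a String — `URI.parse` yields `port` as an Integer (443 for an https URL) — so the method raises TypeError for any request that did not arrive on port 80, and since `uri = clean_uri(...)` is now evaluated before the `authorize_request` check at the top of `authorized?`, that exception is reached even on requests that only need token validation. Even with the type fixed, the port would be emitted before `//` rather than after the host; `port = out.port == out.default_port ? "" : ":#{out.port}"` followed by `"#{out.scheme}://#{out.host}#{port}#{out.path}"` produces the conventional form (this also drops :443 for https, which seems to be what the "Sets port 80 to emptystring" comment is after — confirm against what the authorization service expects). The `rindex(/[0-9]/)` truncation deserves a comment stating that it is deliberate: the URI handed to `OpenTox::Authorization.authorize` is cut back to the last digit in the path, so a request to anything below a numeric id is checked against the id resource itself rather than the exact resource requested. `URI.parse` on the string built from `HTTP_HOST` and `REQUEST_URI` is also not rescued here, so a malformed request surfaces as an unhandled `URI::InvalidURIError` instead of the `false` that the rest of `authorized?` returns on failure.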