funcool / buddy

Security library for Clojure
Apache License 2.0

Parse params for wrap-access-rules? #31

Closed joelkuiper closed 9 years ago

joelkuiper commented 9 years ago

I'm using the Buddy wrap-access-rules. Currently I have a seq of rules of:

[{:uris ["/projects/:project-id" "/projects/:project-id/*"] :handler owns-project?}]

but when inspecting the request map in owns-project? the project-id is not in there (the map is empty, in fact).

So the owns-project? function fails. What would be the best way of handling this? I'm using buddy-auth in my middleware like:

(def auth-backend
  (session-backend
   {:unauthorized-handler security/unauthorized-handler}))

(defn production-middleware [handler]
  (-> handler
     (wrap-access-rules {:rules security/rules} :on-error security/unauthorized-handler)
     (wrap-authentication auth-backend)
     wrap-restful-format
     (wrap-idle-session-timeout
      {:timeout (* 60 30)
       :timeout-response (redirect "/")})
     (wrap-defaults
      (->
       site-defaults
       (assoc-in [:static :resources] "public")
       (assoc-in [:session :store] (memory-store session/mem))))
     (wrap-internal-error :log #(timbre/error %))))

niwinz commented 9 years ago

At this point, buddy-auth matches the URLs as is but does not pass any parameters to the request. But I think it would be an interesting feature to add.

I will add it in the next version, thanks for reporting this.

joelkuiper commented 9 years ago

Thanks!

Currently I've solved it by manually adding in the clout library. Something like

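(require '[clout.core :as clout])

;; Merge the params of every route that matches the request;
;; route-matches returns nil for routes that do not match.
(defn match
  [request routes]
  (into {} (map #(clout/route-matches % request) routes)))

(def project-routes
  ["/projects/:project-id"
   "/projects/:project-id/*"])

(defn is-owner?
  [request]
  (let [params (match request project-routes)]
   ; ... auth logic here
   ))

;; Rules are a seq of rule maps, as in the first post.
(def rules
  [{:uris project-routes
    :handler {:and [logged-in? is-owner?]}}])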

Which is less than elegant, but works for now! Thank you for considering the feature :smile:
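
An added example, not code from the thread or from buddy: the clout-based workaround above with the elided ownership check filled in, so that it fails closed when no route matches or the project is unknown. The `project-owners` map, the `route-params` helper (first match instead of a merge), the boolean return values and the sample requests are assumptions made for illustration.

```clojure
(ns example.project-rules
  (:require [clout.core :as clout]))

;; Constructed sample data: project id -> owning user (hypothetical store).
(def project-owners {"42" :alice, "7" :bob})

(def project-routes
  ["/projects/:project-id"
   "/projects/:project-id/*"])

(defn route-params
  "Returns the params of the first route that matches the request, or nil
  when none match (clout/route-matches returns nil on no match)."
  [request routes]
  (some #(clout/route-matches % request) routes))

(defn logged-in?
  "Assumes the authentication middleware has put the user under :identity."
  [request]
  (some? (:identity request)))

(defn is-owner?
  "Fails closed: no matching route, no :project-id, an unknown project or
  a missing identity all deny access."
  [request]
  (let [project-id (:project-id (route-params request project-routes))
        owner      (get project-owners project-id)]
    (boolean (and owner (= owner (:identity request))))))

(def rules
  [{:uris    project-routes
    :handler {:and [logged-in? is-owner?]}}])

(comment
  ;; Constructed Ring-style requests covering the cases worth checking.
  (is-owner? {:uri "/projects/42"       :identity :alice}) ; caller owns 42
  (is-owner? {:uri "/projects/42/tasks" :identity :bob})   ; someone else's project
  (is-owner? {:uri "/projects/999"      :identity :alice}) ; unknown project id
  (is-owner? {:uri "/projects/42"       :identity nil}))   ; anonymous caller
```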

niwinz commented 9 years ago

I have just released buddy-auth 0.5.1 (it is not included in the last metapackage of buddy, so you can include the new dependency explicitly).

joelkuiper commented 9 years ago

Thanks :+1:

RyanBertrand commented 8 years ago

@joelkuiper Thanks for pointing me in the right direction! Works great but I agree on the elegant part :100:

@niwinz Thanks for the great library - really enjoying it!