bengler · skogsmaskin · Jun 25, 2013
diff --git a/api/v1/callbacks.rb b/api/v1/callbacks.rb
@@ -1,36 +1,5 @@
 class CheckpointV1 < Sinatra::Base
 
-  # @apidoc
-  # Perform all relevant callbacks checking if the provided action is allowed for the current
-  # identity. The verdict is returned in the 'allowed' parameter. If the action is disallowed
-  # the reason is provided in the 'reason' field and the url of the denying callback will be in
-  # the 'url'-field.
-  #
-  # @category Checkpoint/Callbacks
-  # @path /api/checkpoint/v1/callbacks/allowed/:method/:uid
-  # @http GET
-  # @example /api/checkpoint/v1/callbacks/allowed/create/post.blog:acme.blog
-  # @required [String] method One of 'create', 'update', 'delete'
-  # @required [String] uid The uid of the object in question
-  # @optional [Integer] identity Ask for a specific identity (default: current identity)
-  # @optional [String] * Any other parameter provided will be forwarded to each callback for its consideration
-  # @status 200 Result hash
-  # @status 500 One or more of the callbacks failed, please call again later
-
-  get "/callbacks/allowed/:method/:uid" do
-    params[:identity] ||= current_identity.try(:id)
-    params[:session] ||= current_session.key
-    params.delete('splat')
-    params.delete('captures')
-    if banned_path = Banning.banned?(params.to_options)
-      pg :callback_result, :locals => {:allowed => false, :url => request.url,
-        :reason => "This identity is banned from '#{banned_path}'."}
-    else
-      allowed, url, reason = Callback.allow?(params.to_options)
-      pg :callback_result, :locals => {:allowed => allowed, :url => url, :reason => reason}
-    end
-  end
-
   # @apidoc
   # Get all callbacks for the current realm. Requires god permissions.
   #
@@ -96,6 +65,37 @@ class CheckpointV1 < Sinatra::Base
     [status, pg(:callback, :locals => { :callback => callback })]
   end
 
+  # @apidoc
+  # Perform all relevant callbacks checking if the provided action is allowed for the current
+  # identity. The verdict is returned in the 'allowed' parameter. If the action is disallowed
+  # the reason is provided in the 'reason' field and the url of the denying callback will be in
+  # the 'url'-field.
+  #
+  # @category Checkpoint/Callbacks
+  # @path /api/checkpoint/v1/callbacks/allowed/:method/:uid
+  # @http POST
+  # @example /api/checkpoint/v1/callbacks/allowed/create/post.blog:acme.blog
+  # @required [String] method One of 'create', 'update', 'delete'
+  # @required [String] uid The uid of the object in question
+  # @optional [Integer] identity Ask for a specific identity (default: current identity)
+  # @optional [String] * Any other parameter provided will be forwarded to each callback for its consideration
+  # @status 200 Result hash
+  # @status 500 One or more of the callbacks failed, please call again later
+
+  post "/callbacks/allowed/:method/:uid" do
+    params[:identity] ||= current_identity.try(:id)
+    params[:session] ||= current_session.key
+    params.delete('splat')
+    params.delete('captures')
+    if banned_path = Banning.banned?(params.to_options)
+      pg :callback_result, :locals => {:allowed => false, :url => request.url,
+        :reason => "This identity is banned from '#{banned_path}'."}
+    else
+      allowed, url, reason = Callback.allow?(params.to_options)
+      pg :callback_result, :locals => {:allowed => allowed, :url => url, :reason => reason}
+    end
+  end
+
   # @apidoc
   # Delete a specific callback. Requires god permissions.
   #

diff --git a/lib/checkpoint/models/callback.rb b/lib/checkpoint/models/callback.rb
@@ -27,7 +27,7 @@ def self.allow?(params)
     # else will be ignored.
     allow = :default
     urls_for_path(path).each do |url|
-      response = Pebblebed::Http.get(url, params)
+      response = Pebblebed::Http.post(url, params)
       record = JSON.parse(response.body)
       next unless record.keys.include?('allowed') # skip if there is no allow key in the response
       # If dissallowed, return with the denying callback and reason supplied (if any)

diff --git a/spec/api/v1/bannings_spec.rb b/spec/api/v1/bannings_spec.rb
@@ -183,7 +183,7 @@ def app
 
   it "short circuits callbacks precluding any actual callback-processing" do
     Banning.declare!(:path => "area51.a", :fingerprint => 'fingerprint1')
-    get "/callbacks/allowed/create/post.blog:area51.a.b.c", :identity => crook.id
+    post "/callbacks/allowed/create/post.blog:area51.a.b.c", :identity => crook.id
     response = JSON.parse(last_response.body)
     response['allowed'].should be_false
     response['reason'].should_not be_nil

diff --git a/spec/api/v1/callbacks_spec.rb b/spec/api/v1/callbacks_spec.rb
@@ -38,6 +38,7 @@ def app
     last_response.status.should eq 403
 
     callback = Callback.create!(:path => "area51.a.b.c", :url => "/")
+
     get "/callbacks/#{callback.id}", :session => stranger_session
     last_response.status.should eq 403
 
@@ -107,22 +108,23 @@ def app
 
     before :each do
       # A callback that accepts nothing
-      stub_request(:get, "http://nay.org/?identity=7&method=create&session=#{stranger_session}&uid=post.blog:area51.b.c.d.e").
+      stub_request(:post, "http://nay.org/").
+         with(:body => "{\"method\":\"create\",\"identity\":7,\"uid\":\"post.blog:area51.b.c.d.e\",\"session\":\"#{stranger_session}\"}").
          to_return(:status => 200, :body => '{"allowed":false, "reason": "You are not worthy"}',
            :headers => {'Content-Type' => 'application/json'})
 
     end
 
     it "specifies default rules if there are no callbacks" do
-      get "/callbacks/allowed/create/post.blog:area51.b.c", :session => stranger_session
+      post "/callbacks/allowed/create/post.blog:area51.b.c", :session => stranger_session
       last_response.status.should eq 200
       result = JSON.parse(last_response.body)
       result['allowed'].should eq 'default'
     end
 
     it "denies with a reason" do
       Callback.create!(:path => "area51.b.c", :url => "http://nay.org")
-      get "/callbacks/allowed/create/post.blog:area51.b.c.d.e", :identity => 7, :session => stranger_session
+      post "/callbacks/allowed/create/post.blog:area51.b.c.d.e", :identity => 7, :session => stranger_session
       last_response.status.should eq 200
       result = JSON.parse(last_response.body)
       result['allowed'].should be_false

diff --git a/spec/lib/models/callback_spec.rb b/spec/lib/models/callback_spec.rb
@@ -27,12 +27,14 @@
 
     before :each do
       # A callback that accepts everything
-      stub_http_request(:get, "http://yay.org/?identity=7&method=create&uid=post.blog:a.b.c.d.e").
+      stub_http_request(:post, "http://yay.org/").
+         with(:body => "{\"method\":\"create\",\"identity\":7,\"uid\":\"post.blog:a.b.c.d.e\"}").
          to_return(:status => 200, :body => '{"allow":true}',
            :headers => {'Content-Type' => 'application/json'})
 
       # A callback that accepts nothing
-      stub_http_request(:get, "http://nay.org/?identity=7&method=create&uid=post.blog:a.b.c.d.e").
+      stub_http_request(:post, "http://nay.org/").
+         with(:body => "{\"method\":\"create\",\"identity\":7,\"uid\":\"post.blog:a.b.c.d.e\"}").
          to_return(:status => 200, :body => '{"allowed":false, "reason": "You are not worthy"}',
            :headers => {'Content-Type' => 'application/json'})
     end