diff --git a/src/Falco/Request.fs b/src/Falco/Request.fs
index dbb8736..8d6b232 100644
--- a/src/Falco/Request.fs
+++ b/src/Falco/Request.fs
@@ -398,9 +398,9 @@ let ifAuthenticatedInRole (roles : string seq) (handleOk : HttpHandler) : HttpHandler =
 authenticate authScheme (fun authenticateResult ctx ->
- let isInRole = Seq.exists authenticateResult.Principal.IsInRole roles
- match authenticateResult.Succeeded, isInRole with
- | true, true ->
+ let isInRole = authenticateResult.Succeeded && Seq.exists authenticateResult.Principal.IsInRole roles
+ match isInRole with
+ | true ->
 handleOk ctx
 | _ -> ctx.ForbidAsync())
diff --git a/test/Falco.Tests/RequestTests.fs b/test/Falco.Tests/RequestTests.fs
index 9fcc5a9..b6479c2 100644
--- a/test/Falco.Tests/RequestTests.fs
+++ b/test/Falco.Tests/RequestTests.fs
@@ -493,6 +493,28 @@ let ``Request.ifAuthenticatedInRole should allow users in correct role`` () =
 visited |> should equal true
 }
+[]
+let ``Request.ifAuthenticatedInRole should allow users who have one of the required roles, but not all`` () =
+ let ctx = getHttpContextWriteable true
+
+ let mutable visited = false
+
+ let handle : HttpHandler = fun ctx ->
+ visited <- true
+ Response.ofEmpty ctx
+
+ task {
+ let roleTheUserHas = Common.AuthRoles[0];
+ let acceptableRoles =
+ seq {
+ "roleTheUserDoesNotHave";
+ roleTheUserHas;
+ "anotherRoleTheUserDoeNotHave";
+ }
+ do! Request.ifAuthenticatedInRole AuthScheme acceptableRoles handle ctx
+ visited |> should equal true
+ } + + [] +let ``Request.ifAuthenticatedInRole should block users not in role`` () = let ctx = getHttpContextWriteable true
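Review bot: The added `match isInRole with | true -> ... | _ -> ...` is a two-arm match on a plain bool, which reads more directly as `if`/`else`, and the name `isInRole` is now misleading because the value also folds in `authenticateResult.Succeeded`. Consider `let isAuthorized = authenticateResult.Succeeded && Seq.exists authenticateResult.Principal.IsInRole roles` followed by `if isAuthorized then handleOk ctx else ctx.ForbidAsync()`. Evaluating `Succeeded` before touching `Principal` is presumably what makes the unauthenticated path safe to run, so a short why-comment such as `// check Succeeded first so Principal is only read for an authenticated result` would keep a future refactor from reordering the operands. An empty `roles` sequence makes `Seq.exists` false and ends in `ForbidAsync()`, a deny-by-default behaviour worth stating in the function's doc comment. The function's signature sits above the hunk.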
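Review bot: The new test body carries trailing semicolons (`let roleTheUserHas = Common.AuthRoles[0];` and the three items inside `seq { ... }`) that are redundant when each item sits on its own line and that differ from the style of the neighbouring tests; dropping them keeps the file consistent. The fixture string `"anotherRoleTheUserDoeNotHave"` looks like a typo for `DoesNotHave`. The test also indexes `Common.AuthRoles[0]` and so depends on that fixture being non-empty and on the context from `getHttpContextWriteable true` actually carrying that role, neither of which is visible here; a one-line comment such as `// first fixture role, presumed to be granted by getHttpContextWriteable true` would make the dependency explicit.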
@@ -507,3 +529,18 @@ let ``Request.ifAuthenticatedInRole should block users not in role`` () =
 do! Request.ifAuthenticatedInRole AuthScheme ["admin2"] handle ctx
 visited |> should equal false
 }
+
+[]
+let ``Request.ifAuthenticatedInRole should block non-authenticated users`` () =
+ let ctx = getHttpContextWriteable false
+
+ let mutable visited = false
+
+ let handle : HttpHandler = fun ctx ->
+ visited <- true
+ Response.ofEmpty ctx
+
+ task {
+ do! Request.ifAuthenticatedInRole AuthScheme ["admin2"] handle ctx
+ visited |> should equal false
+ }
\ No newline at end of file
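Review bot: The new `should block non-authenticated users` test asserts only that `handle` was never invoked (`visited |> should equal false`), so it passes for any way the handler was skipped and cannot distinguish the `ForbidAsync()` path from an exception swallowed elsewhere or from a challenge; asserting on the response as well, e.g. `ctx.Response.StatusCode |> should equal 403`, would pin the behaviour the Request.fs change in this commit establishes for unauthenticated requests. Whether the context from `getHttpContextWriteable false` exposes an inspectable status depends on that helper, which is outside this hunk. It is also worth a note in the test name or a comment that an unauthenticated caller currently receives a forbid rather than a challenge, since that is the contract the test now locks in. The file ends without a trailing newline (`\ No newline at end of file`).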