6 changes: 3 additions & 3 deletions src/Falco/Request.fs
Expand Up @@ -398,9 +398,9 @@ let ifAuthenticatedInRole
(roles : string seq)
(handleOk : HttpHandler) : HttpHandler =
authenticate authScheme (fun authenticateResult ctx ->
let isInRole = Seq.exists authenticateResult.Principal.IsInRole roles
match authenticateResult.Succeeded, isInRole with
| true, true ->
let isInRole = authenticateResult.Succeeded && Seq.exists authenticateResult.Principal.IsInRole roles
match isInRole with
| true ->
handleOk ctx
| _ ->
ctx.ForbidAsync())
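Review bot: The boolean `match` on the new `isInRole` is an `if` in disguise, and the binding's name no longer says what it tests now that `Succeeded` is folded into it; `let isAuthorized = authenticateResult.Succeeded && Seq.exists authenticateResult.Principal.IsInRole roles` followed by `if isAuthorized then handleOk ctx else ctx.ForbidAsync()` reads more directly. The order of the `&&` operands is load-bearing: `Principal.IsInRole` is no longer evaluated when authentication failed, which presumably is what this change fixes given the new non-authenticated test, so a comment such as `// Succeeded first: Principal must not be touched when authentication failed` would keep the next edit from reordering it. Separately, an unauthenticated caller still receives `ForbidAsync` (403) rather than a challenge (401); that is pre-existing, but worth confirming it is intended rather than `ChallengeAsync`. The enclosing `ifAuthenticatedInRole` starts before this hunk.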
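--- a/test/Falco.Tests/RequestTests.fs
+++ b/test/Falco.Tests/RequestTests.fs
@@ -493,6 +493,28 @@ let ``Request.ifAuthenticatedInRole should allow users in correct role`` () =
 visited |> should equal true
 }
 
+[<Fact>]
+let ``Request.ifAuthenticatedInRole should allow users who have one of the required roles, but not all`` () =
+let ctx = getHttpContextWriteable true
+
+let mutable visited = false
+
+let handle : HttpHandler = fun ctx ->
+visited <- true
+Response.ofEmpty ctx
+
+task {
+let roleTheUserHas = Common.AuthRoles[0];
+let acceptableRoles =
+seq {
+"roleTheUserDoesNotHave";
+roleTheUserHas;
+"anotherRoleTheUserDoeNotHave";
+}
+do! Request.ifAuthenticatedInRole AuthScheme acceptableRoles handle ctx
+visited |> should equal true
+}
+
 [<Fact>]
 let ``Request.ifAuthenticatedInRole should block users not in role`` () =
 let ctx = getHttpContextWriteable true
@@ -507,3 +529,18 @@ let ``Request.ifAuthenticatedInRole should block users not in role`` () =
 do! Request.ifAuthenticatedInRole AuthScheme ["admin2"] handle ctx
 visited |> should equal false
 }
+
+[<Fact>]
+let ``Request.ifAuthenticatedInRole should block non-authenticated users`` () =
+let ctx = getHttpContextWriteable false
+
+let mutable visited = false
+
+let handle : HttpHandler = fun ctx ->
+visited <- true
+Response.ofEmpty ctx
+
+task {
+do! Request.ifAuthenticatedInRole AuthScheme ["admin2"] handle ctx
+visited |> should equal false
+}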
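Review bot: The new non-authenticated test in the second hunk proves only that `handle` was not invoked; it does not assert what response the caller receives, so a regression that short-circuited to an empty 200 without running the handler would still pass. If the writeable context built by `getHttpContextWriteable` exposes the response, an assertion along the lines of `ctx.Response.StatusCode |> should equal 403` (adjusted to however the fake records the forbid) would pin the deny path, and the same applies to the existing "block users not in role" test. In the first hunk, `Common.AuthRoles[0];` carries a stray trailing semicolon, and `"anotherRoleTheUserDoeNotHave"` looks like a typo for `DoesNotHave`; both are harmless but worth tidying while the test is fresh.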