add allowed_methods to @expose

Author: amol-

tests/test_expose_allowed_methods.py

@@ -0,0 +1,86 @@
+# -*- coding: utf-8 -*-
+import json
+import pytest
+import tg
+
+from tests.base import TestWSGIController, make_app
+from tg.controllers import TGController
+from tg.decorators import expose
+
+
+class AllowedMethodsController(TGController):
+    @expose(allowed_methods=["POST"])
+    def only_post(self):
+        return "posted"
+
+    @expose(allowed_methods=["GET"])
+    def only_get(self):
+        return "readable"
+
+
+class TestExposeAllowedMethods(TestWSGIController):
+    def setup_method(self):
+        TestWSGIController.setup_method(self)
+        self.app = make_app(AllowedMethodsController)
+
+    def test_disallowed_method_returns_405(self):
+        response = self.app.get("/only_post", status=405)
+        assert response.status_code == 405
+        assert response.headers["Allow"] == "POST"
+
+    def test_allowed_method_succeeds(self):
+        response = self.app.post("/only_post")
+        assert response.text == "posted"
+
+    def test_get_request_allows_head_and_lists_header(self):
+        response = self.app.post("/only_get", status=405)
+        assert response.headers["Allow"] == "GET, HEAD"
+        head_response = self.app.head("/only_get", status=200)
+        assert head_response.status_code == 200
+
+
+class StackedMethodsController(TGController):
+    @expose()
+    @expose(allowed_methods=["POST"])
+    @expose("json", allowed_methods=["DELETE"])
+    def stacked(self):
+        return getattr(tg.request, "method", "UNKNOWN").lower()
+
+
+class TestStackedExposeAllowedMethods(TestWSGIController):
+    def setup_method(self):
+        TestWSGIController.setup_method(self)
+        self.app = make_app(StackedMethodsController)
+
+    def test_methods_from_multiple_expose_are_merged(self):
+        post_response = self.app.post("/stacked")
+        assert "post" in post_response.text
+        delete_response = self.app.delete("/stacked")
+        assert "delete" in delete_response.text
+        self.app.get("/stacked", status=405)
+
+
+class ParentAllowedMethodsController(TGController):
+    @expose("json", allowed_methods=["GET"])
+    def endpoint(self):
+        return dict(message="parent")
+
+
+class ChildAllowedMethodsController(ParentAllowedMethodsController):
+    @expose(inherit=True, allowed_methods=["POST"])
+    def endpoint(self):
+        return dict(message="child")
+
+
+class TestInheritedExposeAllowedMethods(TestWSGIController):
+    def setup_method(self):
+        TestWSGIController.setup_method(self)
+        self.app = make_app(ChildAllowedMethodsController)
+
+    def test_inherited_methods_are_merged(self):
+        get_data = json.loads(self.app.get("/endpoint").text)
+        assert get_data["message"] == "child"
+        self.app.head("/endpoint", status=200)
+        post_data = json.loads(self.app.post("/endpoint").text)
+        assert post_data["message"] == "child"
+        self.app.put("/endpoint", status=405)

tg/controllers/decoratedcontroller.py

@@ -13,6 +13,7 @@
 
 import tg
 from tg.configuration.utils import TGConfigError
+from tg.exceptions import HTTPMethodNotAllowed
 from tg.flash import flash
 from tg.predicates import NotAuthorizedError, not_anonymous
 from tg.render import render as tg_render
@@ -87,6 +88,9 @@ def _call(self, action, params, remainder=None, context=None):
         if not resp_headers.get("Content-Type"):
             resp_headers.pop("Content-Type", None)
 
+        # Enforce limited HTTP Methods in case they were registered
+        self._enforce_allowed_methods(action.decoration, context.request)
+ 
         if remainder:
             remainder = tuple(map(urllib.request.url2pathname, remainder or []))
         else:
@@ -149,6 +153,18 @@ def _call(self, action, params, remainder=None, context=None):
 
         return response["response"]
 
+    @staticmethod
+    def _enforce_allowed_methods(decoration, request):
+        if not decoration or not decoration._allowed_methods:
+            return
+
+        method = request.method.upper()
+        if method in decoration._allowed_methods:
+            return
+
+        allow_header = ", ".join(sorted(decoration._allowed_methods))
+        raise HTTPMethodNotAllowed(headers=dict(Allow=allow_header))
+
     @classmethod
     def _perform_validate(cls, controller, params, context):
         """Run validation for the controller with the given parameters.

tg/decorators/decoration.py

@@ -39,6 +39,7 @@ def __init__(self, controller):
         self.hooks = dict(
             before_validate=[], before_call=[], before_render=[], after_render=[]
         )
+        self._allowed_methods = None
 
     def __repr__(self):  # pragma: no cover
         return "<Decoration %s for %r>" % (id(self), self.controller)
@@ -101,6 +102,10 @@ def merge(self, deco):
         # Inherit al validators registered on parent.
         self.validations = deco.validations + self.validations
 
+        if deco._allowed_methods:
+            self._allowed_methods = self._allowed_methods or set()
+            self._allowed_methods.update(deco._allowed_methods)
+
     def register_template_engine(
         self, content_type, engine, template, exclude_names, render_params
     ):
@@ -291,3 +296,21 @@ def _register_controller_wrapper(self, wrapper):
 
     def _register_validation(self, validation):
         self.validations.insert(0, validation)
+
+    def _register_allowed_methods(self, methods):
+        if methods is None:
+            return
+
+        if isinstance(methods, str):
+            methods = [methods]
+
+        normalized_methods = {
+            method.strip().upper() for method in methods if method and method.strip()
+        }
+        if not normalized_methods:
+            return
+
+        self._allowed_methods = self._allowed_methods or set()
+        self._allowed_methods.update(normalized_methods)
+        if "GET" in normalized_methods:
+            self._allowed_methods.add("HEAD")

tg/decorators/decorators.py

@@ -105,6 +105,9 @@ class expose(object):
         class. This will let the exposed method expose the same template
         as the overridden method template and keep the same hooks and
         validation that the parent method had.
+      allowed_methods
+        Restrict the HTTP verbs that can reach the controller. Requests using
+        other methods raise :class:`tg.exceptions.HTTPMethodNotAllowed`.
 
     The expose decorator registers a number of attributes on the
     decorated function, but does not actually wrap the function the way
@@ -166,6 +169,7 @@ def __init__(
         custom_format=None,
         render_params=None,
         inherit=False,
+        allowed_methods=None,
     ):
         self.engine = None
         self.template = template
@@ -175,12 +179,14 @@ def __init__(
         self.render_params = render_params
 
         self.inherit = inherit
+        self.allowed_methods = allowed_methods
         self._func = None
 
     def __call__(self, func):
         self._func = func
         deco = Decoration.get_decoration(func)
         deco._register_exposition(self, self.inherit)
+        deco._register_allowed_methods(self.allowed_methods)
         return func
 
     def _resolve_options(self):