From cc2d1b21e67643e237d968793d31b7b9437a1640 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Sat, 27 Oct 2018 10:37:28 +0300
Subject: Change: require method for authz

---
 muck/authz.py | 5 ++++-
 muck/authz_tests.py | 10 +++++++---
 muck/request.py | 2 +-
 muck/request_tests.py | 2 +-
 4 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/muck/authz.py b/muck/authz.py
index c48294c..a9d5dda 100644
--- a/muck/authz.py
+++ b/muck/authz.py
@@ -21,7 +21,10 @@ class AuthorizationChecker:
     def __init__(self, signing_key_text):
         self._tc = muck.TokenChecker(signing_key_text.strip().encode('ascii'))
 
-    def request_is_allowed(self, r, required_scopes):
+    def request_is_allowed(self, r, required_method, required_scopes):
+        if r.get_method() != required_method:
+            return False
+
         token = self._get_token(r)
         if token is None:
             return False
diff --git a/muck/authz_tests.py b/muck/authz_tests.py
index 0128c6b..fffb96b 100644
--- a/muck/authz_tests.py
+++ b/muck/authz_tests.py
@@ -39,12 +39,16 @@ class AuthorizationCheckerTests(unittest.TestCase):
 
     def test_denies_if_token_parsing_fails(self):
         r = muck.Request(method='GET')
-        self.assertFalse(self.ac.request_is_allowed(r, []))
+        self.assertFalse(self.ac.request_is_allowed(r, 'GET', []))
 
     def test_denies_if_token_lacks_required_scope(self):
         r = self.create_request([])
-        self.assertFalse(self.ac.request_is_allowed(r, ['foo']))
+        self.assertFalse(self.ac.request_is_allowed(r, 'GET', ['foo']))
+
+    def test_denies_if_method_is_wrong(self):
+        r = self.create_request(['foo'])
+        self.assertFalse(self.ac.request_is_allowed(r, 'DELETE', ['foo']))
 
     def test_allows_for_acceptable_request(self):
         r = self.create_request(['foo'])
-        self.assertTrue(self.ac.request_is_allowed(r, ['foo']))
+        self.assertTrue(self.ac.request_is_allowed(r, 'GET', ['foo']))
diff --git a/muck/request.py b/muck/request.py
index 4f0e86c..f6e406e 100644
--- a/muck/request.py
+++ b/muck/request.py
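Review bot: The new method check at the top of `request_is_allowed` folds a wrong HTTP method into the same `False` that a missing token produces (and, judging by the test names in the second hunk, a missing scope as well), so a caller cannot distinguish a method mismatch from an authorization failure when choosing a response; if that distinction matters to callers, a separate check or a distinct result would keep the two apart. The comparison is an exact, case-sensitive string match, which is correct for HTTP methods but worth stating, since a caller passing `'get'` will always be denied. The method has no docstring; I would add one along the lines of `"""Return True only if r uses required_method and carries a valid token granting required_scopes; any other case is denied."""`, with the scope wording to be confirmed against the part of the body outside this hunk. request_is_allowed's body continues past the end of the hunk.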
@@ -20,7 +20,7 @@ class Request:
         self._method = method
         self._headers = {}
 
-    def method(self):
+    def get_method(self):
         return self._method
 
     def add_headers(self, headers):
diff --git a/muck/request_tests.py b/muck/request_tests.py
index 7151d67..7de2393 100644
--- a/muck/request_tests.py
+++ b/muck/request_tests.py
@@ -26,7 +26,7 @@ class RequestTests(unittest.TestCase):
 
     def test_has_method(self):
         r = muck.Request(method='GET')
-        self.assertEqual(r.method(), 'GET')
+        self.assertEqual(r.get_method(), 'GET')
 
     def test_returns_authorization_header(self):
         r = muck.Request(method='GET')
-- 
cgit v1.2.1