Last updated by admin 5 years ago
Looking at the Ruby example for the benchmarks I see they have more flexibility (but less readable syntax!) for HTTP method restriction.

Basically they appear to be able to specify access for groups of actions in one go, and also can specify a redirect if the action is denied, which is nice although not always desirable (returning an error is appropriate in some cases, like bad REST requests).

Here's how we might support this ourselves, with greater readability:

def allowedMethods = [
  ['destroy', 'create', 'update'] : [method:'POST', onDeny: { redirect(action:'list') }],
  'create' : 'GET'
  1. The onDeny closure could have access to the standard controller dynamic properties and methods like redirect, render etc.
  2. Make allowedMethods keys support lists as well as strings. This info would be pre-extracted into a map of permitted methods per action, merged after processing all the elements in allowedMethods. The tricky part comes in mapping onDeny closures to actions if there are collisions. This could be tackled just by using the last declared onDeny that applies to a given action.