# HG changeset patch
# User Mads Kiilerich
# Date 2018-12-26 03:03:31
# Node ID 088155584e2eef83427685db3ab17350d4fcf2ef
# Parent c6ce891312efa7578a0b35de74414be7249d0a53
auth: make sure request.authuser *always* has been checked for check_ip_allowed - there is thus no need to check it later
diff --git a/kallithea/controllers/login.py b/kallithea/controllers/login.py
--- a/kallithea/controllers/login.py
+++ b/kallithea/controllers/login.py
@@ -76,10 +76,8 @@ class LoginController(BaseController):
 else:
 c.came_from = url('home')
- ip_allowed = AuthUser.check_ip_allowed(request.authuser, request.ip_addr)
-
 # redirect if already logged in
- if request.authuser.is_authenticated and ip_allowed:
+ if request.authuser.is_authenticated:
 raise HTTPFound(location=c.came_from)
 if request.POST:
diff --git a/kallithea/lib/auth.py b/kallithea/lib/auth.py
--- a/kallithea/lib/auth.py
+++ b/kallithea/lib/auth.py
@@ -777,9 +777,6 @@ class LoginRequired(object):
 loc = "%s:%s" % (controller.__class__.__name__, func.__name__)
 log.debug('Checking access for user %s @ %s', user, loc)
- if not AuthUser.check_ip_allowed(user, request.ip_addr):
- raise _redirect_to_login(_('IP %s not allowed') % request.ip_addr)
-
 # Check if we used an API key to authenticate.
 api_key = user.authenticating_api_key
 if api_key is not None:
diff --git a/kallithea/lib/base.py b/kallithea/lib/base.py
--- a/kallithea/lib/base.py
+++ b/kallithea/lib/base.py
@@ -529,12 +529,17 @@ class BaseController(TGController):
 if type.lower() == 'bearer':
 bearer_token = params
- request.authuser = self._determine_auth_user(
+ authuser = self._determine_auth_user(
 request.GET.get('api_key'),
 bearer_token,
 session.get('authuser'),
 )
+ if not AuthUser.check_ip_allowed(authuser, request.ip_addr):
+ raise webob.exc.HTTPForbidden()
+
+ request.authuser = authuser
+
 log.info('IP: %s User: %s accessed %s',
 request.ip_addr, request.authuser,
 safe_unicode(_get_access_path(environ)),
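Review bot: The `# redirect if already logged in` comment kept above the changed `if` (context, if I read the collapsed hunk right) no longer says why the IP test could go, and a later reader of LoginController may re-add it; extend it to `# redirect if already logged in (BaseController has already rejected disallowed IPs with 403 before we get here)`. One consequence is also worth a line in that comment: an authenticated session arriving from an IP that has since been dropped from the allow-list used to fall through to the login form here because of the `and ip_allowed` guard, whereas it now never reaches this controller at all, so switching accounts requires a cleared session cookie. The enclosing method starts and ends outside the hunk.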
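Review bot: A request rejected by the new check_ip_allowed guard is never logged — the raise comes before the `log.info('IP: %s User: %s accessed %s', …)` call further down the hunk, and the user-facing 'IP %s not allowed' text of the LoginRequired check removed elsewhere in this patch is gone as well, so the client gets a bare 403 and the operator gets nothing from which to detect lockouts or probing. Log it before raising, e.g. `log.warning('IP %s not allowed for user %s accessing %s', request.ip_addr, authuser, safe_unicode(_get_access_path(environ)))`, and consider `webob.exc.HTTPForbidden(detail=...)` if the reason should still reach the user. With the decorator-level check dropped this guard is now the only IP gate, so it has to stay ahead of anything that reads request.authuser; note that request.authuser is still unset when HTTPForbidden propagates, so if the error-page rendering reads it (not visible here) that path needs checking. The enclosing method starts and ends outside the hunk.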