# HG changeset patch
# User Søren Løvborg
# Date 2015-09-08 11:00:02
# Node ID 23a86f1c33a1e64b4ae150b16749f6c629bee149
# Parent c64c076b96c3d73905558f8139176722dc877a56
auth: note that we never emit authuser "cookies" for the default user

The only place where we set "authuser" in the session is in log_in_user, which is called only by the internal auth system and by auth plugins. The internal auth system cannot log a user in as the default user, because the default user doesn't have a password (and cannot have a password assigned). Auth plugins cannot log a user in as the default user, because the user doesn't have the right extern_type. As such, it's a bug if log_in_user is ever called with the default user (which this commit documents with an assert). This realization makes the is_authenticated field of the authuser cookie redundant, as it's always True. It also emphasizes that is_default_user and is_authenticated are mutually exclusive.

diff --git a/kallithea/controllers/login.py b/kallithea/controllers/login.py
--- a/kallithea/controllers/login.py
+++ b/kallithea/controllers/login.py
@@ -81,7 +81,7 @@ class LoginController(BaseController):
         ip_allowed = AuthUser.check_ip_allowed(self.authuser, self.ip_addr)
         # redirect if already logged in
-        if self.authuser.is_authenticated and not self.authuser.is_default_user and ip_allowed:
+        if self.authuser.is_authenticated and ip_allowed:
             raise HTTPFound(location=c.came_from)
         if request.POST:
diff --git a/kallithea/lib/auth.py b/kallithea/lib/auth.py
--- a/kallithea/lib/auth.py
+++ b/kallithea/lib/auth.py
@@ -626,7 +626,6 @@ class AuthUser(object):
         """ Serializes this login session to a cookie `dict`. """
         return {
             'user_id': self.user_id,
-            'is_authenticated': self.is_authenticated or self.is_default_user,
             'is_external_auth': self.is_external_auth,
         }
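Review bot: The `+` line now treats is_authenticated alone as proof of a non-default user, so the redirect rests entirely on the invariant that is_authenticated is never set for the default user. In the base.py hunk at log_in_user that invariant is enforced only by `assert not auth_user.is_default_user`, which is compiled out under `python -O`; the commit message argues the path is unreachable, so the practical exposure is small, but an unconditional `if auth_user.is_default_user: raise ValueError('cannot log in as the default user')` would keep the guard in optimized runs. A one-line comment above the redirect, `# is_authenticated is never set for the default user (see log_in_user)`, would make the dependency visible at this call site. The enclosing method starts and ends outside the hunk.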
@@ -640,9 +639,7 @@ class AuthUser(object):
             user_id=cookie.get('user_id'),
             is_external_auth=cookie.get('is_external_auth', False),
         )
-        if not au.is_default_user and au.user_id is not None:
-            # user is not authenticated and not empty
-            au.is_authenticated = cookie.get('is_authenticated')
+        au.is_authenticated = True
         return au
     @classmethod
diff --git a/kallithea/lib/base.py b/kallithea/lib/base.py
--- a/kallithea/lib/base.py
+++ b/kallithea/lib/base.py
@@ -116,8 +116,9 @@ def log_in_user(user, remember, is_exter
     auth_user = AuthUser(dbuser=user, is_external_auth=is_external_auth)
-    if not auth_user.is_default_user:
-        auth_user.is_authenticated = True
+    # It should not be possible to explicitly log in as the default user.
+    assert not auth_user.is_default_user
+    auth_user.is_authenticated = True
     # Start new session to prevent session fixation attacks.
     session.invalidate()
@@ -392,7 +393,9 @@ class BaseController(WSGIController):
         # Authenticate by session cookie
         # In ancient login sessions, 'authuser' may not be a dict.
         # In that case, the user will have to log in again.
-        if isinstance(session_authuser, dict):
+        # v0.3 and earlier included an 'is_authenticated' key; if present,
+        # this must be True.
+        if isinstance(session_authuser, dict) and session_authuser.get('is_authenticated', True):
             try:
                 return AuthUser.from_cookie(session_authuser)
             except UserCreationError as e:
diff --git a/kallithea/tests/__init__.py b/kallithea/tests/__init__.py
--- a/kallithea/tests/__init__.py
+++ b/kallithea/tests/__init__.py
@@ -220,7 +220,6 @@ class TestController(BaseTestCase):
         user = user and User.get(user)
         user = user and user.username
         self.assertEqual(user, expected_username)
-        self.assertEqual(cookie.get('is_authenticated'), True)
     def authentication_token(self):
         return self.app.get(url('authentication_token')).body
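Review bot: `au.is_authenticated = True` is now set unconditionally, whereas the removed guard skipped it when `au.user_id` was None or the constructed AuthUser turned out to be the default user. If `AuthUser(user_id=...)` can fall back to the default user when the stored id no longer resolves to an active account (a user deactivated or deleted after logging in) — which cannot be confirmed from this hunk — from_cookie would return a default-user object carrying is_authenticated True, contradicting the invariant the login.py hunk now relies on. Keeping a cheap check at the deserialization boundary, `au.is_authenticated = not au.is_default_user`, pins the invariant where the session is read rather than only where it is written. from_cookie's signature and docstring lie outside the hunk.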
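Review bot: When the extended condition on the `+if` line rejects a session dict because an `is_authenticated` key is present and false, the request falls through to the anonymous handling that follows with no record of why, so an operator cannot tell a stale pre-upgrade session from an unexpected state. Splitting the flag test off the `isinstance` check and logging on the rejection path, e.g. `log.info('ignoring session cookie with is_authenticated=False for user_id %s', session_authuser.get('user_id'))` (assuming the module's usual `log` object, not visible here), would give that visibility at negligible cost. The enclosing method starts and ends outside the hunk.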