# HG changeset patch # User Mads Kiilerich # Date 2018-02-06 00:32:48 # Node ID 9f976d75b04c97624474404da2d17e0d087face7 # Parent 228dd29e79dacfc2fa16e00f084eb0249758af16 auth: restore anonymous repository access Dominik Ruf found that aa25ef34ebab introduced a regression in anonymous access to repositories ... if that is enabled. The refactoring was too strict when it missed that not all repo permission checks require a logged in user. Read access can be granted to the default user ... but not write or admin. Instead of the commands used in aa25ef34ebab, the following commands are used to consistently also allow the default user in all decorators where we only need repo read access: # Introduce explicit allow_default_user=True - that was the default before aa25ef34ebab sed -i 's/@LoginRequired()/@LoginRequired(allow_default_user=True)/g' `hg mani` sed -i 's/@LoginRequired(\(..*\))/@LoginRequired(\1, allow_default_user=True)/g' `hg mani` # The primary case: Replace @NotAnonymous with removal of allow_default_user=True perl -0pi -e 's/\@LoginRequired\((?:(.*), )?allow_default_user=True\)\n\s*\@NotAnonymous\(\)/\@LoginRequired(\1)/g' `hg mani` # If there is a global permission check, no anonymous is ever allowed perl -0pi -e 's/\@LoginRequired\(allow_default_user=True\)(\n\s*\@HasPermission)/\@LoginRequired()\1/g' `hg mani` # Repo access for write or admin also assume no default user perl -0pi -e 's/\@LoginRequired\(allow_default_user=True\)(\n\s*\@HasRepoPermissionLevelDecorator\('"'(write|admin)'"'\))/\@LoginRequired()\1/g' `hg mani`
diff --git a/kallithea/controllers/changelog.py b/kallithea/controllers/changelog.py
--- a/kallithea/controllers/changelog.py
+++ b/kallithea/controllers/changelog.py
@@ -71,7 +71,7 @@ class ChangelogController(BaseRepoContro
h.flash(safe_str(e), category='error')
raise HTTPBadRequest()

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def index(self, repo_name, revision=None, f_path=None):
limit = 2000
@@ -149,7 +149,7 @@ class ChangelogController(BaseRepoContro
c.first_revision = c.cs_pagination[0] # pagination is never empty here!
return render('changelog/changelog.html')

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def changelog_details(self, cs):
if request.environ.get('HTTP_X_PARTIAL_XHR'):
diff --git a/kallithea/controllers/changeset.py b/kallithea/controllers/changeset.py
--- a/kallithea/controllers/changeset.py
+++ b/kallithea/controllers/changeset.py
@@ -326,22 +326,22 @@ class ChangesetController(BaseRepoContro
c.jsdata = graph_data(c.db_repo_scm_instance, revs)
return render('changeset/changeset_range.html')

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def index(self, revision, method='show'):
return self._index(revision, method=method)

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def changeset_raw(self, revision):
return self._index(revision, method='raw')

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def changeset_patch(self, revision):
return self._index(revision, method='patch')

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def changeset_download(self, revision):
return self._index(revision, method='download')
@@ -412,7 +412,7 @@ class ChangesetController(BaseRepoContro
else:
raise HTTPForbidden()

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
@jsonify
def changeset_info(self, repo_name, revision):
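Review bot: No hunk in this patch comes with a test for the access rule it restores, and the description says the original regression from aa25ef34ebab was reported by a user rather than caught by the suite; the point applies to every hunk from `changelog.index` here through `summary.statistics`. A regression test per controller that performs an anonymous GET on one of these read endpoints twice — once with the default user granted read permission on the test repository, once with that permission revoked — and asserts the first succeeds and the second is refused would pin the rule stated in the description ("read may be granted to the default user, write and admin may not") from both sides. The `@jsonify` actions (`changeset_info`, `changeset_children`, `changeset_parents`, `history`, `nodelist`, `repo_refs_data`) deserve their own cases, since they return data rather than a page and a wrong permission result there is easy to miss in manual checks. The decorated method bodies continue outside the hunks.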
@@ -424,7 +424,7 @@ class ChangesetController(BaseRepoContro
else:
raise HTTPBadRequest()

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
@jsonify
def changeset_children(self, repo_name, revision):
@@ -437,7 +437,7 @@ class ChangesetController(BaseRepoContro
else:
raise HTTPBadRequest()

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
@jsonify
def changeset_parents(self, repo_name, revision):
diff --git a/kallithea/controllers/compare.py b/kallithea/controllers/compare.py
--- a/kallithea/controllers/compare.py
+++ b/kallithea/controllers/compare.py
@@ -165,14 +165,14 @@ class CompareController(BaseRepoControll

return other_changesets, org_changesets, ancestors

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def index(self, repo_name):
c.compare_home = True
c.a_ref_name = c.cs_ref_name = None
return render('compare/compare_diff.html')

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def compare(self, repo_name, org_ref_type, org_ref_name, other_ref_type, other_ref_name):
org_ref_name = org_ref_name.strip()
diff --git a/kallithea/controllers/feed.py b/kallithea/controllers/feed.py
--- a/kallithea/controllers/feed.py
+++ b/kallithea/controllers/feed.py
@@ -51,7 +51,7 @@ ttl = "5"


class FeedController(BaseRepoController):
- @LoginRequired(api_access=True)
+ @LoginRequired(api_access=True, allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def _before(self, *args, **kwargs):
super(FeedController, self)._before(*args, **kwargs)
diff --git a/kallithea/controllers/files.py b/kallithea/controllers/files.py
--- a/kallithea/controllers/files.py
+++ b/kallithea/controllers/files.py
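Review bot: In the feed.py hunk the changed decorator sits on `FeedController._before`, so it is the single permission gate for every action of that controller, and it is the only place in the patch where `api_access=True` and `allow_default_user=True` meet; nothing on the line says so, and a reader of the actions themselves (outside the hunk) sees no decorator at all. A comment above the decorator pair would make the gate explicit: `# Gates every feed action: the default (anonymous) user is let through to the repo 'read' check below.` If `api_access=True` also admits API-key requests, as its name suggests, the comment should say that too; confirm against `LoginRequired` before writing it. The rest of `_before` and the feed actions are outside the hunk.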
@@ -123,7 +123,7 @@ class FilesController(BaseRepoController

return file_node

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def index(self, repo_name, revision, f_path, annotate=False):
# redirect to given revision from form if given
@@ -198,7 +198,7 @@ class FilesController(BaseRepoController

return render('files/files.html')

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
@jsonify
def history(self, repo_name, revision, f_path):
@@ -220,7 +220,7 @@ class FilesController(BaseRepoController
}
return data

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def authors(self, repo_name, revision, f_path):
changeset = self.__get_cs(revision)
@@ -232,7 +232,7 @@ class FilesController(BaseRepoController
c.authors.append((h.email(a), h.person(a)))
return render('files/files_history_box.html')

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def rawfile(self, repo_name, revision, f_path):
cs = self.__get_cs(revision)
@@ -244,7 +244,7 @@ class FilesController(BaseRepoController
response.content_type = file_node.mimetype
return file_node.content

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def raw(self, repo_name, revision, f_path):
cs = self.__get_cs(revision)
@@ -497,7 +497,7 @@ class FilesController(BaseRepoController

return render('files/files_add.html')

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def archivefile(self, repo_name, fname):
fileformat = None
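Review bot: The rule that `allow_default_user=True` is only ever paired with `@HasRepoPermissionLevelDecorator('read')` is enforced solely by the perl one-liners in the description, which ran once; nothing in the code stops a later edit from copying the decorator pair onto a write or admin action, and this hunk's `rawfile` (ending in `return file_node.content`) and `archivefile` show what is at stake, since they hand repository content directly to the caller. A small test that scans `kallithea/controllers/*.py` for `@LoginRequired(` with `allow_default_user=True` immediately followed by `@HasRepoPermissionLevelDecorator('write')` or `('admin')` and fails on any hit would keep the invariant alive; the third perl pattern in the description is already that regex. The same applies to the other files.py hunks and to the followers, forks, home, pullrequests and summary hunks. The method bodies continue outside the hunks.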
@@ -583,7 +583,7 @@ class FilesController(BaseRepoController
response.content_type = str(content_type)
return get_chunked_archive(archive_path)

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def diff(self, repo_name, f_path):
ignore_whitespace = request.GET.get('ignorews') == '1'
@@ -684,7 +684,7 @@ class FilesController(BaseRepoController

return render('files/file_diff.html')

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def diff_2way(self, repo_name, f_path):
diff1 = request.GET.get('diff1', '')
@@ -771,7 +771,7 @@ class FilesController(BaseRepoController

return hist_l, changesets

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
@jsonify
def nodelist(self, repo_name, revision, f_path):
diff --git a/kallithea/controllers/followers.py b/kallithea/controllers/followers.py
--- a/kallithea/controllers/followers.py
+++ b/kallithea/controllers/followers.py
@@ -40,7 +40,7 @@ log = logging.getLogger(__name__)


class FollowersController(BaseRepoController):
- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def followers(self, repo_name):
p = safe_int(request.GET.get('page'), 1)
diff --git a/kallithea/controllers/forks.py b/kallithea/controllers/forks.py
--- a/kallithea/controllers/forks.py
+++ b/kallithea/controllers/forks.py
@@ -105,7 +105,7 @@ class ForksController(BaseRepoController

return defaults

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def forks(self, repo_name):
p = safe_int(request.GET.get('page'), 1)
diff --git a/kallithea/controllers/home.py b/kallithea/controllers/home.py
--- a/kallithea/controllers/home.py
+++ b/kallithea/controllers/home.py
@@ -109,7 +109,7 @@ class HomeController(BaseController):
else:
raise HTTPBadRequest()

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
@jsonify
def repo_refs_data(self, repo_name):
diff --git a/kallithea/controllers/pullrequests.py b/kallithea/controllers/pullrequests.py
--- a/kallithea/controllers/pullrequests.py
+++ b/kallithea/controllers/pullrequests.py
@@ -198,7 +198,7 @@ class PullrequestsController(BaseRepoCon

return request.authuser.admin or owner or reviewer

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def show_all(self, repo_name):
c.from_ = request.GET.get('from_') or ''
@@ -447,7 +447,7 @@ class PullrequestsController(BaseRepoCon
raise HTTPFound(location=url('my_pullrequests'))
raise HTTPForbidden()

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def show(self, repo_name, pull_request_id, extra=None):
repo_model = RepoModel()
diff --git a/kallithea/controllers/summary.py b/kallithea/controllers/summary.py
--- a/kallithea/controllers/summary.py
+++ b/kallithea/controllers/summary.py
@@ -102,7 +102,7 @@ class SummaryController(BaseRepoControll
region_invalidate(_get_readme_from_cache, None, '_get_readme_from_cache', repo_name, kind)
return _get_readme_from_cache(repo_name, kind)

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def index(self, repo_name):
p = safe_int(request.GET.get('page'), 1)
@@ -169,7 +169,7 @@ class SummaryController(BaseRepoControll
else:
raise HTTPBadRequest()

- @LoginRequired()
+ @LoginRequired(allow_default_user=True)
@HasRepoPermissionLevelDecorator('read')
def statistics(self, repo_name):
if c.db_repo.enable_statistics: