# HG changeset patch
# User Søren Løvborg
# Date 2015-07-14 14:00:17
# Node ID f103b1a2383bc4fba5d28f9732ba832025e3bf00
# Parent 8394211b1c32649b9861ad19dcc14eda9fe9e469
BaseController: hide "Log out" link for external login sessions
If user is authorized by external means (API key or container auth), Kallithea is not actually able to log the user out and should not show the "Log out" link.
diff --git a/kallithea/controllers/login.py b/kallithea/controllers/login.py
--- a/kallithea/controllers/login.py
+++ b/kallithea/controllers/login.py
@@ -116,7 +116,8 @@ class LoginController(BaseController):
 # Exception itself
 h.flash(e, 'error')
 else:
- log_in_user(user, c.form_result['remember'])
+ log_in_user(user, c.form_result['remember'],
+ is_external_auth=False)
 return self._redirect_to_origin(c.came_from)
 
 return render('/login.html')
diff --git a/kallithea/lib/auth.py b/kallithea/lib/auth.py
--- a/kallithea/lib/auth.py
+++ b/kallithea/lib/auth.py
@@ -476,7 +476,8 @@ class AuthUser(object):
 so, set `is_authenticated` to True.
 """
- def __init__(self, user_id=None, api_key=None, username=None):
+ def __init__(self, user_id=None, api_key=None, username=None,
+ is_external_auth=False):
 self.user_id = user_id
 self._api_key = api_key
@@ -489,6 +490,7 @@ class AuthUser(object):
 self.is_authenticated = False
 self.admin = False
 self.inherit_default_permissions = False
+ self.is_external_auth = is_external_auth
 self.propagate_data()
 self._instance = None
@@ -633,6 +635,7 @@ class AuthUser(object):
 'user_id': self.user_id,
 'username': self.username,
 'is_authenticated': self.is_authenticated,
+ 'is_external_auth': self.is_external_auth,
 }
 
 @staticmethod
@@ -644,6 +647,7 @@ class AuthUser(object):
 au = AuthUser(
 user_id=cookie.get('user_id'),
 username=cookie.get('username'),
+ is_external_auth=cookie.get('is_external_auth', False),
 )
 if not au.is_authenticated and au.user_id is not None:
 # user is not authenticated and not empty
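Review bot: The `__init__` signature in the first auth.py hunk gains `is_external_auth`, but the class docstring that ends just above it ("so, set `is_authenticated` to True.") is not extended to say what the new attribute means or who sets it. I would add a sentence such as `is_external_auth is True when the user was authenticated by a mechanism Kallithea cannot revoke (API key or container auth); it is a display hint for the "Log out" link, not an authorization input.` The third and fourth hunks round-trip the flag through the session dict next to `is_authenticated`, and `cookie.get('is_external_auth', False)` means a session created before this change is treated as an ordinary login, so users already logged in via container auth will keep seeing the link until they re-authenticate; that is probably acceptable but worth a comment on the `cookie.get` line. The methods around the third and fourth hunks start outside the hunk, so I am inferring their role from the dict keys.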
diff --git a/kallithea/lib/base.py b/kallithea/lib/base.py
--- a/kallithea/lib/base.py
+++ b/kallithea/lib/base.py
@@ -104,7 +104,7 @@ def _get_access_path(environ):
 return path
-def log_in_user(user, remember):
+def log_in_user(user, remember, is_external_auth):
 """
 Log a `User` in and update session and cookies. If `remember` is True, the session cookie is set to expire in a year; otherwise, it expires at
@@ -115,7 +115,8 @@ def log_in_user(user, remember):
 user.update_lastlogin()
 meta.Session().commit()
- auth_user = AuthUser(user_id=user.user_id)
+ auth_user = AuthUser(user_id=user.user_id,
+ is_external_auth=is_external_auth)
 auth_user.set_authenticated()
 # Start new session to prevent session fixation attacks.
@@ -384,7 +385,7 @@ class BaseController(WSGIController):
 # Authenticate by API key
 if api_key:
 # when using API_KEY we are sure user exists.
- return AuthUser(api_key=api_key)
+ return AuthUser(api_key=api_key, is_external_auth=True)
 
 # Authenticate by session cookie
 cookie = session.get('authuser')
@@ -415,7 +416,8 @@ class BaseController(WSGIController):
 if auth_info:
 username = auth_info['username']
 user = User.get_by_username(username, case_insensitive=True)
- return log_in_user(user, remember=False)
+ return log_in_user(user, remember=False,
+ is_external_auth=True)
 
 # User is anonymous
 return AuthUser()
diff --git a/kallithea/templates/base/base.html b/kallithea/templates/base/base.html
--- a/kallithea/templates/base/base.html
+++ b/kallithea/templates/base/base.html
@@ -348,7 +348,10 @@ %endif
diff --git a/kallithea/tests/functional/test_admin_auth_settings.py b/kallithea/tests/functional/test_admin_auth_settings.py
--- a/kallithea/tests/functional/test_admin_auth_settings.py
+++ b/kallithea/tests/functional/test_admin_auth_settings.py
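Review bot: `log_in_user` in the first base.py hunk now takes a required positional `is_external_auth`, but the docstring that starts on the next line (and continues past the hunk) only explains `remember`; I would add `is_external_auth records that the user was authenticated by API key or container auth and is persisted in the new session so later requests can suppress the "Log out" link, which such a session cannot honour.` Making the parameter required means any caller not touched by this changeset now fails with a TypeError at call time; only login.py and the container path in the fourth hunk are updated here, so if other callers exist elsewhere in the tree a default of `False` would be the safer signature. The fourth hunk passes `is_external_auth=True` into the fresh session that `log_in_user` creates, so the session-cookie branch in the third hunk inherits the flag on subsequent requests without further changes — that dependency is worth a one-line comment next to `cookie = session.get('authuser')`.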
@@ -175,3 +175,15 @@ class TestAuthSettingsController(TestCon
 extra_environ={'REMOTE_USER': r'example\jane'},
 resulting_username=r'jane',
 )
+
+ def test_container_auth_no_logout(self):
+ self._container_auth_setup(
+ auth_container_header='REMOTE_USER',
+ auth_container_fallback_header='',
+ auth_container_clean_username='True',
+ )
+ response = self.app.get(
+ url=url(controller='admin/my_account', action='my_account'),
+ extra_environ={'REMOTE_USER': 'john'},
+ )
+ self.assertNotIn('Log Out', response.normal_body)
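Review bot: The only assertion in `test_container_auth_no_logout` is negative, so the test also passes if the request was redirected to the login page, rendered an error, or the label is spelled differently from the literal 'Log Out' (the commit message writes "Log out", and the template hunk is not recoverable here, so I cannot confirm the exact text). Pair it with a positive check that the authenticated page actually rendered, for example `self.assertIn('john', response.normal_body)` before the `assertNotIn`, or assert on the response status and a user-menu marker the page is known to contain. A sibling test that a normal form login still shows the link would cover the inverse and catch the flag being set to True unconditionally.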