kallithea Changeset - 088155584e2e

Changeset - 088155584e2e

Parent rev.

Child rev.

[Not reviewed]

default

0 3 0

Mads Kiilerich - 7 years ago 2018-12-26 03:03:31
mads@kiilerich.com

auth: make sure request.authuser *always* has been checked for check_ip_allowed - there is thus no need to check it later

3 files changed with 7 insertions and 7 deletions:

kallithea/controllers/login.py

kallithea/lib/auth.py

kallithea/lib/base.py

0 comments (0 inline, 0 general)

kallithea/controllers/login.py

➞

Show inline comments

@@ @@ -76,10 +76,8 @@ class LoginController(BaseController): @@
         else:
             c.came_from = url('home')
         ip_allowed = AuthUser.check_ip_allowed(request.authuser, request.ip_addr)
         # redirect if already logged in
-        if request.authuser.is_authenticated and ip_allowed:
         if request.authuser.is_authenticated:
             raise HTTPFound(location=c.came_from)
         if request.POST:

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -777,9 +777,6 @@ class LoginRequired(object): @@
         loc = "%s:%s" % (controller.__class__.__name__, func.__name__)
         log.debug('Checking access for user %s @ %s', user, loc)
         if not AuthUser.check_ip_allowed(user, request.ip_addr):
             raise _redirect_to_login(_('IP %s not allowed') % request.ip_addr)
         # Check if we used an API key to authenticate.
         api_key = user.authenticating_api_key
         if api_key is not None:

kallithea/lib/base.py

➞

Show inline comments

@@ @@ -529,12 +529,17 @@ class BaseController(TGController): @@
                 if type.lower() == 'bearer':
                     bearer_token = params
-            request.authuser = self._determine_auth_user(
             authuser = self._determine_auth_user(
                 request.GET.get('api_key'),
                 bearer_token,
                 session.get('authuser'),
+            )
             if not AuthUser.check_ip_allowed(authuser, request.ip_addr):
                 raise webob.exc.HTTPForbidden()
             request.authuser = authuser
             log.info('IP: %s User: %s accessed %s',
                 request.ip_addr, request.authuser,
                 safe_unicode(_get_access_path(environ)),

0 comments (0 inline, 0 general)