Changeset - 1e83cda87899
[Not reviewed]
default
Mads Kiilerich - 7 years ago 2019-01-03 01:22:06
mads@kiilerich.com
auth: drop unused AuthUser.is_authenticated

It seems like other ways of tracking authentication state are better. AuthUser
is a *potentially* authenticated user. We prefer to keep it as that, without
modifying the AuthUser object if the user actually should be authenticated.

The primary indicator that a user is authenticated is when the AuthUser is set
as request.authuser.

(Alternatively, we could create an AuthenticatedUser sub-class and move things
like access control checks there. That would help ensure it is used
correctly, without having to check an is_authenticated flag.)
2 files changed with 4 insertions and 10 deletions:
0 comments (0 inline, 0 general)
kallithea/lib/auth.py
 
@@ -379,10 +379,9 @@ class AuthUser(object):
 
    adding various non-persistent data. If lookup fails but anonymous
 
    access to Kallithea is enabled, the default user is loaded instead.
 

	
 
    `AuthUser` does not by itself authenticate users and the constructor
 
    sets the `is_authenticated` field to False. It's up to other parts
 
    of the code to check e.g. if a supplied password is correct, and if
 
    so, set `is_authenticated` to True.
 
    `AuthUser` does not by itself authenticate users. It's up to other parts of
 
    the code to check e.g. if a supplied password is correct, and if so, trust
 
    the AuthUser object as an authenticated user.
 

	
 
    However, `AuthUser` does refuse to load a user that is not `active`.
 

	
 
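Review bot: the rewritten docstring drops the only description of how an AuthUser becomes trusted; "trust the AuthUser object as an authenticated user" does not say what signals that trust. Since the commit message names assignment to request.authuser as the primary indicator, the docstring should say so explicitly, e.g. "and if so, install the AuthUser as request.authuser; only an AuthUser reached that way should be treated as authenticated", so readers of the class are not left to infer the contract.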
@@ -401,8 +400,6 @@ class AuthUser(object):
 

	
 
    def __init__(self, user_id=None, dbuser=None, authenticating_api_key=None,
 
            is_external_auth=False):
 

	
 
        self.is_authenticated = False
 
        self.is_external_auth = is_external_auth
 
        self.authenticating_api_key = authenticating_api_key
 

	
 
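Review bot: removing `self.is_authenticated = False` from `__init__` turns any remaining read of the attribute into an AttributeError instead of a False, and this changeset only touches auth.py and base.py. Before merging, verify there are no other readers of `is_authenticated` (templates, controllers, API code, tests) that are not visible in this diff; a grep across the tree is enough to confirm the attribute is really unused.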
@@ -571,8 +568,7 @@ class AuthUser(object):
 
            return False
 

	
 
    def __repr__(self):
 
        return "<AuthUser('id:%s[%s] auth:%s')>" \
 
            % (self.user_id, self.username, (self.is_authenticated or self.is_default_user))
 
        return "<AuthUser('id:%s[%s]')>" % (self.user_id, self.username)
 

	
 
    def to_cookie(self):
 
        """ Serializes this login session to a cookie `dict`. """
 
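Review bot: the new `__repr__` drops `is_default_user` along with `is_authenticated`, so log lines and debugger output no longer distinguish the anonymous default user from a real user. Consider keeping that bit, e.g. `"<AuthUser('id:%s[%s] default:%s')>" % (self.user_id, self.username, self.is_default_user)`, since it is cheap and the repr is the main place this state surfaces in logs.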
@@ -591,7 +587,6 @@ class AuthUser(object):
 
            user_id=cookie.get('user_id'),
 
            is_external_auth=cookie.get('is_external_auth', False),
 
        )
 
        au.is_authenticated = True
 
        return au
 

	
 
    @classmethod
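Review bot: with `au.is_authenticated = True` gone, nothing in this classmethod marks the cookie-restored AuthUser as trusted; the object returned here is only authenticated by virtue of the caller installing it as request.authuser. That is consistent with the commit message, but it makes the caller contract implicit, so the docstring of this classmethod should state that its return value must be treated as an authenticated user only after the session cookie has been validated and the object is assigned to request.authuser, and that the constructor's refusal to load an inactive user still applies on this path.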
kallithea/lib/base.py
 
@@ -124,7 +124,6 @@ def log_in_user(user, remember, is_exter
 
                         is_external_auth=is_external_auth)
 
    # It should not be possible to explicitly log in as the default user.
 
    assert not auth_user.is_default_user
 
    auth_user.is_authenticated = True
 

	
 
    # Start new session to prevent session fixation attacks.
 
    session.invalidate()
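Review bot: after removing `auth_user.is_authenticated = True`, the only guard left in log_in_user against logging in as the default user is `assert not auth_user.is_default_user`. Assertions are stripped when Python runs with `-O`, so this security check should be an explicit condition that raises (e.g. `if auth_user.is_default_user: raise ValueError(...)`) rather than an assert, especially now that there is no separate flag to fall back on. The `session.invalidate()` call against session fixation is fine and should stay in place after the check.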