Changeset - 1f831a8a590c
Parent rev.
Child rev.
[Not reviewed]
default
0 1 0
Mads Kiilerich - 6 years ago 2019-06-06 23:47:43
mads@kiilerich.com
auth: fix failure when editing inactive users

AuthUser._fill_data did not work on users that not were active, and we could thus not even *talk* about inactive users.

To make things more simple, inline the function. That also makes it clear that dbuser can't be None.
1 file changed with 7 insertions and 21 deletions:
kallithea/lib/auth.py
7
21
0 comments (0 inline, 0 general)
kallithea/lib/auth.py
Show inline comments
 
@@ -395,122 +395,108 @@ class AuthUser(object):
 
    only happen on the login page (as all other requests are redirected).
 

			




	
	
	
		
 
    `is_default_user` specifically checks if the AuthUser is the user named

			




	
	
	
		
 
    "default". Use `is_anonymous` to check for both "default" and "no user".

			




	
	
	
		
 
    """

			




	
	
	
		
 

			




	
	
	
		
 
    @classmethod

			




	
	
	
		
 
    def make(cls, dbuser=None, is_external_auth=False, ip_addr=None):

			




	
	
	
		
 
        """Create an AuthUser to be authenticated ... or return None if user for some reason can't be authenticated.

			




	
	
	
		
 
        Checks that a non-None dbuser is provided, is active, and that the IP address is ok.

			




	
	
	
		
 
        """

			




	
	
	
		
 
        assert ip_addr is not None

			




	
	
	
		
 
        if dbuser is None:

			




	
	
	
		
 
            log.info('No db user for authentication')

			




	
	
	
		
 
            return None

			




	
	
	
		
 
        if not dbuser.active:

			




	
	
	
		
 
            log.info('Db user %s not active', dbuser.username)

			




	
	
	
		
 
            return None

			




	
	
	
		
 
        allowed_ips = AuthUser.get_allowed_ips(dbuser.user_id, cache=True)

			




	
	
	
		
 
        if not check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):

			




	
	
	
		
 
            log.info('Access for %s from %s forbidden - not in %s', dbuser.username, ip_addr, allowed_ips)

			




	
	
	
		
 
            return None

			




	
	
	
		
 
        return cls(dbuser=dbuser, is_external_auth=is_external_auth)

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, user_id=None, dbuser=None, is_external_auth=False):

			




	
	
	
		
 
        self.is_external_auth = is_external_auth # container auth - don't show logout option

			




	
	
	
		
 

			




	
	
	
		
 
        # These attributes will be overridden by fill_data, below, unless the

			




	
	
	
		
 
        # requested user cannot be found and the default anonymous user is

			




	
	
	
		
 
        # not enabled.

			




	
	
	
		
 
        self.user_id = None

			




	
	
	
		
 
        self.username = None

			




	
	
	
		
 
        self.api_key = None

			




	
	
	
		
 
        self.name = ''

			




	
	
	
		
 
        self.lastname = ''

			




	
	
	
		
 
        self.email = ''

			




	
	
	
		
 
        self.admin = False

			




	
	
	
		
 

			




	
	
	
		
 
        # Look up database user, if necessary.

			




	
	
	
		
 
        if user_id is not None:

			




	
	
	
		
 
            assert dbuser is None

			




	
	
	
		
 
            log.debug('Auth User lookup by USER ID %s', user_id)

			




	
	
	
		
 
            dbuser = UserModel().get(user_id)

			




	
	
	
		
 
            assert dbuser is not None

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            assert dbuser is not None

			




	
	
	
		
 
            log.debug('Auth User lookup by database user %s', dbuser)

			




	
	
	
		
 

			




	
	
	
		
 
        if self._fill_data(dbuser):

			




	
	
	
		
 
            self.is_default_user = dbuser.is_default_user

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            assert dbuser.is_default_user

			




	
	
	
		
 
            assert not self.username

			




	
	
	
		
 
        log.debug('filling %s data', dbuser)

			




	
	
	
		
 
        self.is_anonymous = dbuser.is_default_user

			




	
	
	
		
 
        if dbuser.is_default_user and not dbuser.active:

			




	
	
	
		
 
            self.username = 'None'

			




	
	
	
		
 
            self.is_default_user = False

			




	
	
	
		
 
        self.is_anonymous = dbuser.is_default_user

			




	
	
	
		
 

			




	
	
	
		
 
        log.debug('Auth User is now %s', self)

			




	
	
	
		
 

			




	
	
	
		
 
    def _fill_data(self, dbuser):

			




	
	
	
		
 
        """

			




	
	
	
		
 
        Copies database fields from a `db.User` to this `AuthUser`. Does

			




	
	
	
		
 
        not copy `api_keys` and `permissions` attributes.

			




	
	
	
		
 

			




	
	
	
		
 
        Checks that `dbuser` is `active` (and not None) before copying;

			




	
	
	
		
 
        returns True on success.

			




	
	
	
		
 
        """

			




	
	
	
		
 
        if dbuser is not None and dbuser.active:

			




	
	
	
		
 
            log.debug('filling %s data', dbuser)

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            # copy non-confidential database fields from a `db.User` to this `AuthUser`.

			




	
	
	
		
 
            for k, v in dbuser.get_dict().iteritems():

			




	
	
	
		
 
                assert k not in ['api_keys', 'permissions']

			




	
	
	
		
 
                setattr(self, k, v)

			




	
	
	
		
 
            return True

			




	
	
	
		
 
        return False

			




	
	
	
		
 
            self.is_default_user = dbuser.is_default_user

			




	
	
	
		
 
        log.debug('Auth User is now %s', self)

			




	
	
	
		
 

			




	
	
	
		
 
    @LazyProperty

			




	
	
	
		
 
    def permissions(self):

			




	
	
	
		
 
        return self.__get_perms(user=self, cache=False)

			




	
	
	
		
 

			




	
	
	
		
 
    def has_repository_permission_level(self, repo_name, level, purpose=None):

			




	
	
	
		
 
        required_perms = {

			




	
	
	
		
 
            'read': ['repository.read', 'repository.write', 'repository.admin'],

			




	
	
	
		
 
            'write': ['repository.write', 'repository.admin'],

			




	
	
	
		
 
            'admin': ['repository.admin'],

			




	
	
	
		
 
        }[level]

			




	
	
	
		
 
        actual_perm = self.permissions['repositories'].get(repo_name)

			




	
	
	
		
 
        ok = actual_perm in required_perms

			




	
	
	
		
 
        log.debug('Checking if user %r can %r repo %r (%s): %s (has %r)',

			




	
	
	
		
 
            self.username, level, repo_name, purpose, ok, actual_perm)

			




	
	
	
		
 
        return ok

			




	
	
	
		
 

			




	
	
	
		
 
    def has_repository_group_permission_level(self, repo_group_name, level, purpose=None):

			




	
	
	
		
 
        required_perms = {

			




	
	
	
		
 
            'read': ['group.read', 'group.write', 'group.admin'],

			




	
	
	
		
 
            'write': ['group.write', 'group.admin'],

			




	
	
	
		
 
            'admin': ['group.admin'],

			




	
	
	
		
 
        }[level]

			




	
	
	
		
 
        actual_perm = self.permissions['repositories_groups'].get(repo_group_name)

			




	
	
	
		
 
        ok = actual_perm in required_perms

			




	
	
	
		
 
        log.debug('Checking if user %r can %r repo group %r (%s): %s (has %r)',

			




	
	
	
		
 
            self.username, level, repo_group_name, purpose, ok, actual_perm)

			




	
	
	
		
 
        return ok

			




	
	
	
		
 

			




	
	
	
		
 
    def has_user_group_permission_level(self, user_group_name, level, purpose=None):

			




	
	
	
		
 
        required_perms = {

			




	
	
	
		
 
            'read': ['usergroup.read', 'usergroup.write', 'usergroup.admin'],

			




	
	
	
		
 
            'write': ['usergroup.write', 'usergroup.admin'],

			




	
	
	
		
 
            'admin': ['usergroup.admin'],

			




	
	
	
		
 
        }[level]

			




	
	
	
		
 
        actual_perm = self.permissions['user_groups'].get(user_group_name)

			




	
	
	
		
 
        ok = actual_perm in required_perms

			




	
	
	
		
 
        log.debug('Checking if user %r can %r user group %r (%s): %s (has %r)',

			




	
	
	
		
 
            self.username, level, user_group_name, purpose, ok, actual_perm)

			




	
	
	
		
 
        return ok

			




	
	
	
		
 

			




	
	
	
		
 
    @property

			




	
	
	
		
 
    def api_keys(self):

			




	
	
	
		
 
        return self._get_api_keys()

			




	
	
	
		
 

			




	
	
	
		
 
    def __get_perms(self, user, cache=False):

			




	
	
	
		
 
        """

			




	
	
	
		
 
        Fills user permission attribute with permissions taken from database

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.