kallithea Changeset - 23a86f1c33a1

Changeset - 23a86f1c33a1

Parent rev.

Child rev.

[Not reviewed]

default

0 4 0

Søren Løvborg - 10 years ago 2015-09-08 11:00:02
sorenl@unity3d.com

auth: note that we never emit authuser "cookies" for the default user

The only place where we set "authuser" in the session is in log_in_user,
which is called only by the internal auth system and by auth plugins.
The internal auth system cannot log a user in as the default user,
because the default user doesn't have a password (and cannot have a
password assigned). Auth plugins cannot log a user in as the default
user, because the user doesn't have the right extern_type. As such, it's
a bug if log_in_user is ever called with the default user (which this
commit documents with an assert).

This realization makes the is_authenticated field of the authuser cookie
redundant, as it's always True. It also emphasizes that is_default_user
and is_authenticated are mutually exclusive.

4 files changed with 8 insertions and 9 deletions:

kallithea/controllers/login.py

kallithea/lib/auth.py

kallithea/lib/base.py

kallithea/tests/__init__.py

0 comments (0 inline, 0 general)

kallithea/controllers/login.py

➞

Show inline comments

@@ @@ -78,13 +78,13 @@ class LoginController(BaseController): @@
         else:
             c.came_from = url('home')
         ip_allowed = AuthUser.check_ip_allowed(self.authuser, self.ip_addr)
         # redirect if already logged in
-        if self.authuser.is_authenticated and not self.authuser.is_default_user and ip_allowed:
         if self.authuser.is_authenticated and ip_allowed:
             raise HTTPFound(location=c.came_from)
         if request.POST:
             # import Login Form validator class
             login_form = LoginForm()
             try:

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -623,13 +623,12 @@ class AuthUser(object): @@
             % (self.user_id, self.username, (self.is_authenticated or self.is_default_user))
     def to_cookie(self):
         """ Serializes this login session to a cookie `dict`. """
         return {
             'user_id': self.user_id,
             'is_authenticated': self.is_authenticated or self.is_default_user,
             'is_external_auth': self.is_external_auth,
+        }
     @staticmethod
     def from_cookie(cookie):
         """
@@ @@ -637,15 +636,13 @@ class AuthUser(object): @@
         """
         au = AuthUser(
             user_id=cookie.get('user_id'),
             is_external_auth=cookie.get('is_external_auth', False),
+        )
         if not au.is_default_user and au.user_id is not None:
             # user is not authenticated and not empty
             au.is_authenticated = cookie.get('is_authenticated')
         au.is_authenticated = True
         return au
     @classmethod
     def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False):
         _set = set()

kallithea/lib/base.py

➞

Show inline comments

@@ @@ -113,14 +113,15 @@ def log_in_user(user, remember, is_exter @@
     """
     user.update_lastlogin()
     meta.Session().commit()
     auth_user = AuthUser(dbuser=user,
                          is_external_auth=is_external_auth)
     if not auth_user.is_default_user:
         auth_user.is_authenticated = True
     # It should not be possible to explicitly log in as the default user.
     assert not auth_user.is_default_user
     auth_user.is_authenticated = True
     # Start new session to prevent session fixation attacks.
     session.invalidate()
     session['authuser'] = cookie = auth_user.to_cookie()
     # If they want to be remembered, update the cookie.
@@ @@ -389,13 +390,15 @@ class BaseController(WSGIController): @@
             return AuthUser(dbuser=User.get_by_api_key(api_key),
                             is_external_auth=True)
         # Authenticate by session cookie
         # In ancient login sessions, 'authuser' may not be a dict.
         # In that case, the user will have to log in again.
         if isinstance(session_authuser, dict):
         # v0.3 and earlier included an 'is_authenticated' key; if present,
         # this must be True.
         if isinstance(session_authuser, dict) and session_authuser.get('is_authenticated', True):
             try:
                 return AuthUser.from_cookie(session_authuser)
             except UserCreationError as e:
                 # container auth or other auth functions that create users on
                 # the fly can throw UserCreationError to signal issues with
                 # user creation. Explanation should be provided in the

kallithea/tests/__init__.py

➞

Show inline comments

@@ @@ -217,13 +217,12 @@ class TestController(BaseTestCase): @@
     def assert_authenticated_user(self, response, expected_username):
         cookie = response.session.get('authuser')
         user = cookie and cookie.get('user_id')
         user = user and User.get(user)
         user = user and user.username
         self.assertEqual(user, expected_username)
         self.assertEqual(cookie.get('is_authenticated'), True)
     def authentication_token(self):
         return self.app.get(url('authentication_token')).body
     def checkSessionFlash(self, response, msg=None, skip=0, _matcher=lambda msg, m: msg in m):
         if 'flash' not in response.session:

0 comments (0 inline, 0 general)