kallithea Changeset - 23a86f1c33a1

Changeset - 23a86f1c33a1

Parent rev.

Child rev.

[Not reviewed]

default

0 4 0

Søren Løvborg - 10 years ago 2015-09-08 11:00:02
sorenl@unity3d.com

auth: note that we never emit authuser "cookies" for the default user

The only place where we set "authuser" in the session is in log_in_user,
which is called only by the internal auth system and by auth plugins.
The internal auth system cannot log a user in as the default user,
because the default user doesn't have a password (and cannot have a
password assigned). Auth plugins cannot log a user in as the default
user, because the user doesn't have the right extern_type. As such, it's
a bug if log_in_user is ever called with the default user (which this
commit documents with an assert).

This realization makes the is_authenticated field of the authuser cookie
redundant, as it's always True. It also emphasizes that is_default_user
and is_authenticated are mutually exclusive.

4 files changed with 7 insertions and 8 deletions:

kallithea/controllers/login.py

kallithea/lib/auth.py

kallithea/lib/base.py

kallithea/tests/__init__.py

0 comments (0 inline, 0 general)

kallithea/controllers/login.py

➞

Show inline comments

@@ @@ -81,7 +81,7 @@ class LoginController(BaseController): @@
         ip_allowed = AuthUser.check_ip_allowed(self.authuser, self.ip_addr)
         # redirect if already logged in
-        if self.authuser.is_authenticated and not self.authuser.is_default_user and ip_allowed:
         if self.authuser.is_authenticated and ip_allowed:
             raise HTTPFound(location=c.came_from)
         if request.POST:

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -626,7 +626,6 @@ class AuthUser(object): @@
         """ Serializes this login session to a cookie `dict`. """
         return {
             'user_id': self.user_id,
             'is_authenticated': self.is_authenticated or self.is_default_user,
             'is_external_auth': self.is_external_auth,
+        }
@@ @@ -640,9 +639,7 @@ class AuthUser(object): @@
             user_id=cookie.get('user_id'),
             is_external_auth=cookie.get('is_external_auth', False),
+        )
         if not au.is_default_user and au.user_id is not None:
             # user is not authenticated and not empty
             au.is_authenticated = cookie.get('is_authenticated')
         au.is_authenticated = True
         return au
     @classmethod

kallithea/lib/base.py

➞

Show inline comments

@@ @@ -116,7 +116,8 @@ def log_in_user(user, remember, is_exter @@
     auth_user = AuthUser(dbuser=user,
                          is_external_auth=is_external_auth)
     if not auth_user.is_default_user:
     # It should not be possible to explicitly log in as the default user.
     assert not auth_user.is_default_user
         auth_user.is_authenticated = True
     # Start new session to prevent session fixation attacks.
@@ @@ -392,7 +393,9 @@ class BaseController(WSGIController): @@
         # Authenticate by session cookie
         # In ancient login sessions, 'authuser' may not be a dict.
         # In that case, the user will have to log in again.
         if isinstance(session_authuser, dict):
         # v0.3 and earlier included an 'is_authenticated' key; if present,
         # this must be True.
         if isinstance(session_authuser, dict) and session_authuser.get('is_authenticated', True):
             try:
                 return AuthUser.from_cookie(session_authuser)
             except UserCreationError as e:

kallithea/tests/__init__.py

➞

Show inline comments

@@ @@ -220,7 +220,6 @@ class TestController(BaseTestCase): @@
         user = user and User.get(user)
         user = user and user.username
         self.assertEqual(user, expected_username)
         self.assertEqual(cookie.get('is_authenticated'), True)
     def authentication_token(self):
         return self.app.get(url('authentication_token')).body

0 comments (0 inline, 0 general)