Changeset - 3598e2a4e051
Parent rev.
Child rev.
[Not reviewed]
default
0 1 0
Søren Løvborg - 10 years ago 2015-09-03 17:08:19
sorenl@unity3d.com
auth: remove redundant is_authenticated check

It turns out the user.is_authenticated check is redundant, since it's
True for both anonymous users and logged in users, and API key users
are handled prior to the check.
1 file changed with 4 insertions and 4 deletions:
kallithea/lib/auth.py
4
4
0 comments (0 inline, 0 general)
kallithea/lib/auth.py
Show inline comments
 
@@ -718,100 +718,100 @@ def redirect_to_login(message=None):
 
        h.flash(h.literal(message), category='warning')
 
    log.debug('Redirecting to login page, origin: %s', p)
 
    return redirect(url('login_home', came_from=p, **request.GET))
 

			




	
	
	
		
 
class LoginRequired(object):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Must be logged in to execute this function else

			




	
	
	
		
 
    redirect to login page

			




	
	
	
		
 

			




	
	
	
		
 
    :param api_access: if enabled this checks only for valid auth token

			




	
	
	
		
 
        and grants access based on valid token

			




	
	
	
		
 
    """

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, api_access=False):

			




	
	
	
		
 
        self.api_access = api_access

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, func):

			




	
	
	
		
 
        return decorator(self.__wrapper, func)

			




	
	
	
		
 

			




	
	
	
		
 
    def __wrapper(self, func, *fargs, **fkwargs):

			




	
	
	
		
 
        controller = fargs[0]

			




	
	
	
		
 
        user = controller.authuser

			




	
	
	
		
 
        loc = "%s:%s" % (controller.__class__.__name__, func.__name__)

			




	
	
	
		
 
        log.debug('Checking access for user %s @ %s', user, loc)

			




	
	
	
		
 

			




	
	
	
		
 
        if not AuthUser.check_ip_allowed(user, controller.ip_addr):

			




	
	
	
		
 
            return redirect_to_login(_('IP %s not allowed') % controller.ip_addr)

			




	
	
	
		
 

			




	
	
	
		
 
        # check if we used an API key and it's a valid one

			




	
	
	
		
 
        api_key = request.GET.get('api_key')

			




	
	
	
		
 
        if api_key is not None:

			




	
	
	
		
 
            # explicit controller is enabled or API is in our whitelist

			




	
	
	
		
 
            if self.api_access or allowed_api_access(loc, api_key=api_key):

			




	
	
	
		
 
                if api_key in user.api_keys:

			




	
	
	
		
 
                    log.info('user %s authenticated with API key ****%s @ %s',

			




	
	
	
		
 
                             user, api_key[-4:], loc)

			




	
	
	
		
 
                    return func(*fargs, **fkwargs)

			




	
	
	
		
 
                else:

			




	
	
	
		
 
                    log.warning('API key ****%s is NOT valid', api_key[-4:])

			




	
	
	
		
 
                    return redirect_to_login(_('Invalid API key'))

			




	
	
	
		
 
            else:

			




	
	
	
		
 
                # controller does not allow API access

			




	
	
	
		
 
                log.warning('API access to %s is not allowed', loc)

			




	
	
	
		
 
                return abort(403)

			




	
	
	
		
 

			




	
	
	
		
 
        # CSRF protection: Whenever a request has ambient authority (whether

			




	
	
	
		
 
        # through a session cookie or its origin IP address), it must include

			




	
	
	
		
 
        # the correct token, unless the HTTP method is GET or HEAD (and thus

			




	
	
	
		
 
        # guaranteed to be side effect free.

			




	
	
	
		
 
        # Note that the 'is_authenticated' flag is True for anonymous users too,

			




	
	
	
		
 
        # but not when the user is authenticated by API key.

			




	
	
	
		
 
        if user.is_authenticated and request.method not in ['GET', 'HEAD']:

			




	
	
	
		
 
        # guaranteed to be side effect free. In practice, the only situation

			




	
	
	
		
 
        # where we allow side effects without ambient authority is when the

			




	
	
	
		
 
        # authority comes from an API key; and that is handled above.

			




	
	
	
		
 
        if request.method not in ['GET', 'HEAD']:

			




	
	
	
		
 
            token = request.POST.get(secure_form.token_key)

			




	
	
	
		
 
            if not token or token != secure_form.authentication_token():

			




	
	
	
		
 
                log.error('CSRF check failed')

			




	
	
	
		
 
                return abort(403)

			




	
	
	
		
 

			




	
	
	
		
 
        # regular user authentication

			




	
	
	
		
 
        if user.is_authenticated:

			




	
	
	
		
 
            log.info('user %s authenticated with regular auth @ %s', user, loc)

			




	
	
	
		
 
            return func(*fargs, **fkwargs)

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            log.warning('user %s NOT authenticated with regular auth @ %s', user, loc)

			




	
	
	
		
 
            return redirect_to_login()

			




	
	
	
		
 

			




	
	
	
		
 
class NotAnonymous(object):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Must be logged in to execute this function else

			




	
	
	
		
 
    redirect to login page"""

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, func):

			




	
	
	
		
 
        return decorator(self.__wrapper, func)

			




	
	
	
		
 

			




	
	
	
		
 
    def __wrapper(self, func, *fargs, **fkwargs):

			




	
	
	
		
 
        cls = fargs[0]

			




	
	
	
		
 
        self.user = cls.authuser

			




	
	
	
		
 

			




	
	
	
		
 
        log.debug('Checking if user is not anonymous @%s', cls)

			




	
	
	
		
 

			




	
	
	
		
 
        anonymous = self.user.username == User.DEFAULT_USER

			




	
	
	
		
 

			




	
	
	
		
 
        if anonymous:

			




	
	
	
		
 
            return redirect_to_login(_('You need to be a registered user to '

			




	
	
	
		
 
                    'perform this action'))

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            return func(*fargs, **fkwargs)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class PermsDecorator(object):

			




	
	
	
		
 
    """Base class for controller decorators"""

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, *required_perms):

			




	
	
	
		
 
        self.required_perms = set(required_perms)

			




	
	
	
		
 
        self.user_perms = None

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, func):

			




	
	
	
		
 
        return decorator(self.__wrapper, func)

			




	
	
	
		
 

			




	
	
	
		
 
    def __wrapper(self, func, *fargs, **fkwargs):

			




	
	
	
		
 
        cls = fargs[0]

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.