Changeset - 3598e2a4e051
Parent rev.
Child rev.
[Not reviewed]
default
0 1 0
Søren Løvborg - 10 years ago 2015-09-03 17:08:19
sorenl@unity3d.com
auth: remove redundant is_authenticated check

It turns out the user.is_authenticated check is redundant, since it's
True for both anonymous users and logged in users, and API key users
are handled prior to the check.
1 file changed with 4 insertions and 4 deletions:
kallithea/lib/auth.py
4
4
0 comments (0 inline, 0 general)
kallithea/lib/auth.py
Show inline comments
 
@@ -670,196 +670,196 @@ class AuthUser(object):
 
                    _set.add(ip.ip_addr)
 
                except ObjectDeletedError:
 
                    # since we use heavy caching sometimes it happens that we get
 
                    # deleted objects here, we just skip them
 
                    pass
 

			




	
	
	
		
 
        user_ips = UserIpMap.query().filter(UserIpMap.user_id == user_id)

			




	
	
	
		
 
        if cache:

			




	
	
	
		
 
            user_ips = user_ips.options(FromCache("sql_cache_short",

			




	
	
	
		
 
                                                  "get_user_ips_%s" % user_id))

			




	
	
	
		
 

			




	
	
	
		
 
        for ip in user_ips:

			




	
	
	
		
 
            try:

			




	
	
	
		
 
                _set.add(ip.ip_addr)

			




	
	
	
		
 
            except ObjectDeletedError:

			




	
	
	
		
 
                # since we use heavy caching sometimes it happens that we get

			




	
	
	
		
 
                # deleted objects here, we just skip them

			




	
	
	
		
 
                pass

			




	
	
	
		
 
        return _set or set(['0.0.0.0/0', '::/0'])

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def set_available_permissions(config):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    This function will propagate pylons globals with all available defined

			




	
	
	
		
 
    permission given in db. We don't want to check each time from db for new

			




	
	
	
		
 
    permissions since adding a new permission also requires application restart

			




	
	
	
		
 
    ie. to decorate new views with the newly created permission

			




	
	
	
		
 

			




	
	
	
		
 
    :param config: current pylons config instance

			




	
	
	
		
 

			




	
	
	
		
 
    """

			




	
	
	
		
 
    log.info('getting information about all available permissions')

			




	
	
	
		
 
    try:

			




	
	
	
		
 
        sa = meta.Session

			




	
	
	
		
 
        all_perms = sa.query(Permission).all()

			




	
	
	
		
 
        config['available_permissions'] = [x.permission_name for x in all_perms]

			




	
	
	
		
 
    finally:

			




	
	
	
		
 
        meta.Session.remove()

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 
# CHECK DECORATORS

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 

			




	
	
	
		
 
def redirect_to_login(message=None):

			




	
	
	
		
 
    from kallithea.lib import helpers as h

			




	
	
	
		
 
    p = url.current()

			




	
	
	
		
 
    if message:

			




	
	
	
		
 
        h.flash(h.literal(message), category='warning')

			




	
	
	
		
 
    log.debug('Redirecting to login page, origin: %s', p)

			




	
	
	
		
 
    return redirect(url('login_home', came_from=p, **request.GET))

			




	
	
	
		
 

			




	
	
	
		
 
class LoginRequired(object):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Must be logged in to execute this function else

			




	
	
	
		
 
    redirect to login page

			




	
	
	
		
 

			




	
	
	
		
 
    :param api_access: if enabled this checks only for valid auth token

			




	
	
	
		
 
        and grants access based on valid token

			




	
	
	
		
 
    """

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, api_access=False):

			




	
	
	
		
 
        self.api_access = api_access

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, func):

			




	
	
	
		
 
        return decorator(self.__wrapper, func)

			




	
	
	
		
 

			




	
	
	
		
 
    def __wrapper(self, func, *fargs, **fkwargs):

			




	
	
	
		
 
        controller = fargs[0]

			




	
	
	
		
 
        user = controller.authuser

			




	
	
	
		
 
        loc = "%s:%s" % (controller.__class__.__name__, func.__name__)

			




	
	
	
		
 
        log.debug('Checking access for user %s @ %s', user, loc)

			




	
	
	
		
 

			




	
	
	
		
 
        if not AuthUser.check_ip_allowed(user, controller.ip_addr):

			




	
	
	
		
 
            return redirect_to_login(_('IP %s not allowed') % controller.ip_addr)

			




	
	
	
		
 

			




	
	
	
		
 
        # check if we used an API key and it's a valid one

			




	
	
	
		
 
        api_key = request.GET.get('api_key')

			




	
	
	
		
 
        if api_key is not None:

			




	
	
	
		
 
            # explicit controller is enabled or API is in our whitelist

			




	
	
	
		
 
            if self.api_access or allowed_api_access(loc, api_key=api_key):

			




	
	
	
		
 
                if api_key in user.api_keys:

			




	
	
	
		
 
                    log.info('user %s authenticated with API key ****%s @ %s',

			




	
	
	
		
 
                             user, api_key[-4:], loc)

			




	
	
	
		
 
                    return func(*fargs, **fkwargs)

			




	
	
	
		
 
                else:

			




	
	
	
		
 
                    log.warning('API key ****%s is NOT valid', api_key[-4:])

			




	
	
	
		
 
                    return redirect_to_login(_('Invalid API key'))

			




	
	
	
		
 
            else:

			




	
	
	
		
 
                # controller does not allow API access

			




	
	
	
		
 
                log.warning('API access to %s is not allowed', loc)

			




	
	
	
		
 
                return abort(403)

			




	
	
	
		
 

			




	
	
	
		
 
        # CSRF protection: Whenever a request has ambient authority (whether

			




	
	
	
		
 
        # through a session cookie or its origin IP address), it must include

			




	
	
	
		
 
        # the correct token, unless the HTTP method is GET or HEAD (and thus

			




	
	
	
		
 
        # guaranteed to be side effect free.

			




	
	
	
		
 
        # Note that the 'is_authenticated' flag is True for anonymous users too,

			




	
	
	
		
 
        # but not when the user is authenticated by API key.

			




	
	
	
		
 
        if user.is_authenticated and request.method not in ['GET', 'HEAD']:

			




	
	
	
		
 
        # guaranteed to be side effect free. In practice, the only situation

			




	
	
	
		
 
        # where we allow side effects without ambient authority is when the

			




	
	
	
		
 
        # authority comes from an API key; and that is handled above.

			




	
	
	
		
 
        if request.method not in ['GET', 'HEAD']:

			




	
	
	
		
 
            token = request.POST.get(secure_form.token_key)

			




	
	
	
		
 
            if not token or token != secure_form.authentication_token():

			




	
	
	
		
 
                log.error('CSRF check failed')

			




	
	
	
		
 
                return abort(403)

			




	
	
	
		
 

			




	
	
	
		
 
        # regular user authentication

			




	
	
	
		
 
        if user.is_authenticated:

			




	
	
	
		
 
            log.info('user %s authenticated with regular auth @ %s', user, loc)

			




	
	
	
		
 
            return func(*fargs, **fkwargs)

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            log.warning('user %s NOT authenticated with regular auth @ %s', user, loc)

			




	
	
	
		
 
            return redirect_to_login()

			




	
	
	
		
 

			




	
	
	
		
 
class NotAnonymous(object):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Must be logged in to execute this function else

			




	
	
	
		
 
    redirect to login page"""

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, func):

			




	
	
	
		
 
        return decorator(self.__wrapper, func)

			




	
	
	
		
 

			




	
	
	
		
 
    def __wrapper(self, func, *fargs, **fkwargs):

			




	
	
	
		
 
        cls = fargs[0]

			




	
	
	
		
 
        self.user = cls.authuser

			




	
	
	
		
 

			




	
	
	
		
 
        log.debug('Checking if user is not anonymous @%s', cls)

			




	
	
	
		
 

			




	
	
	
		
 
        anonymous = self.user.username == User.DEFAULT_USER

			




	
	
	
		
 

			




	
	
	
		
 
        if anonymous:

			




	
	
	
		
 
            return redirect_to_login(_('You need to be a registered user to '

			




	
	
	
		
 
                    'perform this action'))

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            return func(*fargs, **fkwargs)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class PermsDecorator(object):

			




	
	
	
		
 
    """Base class for controller decorators"""

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, *required_perms):

			




	
	
	
		
 
        self.required_perms = set(required_perms)

			




	
	
	
		
 
        self.user_perms = None

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, func):

			




	
	
	
		
 
        return decorator(self.__wrapper, func)

			




	
	
	
		
 

			




	
	
	
		
 
    def __wrapper(self, func, *fargs, **fkwargs):

			




	
	
	
		
 
        cls = fargs[0]

			




	
	
	
		
 
        self.user = cls.authuser

			




	
	
	
		
 
        self.user_perms = self.user.permissions

			




	
	
	
		
 
        log.debug('checking %s permissions %s for %s %s',

			




	
	
	
		
 
          self.__class__.__name__, self.required_perms, cls, self.user)

			




	
	
	
		
 

			




	
	
	
		
 
        if self.check_permissions():

			




	
	
	
		
 
            log.debug('Permission granted for %s %s', cls, self.user)

			




	
	
	
		
 
            return func(*fargs, **fkwargs)

			




	
	
	
		
 

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            log.debug('Permission denied for %s %s', cls, self.user)

			




	
	
	
		
 
            anonymous = self.user.username == User.DEFAULT_USER

			




	
	
	
		
 

			




	
	
	
		
 
            if anonymous:

			




	
	
	
		
 
                return redirect_to_login(_('You need to be signed in to view this page'))

			




	
	
	
		
 
            else:

			




	
	
	
		
 
                # redirect with forbidden ret code

			




	
	
	
		
 
                return abort(403)

			




	
	
	
		
 

			




	
	
	
		
 
    def check_permissions(self):

			




	
	
	
		
 
        """Dummy function for overriding"""

			




	
	
	
		
 
        raise Exception('You have to write this function in child class')

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class HasPermissionAllDecorator(PermsDecorator):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Checks for access permission for all given predicates. All of them

			




	
	
	
		
 
    have to be meet in order to fulfill the request

			




	
	
	
		
 
    """

			




	
	
	
		
 

			




	
	
	
		
 
    def check_permissions(self):

			




	
	
	
		
 
        if self.required_perms.issubset(self.user_perms.get('global')):

			




	
	
	
		
 
            return True

			




	
	
	
		
 
        return False

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class HasPermissionAnyDecorator(PermsDecorator):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Checks for access permission for any of given predicates. In order to

			




	
	
	
		
 
    fulfill the request any of predicates must be meet

			




	
	
	
		
 
    """

			




	
	
	
		
 

			




	
	
	
		
 
    def check_permissions(self):

			




	
	
	
		
 
        if self.required_perms.intersection(self.user_perms.get('global')):

			




	
	
	
		
 
            return True

			




	
	
	
		
 
        return False

			




	
	
	
		
 

			




	
	
	
		
 

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.