Changeset - 3598e2a4e051
default
Søren Løvborg - 10 years ago 2015-09-03 17:08:19
sorenl@unity3d.com
auth: remove redundant is_authenticated check

It turns out the user.is_authenticated check is redundant, since it's
True for both anonymous users and logged in users, and API key users
are handled prior to the check.
1 file changed with 4 insertions and 4 deletions:
kallithea/lib/auth.py
 
@@ -763,10 +763,10 @@ class LoginRequired(object):
 
        # CSRF protection: Whenever a request has ambient authority (whether
 
        # through a session cookie or its origin IP address), it must include
 
        # the correct token, unless the HTTP method is GET or HEAD (and thus
 
        # guaranteed to be side effect free.
 
        # Note that the 'is_authenticated' flag is True for anonymous users too,
 
        # but not when the user is authenticated by API key.
 
        if user.is_authenticated and request.method not in ['GET', 'HEAD']:
 
        # guaranteed to be side effect free. In practice, the only situation
 
        # where we allow side effects without ambient authority is when the
 
        # authority comes from an API key; and that is handled above.
 
        if request.method not in ['GET', 'HEAD']:
 
            token = request.POST.get(secure_form.token_key)
 
            if not token or token != secure_form.authentication_token():
 
                log.error('CSRF check failed')
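Review bot: The now-unconditional `if request.method not in ['GET', 'HEAD']:` depends entirely on the API-key path having returned before this point, and the only thing recording that dependency is the comment ending "that is handled above." If that earlier branch is ever reordered or changed to fall through, API-key requests would reach the token check and be rejected, with nothing in this block explaining why. A regression test would enforce the ordering instead of documenting it: one non-GET request authenticated by API key without a token (must pass) and one with a session cookie without a token (must be rejected). Two smaller points: the parenthesis opened at "(and thus" is still not closed in the rewritten comment, and `token != secure_form.authentication_token()` could use `hmac.compare_digest` so the comparison of the secret token does not depend on where the strings first differ.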