kallithea Changeset - 41e70d120a5e

Changeset - 41e70d120a5e

Parent rev.

Child rev.

[Not reviewed]

default

0 2 0

Mads Kiilerich - 9 years ago 2016-09-12 17:41:19
madski@unity3d.com

api: set authuser in the thread global request instace - and temporarily verify that it matches what is passed explicitly to auth methods

This makes it more like what middleware / controllers do for "normal" HTTP requests.

2 files changed with 14 insertions and 15 deletions:

kallithea/controllers/api/__init__.py

kallithea/lib/auth.py

0 comments (0 inline, 0 general)

kallithea/controllers/api/__init__.py

➞

Show inline comments

@@ @@ -31,12 +31,13 @@ import types @@
 import traceback
 import time
 import itertools
 from paste.response import replace_header
 from pylons.controllers import WSGIController
 from pylons import request
 from webob.exc import HTTPError
 from kallithea.model.db import User
 from kallithea.model import meta
 from kallithea.lib.compat import json
@@ @@ -187,13 +188,13 @@ class JSONRPCController(WSGIController): @@
         func_kwargs = dict(itertools.izip_longest(reversed(arglist), reversed(defaults),
                                                   fillvalue=default_empty))
         # this is little trick to inject logged in user for
         # perms decorators to work they expect the controller class to have
         # authuser attribute set
         self.authuser = auth_u
+        self.authuser = request.user = auth_u
         # This attribute will need to be first param of a method that uses
         # api_key, which is translated to instance of user at that name
         USER_SESSION_ATTR = 'apiuser'
         if USER_SESSION_ATTR not in arglist:

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -937,28 +937,24 @@ class PermsFunction(object): @@
             and instead evaluating it directly in a boolean context,
             which could have security implications.
         """
         raise AssertionError(self.__class__.__name__ + ' is not a bool and must be called!')
     def __call__(self, check_location='unspecified location', user=None):
         if not user:
             #TODO: remove this someday,put as user as attribute here
             user = request.user
         if user:
             assert user.user_id == request.user.user_id, (user, request.user)
         # init auth user if not already given
         if not isinstance(user, AuthUser):
             user = AuthUser(user.user_id)
         user = request.user
         assert user
         assert isinstance(user, AuthUser), user
         cls_name = self.__class__.__name__
         check_scope = self._scope()
         log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name,
                   self.required_perms, user, check_scope,
                   check_location)
         if not user:
             log.debug('Empty request user')
             return False
         self.user_perms = user.permissions
         result = self.check_permissions()
         result_text = 'granted' if result else 'denied'
         log.debug('Permission to %s %s for user: %s @ %s',
             check_scope, result_text, user, check_location)
@@ @@ -1078,29 +1074,31 @@ class HasPermissionAnyMiddleware(object) @@
 class _BaseApiPerm(object):
     def __init__(self, *perms):
         self.required_perms = set(perms)
     def __call__(self, check_location=None, user=None, repo_name=None,
                  group_name=None):
         assert user
         assert user.user_id == request.user.user_id, (user, request.user)
         user = request.user
         assert user
         assert isinstance(user, AuthUser), user
         cls_name = self.__class__.__name__
         check_scope = 'user:%s' % (user)
         if repo_name:
             check_scope += ', repo:%s' % (repo_name)
         if group_name:
             check_scope += ', repo group:%s' % (group_name)
         log.debug('checking cls:%s %s %s @ %s',
                   cls_name, self.required_perms, check_scope, check_location)
         if not user:
             log.debug('Empty User passed into arguments')
             return False
         ## process user
         if not isinstance(user, AuthUser):
             user = AuthUser(user.user_id)
         if not check_location:
             check_location = 'unspecified'
         if self.check_permissions(user.permissions, repo_name, group_name):
             log.debug('Permission to %s granted for user: %s @ %s',
                       check_scope, user, check_location)
             return True

0 comments (0 inline, 0 general)