kallithea Changeset - 4cad3a52e0ed

Changeset - 4cad3a52e0ed

Parent rev.

Child rev.

[Not reviewed]

default

0 1 0

Thomas De Schampheleire - 11 years ago 2015-03-25 09:11:15
thomas.de.schampheleire@gmail.com

auth: return early in LoginRequired on invalid IP

Simplify the code of the LoginRequired decorator by returning early when an
unacceptable condition is met.

Note: the 'return' of redirect_to_login() is not strictly needed since we
should not return from that function (redirection occurs). Adding it,
however, is a security measure in case redirect_to_login does not do what it
should do.

1 file changed with 17 insertions and 28 deletions:

kallithea/lib/auth.py

0 comments (0 inline, 0 general)

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -716,12 +716,20 @@ def set_available_permissions(config): @@
         meta.Session.remove()
 #==============================================================================
 # CHECK DECORATORS
 #==============================================================================
 def redirect_to_login(message=None):
     from kallithea.lib import helpers as h
     p = url.current()
     h.flash(h.literal(message), category='warning')
     log.debug('Redirecting to login page, origin: %s' % p)
     return redirect(url('login_home', came_from=p))
 class LoginRequired(object):
     """
     Must be logged in to execute this function else
     redirect to login page
     :param api_access: if enabled this checks only for valid auth token
@@ @@ -735,20 +743,17 @@ class LoginRequired(object): @@
         return decorator(self.__wrapper, func)
     def __wrapper(self, func, *fargs, **fkwargs):
         cls = fargs[0]
         user = cls.authuser
         loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
         log.debug('Checking access for user %s @ %s' % (user, loc))
         # check if our IP is allowed
         ip_access_valid = True
         if not user.ip_allowed:
             from kallithea.lib import helpers as h
             h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))),
                     category='warning')
             ip_access_valid = False
             return redirect_to_login(_('IP %s not allowed' % (user.ip_addr)))
         # check if we used an APIKEY and it's a valid one
         # defined whitelist of controllers which API access will be enabled
         _api_key = request.GET.get('api_key', '')
         api_access_valid = allowed_api_access(loc, api_key=_api_key)
@@ @@ -772,27 +777,23 @@ class LoginRequired(object): @@
                 log.error('CSRF check failed')
                 return abort(403)
         log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))
         reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'
-        if ip_access_valid and (user.is_authenticated or api_access_valid):
         if user.is_authenticated or api_access_valid:
             log.info('user %s authenticating with:%s IS authenticated on func %s '
                      % (user, reason, loc)
+            )
             return func(*fargs, **fkwargs)
         else:
             log.warning('user %s authenticating with:%s NOT authenticated on func: %s: '
                      'IP_ACCESS:%s API_ACCESS:%s'
                      % (user, reason, loc, ip_access_valid, api_access_valid)
                      'API_ACCESS:%s'
                      % (user, reason, loc, api_access_valid)
+            )
             p = url.current()
             log.debug('redirecting to login page with %s' % p)
             return redirect(url('login_home', came_from=p))
             return redirect_to_login()
 class NotAnonymous(object):
     """
     Must be logged in to execute this function else
     redirect to login page"""
@@ @@ -805,19 +806,14 @@ class NotAnonymous(object): @@
         log.debug('Checking if user is not anonymous @%s' % cls)
         anonymous = self.user.username == User.DEFAULT_USER
         if anonymous:
             p = url.current()
             import kallithea.lib.helpers as h
             h.flash(_('You need to be a registered user to '
                       'perform this action'),
                     category='warning')
             return redirect(url('login_home', came_from=p))
             return redirect_to_login(_('You need to be a registered user to '
                     'perform this action'))
         else:
             return func(*fargs, **fkwargs)
 class PermsDecorator(object):
     """Base class for controller decorators"""
@@ @@ -842,20 +838,13 @@ class PermsDecorator(object): @@
         else:
             log.debug('Permission denied for %s %s' % (cls, self.user))
             anonymous = self.user.username == User.DEFAULT_USER
             if anonymous:
                 p = url.current()
                 import kallithea.lib.helpers as h
                 h.flash(_('You need to be signed in to '
                           'view this page'),
                         category='warning')
                 return redirect(url('login_home', came_from=p))
                 return redirect_to_login(_('You need to be signed in to view this page'))
             else:
                 # redirect with forbidden ret code
                 return abort(403)
     def check_permissions(self):
         """Dummy function for overriding"""

0 comments (0 inline, 0 general)