Changeset - 5a148717d392
Parent rev.
Child rev.
[Not reviewed]
default
0 1 0
Mads Kiilerich - 10 years ago 2015-11-27 01:47:06
madski@unity3d.com
auth: let login helper function return exception to raise instead of raising it self

Make the execution flow more obvious by raising the exception where it matters.

Avoid redundant and potentially misleading return statement that tried to make
it clear that execution wouldn't continue after the function call.
1 file changed with 12 insertions and 9 deletions:
kallithea/lib/auth.py
12
9
0 comments (0 inline, 0 general)
kallithea/lib/auth.py
Show inline comments
 
@@ -691,69 +691,72 @@ def set_available_permissions(config):
 
    try:
 
        sa = meta.Session
 
        all_perms = sa.query(Permission).all()
 
        config['available_permissions'] = [x.permission_name for x in all_perms]
 
    finally:
 
        meta.Session.remove()
 

			




	
	
	
		
 

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 
# CHECK DECORATORS

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 

			




	
	
	
		
 
def redirect_to_login(message=None):

			




	
	
	
		
 
def _redirect_to_login(message=None):

			




	
	
	
		
 
    """Return an exception that must be raised. It will redirect to the login

			




	
	
	
		
 
    page which will redirect back to the current URL after authentication.

			




	
	
	
		
 
    The optional message will be shown in a flash message."""

			




	
	
	
		
 
    from kallithea.lib import helpers as h

			




	
	
	
		
 
    p = request.path_qs

			




	
	
	
		
 
    if message:

			




	
	
	
		
 
        h.flash(h.literal(message), category='warning')

			




	
	
	
		
 
    p = request.path_qs

			




	
	
	
		
 
    log.debug('Redirecting to login page, origin: %s', p)

			




	
	
	
		
 
    raise HTTPFound(location=url('login_home', came_from=p))

			




	
	
	
		
 
    return HTTPFound(location=url('login_home', came_from=p))

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class LoginRequired(object):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Must be logged in to execute this function else

			




	
	
	
		
 
    redirect to login page

			




	
	
	
		
 

			




	
	
	
		
 
    :param api_access: if enabled this checks only for valid auth token

			




	
	
	
		
 
        and grants access based on valid token

			




	
	
	
		
 
    """

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, api_access=False):

			




	
	
	
		
 
        self.api_access = api_access

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, func):

			




	
	
	
		
 
        return decorator(self.__wrapper, func)

			




	
	
	
		
 

			




	
	
	
		
 
    def __wrapper(self, func, *fargs, **fkwargs):

			




	
	
	
		
 
        controller = fargs[0]

			




	
	
	
		
 
        user = controller.authuser

			




	
	
	
		
 
        loc = "%s:%s" % (controller.__class__.__name__, func.__name__)

			




	
	
	
		
 
        log.debug('Checking access for user %s @ %s', user, loc)

			




	
	
	
		
 

			




	
	
	
		
 
        if not AuthUser.check_ip_allowed(user, controller.ip_addr):

			




	
	
	
		
 
            return redirect_to_login(_('IP %s not allowed') % controller.ip_addr)

			




	
	
	
		
 
            raise _redirect_to_login(_('IP %s not allowed') % controller.ip_addr)

			




	
	
	
		
 

			




	
	
	
		
 
        # check if we used an API key and it's a valid one

			




	
	
	
		
 
        api_key = request.GET.get('api_key')

			




	
	
	
		
 
        if api_key is not None:

			




	
	
	
		
 
            # explicit controller is enabled or API is in our whitelist

			




	
	
	
		
 
            if self.api_access or allowed_api_access(loc, api_key=api_key):

			




	
	
	
		
 
                if api_key in user.api_keys:

			




	
	
	
		
 
                    log.info('user %s authenticated with API key ****%s @ %s',

			




	
	
	
		
 
                             user, api_key[-4:], loc)

			




	
	
	
		
 
                    return func(*fargs, **fkwargs)

			




	
	
	
		
 
                else:

			




	
	
	
		
 
                    log.warning('API key ****%s is NOT valid', api_key[-4:])

			




	
	
	
		
 
                    return redirect_to_login(_('Invalid API key'))

			




	
	
	
		
 
                    raise _redirect_to_login(_('Invalid API key'))

			




	
	
	
		
 
            else:

			




	
	
	
		
 
                # controller does not allow API access

			




	
	
	
		
 
                log.warning('API access to %s is not allowed', loc)

			




	
	
	
		
 
                raise HTTPForbidden()

			




	
	
	
		
 

			




	
	
	
		
 
        # Only allow the following HTTP request methods. (We sometimes use POST

			




	
	
	
		
 
        # requests with a '_method' set to 'PUT' or 'DELETE'; but that is only

			




	
	
	
		
 
        # used for the route lookup, and does not affect request.method.)

			




	
	
	
		
 
        if request.method not in ['GET', 'HEAD', 'POST', 'PUT']:

			




	
	
	
		
 
            raise HTTPMethodNotAllowed()

			




	
	
	
		
 

			




	
	
	
		
 
        # Make sure CSRF token never appears in the URL. If so, invalidate it.

			




	
	
		
 
@@ -781,43 +784,43 @@ class LoginRequired(object):

			




	
	
	
		
 
        # than POST/PUT, but double-check since other Kallithea code relies on

			




	
	
	
		
 
        # this assumption.

			




	
	
	
		
 
        if request.method not in ['POST', 'PUT'] and request.POST:

			




	
	
	
		
 
            log.error('%r request with payload parameters; WebOb should have stopped this', request.method)

			




	
	
	
		
 
            raise HTTPBadRequest()

			




	
	
	
		
 

			




	
	
	
		
 
        # regular user authentication

			




	
	
	
		
 
        if user.is_authenticated or user.is_default_user:

			




	
	
	
		
 
            log.info('user %s authenticated with regular auth @ %s', user, loc)

			




	
	
	
		
 
            return func(*fargs, **fkwargs)

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            log.warning('user %s NOT authenticated with regular auth @ %s', user, loc)

			




	
	
	
		
 
            return redirect_to_login()

			




	
	
	
		
 
            raise _redirect_to_login()

			




	
	
	
		
 

			




	
	
	
		
 
class NotAnonymous(object):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Must be logged in to execute this function else

			




	
	
	
		
 
    redirect to login page"""

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, func):

			




	
	
	
		
 
        return decorator(self.__wrapper, func)

			




	
	
	
		
 

			




	
	
	
		
 
    def __wrapper(self, func, *fargs, **fkwargs):

			




	
	
	
		
 
        cls = fargs[0]

			




	
	
	
		
 
        self.user = cls.authuser

			




	
	
	
		
 

			




	
	
	
		
 
        log.debug('Checking if user is not anonymous @%s', cls)

			




	
	
	
		
 

			




	
	
	
		
 
        if self.user.is_default_user:

			




	
	
	
		
 
            return redirect_to_login(_('You need to be a registered user to '

			




	
	
	
		
 
                    'perform this action'))

			




	
	
	
		
 
            raise _redirect_to_login(_('You need to be a registered user to '

			




	
	
	
		
 
                                       'perform this action'))

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            return func(*fargs, **fkwargs)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class PermsDecorator(object):

			




	
	
	
		
 
    """Base class for controller decorators"""

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, *required_perms):

			




	
	
	
		
 
        self.required_perms = set(required_perms)

			




	
	
	
		
 
        self.user_perms = None

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, func):

			




	
	
		
 
@@ -828,25 +831,25 @@ class PermsDecorator(object):

			




	
	
	
		
 
        self.user = cls.authuser

			




	
	
	
		
 
        self.user_perms = self.user.permissions

			




	
	
	
		
 
        log.debug('checking %s permissions %s for %s %s',

			




	
	
	
		
 
          self.__class__.__name__, self.required_perms, cls, self.user)

			




	
	
	
		
 

			




	
	
	
		
 
        if self.check_permissions():

			




	
	
	
		
 
            log.debug('Permission granted for %s %s', cls, self.user)

			




	
	
	
		
 
            return func(*fargs, **fkwargs)

			




	
	
	
		
 

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            log.debug('Permission denied for %s %s', cls, self.user)

			




	
	
	
		
 
            if self.user.is_default_user:

			




	
	
	
		
 
                return redirect_to_login(_('You need to be signed in to view this page'))

			




	
	
	
		
 
                raise _redirect_to_login(_('You need to be signed in to view this page'))

			




	
	
	
		
 
            else:

			




	
	
	
		
 
                raise HTTPForbidden()

			




	
	
	
		
 

			




	
	
	
		
 
    def check_permissions(self):

			




	
	
	
		
 
        """Dummy function for overriding"""

			




	
	
	
		
 
        raise Exception('You have to write this function in child class')

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class HasPermissionAllDecorator(PermsDecorator):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Checks for access permission for all given predicates. All of them

			




	
	
	
		
 
    have to be meet in order to fulfill the request

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.