Changeset - 7977ca209b1d
Parent rev.
Child rev.
[Not reviewed]
default
0 2 0
Mads Kiilerich - 7 years ago 2019-04-08 00:11:20
mads@kiilerich.com
auth: make User.get_by_api_key more strict about only returning active non-default users

Thus drop some extra checks against default user.
2 files changed with 7 insertions and 5 deletions:
kallithea/lib/base.py
5
5
kallithea/model/db.py
2
0 comments (0 inline, 0 general)
kallithea/lib/base.py
Show inline comments
 
@@ -390,17 +390,17 @@ class BaseController(TGController):
 
        if bearer_token is not None:
 
            api_key = bearer_token
 

			




	
	
	
		
 
        # Authenticate by API key

			




	
	
	
		
 
        if api_key is not None:

			




	
	
	
		
 
            dbuser = User.get_by_api_key(api_key)

			




	
	
	
		
 
            au = AuthUser.make(dbuser=dbuser, authenticating_api_key=api_key, is_external_auth=True, ip_addr=ip_addr)

			




	
	
	
		
 
            if au is None or au.is_anonymous:

			




	
	
	
		
 
                log.warning('API key ****%s is NOT valid', api_key[-4:])

			




	
	
	
		
 
                raise webob.exc.HTTPForbidden(_('Invalid API key'))

			




	
	
	
		
 
            return au

			




	
	
	
		
 
            if dbuser is None:

			




	
	
	
		
 
                log.info('No db user found for authentication with API key ****%s from %s',

			




	
	
	
		
 
                         api_key[-4:], ip_addr)

			




	
	
	
		
 
                return None

			




	
	
	
		
 
            return AuthUser.make(dbuser=dbuser, authenticating_api_key=api_key, is_external_auth=True, ip_addr=ip_addr)

			




	
	
	
		
 

			




	
	
	
		
 
        # Authenticate by session cookie

			




	
	
	
		
 
        # In ancient login sessions, 'authuser' may not be a dict.

			




	
	
	
		
 
        # In that case, the user will have to log in again.

			




	
	
	
		
 
        # v0.3 and earlier included an 'is_authenticated' key; if present,

			




	
	
	
		
 
        # this must be True.

			




        

    


    
    

    

        

                

                    kallithea/model/db.py
                

                

                  
                      
                        

                      

                      
                        
                  

                  
                      
                  
                      
                  
                      
                  
                      
                  
                  
                

                

                    Show inline comments
                    
                

        

        

            



	
	
		
 
@@ -595,12 +595,14 @@ class User(Base, BaseDbModel):

			




	
	
	
		
 

			




	
	
	
		
 
        if fallback and not res:

			




	
	
	
		
 
            # fallback to additional keys

			




	
	
	
		
 
            _res = UserApiKeys.query().filter_by(api_key=api_key, is_expired=False).first()

			




	
	
	
		
 
            if _res:

			




	
	
	
		
 
                res = _res.user

			




	
	
	
		
 
        if res is None or not res.active or res.is_default_user:

			




	
	
	
		
 
            return None

			




	
	
	
		
 
        return res

			




	
	
	
		
 

			




	
	
	
		
 
    @classmethod

			




	
	
	
		
 
    def get_by_email(cls, email, cache=False):

			




	
	
	
		
 
        q = cls.query().filter(func.lower(cls.email) == func.lower(email))

			




	
	
	
		
 

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.