Changeset - 7e8d80882865
[Not reviewed]
default
0 1 0
Søren Løvborg - 10 years ago 2015-07-26 13:58:50
kwi@kwi.dk
auth: refactor user lookup in AuthUser constructor for clarity

First, note that `fill_data` checks that the specified `db.User` is
`active` before copying anything, and returns False if not.

Now, previously when calling e.g. `AuthUser(user_id=anonymous_user_id)`,
`_propagate_data` would explicitly refuse to look up the anonymous
user, but then fall back to the anonymous user anyway (if `active`),
or use None values (if not `active`).

Given the same situation, the new code simply looks up the anonymous
user like it would any other user, and copies data using `fill_data`.
If the anonymous user is not `active`, we fall back to the existing
code path and behave as before (that is, use None values).
1 file changed with 14 insertions and 11 deletions:
0 comments (0 inline, 0 general)
kallithea/lib/auth.py
 
@@ -485,70 +485,73 @@ class AuthUser(object):
 
        self.name = ''
 
        self.lastname = ''
 
        self.email = ''
 
        self.is_authenticated = False
 
        self.admin = False
 
        self.inherit_default_permissions = False
 
        self.is_external_auth = is_external_auth
 

	
 
        self._propagate_data()
 

	
 
    @LazyProperty
 
    def permissions(self):
 
        return self.__get_perms(user=self, cache=False)
 

	
 
    @property
 
    def api_keys(self):
 
        return self._get_api_keys()
 

	
 
    def _propagate_data(self):
 
        user_model = UserModel()
 
        self.anonymous_user = User.get_default_user(cache=True)
 
        is_user_loaded = False
 

	
 
        # lookup by userid
 
        if self.user_id is not None and self.user_id != self.anonymous_user.user_id:
 
        if self.user_id is not None:
 
            log.debug('Auth User lookup by USER ID %s' % self.user_id)
 
            is_user_loaded = user_model.fill_data(self, user_model.get(self.user_id))
 

	
 
        # try go get user by API key
 
        elif self._api_key and self._api_key != self.anonymous_user.api_key:
 
        elif self._api_key:
 
            log.debug('Auth User lookup by API key %s' % self._api_key)
 
            is_user_loaded = user_model.fill_data(self, User.get_by_api_key(self._api_key))
 

	
 
        else:
 
            log.debug('No data in %s that could been used to log in' % self)
 

	
 
        # If user cannot be found, try falling back to anonymous.
 
        if not is_user_loaded:
 
            # if we cannot authenticate user try anonymous
 
            if self.anonymous_user.active:
 
                user_model.fill_data(self, self.anonymous_user)
 
                # then we set this user is logged in
 
                self.is_authenticated = True
 
            else:
 
                self.user_id = None
 
                self.username = None
 
                self.is_authenticated = False
 
            is_user_loaded =  user_model.fill_data(self, self.anonymous_user)
 

	
 
        # Still no luck? Give up.
 
        if not is_user_loaded:
 
            self.user_id = None
 
            self.username = None
 
            self.is_authenticated = False
 

	
 
        # The anonymous user is always "logged in".
 
        if self.user_id == self.anonymous_user.user_id:
 
            self.is_authenticated = True
 

	
 
        if not self.username:
 
            self.username = 'None'
 

	
 
        log.debug('Auth User is now %s' % self)
 

	
 
    def __get_perms(self, user, explicit=True, algo='higherwin', cache=False):
 
        """
 
        Fills user permission attribute with permissions taken from database
 
        works for permissions given for repositories, and for permissions that
 
        are granted to groups
 

	
 
        :param user: `AuthUser` instance
 
        :param explicit: In case there are permissions both for user and a group
 
            that user is part of, explicit flag will define if user will
 
            explicitly override permissions from group, if it's False it will
 
            make decision based on the algo
 
        :param algo: algorithm to decide what permission should be choose if
 
            it's multiple defined, eg user in two different groups. It also
 
            decides if explicit flag is turned off how to specify the permission
 
            for case when user is in a group + have defined separate permission
 
        """
 
        user_id = user.user_id
 
        user_is_admin = user.is_admin
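Review bot: The fallback at `if not is_user_loaded:` followed by `is_user_loaded =  user_model.fill_data(self, self.anonymous_user)` now runs silently whenever a supplied user_id or API key resolves to an inactive account (or, presumably, to no account at all), so a request carrying a disabled user's credentials ends up as the authenticated anonymous user with no record of the downgrade; a line such as `log.debug('Could not load user %s, falling back to anonymous' % self.user_id)` just before the fallback would keep that event visible to operators. The same assignment has a stray double space after `=`. The retained `log.debug('Auth User lookup by API key %s' % self._api_key)` a few lines earlier writes the full API key into the debug log; logging only the fact of an API-key lookup, or a short prefix, would avoid leaving credentials in log files. `_propagate_data` lies entirely within the hunk, while `__get_perms` at the end continues past it.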
0 comments (0 inline, 0 general)