Changeset - 7e8d80882865
Parent rev.
Child rev.
[Not reviewed]
default
0 1 0
Søren Løvborg - 10 years ago 2015-07-26 13:58:50
kwi@kwi.dk
auth: refactor user lookup in AuthUser constructor for clarity

First, note that `fill_data` checks that the specified `db.User` is
`active` before copying anything, and returns False if not.

Now, previously when calling e.g. `AuthUser(user_id=anonymous_user_id)`,
`_propagate_data` would explicitly refuse to look up the anonymous
user, but then fall back to the anonymous user anyway (if `active`),
or use None values (if not `active`).

Given the same situation, the new code simply looks up the anonymous
user like it would any other user, and copies data using `fill_data`.
If the anonymous user is not `active`, we fall back to the existing
code path and behave as before (that is, use None values).
1 file changed with 14 insertions and 11 deletions:
kallithea/lib/auth.py
14
11
0 comments (0 inline, 0 general)
kallithea/lib/auth.py
Show inline comments
 
@@ -461,118 +461,121 @@ class AuthUser(object):
 
    parts of the code, e.g. user management.
 

			




	
	
	
		
 
    Constructed from user ID, API key or cookie dict, it looks

			




	
	
	
		
 
    up the matching database `User` and copies all attributes to itself,

			




	
	
	
		
 
    adding various non-persistent data. If lookup fails but anonymous

			




	
	
	
		
 
    access to Kallithea is enabled, the default user is loaded instead.

			




	
	
	
		
 

			




	
	
	
		
 
    `AuthUser` does not by itself authenticate users and the constructor

			




	
	
	
		
 
    sets the `is_authenticated` field to False, except when falling back

			




	
	
	
		
 
    to the default anonymous user (if enabled). It's up to other parts

			




	
	
	
		
 
    of the code to check e.g. if a supplied password is correct, and if

			




	
	
	
		
 
    so, set `is_authenticated` to True.

			




	
	
	
		
 

			




	
	
	
		
 
    However, `AuthUser` does refuse to load a user that is not `active`.

			




	
	
	
		
 
    """

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, user_id=None, api_key=None,

			




	
	
	
		
 
            is_external_auth=False):

			




	
	
	
		
 

			




	
	
	
		
 
        self.user_id = user_id

			




	
	
	
		
 
        self._api_key = api_key # API key passed as parameter

			




	
	
	
		
 

			




	
	
	
		
 
        self.api_key = None # API key set by user_model.fill_data

			




	
	
	
		
 
        self.username = None

			




	
	
	
		
 
        self.name = ''

			




	
	
	
		
 
        self.lastname = ''

			




	
	
	
		
 
        self.email = ''

			




	
	
	
		
 
        self.is_authenticated = False

			




	
	
	
		
 
        self.admin = False

			




	
	
	
		
 
        self.inherit_default_permissions = False

			




	
	
	
		
 
        self.is_external_auth = is_external_auth

			




	
	
	
		
 

			




	
	
	
		
 
        self._propagate_data()

			




	
	
	
		
 

			




	
	
	
		
 
    @LazyProperty

			




	
	
	
		
 
    def permissions(self):

			




	
	
	
		
 
        return self.__get_perms(user=self, cache=False)

			




	
	
	
		
 

			




	
	
	
		
 
    @property

			




	
	
	
		
 
    def api_keys(self):

			




	
	
	
		
 
        return self._get_api_keys()

			




	
	
	
		
 

			




	
	
	
		
 
    def _propagate_data(self):

			




	
	
	
		
 
        user_model = UserModel()

			




	
	
	
		
 
        self.anonymous_user = User.get_default_user(cache=True)

			




	
	
	
		
 
        is_user_loaded = False

			




	
	
	
		
 

			




	
	
	
		
 
        # lookup by userid

			




	
	
	
		
 
        if self.user_id is not None and self.user_id != self.anonymous_user.user_id:

			




	
	
	
		
 
        if self.user_id is not None:

			




	
	
	
		
 
            log.debug('Auth User lookup by USER ID %s' % self.user_id)

			




	
	
	
		
 
            is_user_loaded = user_model.fill_data(self, user_model.get(self.user_id))

			




	
	
	
		
 

			




	
	
	
		
 
        # try go get user by API key

			




	
	
	
		
 
        elif self._api_key and self._api_key != self.anonymous_user.api_key:

			




	
	
	
		
 
        elif self._api_key:

			




	
	
	
		
 
            log.debug('Auth User lookup by API key %s' % self._api_key)

			




	
	
	
		
 
            is_user_loaded = user_model.fill_data(self, User.get_by_api_key(self._api_key))

			




	
	
	
		
 

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            log.debug('No data in %s that could been used to log in' % self)

			




	
	
	
		
 

			




	
	
	
		
 
        # If user cannot be found, try falling back to anonymous.

			




	
	
	
		
 
        if not is_user_loaded:

			




	
	
	
		
 
            # if we cannot authenticate user try anonymous

			




	
	
	
		
 
            if self.anonymous_user.active:

			




	
	
	
		
 
                user_model.fill_data(self, self.anonymous_user)

			




	
	
	
		
 
                # then we set this user is logged in

			




	
	
	
		
 
                self.is_authenticated = True

			




	
	
	
		
 
            else:

			




	
	
	
		
 
                self.user_id = None

			




	
	
	
		
 
                self.username = None

			




	
	
	
		
 
                self.is_authenticated = False

			




	
	
	
		
 
            is_user_loaded =  user_model.fill_data(self, self.anonymous_user)

			




	
	
	
		
 

			




	
	
	
		
 
        # Still no luck? Give up.

			




	
	
	
		
 
        if not is_user_loaded:

			




	
	
	
		
 
            self.user_id = None

			




	
	
	
		
 
            self.username = None

			




	
	
	
		
 
            self.is_authenticated = False

			




	
	
	
		
 

			




	
	
	
		
 
        # The anonymous user is always "logged in".

			




	
	
	
		
 
        if self.user_id == self.anonymous_user.user_id:

			




	
	
	
		
 
            self.is_authenticated = True

			




	
	
	
		
 

			




	
	
	
		
 
        if not self.username:

			




	
	
	
		
 
            self.username = 'None'

			




	
	
	
		
 

			




	
	
	
		
 
        log.debug('Auth User is now %s' % self)

			




	
	
	
		
 

			




	
	
	
		
 
    def __get_perms(self, user, explicit=True, algo='higherwin', cache=False):

			




	
	
	
		
 
        """

			




	
	
	
		
 
        Fills user permission attribute with permissions taken from database

			




	
	
	
		
 
        works for permissions given for repositories, and for permissions that

			




	
	
	
		
 
        are granted to groups

			




	
	
	
		
 

			




	
	
	
		
 
        :param user: `AuthUser` instance

			




	
	
	
		
 
        :param explicit: In case there are permissions both for user and a group

			




	
	
	
		
 
            that user is part of, explicit flag will define if user will

			




	
	
	
		
 
            explicitly override permissions from group, if it's False it will

			




	
	
	
		
 
            make decision based on the algo

			




	
	
	
		
 
        :param algo: algorithm to decide what permission should be choose if

			




	
	
	
		
 
            it's multiple defined, eg user in two different groups. It also

			




	
	
	
		
 
            decides if explicit flag is turned off how to specify the permission

			




	
	
	
		
 
            for case when user is in a group + have defined separate permission

			




	
	
	
		
 
        """

			




	
	
	
		
 
        user_id = user.user_id

			




	
	
	
		
 
        user_is_admin = user.is_admin

			




	
	
	
		
 
        user_inherit_default_permissions = user.inherit_default_permissions

			




	
	
	
		
 

			




	
	
	
		
 
        log.debug('Getting PERMISSION tree')

			




	
	
	
		
 
        compute = conditional_cache('short_term', 'cache_desc',

			




	
	
	
		
 
                                    condition=cache, func=_cached_perms_data)

			




	
	
	
		
 
        return compute(user_id, user_is_admin,

			




	
	
	
		
 
                       user_inherit_default_permissions, explicit, algo)

			




	
	
	
		
 

			




	
	
	
		
 
    def _get_api_keys(self):

			




	
	
	
		
 
        api_keys = [self.api_key]

			




	
	
	
		
 
        for api_key in UserApiKeys.query()\

			




	
	
	
		
 
                .filter(UserApiKeys.user_id == self.user_id)\

			




	
	
	
		
 
                .filter(or_(UserApiKeys.expires == -1,

			




	
	
	
		
 
                            UserApiKeys.expires >= time.time())).all():

			




	
	
	
		
 
            api_keys.append(api_key.api_key)

			




	
	
	
		
 

			




	
	
	
		
 
        return api_keys

			




	
	
	
		
 

			




	
	
	
		
 
    @property

			




	
	
	
		
 
    def is_admin(self):

			




	
	
	
		
 
        return self.admin

			




	
	
	
		
 

			




	
	
	
		
 
    @property

			




	
	
	
		
 
    def repositories_admin(self):

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.