kallithea Changeset - 81d8affd08f4

Changeset - 81d8affd08f4

Parent rev.

Child rev.

[Not reviewed]

default

0 3 0

Søren Løvborg - 10 years ago 2015-07-26 13:58:50
kwi@kwi.dk

auth: remove username from AuthUser session cookie

There's no reason to store the username when we store the user ID. We
have load the user from database anyway under all circumstances, to
verify e.g. that the user is (still) active.

This does not impact application code, but does impact a number of test
cases which explicitly checks the username stored in the session.

3 files changed with 14 insertions and 9 deletions:

kallithea/lib/auth.py

kallithea/tests/__init__.py

kallithea/tests/functional/test_login.py

0 comments (0 inline, 0 general)

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -605,49 +605,48 @@ class AuthUser(object): @@
         user (an `AuthUser` or `db.User`).
         """
         allowed_ips = AuthUser.get_allowed_ips(user.user_id, cache=True,
             inherit_from_default=user.inherit_default_permissions)
         if check_ip_access(source_ip=ip_addr, allowed_ips=allowed_ips):
             log.debug('IP:%s is in range of %s' % (ip_addr, allowed_ips))
             return True
         else:
             log.info('Access for IP:%s forbidden, '
                      'not in %s' % (ip_addr, allowed_ips))
             return False
     def __repr__(self):
         return "<AuthUser('id:%s[%s] auth:%s')>"\
             % (self.user_id, self.username, self.is_authenticated)
     def set_authenticated(self, authenticated=True):
         if self.user_id != self.anonymous_user.user_id:
             self.is_authenticated = authenticated
     def to_cookie(self):
         """ Serializes this login session to a cookie `dict`. """
         return {
             'user_id': self.user_id,
             'username': self.username,
             'is_authenticated': self.is_authenticated,
             'is_external_auth': self.is_external_auth,
+        }
     @staticmethod
     def from_cookie(cookie):
         """
         Deserializes an `AuthUser` from a cookie `dict`.
         """
         au = AuthUser(
             user_id=cookie.get('user_id'),
             is_external_auth=cookie.get('is_external_auth', False),
+        )
         if not au.is_authenticated and au.user_id is not None:
             # user is not authenticated and not empty
             au.set_authenticated(cookie.get('is_authenticated'))
         return au
     @classmethod
     def get_allowed_ips(cls, user_id, cache=False, inherit_from_default=False):
         _set = set()
         if inherit_from_default:

kallithea/tests/__init__.py

➞

Show inline comments

@@ @@ -192,49 +192,55 @@ class BaseTestCase(unittest.TestCase): @@
         UserNotification.query().delete()
         Session().commit()
 class TestController(BaseTestCase):
     def __init__(self, *args, **kwargs):
         BaseTestCase.__init__(self, *args, **kwargs)
         self.app = TestApp(self.wsgiapp)
         self.maxDiff = None
         self.index_location = config['app_conf']['index_dir']
     def log_user(self, username=TEST_USER_ADMIN_LOGIN,
                  password=TEST_USER_ADMIN_PASS):
         self._logged_username = username
         response = self.app.post(url(controller='login', action='index'),
                                  {'username': username,
                                   'password': password})
         if 'invalid user name' in response.body:
             self.fail('could not login using %s %s' % (username, password))
         self.assertEqual(response.status, '302 Found')
         ses = response.session['authuser']
         self.assertEqual(ses.get('username'), username)
         self.assert_authenticated_user(response, username)
         response = response.follow()
         self.assertEqual(ses.get('is_authenticated'), True)
         return response.session['authuser']
     def _get_logged_user(self):
         return User.get_by_username(self._logged_username)
     def assert_authenticated_user(self, response, expected_username):
         cookie = response.session.get('authuser')
         user = cookie and cookie.get('user_id')
         user = user and User.get(user)
         user = user and user.username
         self.assertEqual(user, expected_username)
         self.assertEqual(cookie.get('is_authenticated'), True)
     def authentication_token(self):
         return self.app.get(url('authentication_token')).body
     def checkSessionFlash(self, response, msg, skip=0):
         if 'flash' not in response.session:
             self.fail(safe_str(u'msg `%s` not found - session has no flash ' % msg))
         try:
             level, m = response.session['flash'][-1 - skip]
             if msg in m:
                 return
         except IndexError:
             pass
         self.fail(safe_str(u'msg `%s` not found in session flash (skipping %s): %s' %
                            (msg, skip,
                             ', '.join('`%s`' % m for level, m in response.session['flash']))))

kallithea/tests/functional/test_login.py

➞

Show inline comments

@@ @@ -10,61 +10,61 @@ from kallithea.lib.auth import check_pas @@
 from kallithea.lib import helpers as h
 from kallithea.model.api_key import ApiKeyModel
 from kallithea.model import validators
 from kallithea.model.db import User, Notification
 from kallithea.model.meta import Session
 fixture = Fixture()
 class TestLoginController(TestController):
     def setUp(self):
         self.remove_all_notifications()
         self.assertEqual(Notification.query().all(), [])
     def test_index(self):
         response = self.app.get(url(controller='login', action='index'))
         self.assertEqual(response.status, '200 OK')
         # Test response...
     def test_login_admin_ok(self):
         response = self.app.post(url(controller='login', action='index'),
                                  {'username': TEST_USER_ADMIN_LOGIN,
                                   'password': TEST_USER_ADMIN_PASS})
         self.assertEqual(response.status, '302 Found')
         self.assertEqual(response.session['authuser'].get('username'),
                          TEST_USER_ADMIN_LOGIN)
         self.assert_authenticated_user(response, TEST_USER_ADMIN_LOGIN)
         response = response.follow()
         response.mustcontain('/%s' % HG_REPO)
     def test_login_regular_ok(self):
         response = self.app.post(url(controller='login', action='index'),
                                  {'username': TEST_USER_REGULAR_LOGIN,
                                   'password': TEST_USER_REGULAR_PASS})
         self.assertEqual(response.status, '302 Found')
         self.assertEqual(response.session['authuser'].get('username'),
                          TEST_USER_REGULAR_LOGIN)
         self.assert_authenticated_user(response, TEST_USER_REGULAR_LOGIN)
         response = response.follow()
         response.mustcontain('/%s' % HG_REPO)
     def test_login_ok_came_from(self):
         test_came_from = '/_admin/users'
         response = self.app.post(url(controller='login', action='index',
                                      came_from=test_came_from),
                                  {'username': TEST_USER_ADMIN_LOGIN,
                                   'password': TEST_USER_ADMIN_PASS})
         self.assertEqual(response.status, '302 Found')
         response = response.follow()
         self.assertEqual(response.status, '200 OK')
         response.mustcontain('Users Administration')
     def test_login_do_not_remember(self):
         response = self.app.post(url(controller='login', action='index'),
                                  {'username': TEST_USER_REGULAR_LOGIN,
                                   'password': TEST_USER_REGULAR_PASS,
                                   'remember': False})
         self.assertIn('Set-Cookie', response.headers)
         for cookie in response.headers.getall('Set-Cookie'):
             self.assertFalse(re.search(r';\s+(Max-Age|Expires)=', cookie, re.IGNORECASE),

0 comments (0 inline, 0 general)