kallithea Changeset - 9f976d75b04c

Changeset - 9f976d75b04c

Parent rev.

Child rev.

[Not reviewed]

default

0 10 0

Mads Kiilerich - 8 years ago 2018-02-06 00:32:48
mads@kiilerich.com

auth: restore anonymous repository access

Dominik Ruf found that aa25ef34ebab introduced a regression in anonymous access
to repositories ... if that is enabled.

The refactoring was too strict when it missed that not all repo permission
checks require a logged in user. Read access can be granted to the default user
... but not write or admin.

Instead of the commands used in aa25ef34ebab, the following commands are used
to consistently also allow the default user in all decorators where we only need
repo read access:

# Introduce explicit allow_default_user=True - that was the default before aa25ef34ebab
sed -i 's/@LoginRequired()/@LoginRequired(allow_default_user=True)/g' `hg mani`
sed -i 's/@LoginRequired(\(..*\))/@LoginRequired(\1, allow_default_user=True)/g' `hg mani`
# The primary case: Replace @NotAnonymous with removal of allow_default_user=True
perl -0pi -e 's/\@LoginRequired\((?:(.*), )?allow_default_user=True\)\n\s*\@NotAnonymous\(\)/\@LoginRequired(\1)/g' `hg mani`
# If there is a global permission check, no anonymous is ever allowed
perl -0pi -e 's/\@LoginRequired\(allow_default_user=True\)(\n\s*\@HasPermission)/\@LoginRequired()\1/g' `hg mani`
# Repo access for write or admin also assume no default user
perl -0pi -e 's/\@LoginRequired\(allow_default_user=True\)(\n\s*\@HasRepoPermissionLevelDecorator\('"'(write|admin)'"'\))/\@LoginRequired()\1/g' `hg mani`

10 files changed with 28 insertions and 28 deletions:

kallithea/controllers/changelog.py

kallithea/controllers/changeset.py

kallithea/controllers/compare.py

kallithea/controllers/feed.py

kallithea/controllers/files.py

kallithea/controllers/followers.py

kallithea/controllers/forks.py

kallithea/controllers/home.py

kallithea/controllers/pullrequests.py

kallithea/controllers/summary.py

0 comments (0 inline, 0 general)

kallithea/controllers/changelog.py

➞

Show inline comments

@@ @@ -71,7 +71,7 @@ class ChangelogController(BaseRepoContro @@
             h.flash(safe_str(e), category='error')
         raise HTTPBadRequest()
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def index(self, repo_name, revision=None, f_path=None):
         limit = 2000
@@ @@ -149,7 +149,7 @@ class ChangelogController(BaseRepoContro @@
         c.first_revision = c.cs_pagination[0] # pagination is never empty here!
         return render('changelog/changelog.html')
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def changelog_details(self, cs):
         if request.environ.get('HTTP_X_PARTIAL_XHR'):

kallithea/controllers/changeset.py

➞

Show inline comments

@@ @@ -326,22 +326,22 @@ class ChangesetController(BaseRepoContro @@
                 c.jsdata = graph_data(c.db_repo_scm_instance, revs)
                 return render('changeset/changeset_range.html')
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def index(self, revision, method='show'):
         return self._index(revision, method=method)
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def changeset_raw(self, revision):
         return self._index(revision, method='raw')
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def changeset_patch(self, revision):
         return self._index(revision, method='patch')
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def changeset_download(self, revision):
         return self._index(revision, method='download')
@@ @@ -412,7 +412,7 @@ class ChangesetController(BaseRepoContro @@
         else:
             raise HTTPForbidden()
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     @jsonify
     def changeset_info(self, repo_name, revision):
@@ @@ -424,7 +424,7 @@ class ChangesetController(BaseRepoContro @@
         else:
             raise HTTPBadRequest()
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     @jsonify
     def changeset_children(self, repo_name, revision):
@@ @@ -437,7 +437,7 @@ class ChangesetController(BaseRepoContro @@
         else:
             raise HTTPBadRequest()
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     @jsonify
     def changeset_parents(self, repo_name, revision):

kallithea/controllers/compare.py

➞

Show inline comments

@@ @@ -165,14 +165,14 @@ class CompareController(BaseRepoControll @@
         return other_changesets, org_changesets, ancestors
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def index(self, repo_name):
         c.compare_home = True
         c.a_ref_name = c.cs_ref_name = None
         return render('compare/compare_diff.html')
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def compare(self, repo_name, org_ref_type, org_ref_name, other_ref_type, other_ref_name):
         org_ref_name = org_ref_name.strip()

kallithea/controllers/feed.py

➞

Show inline comments

@@ @@ -51,7 +51,7 @@ ttl = "5" @@
 class FeedController(BaseRepoController):
     @LoginRequired(api_access=True)
+    @LoginRequired(api_access=True, allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def _before(self, *args, **kwargs):
         super(FeedController, self)._before(*args, **kwargs)

kallithea/controllers/files.py

➞

Show inline comments

@@ @@ -123,7 +123,7 @@ class FilesController(BaseRepoController @@
         return file_node
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def index(self, repo_name, revision, f_path, annotate=False):
         # redirect to given revision from form if given
@@ @@ -198,7 +198,7 @@ class FilesController(BaseRepoController @@
         return render('files/files.html')
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     @jsonify
     def history(self, repo_name, revision, f_path):
@@ @@ -220,7 +220,7 @@ class FilesController(BaseRepoController @@
+            }
             return data
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def authors(self, repo_name, revision, f_path):
         changeset = self.__get_cs(revision)
@@ @@ -232,7 +232,7 @@ class FilesController(BaseRepoController @@
                 c.authors.append((h.email(a), h.person(a)))
             return render('files/files_history_box.html')
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def rawfile(self, repo_name, revision, f_path):
         cs = self.__get_cs(revision)
@@ @@ -244,7 +244,7 @@ class FilesController(BaseRepoController @@
         response.content_type = file_node.mimetype
         return file_node.content
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def raw(self, repo_name, revision, f_path):
         cs = self.__get_cs(revision)
@@ @@ -497,7 +497,7 @@ class FilesController(BaseRepoController @@
         return render('files/files_add.html')
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def archivefile(self, repo_name, fname):
         fileformat = None
@@ @@ -583,7 +583,7 @@ class FilesController(BaseRepoController @@
         response.content_type = str(content_type)
         return get_chunked_archive(archive_path)
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def diff(self, repo_name, f_path):
         ignore_whitespace = request.GET.get('ignorews') == '1'
@@ @@ -684,7 +684,7 @@ class FilesController(BaseRepoController @@
             return render('files/file_diff.html')
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def diff_2way(self, repo_name, f_path):
         diff1 = request.GET.get('diff1', '')
@@ @@ -771,7 +771,7 @@ class FilesController(BaseRepoController @@
         return hist_l, changesets
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     @jsonify
     def nodelist(self, repo_name, revision, f_path):

kallithea/controllers/followers.py

➞

Show inline comments

@@ @@ -40,7 +40,7 @@ log = logging.getLogger(__name__) @@
 class FollowersController(BaseRepoController):
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def followers(self, repo_name):
         p = safe_int(request.GET.get('page'), 1)

kallithea/controllers/forks.py

➞

Show inline comments

@@ @@ -105,7 +105,7 @@ class ForksController(BaseRepoController @@
         return defaults
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def forks(self, repo_name):
         p = safe_int(request.GET.get('page'), 1)

kallithea/controllers/home.py

➞

Show inline comments

@@ @@ -109,7 +109,7 @@ class HomeController(BaseController): @@
         else:
             raise HTTPBadRequest()
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     @jsonify
     def repo_refs_data(self, repo_name):

kallithea/controllers/pullrequests.py

➞

Show inline comments

@@ @@ -198,7 +198,7 @@ class PullrequestsController(BaseRepoCon @@
         return request.authuser.admin or owner or reviewer
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def show_all(self, repo_name):
         c.from_ = request.GET.get('from_') or ''
@@ @@ -447,7 +447,7 @@ class PullrequestsController(BaseRepoCon @@
             raise HTTPFound(location=url('my_pullrequests'))
         raise HTTPForbidden()
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def show(self, repo_name, pull_request_id, extra=None):
         repo_model = RepoModel()

kallithea/controllers/summary.py

➞

Show inline comments

@@ @@ -102,7 +102,7 @@ class SummaryController(BaseRepoControll @@
             region_invalidate(_get_readme_from_cache, None, '_get_readme_from_cache', repo_name, kind)
         return _get_readme_from_cache(repo_name, kind)
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def index(self, repo_name):
         p = safe_int(request.GET.get('page'), 1)
@@ @@ -169,7 +169,7 @@ class SummaryController(BaseRepoControll @@
         else:
             raise HTTPBadRequest()
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @HasRepoPermissionLevelDecorator('read')
     def statistics(self, repo_name):
         if c.db_repo.enable_statistics:

0 comments (0 inline, 0 general)