kallithea Changeset - aa25ef34ebab

Changeset - aa25ef34ebab

Parent rev.

Child rev.

[Not reviewed]

default

0 16 0

Mads Kiilerich - 8 years ago 2018-01-21 02:49:15
mads@kiilerich.com

auth: refactor to introduce @LoginRequired(allow_default_user=True) and deprecate @NotAnonymous()

It was error prone that @LoginRequired defaulted to allow anonymous users (if
'default' user is enabled). See also 245b4e3abf39.

Refactor code to make it more explicit and safe by default: Deprecate
@NotAnonymous by making it the default of @LoginRequired. That will make it
safe by default.

To preserve same functionality, set allow_default_user=True in all the cases
where @LoginRequired was *not* followed by @NotAnonymous or other permission
checks - that was done with some script hacks:
sed -i 's/@LoginRequired(\(..*\))/@LoginRequired(\1, allow_default_user=True)/g' `hg mani`
sed -i 's/@LoginRequired()/@LoginRequired(allow_default_user=True)/g' `hg mani`
perl -0pi -e 's/\@LoginRequired\(allow_default_user=True\)\n\s*\@NotAnonymous\(\)/\@LoginRequired()/g' `hg mani`
perl -0pi -e 's/\@LoginRequired\(allow_default_user=True\)(\n\s*\@Has(Repo)?Permission)/\@LoginRequired()\1/g' `hg mani`

It has been reviewed that all uses of allow_default_user=True are in places
where the there indeed wasn't any checking for default user before. These may
or may not be correct, but now they are explicit and can be spotted and fixed.

The few remaining uses of @NotAnonymous should probably be removed somehow.

16 files changed with 35 insertions and 55 deletions:

kallithea/controllers/admin/admin.py

kallithea/controllers/admin/gists.py

kallithea/controllers/admin/my_account.py

kallithea/controllers/admin/notifications.py

kallithea/controllers/admin/repo_groups.py

kallithea/controllers/admin/repos.py

kallithea/controllers/admin/settings.py

kallithea/controllers/admin/user_groups.py

kallithea/controllers/changeset.py

kallithea/controllers/forks.py

kallithea/controllers/home.py

kallithea/controllers/journal.py

kallithea/controllers/pullrequests.py

kallithea/controllers/search.py

kallithea/controllers/summary.py

kallithea/lib/auth.py

0 comments (0 inline, 0 general)

kallithea/controllers/admin/admin.py

➞

Show inline comments

@@ @@ -111,25 +111,25 @@ def _journal_filter(user_log, search_ter @@
         for term in qry:
             field = term.fieldname
             val = (term.text if not isinstance(term, query.DateRange)
                    else [term.startdate, term.enddate])
             filters.append(get_filterion(field, val, term))
         user_log = user_log.filter(or_(*filters))
     return user_log
 class AdminController(BaseController):
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     def _before(self, *args, **kwargs):
         super(AdminController, self)._before(*args, **kwargs)
     @HasPermissionAnyDecorator('hg.admin')
     def index(self):
         users_log = UserLog.query() \
                 .options(joinedload(UserLog.user)) \
                 .options(joinedload(UserLog.repository))
         # FILTERING
         c.search_term = request.GET.get('filter')
         users_log = _journal_filter(users_log, c.search_term)

kallithea/controllers/admin/gists.py

➞

Show inline comments

@@ @@ -32,49 +32,49 @@ import formencode.htmlfill @@
 from tg import request, response, tmpl_context as c
 from tg.i18n import ugettext as _
 from webob.exc import HTTPFound, HTTPNotFound, HTTPForbidden
 from kallithea.config.routing import url
 from kallithea.model.forms import GistForm
 from kallithea.model.gist import GistModel
 from kallithea.model.meta import Session
 from kallithea.model.db import Gist, User
 from kallithea.lib import helpers as h
 from kallithea.lib.base import BaseController, render, jsonify
-from kallithea.lib.auth import LoginRequired, NotAnonymous
 from kallithea.lib.auth import LoginRequired
 from kallithea.lib.utils2 import safe_int, safe_unicode, time_to_datetime
 from kallithea.lib.page import Page
 from sqlalchemy.sql.expression import or_
 from kallithea.lib.vcs.exceptions import VCSError, NodeNotChangedError
 log = logging.getLogger(__name__)
 class GistsController(BaseController):
     """REST Controller styled on the Atom Publishing Protocol"""
     def __load_defaults(self, extra_values=None):
         c.lifetime_values = [
             (str(-1), _('Forever')),
             (str(5), _('5 minutes')),
             (str(60), _('1 hour')),
             (str(60 * 24), _('1 day')),
             (str(60 * 24 * 30), _('1 month')),
+        ]
         if extra_values:
             c.lifetime_values.append(extra_values)
         c.lifetime_options = [(c.lifetime_values, _("Lifetime"))]
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     def index(self):
         not_default_user = not request.authuser.is_default_user
         c.show_private = request.GET.get('private') and not_default_user
         c.show_public = request.GET.get('public') and not_default_user
         gists = Gist().query() \
             .filter_by(is_expired=False) \
             .order_by(Gist.created_on.desc())
         # MY private
         if c.show_private and not c.show_public:
             gists = gists.filter(Gist.gist_type == Gist.GIST_PRIVATE) \
@@ @@ -91,25 +91,24 @@ class GistsController(BaseController): @@
                              .filter(Gist.owner_id == request.authuser.user_id)
         # default show ALL public gists
         if not c.show_public and not c.show_private:
             gists = gists.filter(Gist.gist_type == Gist.GIST_PUBLIC)
         c.gists = gists
         p = safe_int(request.GET.get('page'), 1)
         c.gists_pager = Page(c.gists, page=p, items_per_page=10)
         return render('admin/gists/index.html')
     @LoginRequired()
     @NotAnonymous()
     def create(self):
         self.__load_defaults()
         gist_form = GistForm([x[0] for x in c.lifetime_values])()
         try:
             form_result = gist_form.to_python(dict(request.POST))
             # TODO: multiple files support, from the form
             filename = form_result['filename'] or Gist.DEFAULT_FILENAME
             nodes = {
                 filename: {
                     'content': form_result['content'],
                     'lexer': form_result['mimetype']  # None is autodetect
+                }
@@ @@ -134,65 +133,62 @@ class GistsController(BaseController): @@
                 errors=errors.error_dict or {},
                 prefix_error=False,
                 encoding="UTF-8",
                 force_defaults=False)
         except Exception as e:
             log.error(traceback.format_exc())
             h.flash(_('Error occurred during gist creation'), category='error')
             raise HTTPFound(location=url('new_gist'))
         raise HTTPFound(location=url('gist', gist_id=new_gist_id))
     @LoginRequired()
     @NotAnonymous()
     def new(self, format='html'):
         self.__load_defaults()
         return render('admin/gists/new.html')
     @LoginRequired()
     @NotAnonymous()
     def delete(self, gist_id):
         gist = GistModel().get_gist(gist_id)
         owner = gist.owner_id == request.authuser.user_id
         if h.HasPermissionAny('hg.admin')() or owner:
             GistModel().delete(gist)
             Session().commit()
             h.flash(_('Deleted gist %s') % gist.gist_access_id, category='success')
         else:
             raise HTTPForbidden()
         raise HTTPFound(location=url('gists'))
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     def show(self, gist_id, revision='tip', format='html', f_path=None):
         c.gist = Gist.get_or_404(gist_id)
         if c.gist.is_expired:
             log.error('Gist expired at %s',
                       time_to_datetime(c.gist.gist_expires))
             raise HTTPNotFound()
         try:
             c.file_changeset, c.files = GistModel().get_gist_files(gist_id,
                                                             revision=revision)
         except VCSError:
             log.error(traceback.format_exc())
             raise HTTPNotFound()
         if format == 'raw':
             content = '\n\n'.join([f.content for f in c.files if (f_path is None or safe_unicode(f.path) == f_path)])
             response.content_type = 'text/plain'
             return content
         return render('admin/gists/show.html')
     @LoginRequired()
     @NotAnonymous()
     def edit(self, gist_id, format='html'):
         c.gist = Gist.get_or_404(gist_id)
         if c.gist.is_expired:
             log.error('Gist expired at %s',
                       time_to_datetime(c.gist.gist_expires))
             raise HTTPNotFound()
         try:
             c.file_changeset, c.files = GistModel().get_gist_files(gist_id)
         except VCSError:
             log.error(traceback.format_exc())
             raise HTTPNotFound()
@@ @@ -233,25 +229,24 @@ class GistsController(BaseController): @@
                 Session().commit()
                 h.flash(_('Successfully updated gist data'), category='success')
             except Exception:
                 log.error(traceback.format_exc())
                 h.flash(_('Error occurred during update of gist %s') % gist_id,
                         category='error')
             raise HTTPFound(location=url('gist', gist_id=gist_id))
         return rendered
     @LoginRequired()
     @NotAnonymous()
     @jsonify
     def check_revision(self, gist_id):
         c.gist = Gist.get_or_404(gist_id)
         last_rev = c.gist.scm_instance.get_changeset()
         success = True
         revision = request.POST.get('revision')
         # TODO: maybe move this to model ?
         if revision != last_rev.raw_id:
             log.error('Last revision %s is different than submitted %s',
                       revision, last_rev)
             # our gist has newer version than we

kallithea/controllers/admin/my_account.py

➞

Show inline comments

@@ @@ -29,46 +29,45 @@ import logging @@
 import traceback
 import formencode
 from sqlalchemy import func
 from formencode import htmlfill
 from tg import request, tmpl_context as c
 from tg.i18n import ugettext as _
 from webob.exc import HTTPFound
 from kallithea.config.routing import url
 from kallithea.lib import helpers as h
 from kallithea.lib import auth_modules
-from kallithea.lib.auth import LoginRequired, NotAnonymous, AuthUser
 from kallithea.lib.auth import LoginRequired, AuthUser
 from kallithea.lib.base import BaseController, render
 from kallithea.lib.utils2 import generate_api_key, safe_int
 from kallithea.model.db import Repository, UserEmailMap, User, UserFollowing
 from kallithea.model.forms import UserForm, PasswordChangeForm
 from kallithea.model.user import UserModel
 from kallithea.model.repo import RepoModel
 from kallithea.model.api_key import ApiKeyModel
 from kallithea.model.meta import Session
 log = logging.getLogger(__name__)
 class MyAccountController(BaseController):
     """REST Controller styled on the Atom Publishing Protocol"""
     # To properly map this controller, ensure your config/routing.py
     # file has a resource setup:
     #     map.resource('setting', 'settings', controller='admin/settings',
     #         path_prefix='/admin', name_prefix='admin_')
     @LoginRequired()
     @NotAnonymous()
     def _before(self, *args, **kwargs):
         super(MyAccountController, self)._before(*args, **kwargs)
     def __load_data(self):
         c.user = User.get(request.authuser.user_id)
         if c.user.is_default_user:
             h.flash(_("You can't edit this user since it's"
                       " crucial for entire application"), category='warning')
             raise HTTPFound(location=url('users'))
     def _load_my_repos_data(self, watched=False):
         if watched:

kallithea/controllers/admin/notifications.py

➞

Show inline comments

@@ @@ -26,43 +26,42 @@ Original author and date, and relevant c @@
 """
 import logging
 import traceback
 from tg import request
 from tg import tmpl_context as c
 from webob.exc import HTTPBadRequest, HTTPForbidden
 from kallithea.model.db import Notification
 from kallithea.model.notification import NotificationModel
 from kallithea.model.meta import Session
-from kallithea.lib.auth import LoginRequired, NotAnonymous
 from kallithea.lib.auth import LoginRequired
 from kallithea.lib.base import BaseController, render
 from kallithea.lib import helpers as h
 from kallithea.lib.page import Page
 from kallithea.lib.utils2 import safe_int
 log = logging.getLogger(__name__)
 class NotificationsController(BaseController):
     """REST Controller styled on the Atom Publishing Protocol"""
     # To properly map this controller, ensure your config/routing.py
     # file has a resource setup:
     #     map.resource('notification', 'notifications', controller='_admin/notifications',
     #         path_prefix='/_admin', name_prefix='_admin_')
     @LoginRequired()
     @NotAnonymous()
     def _before(self, *args, **kwargs):
         super(NotificationsController, self)._before(*args, **kwargs)
     def index(self, format='html'):
         c.user = request.authuser
         notif = NotificationModel().query_for_user(request.authuser.user_id,
                                             filter_=request.GET.getall('type'))
         p = safe_int(request.GET.get('page'), 1)
         c.notifications = Page(notif, page=p, items_per_page=10)
         c.pull_request_type = Notification.TYPE_PULL_REQUEST
         c.comment_type = [Notification.TYPE_CHANGESET_COMMENT,

kallithea/controllers/admin/repo_groups.py

➞

Show inline comments

@@ @@ -49,25 +49,25 @@ from kallithea.model.repo_group import R @@
 from kallithea.model.forms import RepoGroupForm, RepoGroupPermsForm
 from kallithea.model.meta import Session
 from kallithea.model.repo import RepoModel
 from kallithea.lib.utils2 import safe_int
 from sqlalchemy.sql.expression import func
 log = logging.getLogger(__name__)
 class RepoGroupsController(BaseController):
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     def _before(self, *args, **kwargs):
         super(RepoGroupsController, self)._before(*args, **kwargs)
     def __load_defaults(self, extras=(), exclude=()):
         """extras is used for keeping current parent ignoring permissions
         exclude is used for not moving group to itself TODO: also exclude descendants
         Note: only admin can create top level groups
         """
         repo_groups = AvailableRepoGroupChoices([], 'admin', extras)
         exclude_group_ids = set(rg.group_id for rg in exclude)
         c.repo_groups = [rg for rg in repo_groups
                          if rg[0] not in exclude_group_ids]

kallithea/controllers/admin/repos.py

➞

Show inline comments

@@ @@ -51,25 +51,25 @@ from kallithea.lib.exceptions import Att @@
 from kallithea.lib.utils2 import safe_int
 log = logging.getLogger(__name__)
 class ReposController(BaseRepoController):
     """
     REST Controller styled on the Atom Publishing Protocol"""
     # To properly map this controller, ensure your config/routing.py
     # file has a resource setup:
     #     map.resource('repo', 'repos')
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     def _before(self, *args, **kwargs):
         super(ReposController, self)._before(*args, **kwargs)
     def _load_repo(self):
         repo_obj = c.db_repo
         if repo_obj is None:
             h.not_mapped_error(c.repo_name)
             raise HTTPFound(location=url('repos'))
         return repo_obj
@@ @@ -160,34 +160,32 @@ class ReposController(BaseRepoController @@
                 raise HTTPForbidden
             defaults.update({'repo_group': parent_group})
         return htmlfill.render(
             render('admin/repos/repo_add.html'),
             defaults=defaults,
             errors={},
             prefix_error=False,
             encoding="UTF-8",
             force_defaults=False)
     @LoginRequired()
     @NotAnonymous()
     def repo_creating(self, repo_name):
         c.repo = repo_name
         c.task_id = request.GET.get('task_id')
         if not c.repo:
             raise HTTPNotFound()
         return render('admin/repos/repo_creating.html')
     @LoginRequired()
     @NotAnonymous()
     @jsonify
     def repo_check(self, repo_name):
         c.repo = repo_name
         task_id = request.GET.get('task_id')
         if task_id and task_id not in ['None']:
             from kallithea import CELERY_ON
             from kallithea.lib import celerypylons
             if CELERY_ON:
                 task = celerypylons.result.AsyncResult(task_id)
                 if task.failed():
                     raise HTTPInternalServerError(task.traceback)

kallithea/controllers/admin/settings.py

➞

Show inline comments

@@ @@ -50,25 +50,25 @@ from kallithea.model.notification import @@
 from kallithea.model.meta import Session
 from kallithea.lib.utils2 import str2bool, safe_unicode
 log = logging.getLogger(__name__)
 class SettingsController(BaseController):
     """REST Controller styled on the Atom Publishing Protocol"""
     # To properly map this controller, ensure your config/routing.py
     # file has a resource setup:
     #     map.resource('setting', 'settings', controller='admin/settings',
     #         path_prefix='/admin', name_prefix='admin_')
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     def _before(self, *args, **kwargs):
         super(SettingsController, self)._before(*args, **kwargs)
     def _get_hg_ui_settings(self):
         ret = Ui.query().all()
         settings = {}
         for each in ret:
             k = each.ui_section + '_' + each.ui_key
             v = each.ui_value
             if k == 'paths_/':
                 k = 'paths_root_path'

kallithea/controllers/admin/user_groups.py

➞

Show inline comments

@@ @@ -54,25 +54,25 @@ from kallithea.model.db import User, Use @@
     UserGroupRepoToPerm, UserGroupRepoGroupToPerm
 from kallithea.model.forms import UserGroupForm, UserGroupPermsForm, \
     CustomDefaultPermissionsForm
 from kallithea.model.meta import Session
 from kallithea.lib.utils import action_logger
 log = logging.getLogger(__name__)
 class UserGroupsController(BaseController):
     """REST Controller styled on the Atom Publishing Protocol"""
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     def _before(self, *args, **kwargs):
         super(UserGroupsController, self)._before(*args, **kwargs)
         c.available_permissions = config['available_permissions']
     def __load_data(self, user_group_id):
         c.group_members_obj = sorted((x.user for x in c.user_group.members),
                                      key=lambda u: u.username.lower())
         c.group_members = [(x.user_id, x.username) for x in c.group_members_obj]
         c.available_members = sorted(((x.user_id, x.username) for x in
                                       User.query().all()),
                                      key=lambda u: u[1].lower())

kallithea/controllers/changeset.py

➞

Show inline comments

@@ @@ -28,26 +28,25 @@ Original author and date, and relevant c @@
 import logging
 import traceback
 from collections import defaultdict
 from tg import tmpl_context as c, request, response
 from tg.i18n import ugettext as _
 from webob.exc import HTTPFound, HTTPForbidden, HTTPBadRequest, HTTPNotFound
 from kallithea.lib.vcs.exceptions import RepositoryError, \
     ChangesetDoesNotExistError, EmptyRepositoryError
 import kallithea.lib.helpers as h
 from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator, \
     NotAnonymous
 from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator
 from kallithea.lib.base import BaseRepoController, render, jsonify
 from kallithea.lib.utils import action_logger
 from kallithea.lib.compat import OrderedDict
 from kallithea.lib import diffs
 from kallithea.model.db import ChangesetComment, ChangesetStatus
 from kallithea.model.comment import ChangesetCommentsModel
 from kallithea.model.changeset_status import ChangesetStatusModel
 from kallithea.model.meta import Session
 from kallithea.model.repo import RepoModel
 from kallithea.lib.exceptions import StatusChangeOnClosedPullRequestError
 from kallithea.lib.vcs.backends.base import EmptyChangeset
 from kallithea.lib.utils2 import safe_unicode
@@ @@ -339,25 +338,24 @@ class ChangesetController(BaseRepoContro @@
     @LoginRequired()
     @HasRepoPermissionLevelDecorator('read')
     def changeset_patch(self, revision):
         return self._index(revision, method='patch')
     @LoginRequired()
     @HasRepoPermissionLevelDecorator('read')
     def changeset_download(self, revision):
         return self._index(revision, method='download')
     @LoginRequired()
     @NotAnonymous()
     @HasRepoPermissionLevelDecorator('read')
     @jsonify
     def comment(self, repo_name, revision):
         assert request.environ.get('HTTP_X_PARTIAL_XHR')
         status = request.POST.get('changeset_status')
         text = request.POST.get('text', '').strip()
         c.comment = create_comment(
             text,
             status,
             revision=revision,
@@ @@ -390,25 +388,24 @@ class ChangesetController(BaseRepoContro @@
         data = {
            'target_id': h.safeid(h.safe_unicode(request.POST.get('f_path'))),
+        }
         if c.comment is not None:
             data.update(c.comment.get_dict())
             data.update({'rendered_text':
                          render('changeset/changeset_comment_block.html')})
         return data
     @LoginRequired()
     @NotAnonymous()
     @HasRepoPermissionLevelDecorator('read')
     @jsonify
     def delete_comment(self, repo_name, comment_id):
         co = ChangesetComment.get_or_404(comment_id)
         if co.repo.repo_name != repo_name:
             raise HTTPNotFound()
         owner = co.author_id == request.authuser.user_id
         repo_admin = h.HasRepoPermissionLevel('admin')(repo_name)
         if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
             ChangesetCommentsModel().delete(comment=co)
             Session().commit()
             return True

kallithea/controllers/forks.py

➞

Show inline comments

@@ @@ -29,25 +29,25 @@ import logging @@
 import formencode
 import traceback
 from formencode import htmlfill
 from tg import tmpl_context as c, request
 from tg.i18n import ugettext as _
 from webob.exc import HTTPFound
 import kallithea.lib.helpers as h
 from kallithea.config.routing import url
 from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator, \
-    NotAnonymous, HasRepoPermissionLevel, HasPermissionAnyDecorator, HasPermissionAny
     HasRepoPermissionLevel, HasPermissionAnyDecorator, HasPermissionAny
 from kallithea.lib.base import BaseRepoController, render
 from kallithea.lib.page import Page
 from kallithea.lib.utils2 import safe_int
 from kallithea.model.db import Repository, UserFollowing, User, Ui
 from kallithea.model.repo import RepoModel
 from kallithea.model.forms import RepoForkForm
 from kallithea.model.scm import ScmModel, AvailableRepoGroupChoices
 log = logging.getLogger(__name__)
 class ForksController(BaseRepoController):
@@ @@ -114,43 +114,41 @@ class ForksController(BaseRepoController @@
         for r in Repository.get_repo_forks(repo_id):
             if not HasRepoPermissionLevel('read')(r.repo_name, 'get forks check'):
                 continue
             d.append(r)
         c.forks_pager = Page(d, page=p, items_per_page=20)
         if request.environ.get('HTTP_X_PARTIAL_XHR'):
             return render('/forks/forks_data.html')
         return render('/forks/forks.html')
     @LoginRequired()
     @NotAnonymous()
     @HasPermissionAnyDecorator('hg.admin', 'hg.fork.repository')
     @HasRepoPermissionLevelDecorator('read')
     def fork(self, repo_name):
         c.repo_info = Repository.get_by_repo_name(repo_name)
         if not c.repo_info:
             h.not_mapped_error(repo_name)
             raise HTTPFound(location=url('home'))
         defaults = self.__load_data()
         return htmlfill.render(
             render('forks/fork.html'),
             defaults=defaults,
             encoding="UTF-8",
             force_defaults=False)
     @LoginRequired()
     @NotAnonymous()
     @HasPermissionAnyDecorator('hg.admin', 'hg.fork.repository')
     @HasRepoPermissionLevelDecorator('read')
     def fork_create(self, repo_name):
         self.__load_defaults()
         c.repo_info = Repository.get_by_repo_name(repo_name)
         _form = RepoForkForm(old_data={'repo_type': c.repo_info.repo_type},
                              repo_groups=c.repo_groups,
                              landing_revs=c.landing_revs_choices)()
         form_result = {}
         task_id = None
         try:
             form_result = _form.to_python(dict(request.POST))

kallithea/controllers/home.py

➞

Show inline comments

@@ @@ -41,38 +41,38 @@ from kallithea.lib import helpers as h @@
 from kallithea.model.db import Repository, RepoGroup, User, UserGroup
 from kallithea.model.repo import RepoModel
 from kallithea.model.scm import UserGroupList
 log = logging.getLogger(__name__)
 class HomeController(BaseController):
     def about(self):
         return render('/about.html')
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     def index(self):
         c.group = None
         repo_groups_list = self.scm_model.get_repo_groups()
         repos_list = Repository.query(sorted=True).filter_by(group=None).all()
         c.data = RepoModel().get_repos_as_dict(repos_list=repos_list,
                                                repo_groups_list=repo_groups_list,
                                                admin=False, short_name=True)
         return render('/index.html')
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @jsonify
     def repo_switcher_data(self):
         # wrapper for conditional cache
         def _c():
             log.debug('generating switcher repo/groups list')
             all_repos = Repository.query(sorted=True).all()
             repo_iter = self.scm_model.get_repos(all_repos)
             all_groups = RepoGroup.query(sorted=True).all()
             repo_groups_iter = self.scm_model.get_repo_groups(all_groups)
             res = [{
                     'text': _('Groups'),
@@ @@ -136,25 +136,25 @@ class HomeController(BaseController): @@
         _bookmarks = repo.bookmarks.items()
         if _bookmarks:
             res.append({
                 'text': _('Bookmark'),
                 'children': [{'id': rev, 'text': name, 'type': 'book'} for name, rev in _bookmarks]
             })
         data = {
             'more': False,
             'results': res
+        }
         return data
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     @jsonify
     def users_and_groups_data(self):
         """
         Returns 'results' with a list of users and user groups.
         You can either use the 'key' GET parameter to get a user by providing
         the exact user key or you can use the 'query' parameter to
         search for users by user key, first name and last name.
         'types' defaults to just 'users' but can be set to 'users,groups' to
         get both users and groups.
         No more than 500 results (of each kind) will be returned.
         """

kallithea/controllers/journal.py

➞

Show inline comments

@@ @@ -37,25 +37,25 @@ from sqlalchemy.sql.expression import fu @@
 from webhelpers.feedgenerator import Atom1Feed, Rss201rev2Feed
 from webob.exc import HTTPBadRequest
 from tg import request, tmpl_context as c, response
 from tg.i18n import ugettext as _
 from kallithea.config.routing import url
 from kallithea.controllers.admin.admin import _journal_filter
 from kallithea.model.db import UserLog, UserFollowing, Repository, User
 from kallithea.model.meta import Session
 from kallithea.model.repo import RepoModel
 import kallithea.lib.helpers as h
-from kallithea.lib.auth import LoginRequired, NotAnonymous
 from kallithea.lib.auth import LoginRequired
 from kallithea.lib.base import BaseController, render
 from kallithea.lib.page import Page
 from kallithea.lib.utils2 import safe_int, AttributeDict
 log = logging.getLogger(__name__)
 language = 'en-us'
 ttl = "5"
 feed_nr = 20
@@ @@ -182,25 +182,24 @@ class JournalController(BaseController): @@
             feed.add_item(title=title,
                           pubdate=entry.action_date,
                           link=_url or h.canonical_url(''),
                           author_email=user.email,
                           author_name=user.full_contact,
                           description=desc)
         response.content_type = feed.mime_type
         return feed.writeString('utf-8')
     @LoginRequired()
     @NotAnonymous()
     def index(self):
         # Return a rendered template
         p = safe_int(request.GET.get('page'), 1)
         c.user = User.get(request.authuser.user_id)
         c.following = UserFollowing.query() \
             .filter(UserFollowing.user_id == request.authuser.user_id) \
             .options(joinedload(UserFollowing.follows_repository)) \
             .all()
         journal = self._get_journal_data(c.following)
         def url_generator(**kw):
@@ @@ -214,49 +213,46 @@ class JournalController(BaseController): @@
         repos_list = Repository.query(sorted=True) \
             .filter_by(owner_id=request.authuser.user_id).all()
         repos_data = RepoModel().get_repos_as_dict(repos_list=repos_list,
                                                    admin=True)
         # data used to render the grid
         c.data = repos_data
         return render('journal/journal.html')
     @LoginRequired(api_access=True)
     @NotAnonymous()
     def journal_atom(self):
         """
         Produce an atom-1.0 feed via feedgenerator module
         """
         following = UserFollowing.query() \
             .filter(UserFollowing.user_id == request.authuser.user_id) \
             .options(joinedload(UserFollowing.follows_repository)) \
             .all()
         return self._atom_feed(following, public=False)
     @LoginRequired(api_access=True)
     @NotAnonymous()
     def journal_rss(self):
         """
         Produce an rss feed via feedgenerator module
         """
         following = UserFollowing.query() \
             .filter(UserFollowing.user_id == request.authuser.user_id) \
             .options(joinedload(UserFollowing.follows_repository)) \
             .all()
         return self._rss_feed(following, public=False)
     @LoginRequired()
     @NotAnonymous()
     def toggle_following(self):
         user_id = request.POST.get('follows_user_id')
         if user_id:
             try:
                 self.scm_model.toggle_following_user(user_id,
                                             request.authuser.user_id)
                 Session().commit()
                 return 'ok'
             except Exception:
                 log.error(traceback.format_exc())
                 raise HTTPBadRequest()
@@ @@ -264,56 +260,56 @@ class JournalController(BaseController): @@
         if repo_id:
             try:
                 self.scm_model.toggle_following_repo(repo_id,
                                             request.authuser.user_id)
                 Session().commit()
                 return 'ok'
             except Exception:
                 log.error(traceback.format_exc())
                 raise HTTPBadRequest()
         raise HTTPBadRequest()
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     def public_journal(self):
         # Return a rendered template
         p = safe_int(request.GET.get('page'), 1)
         c.following = UserFollowing.query() \
             .filter(UserFollowing.user_id == request.authuser.user_id) \
             .options(joinedload(UserFollowing.follows_repository)) \
             .all()
         journal = self._get_journal_data(c.following)
         c.journal_pager = Page(journal, page=p, items_per_page=20)
         c.journal_day_aggregate = self._get_daily_aggregate(c.journal_pager)
         if request.environ.get('HTTP_X_PARTIAL_XHR'):
             return render('journal/journal_data.html')
         return render('journal/public_journal.html')
     @LoginRequired(api_access=True)
+    @LoginRequired(api_access=True, allow_default_user=True)
     def public_journal_atom(self):
         """
         Produce an atom-1.0 feed via feedgenerator module
         """
         c.following = UserFollowing.query() \
             .filter(UserFollowing.user_id == request.authuser.user_id) \
             .options(joinedload(UserFollowing.follows_repository)) \
             .all()
         return self._atom_feed(c.following)
     @LoginRequired(api_access=True)
+    @LoginRequired(api_access=True, allow_default_user=True)
     def public_journal_rss(self):
         """
         Produce an rss2 feed via feedgenerator module
         """
         c.following = UserFollowing.query() \
             .filter(UserFollowing.user_id == request.authuser.user_id) \
             .options(joinedload(UserFollowing.follows_repository)) \
             .all()
         return self._rss_feed(c.following)

kallithea/controllers/pullrequests.py

➞

Show inline comments

@@ @@ -27,26 +27,25 @@ Original author and date, and relevant c @@
 import logging
 import traceback
 import formencode
 from tg import request, tmpl_context as c
 from tg.i18n import ugettext as _
 from webob.exc import HTTPFound, HTTPNotFound, HTTPForbidden, HTTPBadRequest
 from kallithea.config.routing import url
 from kallithea.lib import helpers as h
 from kallithea.lib import diffs
 from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator, \
     NotAnonymous
 from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator
 from kallithea.lib.base import BaseRepoController, render, jsonify
 from kallithea.lib.page import Page
 from kallithea.lib.utils import action_logger
 from kallithea.lib.vcs.exceptions import EmptyRepositoryError, ChangesetDoesNotExistError
 from kallithea.lib.vcs.utils import safe_str
 from kallithea.lib.vcs.utils.hgcompat import unionrepo
 from kallithea.model.db import PullRequest, ChangesetStatus, ChangesetComment, \
     PullRequestReviewer, Repository, User
 from kallithea.model.pull_request import CreatePullRequestAction, CreatePullRequestIterationAction, PullRequestModel
 from kallithea.model.meta import Session
 from kallithea.model.repo import RepoModel
 from kallithea.model.comment import ChangesetCommentsModel
@@ @@ -209,25 +208,24 @@ class PullrequestsController(BaseRepoCon @@
         q = PullRequest.query(include_closed=c.closed, sorted=True)
         if c.from_:
             q = q.filter_by(org_repo=c.db_repo)
         else:
             q = q.filter_by(other_repo=c.db_repo)
         c.pull_requests = q.all()
         c.pullrequests_pager = Page(c.pull_requests, page=p, items_per_page=100)
         return render('/pullrequests/pullrequest_show_all.html')
     @LoginRequired()
     @NotAnonymous()
     def show_my(self):
         c.closed = request.GET.get('closed') or ''
         c.my_pull_requests = PullRequest.query(
             include_closed=c.closed,
             sorted=True,
         ).filter_by(owner_id=request.authuser.user_id).all()
         c.participate_in_pull_requests = []
         c.participate_in_pull_requests_todo = []
         done_status = set([ChangesetStatus.STATUS_APPROVED, ChangesetStatus.STATUS_REJECTED])
         for pr in PullRequest.query(
@@ @@ -235,25 +233,24 @@ class PullrequestsController(BaseRepoCon @@
             reviewer_id=request.authuser.user_id,
             sorted=True,
         ):
             status = pr.user_review_status(request.authuser.user_id) # very inefficient!!!
             if status in done_status:
                 c.participate_in_pull_requests.append(pr)
             else:
                 c.participate_in_pull_requests_todo.append(pr)
         return render('/pullrequests/pullrequest_show_my.html')
     @LoginRequired()
     @NotAnonymous()
     @HasRepoPermissionLevelDecorator('read')
     def index(self):
         org_repo = c.db_repo
         org_scm_instance = org_repo.scm_instance
         try:
             org_scm_instance.get_changeset()
         except EmptyRepositoryError as e:
             h.flash(h.literal(_('There are no changesets yet')),
                     category='warning')
             raise HTTPFound(location=url('summary_home', repo_name=org_repo.repo_name))
         org_rev = request.GET.get('rev_end')
@@ @@ -291,38 +288,36 @@ class PullrequestsController(BaseRepoCon @@
         else:
             c.a_repo = org_repo
             c.a_refs, c.default_a_ref = self._get_repo_refs(org_scm_instance, rev=other_rev)
         # gather forks and add to this list ... even though it is rare to
         # request forks to pull from their parent
         for fork in org_repo.forks:
             c.a_repos.append((fork.repo_name, fork.repo_name))
         return render('/pullrequests/pullrequest.html')
     @LoginRequired()
     @NotAnonymous()
     @HasRepoPermissionLevelDecorator('read')
     @jsonify
     def repo_info(self, repo_name):
         repo = c.db_repo
         refs, selected_ref = self._get_repo_refs(repo.scm_instance)
         return {
             'description': repo.description.split('\n', 1)[0],
             'selected_ref': selected_ref,
             'refs': refs,
+            }
     @LoginRequired()
     @NotAnonymous()
     @HasRepoPermissionLevelDecorator('read')
     def create(self, repo_name):
         repo = c.db_repo
         try:
             _form = PullRequestForm(repo.repo_id)().to_python(request.POST)
         except formencode.Invalid as errors:
             log.error(traceback.format_exc())
             log.error(str(errors))
             msg = _('Error creating pull request: %s') % errors.msg
             h.flash(msg, 'error')
             raise HTTPBadRequest
@@ @@ -374,25 +369,24 @@ class PullrequestsController(BaseRepoCon @@
         except Exception:
             h.flash(_('Error occurred while creating pull request'),
                     category='error')
             log.error(traceback.format_exc())
             raise HTTPFound(location=old_pull_request.url())
         h.flash(_('New pull request iteration created'),
                 category='success')
         raise HTTPFound(location=pull_request.url())
     # pullrequest_post for PR editing
     @LoginRequired()
     @NotAnonymous()
     @HasRepoPermissionLevelDecorator('read')
     def post(self, repo_name, pull_request_id):
         pull_request = PullRequest.get_or_404(pull_request_id)
         if pull_request.is_closed():
             raise HTTPForbidden()
         assert pull_request.other_repo.repo_name == repo_name
         # only owner or admin can update it
         owner = pull_request.owner_id == request.authuser.user_id
         repo_admin = h.HasRepoPermissionLevel('admin')(c.repo_name)
         if not (h.HasPermissionAny('hg.admin')() or repo_admin or owner):
             raise HTTPForbidden()
@@ @@ -431,25 +425,24 @@ class PullrequestsController(BaseRepoCon @@
         user = User.get(request.authuser.user_id)
         PullRequestModel().mention_from_description(user, pull_request, old_description)
         PullRequestModel().add_reviewers(user, pull_request, added_reviewers)
         PullRequestModel().remove_reviewers(user, pull_request, removed_reviewers)
         Session().commit()
         h.flash(_('Pull request updated'), category='success')
         raise HTTPFound(location=pull_request.url())
     @LoginRequired()
     @NotAnonymous()
     @HasRepoPermissionLevelDecorator('read')
     @jsonify
     def delete(self, repo_name, pull_request_id):
         pull_request = PullRequest.get_or_404(pull_request_id)
         # only owner can delete it !
         if pull_request.owner_id == request.authuser.user_id:
             PullRequestModel().delete(pull_request)
             Session().commit()
             h.flash(_('Successfully deleted pull request'),
                     category='success')
             raise HTTPFound(location=url('my_pullrequests'))
         raise HTTPForbidden()
@@ @@ -624,25 +617,24 @@ class PullrequestsController(BaseRepoCon @@
         # (badly named) pull-request status calculation based on reviewer votes
         (c.pull_request_reviewers,
          c.pull_request_pending_reviewers,
          c.current_voting_result,
          ) = cs_model.calculate_pull_request_result(c.pull_request)
         c.changeset_statuses = ChangesetStatus.STATUSES
         c.is_ajax_preview = False
         c.ancestors = None # [c.a_rev] ... but that is shown in an other way
         return render('/pullrequests/pullrequest_show.html')
     @LoginRequired()
     @NotAnonymous()
     @HasRepoPermissionLevelDecorator('read')
     @jsonify
     def comment(self, repo_name, pull_request_id):
         pull_request = PullRequest.get_or_404(pull_request_id)
         status = request.POST.get('changeset_status')
         close_pr = request.POST.get('save_close')
         delete = request.POST.get('save_delete')
         f_path = request.POST.get('f_path')
         line_no = request.POST.get('line')
         if (status or close_pr or delete) and (f_path or line_no):
@@ @@ -709,25 +701,24 @@ class PullrequestsController(BaseRepoCon @@
         data = {
            'target_id': h.safeid(h.safe_unicode(request.POST.get('f_path'))),
+        }
         if comment is not None:
             c.comment = comment
             data.update(comment.get_dict())
             data.update({'rendered_text':
                          render('changeset/changeset_comment_block.html')})
         return data
     @LoginRequired()
     @NotAnonymous()
     @HasRepoPermissionLevelDecorator('read')
     @jsonify
     def delete_comment(self, repo_name, comment_id):
         co = ChangesetComment.get(comment_id)
         if co.pull_request.is_closed():
             # don't allow deleting comments on closed pull request
             raise HTTPForbidden()
         owner = co.author_id == request.authuser.user_id
         repo_admin = h.HasRepoPermissionLevel('admin')(c.repo_name)
         if h.HasPermissionAny('hg.admin')() or repo_admin or owner:
             ChangesetCommentsModel().delete(comment=co)

kallithea/controllers/search.py

➞

Show inline comments

@@ @@ -40,25 +40,25 @@ from kallithea.lib.auth import LoginRequ @@
 from kallithea.lib.base import BaseRepoController, render
 from kallithea.lib.indexers import CHGSETS_SCHEMA, SCHEMA, CHGSET_IDX_NAME, \
     IDX_NAME, WhooshResultWrapper
 from kallithea.lib.page import Page
 from kallithea.lib.utils2 import safe_str, safe_int
 from kallithea.model.repo import RepoModel
 log = logging.getLogger(__name__)
 class SearchController(BaseRepoController):
     @LoginRequired()
+    @LoginRequired(allow_default_user=True)
     def index(self, repo_name=None):
         c.repo_name = repo_name
         c.formated_results = []
         c.runtime = ''
         c.cur_query = request.GET.get('q', None)
         c.cur_type = request.GET.get('type', 'content')
         c.cur_search = search_type = {'content': 'content',
                                       'commit': 'message',
                                       'path': 'path',
                                       'repository': 'repository'
                                       }.get(c.cur_type, 'content')

kallithea/controllers/summary.py

➞

Show inline comments

@@ @@ -34,26 +34,25 @@ from datetime import timedelta, date @@
 from tg import tmpl_context as c, request
 from tg.i18n import ugettext as _
 from webob.exc import HTTPBadRequest
 from beaker.cache import cache_region, region_invalidate
 from kallithea.lib.vcs.exceptions import ChangesetError, EmptyRepositoryError, \
     NodeDoesNotExistError
 from kallithea.config.conf import ALL_READMES, ALL_EXTS, LANGUAGES_EXTENSIONS_MAP
 from kallithea.model.db import Statistics, CacheInvalidation, User
 from kallithea.lib.utils2 import safe_int, safe_str
 from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator, \
     NotAnonymous
 from kallithea.lib.auth import LoginRequired, HasRepoPermissionLevelDecorator
 from kallithea.lib.base import BaseRepoController, render, jsonify
 from kallithea.lib.vcs.backends.base import EmptyChangeset
 from kallithea.lib.markup_renderer import MarkupRenderer
 from kallithea.lib.celerylib.tasks import get_commits_stats
 from kallithea.lib.compat import json
 from kallithea.lib.vcs.nodes import FileNode
 from kallithea.lib.page import RepoPage
 log = logging.getLogger(__name__)
 README_FILES = [''.join([x[0][0], x[1][0]]) for x in
                     sorted(list(itertools.product(ALL_READMES, ALL_EXTS)),
@@ @@ -153,25 +152,24 @@ class SummaryController(BaseRepoControll @@
                 sorted(lang_stats, reverse=True, key=lambda k: k[1])[:10]
+            )
         else:
             c.no_data = True
             c.trending_languages = []
         c.enable_downloads = c.db_repo.enable_downloads
         c.readme_data, c.readme_file = \
             self.__get_readme_data(c.db_repo)
         return render('summary/summary.html')
     @LoginRequired()
     @NotAnonymous()
     @HasRepoPermissionLevelDecorator('read')
     @jsonify
     def repo_size(self, repo_name):
         if request.is_xhr:
             return c.db_repo._repo_size()
         else:
             raise HTTPBadRequest()
     @LoginRequired()
     @HasRepoPermissionLevelDecorator('read')
     def statistics(self, repo_name):
         if c.db_repo.enable_statistics:

kallithea/lib/auth.py

➞

Show inline comments

@@ @@ -743,34 +743,38 @@ def _redirect_to_login(message=None): @@
     page which will redirect back to the current URL after authentication.
     The optional message will be shown in a flash message."""
     from kallithea.lib import helpers as h
     if message:
         h.flash(h.literal(message), category='warning')
     p = request.path_qs
     log.debug('Redirecting to login page, origin: %s', p)
     return HTTPFound(location=url('login_home', came_from=p))
 # Use as decorator
 class LoginRequired(object):
     """Client must be logged in as a valid User (but the "default" user,
     if enabled, is considered valid), or we'll redirect to the login page.
     """Client must be logged in as a valid User, or we'll redirect to the login
     page.
     If the "default" user is enabled and allow_default_user is true, that is
     considered valid too.
     Also checks that IP address is allowed, and if using API key instead
     of regular cookie authentication, checks that API key access is allowed
     (based on `api_access` parameter and the API view whitelist).
     """
     def __init__(self, api_access=False):
+    def __init__(self, api_access=False, allow_default_user=False):
         self.api_access = api_access
         self.allow_default_user = allow_default_user
     def __call__(self, func):
         return decorator(self.__wrapper, func)
     def __wrapper(self, func, *fargs, **fkwargs):
         controller = fargs[0]
         user = request.authuser
         loc = "%s:%s" % (controller.__class__.__name__, func.__name__)
         log.debug('Checking access for user %s @ %s', user, loc)
         if not AuthUser.check_ip_allowed(user, request.ip_addr):
             raise _redirect_to_login(_('IP %s not allowed') % request.ip_addr)
@@ @@ -792,27 +796,32 @@ class LoginRequired(object): @@
         # through a session cookie or its origin IP address), it must include
         # the correct token, unless the HTTP method is GET or HEAD (and thus
         # guaranteed to be side effect free. In practice, the only situation
         # where we allow side effects without ambient authority is when the
         # authority comes from an API key; and that is handled above.
         if request.method not in ['GET', 'HEAD']:
             token = request.POST.get(secure_form.token_key)
             if not token or token != secure_form.authentication_token():
                 log.error('CSRF check failed')
                 raise HTTPForbidden()
         # regular user authentication
-        if user.is_authenticated or user.is_default_user:
         if user.is_authenticated:
             log.info('user %s authenticated with regular auth @ %s', user, loc)
             return func(*fargs, **fkwargs)
         elif user.is_default_user:
             if self.allow_default_user:
                 log.info('default user @ %s', loc)
                 return func(*fargs, **fkwargs)
             log.info('default user is not accepted here @ %s', loc)
         else:
             log.warning('user %s NOT authenticated with regular auth @ %s', user, loc)
             raise _redirect_to_login()
 # Use as decorator
 class NotAnonymous(object):
     """Ensures that client is not logged in as the "default" user, and
     redirects to the login page otherwise. Must be used together with
     LoginRequired."""
     def __call__(self, func):

0 comments (0 inline, 0 general)