kallithea Changeset - afe30226491e

Changeset - afe30226491e

Parent rev.

Child rev.

[Not reviewed]

default

0 1 0

Thomas De Schampheleire - 6 years ago 2020-03-24 11:24:05
thomas.de_schampheleire@nokia.com

login: assert that the validated user actually is found

Due to another bug, it was possible that authentication succeeded but the user
object couldn't be obtained. This was for example noticed when the LDAP auth
module did not correctly parse the email attribute, and a login via email
was attempted. In this case, the user was retrieved from email address and LDAP
found the user, but the email attribute in the Kallithea database was then
changed incorrectly and a subsequent retrieval based on the same original email
address would not find the user.

Such problem would lead to an assert in Kallithea:

File ".../kallithea/controllers/login.py", line 104, in index
auth_user = log_in_user(user, c.form_result['remember'], is_external_auth=False, ip_addr=request.ip_addr)
File ".../kallithea/lib/base.py", line 122, in log_in_user
assert not user.is_default_user, user
AttributeError: 'NoneType' object has no attribute 'is_default_user'

This assert cought the problem but is not a spot-on indicator of the real
problem. Instead, we can catch this problem sooner by adding an assert already
in the login controller.

1 file changed with 1 insertions and 0 deletions:

kallithea/controllers/login.py

0 comments (0 inline, 0 general)

kallithea/controllers/login.py

➞

Show inline comments

@@ @@ -62,48 +62,49 @@ class LoginController(BaseController): @@
           origin-relative-ref = path-absolute [ "?" query ] [ "#" fragment ]
         with the exception that '%' escapes are not validated and '#' is
         allowed inside the fragment part.
         """
         return _re.match(came_from) is not None
     def index(self):
         c.came_from = request.GET.get('came_from', '')
         if c.came_from:
             if not self._validate_came_from(c.came_from):
                 log.error('Invalid came_from (not server-relative): %r', c.came_from)
                 raise HTTPBadRequest()
         else:
             c.came_from = url('home')
         if request.POST:
             # import Login Form validator class
             login_form = LoginForm()()
             try:
                 c.form_result = login_form.to_python(dict(request.POST))
                 # form checks for username/password, now we're authenticated
                 username = c.form_result['username']
                 user = User.get_by_username_or_email(username, case_insensitive=True)
                 assert user is not None  # the same user get just passed in the form validation
             except formencode.Invalid as errors:
                 defaults = errors.value
                 # remove password from filling in form again
                 defaults.pop('password', None)
                 return htmlfill.render(
                     render('/login.html'),
                     defaults=errors.value,
                     errors=errors.error_dict or {},
                     prefix_error=False,
                     encoding="UTF-8",
                     force_defaults=False)
             except UserCreationError as e:
                 # container auth or other auth functions that create users on
                 # the fly can throw this exception signaling that there's issue
                 # with user creation, explanation should be provided in
                 # Exception itself
                 h.flash(e, 'error')
             else:
                 auth_user = log_in_user(user, c.form_result['remember'], is_external_auth=False, ip_addr=request.ip_addr)
                 # TODO: handle auth_user is None as failed authentication?
                 raise HTTPFound(location=c.came_from)
         else:
             # redirect if already logged in
             if not request.authuser.is_anonymous:

0 comments (0 inline, 0 general)