Changeset - b580691553f5
[Not reviewed]
default
0 1 0
Søren Løvborg - 10 years ago 2015-07-26 14:10:44
kwi@kwi.dk
auth: turn dead AuthUser code into assertion

The result of db.User.get_dict never contains the keys 'api_keys' or
'permissions'. The keys returned by get_dict are 1) all the User table
columns, 2) the keys explicitly defined in User.__json__, and 3) the
keys defined in User.get_api_data, none of which include the two
blacklisted keys.

'api_keys' would be returned if __json__ called get_api_data with
argument details=True; but currently that is not the case.

In case there's a reason why these two keys must never appear in an
AuthUser object, the check has not been removed entirely; instead, it's
been turned into an assertion. This way, it will be noticed if __json__
is later modified to request detailed API data, for instance.
1 file changed with 2 insertions and 2 deletions:
0 comments (0 inline, 0 general)
kallithea/lib/auth.py
 
@@ -508,50 +508,50 @@ class AuthUser(object):
 
        # If user cannot be found, try falling back to anonymous.
 
        if not is_user_loaded:
 
            is_user_loaded =  self._fill_data(self.anonymous_user)
 

	
 
        # The anonymous user is always "logged in".
 
        if self.user_id == self.anonymous_user.user_id:
 
            self.is_authenticated = True
 

	
 
        if not self.username:
 
            self.username = 'None'
 

	
 
        log.debug('Auth User is now %s' % self)
 

	
 
    def _fill_data(self, dbuser):
 
        """
 
        Copies database fields from a `db.User` to this `AuthUser`. Does
 
        not copy `api_keys` and `permissions` attributes.
 

	
 
        Checks that `dbuser` is `active` (and not None) before copying;
 
        returns True on success.
 
        """
 
        if dbuser is not None and dbuser.active:
 
            log.debug('filling %s data', dbuser)
 
            for k, v in dbuser.get_dict().iteritems():
 
                if k not in ['api_keys', 'permissions']:
 
                    setattr(self, k, v)
 
                assert k not in ['api_keys', 'permissions']
 
                setattr(self, k, v)
 
            return True
 
        return False
 

	
 
    @LazyProperty
 
    def permissions(self):
 
        return self.__get_perms(user=self, cache=False)
 

	
 
    @property
 
    def api_keys(self):
 
        return self._get_api_keys()
 

	
 
    def __get_perms(self, user, explicit=True, algo='higherwin', cache=False):
 
        """
 
        Fills user permission attribute with permissions taken from database
 
        works for permissions given for repositories, and for permissions that
 
        are granted to groups
 

	
 
        :param user: `AuthUser` instance
 
        :param explicit: In case there are permissions both for user and a group
 
            that user is part of, explicit flag will define if user will
 
            explicitly override permissions from group, if it's False it will
 
            make decision based on the algo
 
        :param algo: algorithm to decide what permission should be choose if
 
            it's multiple defined, eg user in two different groups. It also
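Review bot: the replacement of the `if k not in ['api_keys', 'permissions']` filter with a bare `assert` means the guarantee in the `_fill_data` docstring ("Does not copy `api_keys` and `permissions` attributes") no longer holds when the interpreter runs with `-O`, since assertions are stripped and `setattr(self, k, v)` would then run for every key. The commit message explains that these keys cannot currently come out of `get_dict`, so the practical risk is low, but the docstring should say that these keys are expected never to be present (and are checked for) rather than that they are skipped; alternatively, raise an explicit exception instead of `assert` if the check must survive optimized bytecode. Note also that `api_keys` is defined below as a read-only `@property`, so a stray `setattr(self, 'api_keys', v)` would fail loudly anyway, whereas `permissions` is a `LazyProperty` and whether it would be silently overwritten depends on that descriptor's implementation; the hunk does not show it, so this is worth confirming.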