Changeset - e9fe4ff57cbb
Parent rev.
Child rev.
[Not reviewed]
beta
0 1 0
Marcin Kuzminski - 15 years ago 2011-05-15 13:49:14
marcin@python-works.com
Do a redirect to login for anonymous users
1 file changed with 14 insertions and 0 deletions:
rhodecode/lib/auth.py
14
0 comments (0 inline, 0 general)
rhodecode/lib/auth.py
Show inline comments
 
@@ -221,379 +221,393 @@ def authenticate(username, password):
 
                pass
 
            except (Exception,):
 
                log.error(traceback.format_exc())
 
                pass
 
    return False
 

			




	
	
	
		
 

			




	
	
	
		
 
class  AuthUser(object):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    A simple object that handles all attributes of user in RhodeCode

			




	
	
	
		
 

			




	
	
	
		
 
    It does lookup based on API key,given user, or user present in session

			




	
	
	
		
 
    Then it fills all required information for such user. It also checks if

			




	
	
	
		
 
    anonymous access is enabled and if so, it returns default user as logged

			




	
	
	
		
 
    in

			




	
	
	
		
 
    """

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, user_id=None, api_key=None):

			




	
	
	
		
 

			




	
	
	
		
 
        self.user_id = user_id

			




	
	
	
		
 
        self.api_key = None

			




	
	
	
		
 

			




	
	
	
		
 
        self.username = 'None'

			




	
	
	
		
 
        self.name = ''

			




	
	
	
		
 
        self.lastname = ''

			




	
	
	
		
 
        self.email = ''

			




	
	
	
		
 
        self.is_authenticated = False

			




	
	
	
		
 
        self.admin = False

			




	
	
	
		
 
        self.permissions = {}

			




	
	
	
		
 
        self._api_key = api_key

			




	
	
	
		
 
        self.propagate_data()

			




	
	
	
		
 

			




	
	
	
		
 
    def propagate_data(self):

			




	
	
	
		
 
        user_model = UserModel()

			




	
	
	
		
 
        self.anonymous_user = user_model.get_by_username('default', cache=True)

			




	
	
	
		
 
        if self._api_key and self._api_key != self.anonymous_user.api_key:

			




	
	
	
		
 
            #try go get user by api key

			




	
	
	
		
 
            log.debug('Auth User lookup by API KEY %s', self._api_key)

			




	
	
	
		
 
            user_model.fill_data(self, api_key=self._api_key)

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            log.debug('Auth User lookup by USER ID %s', self.user_id)

			




	
	
	
		
 
            if self.user_id is not None \

			




	
	
	
		
 
                and self.user_id != self.anonymous_user.user_id:

			




	
	
	
		
 
                user_model.fill_data(self, user_id=self.user_id)

			




	
	
	
		
 
            else:

			




	
	
	
		
 
                if self.anonymous_user.active is True:

			




	
	
	
		
 
                    user_model.fill_data(self,

			




	
	
	
		
 
                                         user_id=self.anonymous_user.user_id)

			




	
	
	
		
 
                    #then we set this user is logged in

			




	
	
	
		
 
                    self.is_authenticated = True

			




	
	
	
		
 
                else:

			




	
	
	
		
 
                    self.is_authenticated = False

			




	
	
	
		
 

			




	
	
	
		
 
        log.debug('Auth User is now %s', self)

			




	
	
	
		
 
        user_model.fill_perms(self)

			




	
	
	
		
 

			




	
	
	
		
 
    @property

			




	
	
	
		
 
    def is_admin(self):

			




	
	
	
		
 
        return self.admin

			




	
	
	
		
 

			




	
	
	
		
 
    @property

			




	
	
	
		
 
    def full_contact(self):

			




	
	
	
		
 
        return '%s %s <%s>' % (self.name, self.lastname, self.email)

			




	
	
	
		
 

			




	
	
	
		
 
    def __repr__(self):

			




	
	
	
		
 
        return "<AuthUser('id:%s:%s|%s')>" % (self.user_id, self.username,

			




	
	
	
		
 
                                              self.is_authenticated)

			




	
	
	
		
 

			




	
	
	
		
 
    def set_authenticated(self, authenticated=True):

			




	
	
	
		
 

			




	
	
	
		
 
        if self.user_id != self.anonymous_user.user_id:

			




	
	
	
		
 
            self.is_authenticated = authenticated

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
def set_available_permissions(config):

			




	
	
	
		
 
    """This function will propagate pylons globals with all available defined

			




	
	
	
		
 
    permission given in db. We don't want to check each time from db for new

			




	
	
	
		
 
    permissions since adding a new permission also requires application restart

			




	
	
	
		
 
    ie. to decorate new views with the newly created permission

			




	
	
	
		
 

			




	
	
	
		
 
    :param config: current pylons config instance

			




	
	
	
		
 

			




	
	
	
		
 
    """

			




	
	
	
		
 
    log.info('getting information about all available permissions')

			




	
	
	
		
 
    try:

			




	
	
	
		
 
        sa = meta.Session()

			




	
	
	
		
 
        all_perms = sa.query(Permission).all()

			




	
	
	
		
 
    except:

			




	
	
	
		
 
        pass

			




	
	
	
		
 
    finally:

			




	
	
	
		
 
        meta.Session.remove()

			




	
	
	
		
 

			




	
	
	
		
 
    config['available_permissions'] = [x.permission_name for x in all_perms]

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 
# CHECK DECORATORS

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 
class LoginRequired(object):

			




	
	
	
		
 
    """

			




	
	
	
		
 
    Must be logged in to execute this function else

			




	
	
	
		
 
    redirect to login page

			




	
	
	
		
 

			




	
	
	
		
 
    :param api_access: if enabled this checks only for valid auth token

			




	
	
	
		
 
        and grants access based on valid token

			




	
	
	
		
 
    """

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, api_access=False):

			




	
	
	
		
 
        self.api_access = api_access

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, func):

			




	
	
	
		
 
        return decorator(self.__wrapper, func)

			




	
	
	
		
 

			




	
	
	
		
 
    def __wrapper(self, func, *fargs, **fkwargs):

			




	
	
	
		
 
        cls = fargs[0]

			




	
	
	
		
 
        user = cls.rhodecode_user

			




	
	
	
		
 

			




	
	
	
		
 
        api_access_ok = False

			




	
	
	
		
 
        if self.api_access:

			




	
	
	
		
 
            log.debug('Checking API KEY access for %s', cls)

			




	
	
	
		
 
            if user.api_key == request.GET.get('api_key'):

			




	
	
	
		
 
                api_access_ok = True

			




	
	
	
		
 
            else:

			




	
	
	
		
 
                log.debug("API KEY token not valid")

			




	
	
	
		
 

			




	
	
	
		
 
        log.debug('Checking if %s is authenticated @ %s', user.username, cls)

			




	
	
	
		
 
        if user.is_authenticated or api_access_ok:

			




	
	
	
		
 
            log.debug('user %s is authenticated', user.username)

			




	
	
	
		
 
            return func(*fargs, **fkwargs)

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            log.warn('user %s NOT authenticated', user.username)

			




	
	
	
		
 
            p = url.current()

			




	
	
	
		
 

			




	
	
	
		
 
            log.debug('redirecting to login page with %s', p)

			




	
	
	
		
 
            return redirect(url('login_home', came_from=p))

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class NotAnonymous(object):

			




	
	
	
		
 
    """Must be logged in to execute this function else

			




	
	
	
		
 
    redirect to login page"""

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, func):

			




	
	
	
		
 
        return decorator(self.__wrapper, func)

			




	
	
	
		
 

			




	
	
	
		
 
    def __wrapper(self, func, *fargs, **fkwargs):

			




	
	
	
		
 
        cls = fargs[0]

			




	
	
	
		
 
        self.user = cls.rhodecode_user

			




	
	
	
		
 

			




	
	
	
		
 
        log.debug('Checking if user is not anonymous @%s', cls)

			




	
	
	
		
 

			




	
	
	
		
 
        anonymous = self.user.username == 'default'

			




	
	
	
		
 

			




	
	
	
		
 
        if anonymous:

			




	
	
	
		
 
            p = url.current()

			




	
	
	
		
 

			




	
	
	
		
 
            import rhodecode.lib.helpers as h

			




	
	
	
		
 
            h.flash(_('You need to be a registered user to '

			




	
	
	
		
 
                      'perform this action'),

			




	
	
	
		
 
                    category='warning')

			




	
	
	
		
 
            return redirect(url('login_home', came_from=p))

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            return func(*fargs, **fkwargs)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class PermsDecorator(object):

			




	
	
	
		
 
    """Base class for controller decorators"""

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, *required_perms):

			




	
	
	
		
 
        available_perms = config['available_permissions']

			




	
	
	
		
 
        for perm in required_perms:

			




	
	
	
		
 
            if perm not in available_perms:

			




	
	
	
		
 
                raise Exception("'%s' permission is not defined" % perm)

			




	
	
	
		
 
        self.required_perms = set(required_perms)

			




	
	
	
		
 
        self.user_perms = None

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, func):

			




	
	
	
		
 
        return decorator(self.__wrapper, func)

			




	
	
	
		
 

			




	
	
	
		
 
    def __wrapper(self, func, *fargs, **fkwargs):

			




	
	
	
		
 
        cls = fargs[0]

			




	
	
	
		
 
        self.user = cls.rhodecode_user

			




	
	
	
		
 
        self.user_perms = self.user.permissions

			




	
	
	
		
 
        log.debug('checking %s permissions %s for %s %s',

			




	
	
	
		
 
           self.__class__.__name__, self.required_perms, cls,

			




	
	
	
		
 
               self.user)

			




	
	
	
		
 

			




	
	
	
		
 
        if self.check_permissions():

			




	
	
	
		
 
            log.debug('Permission granted for %s %s', cls, self.user)

			




	
	
	
		
 
            return func(*fargs, **fkwargs)

			




	
	
	
		
 

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            log.warning('Permission denied for %s %s', cls, self.user)

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
            anonymous = self.user.username == 'default'

			




	
	
	
		
 

			




	
	
	
		
 
            if anonymous:

			




	
	
	
		
 
                p = url.current()

			




	
	
	
		
 

			




	
	
	
		
 
                import rhodecode.lib.helpers as h

			




	
	
	
		
 
                h.flash(_('You need to be a signed in to '

			




	
	
	
		
 
                          'view this page'),

			




	
	
	
		
 
                        category='warning')

			




	
	
	
		
 
                return redirect(url('login_home', came_from=p))

			




	
	
	
		
 

			




	
	
	
		
 
            else:

			




	
	
	
		
 
            #redirect with forbidden ret code

			




	
	
	
		
 
            return abort(403)

			




	
	
	
		
 

			




	
	
	
		
 
    def check_permissions(self):

			




	
	
	
		
 
        """Dummy function for overriding"""

			




	
	
	
		
 
        raise Exception('You have to write this function in child class')

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class HasPermissionAllDecorator(PermsDecorator):

			




	
	
	
		
 
    """Checks for access permission for all given predicates. All of them

			




	
	
	
		
 
    have to be meet in order to fulfill the request

			




	
	
	
		
 
    """

			




	
	
	
		
 

			




	
	
	
		
 
    def check_permissions(self):

			




	
	
	
		
 
        if self.required_perms.issubset(self.user_perms.get('global')):

			




	
	
	
		
 
            return True

			




	
	
	
		
 
        return False

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class HasPermissionAnyDecorator(PermsDecorator):

			




	
	
	
		
 
    """Checks for access permission for any of given predicates. In order to

			




	
	
	
		
 
    fulfill the request any of predicates must be meet

			




	
	
	
		
 
    """

			




	
	
	
		
 

			




	
	
	
		
 
    def check_permissions(self):

			




	
	
	
		
 
        if self.required_perms.intersection(self.user_perms.get('global')):

			




	
	
	
		
 
            return True

			




	
	
	
		
 
        return False

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class HasRepoPermissionAllDecorator(PermsDecorator):

			




	
	
	
		
 
    """Checks for access permission for all given predicates for specific

			




	
	
	
		
 
    repository. All of them have to be meet in order to fulfill the request

			




	
	
	
		
 
    """

			




	
	
	
		
 

			




	
	
	
		
 
    def check_permissions(self):

			




	
	
	
		
 
        repo_name = get_repo_slug(request)

			




	
	
	
		
 
        try:

			




	
	
	
		
 
            user_perms = set([self.user_perms['repositories'][repo_name]])

			




	
	
	
		
 
        except KeyError:

			




	
	
	
		
 
            return False

			




	
	
	
		
 
        if self.required_perms.issubset(user_perms):

			




	
	
	
		
 
            return True

			




	
	
	
		
 
        return False

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class HasRepoPermissionAnyDecorator(PermsDecorator):

			




	
	
	
		
 
    """Checks for access permission for any of given predicates for specific

			




	
	
	
		
 
    repository. In order to fulfill the request any of predicates must be meet

			




	
	
	
		
 
    """

			




	
	
	
		
 

			




	
	
	
		
 
    def check_permissions(self):

			




	
	
	
		
 
        repo_name = get_repo_slug(request)

			




	
	
	
		
 

			




	
	
	
		
 
        try:

			




	
	
	
		
 
            user_perms = set([self.user_perms['repositories'][repo_name]])

			




	
	
	
		
 
        except KeyError:

			




	
	
	
		
 
            return False

			




	
	
	
		
 
        if self.required_perms.intersection(user_perms):

			




	
	
	
		
 
            return True

			




	
	
	
		
 
        return False

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 
# CHECK FUNCTIONS

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 
class PermsFunction(object):

			




	
	
	
		
 
    """Base function for other check functions"""

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, *perms):

			




	
	
	
		
 
        available_perms = config['available_permissions']

			




	
	
	
		
 

			




	
	
	
		
 
        for perm in perms:

			




	
	
	
		
 
            if perm not in available_perms:

			




	
	
	
		
 
                raise Exception("'%s' permission in not defined" % perm)

			




	
	
	
		
 
        self.required_perms = set(perms)

			




	
	
	
		
 
        self.user_perms = None

			




	
	
	
		
 
        self.granted_for = ''

			




	
	
	
		
 
        self.repo_name = None

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, check_Location=''):

			




	
	
	
		
 
        user = session.get('rhodecode_user', False)

			




	
	
	
		
 
        if not user:

			




	
	
	
		
 
            return False

			




	
	
	
		
 
        self.user_perms = user.permissions

			




	
	
	
		
 
        self.granted_for = user

			




	
	
	
		
 
        log.debug('checking %s %s %s', self.__class__.__name__,

			




	
	
	
		
 
                  self.required_perms, user)

			




	
	
	
		
 

			




	
	
	
		
 
        if self.check_permissions():

			




	
	
	
		
 
            log.debug('Permission granted %s @ %s', self.granted_for,

			




	
	
	
		
 
                      check_Location or 'unspecified location')

			




	
	
	
		
 
            return True

			




	
	
	
		
 

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            log.warning('Permission denied for %s @ %s', self.granted_for,

			




	
	
	
		
 
                        check_Location or 'unspecified location')

			




	
	
	
		
 
            return False

			




	
	
	
		
 

			




	
	
	
		
 
    def check_permissions(self):

			




	
	
	
		
 
        """Dummy function for overriding"""

			




	
	
	
		
 
        raise Exception('You have to write this function in child class')

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class HasPermissionAll(PermsFunction):

			




	
	
	
		
 
    def check_permissions(self):

			




	
	
	
		
 
        if self.required_perms.issubset(self.user_perms.get('global')):

			




	
	
	
		
 
            return True

			




	
	
	
		
 
        return False

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class HasPermissionAny(PermsFunction):

			




	
	
	
		
 
    def check_permissions(self):

			




	
	
	
		
 
        if self.required_perms.intersection(self.user_perms.get('global')):

			




	
	
	
		
 
            return True

			




	
	
	
		
 
        return False

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class HasRepoPermissionAll(PermsFunction):

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, repo_name=None, check_Location=''):

			




	
	
	
		
 
        self.repo_name = repo_name

			




	
	
	
		
 
        return super(HasRepoPermissionAll, self).__call__(check_Location)

			




	
	
	
		
 

			




	
	
	
		
 
    def check_permissions(self):

			




	
	
	
		
 
        if not self.repo_name:

			




	
	
	
		
 
            self.repo_name = get_repo_slug(request)

			




	
	
	
		
 

			




	
	
	
		
 
        try:

			




	
	
	
		
 
            self.user_perms = set([self.user_perms['reposit'

			




	
	
	
		
 
                                                   'ories'][self.repo_name]])

			




	
	
	
		
 
        except KeyError:

			




	
	
	
		
 
            return False

			




	
	
	
		
 
        self.granted_for = self.repo_name

			




	
	
	
		
 
        if self.required_perms.issubset(self.user_perms):

			




	
	
	
		
 
            return True

			




	
	
	
		
 
        return False

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
class HasRepoPermissionAny(PermsFunction):

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, repo_name=None, check_Location=''):

			




	
	
	
		
 
        self.repo_name = repo_name

			




	
	
	
		
 
        return super(HasRepoPermissionAny, self).__call__(check_Location)

			




	
	
	
		
 

			




	
	
	
		
 
    def check_permissions(self):

			




	
	
	
		
 
        if not self.repo_name:

			




	
	
	
		
 
            self.repo_name = get_repo_slug(request)

			




	
	
	
		
 

			




	
	
	
		
 
        try:

			




	
	
	
		
 
            self.user_perms = set([self.user_perms['reposi'

			




	
	
	
		
 
                                                   'tories'][self.repo_name]])

			




	
	
	
		
 
        except KeyError:

			




	
	
	
		
 
            return False

			




	
	
	
		
 
        self.granted_for = self.repo_name

			




	
	
	
		
 
        if self.required_perms.intersection(self.user_perms):

			




	
	
	
		
 
            return True

			




	
	
	
		
 
        return False

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 
# SPECIAL VERSION TO HANDLE MIDDLEWARE AUTH

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 
class HasPermissionAnyMiddleware(object):

			




	
	
	
		
 
    def __init__(self, *perms):

			




	
	
	
		
 
        self.required_perms = set(perms)

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, user, repo_name):

			




	
	
	
		
 
        usr = AuthUser(user.user_id)

			




	
	
	
		
 
        try:

			




	
	
	
		
 
            self.user_perms = set([usr.permissions['repositories'][repo_name]])

			




	
	
	
		
 
        except:

			




	
	
	
		
 
            self.user_perms = set()

			




	
	
	
		
 
        self.granted_for = ''

			




	
	
	
		
 
        self.username = user.username

			




	
	
	
		
 
        self.repo_name = repo_name

			




	
	
	
		
 
        return self.check_permissions()

			




	
	
	
		
 

			




	
	
	
		
 
    def check_permissions(self):

			




	
	
	
		
 
        log.debug('checking mercurial protocol '

			




	
	
	
		
 
                  'permissions %s for user:%s repository:%s', self.user_perms,

			




	
	
	
		
 
                                                self.username, self.repo_name)

			




	
	
	
		
 
        if self.required_perms.intersection(self.user_perms):

			




	
	
	
		
 
            log.debug('permission granted')

			




	
	
	
		
 
            return True

			




	
	
	
		
 
        log.debug('permission denied')

			




	
	
	
		
 
        return False

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.