Changeset - ea02c8b2b529
Parent rev.
Child rev.
[Not reviewed]
default
0 1 0
Søren Løvborg - 10 years ago 2016-04-19 17:58:21
sorenl@unity3d.com
auth: prevent misuse of PermFunction in bool context

Evaluating a PermFunction as a boolean, rather than calling it, is
almost certainly an error. If not, "pf is not None" can be used.
1 file changed with 7 insertions and 0 deletions:
kallithea/lib/auth.py
7
0 comments (0 inline, 0 general)
kallithea/lib/auth.py
Show inline comments
 
@@ -981,48 +981,55 @@ class HasUserGroupPermissionAnyDecorator
 
    def check_permissions(self):
 
        group_name = get_user_group_slug(request)
 
        try:
 
            user_perms = set([self.user_perms['user_groups'][group_name]])
 
        except KeyError:
 
            return False
 

			




	
	
	
		
 
        if self.required_perms.intersection(user_perms):

			




	
	
	
		
 
            return True

			




	
	
	
		
 
        return False

			




	
	
	
		
 

			




	
	
	
		
 

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 
# CHECK FUNCTIONS

			




	
	
	
		
 
#==============================================================================

			




	
	
	
		
 
class PermsFunction(object):

			




	
	
	
		
 
    """Base function for other check functions"""

			




	
	
	
		
 

			




	
	
	
		
 
    def __init__(self, *perms):

			




	
	
	
		
 
        self.required_perms = set(perms)

			




	
	
	
		
 
        self.user_perms = None

			




	
	
	
		
 
        self.repo_name = None

			




	
	
	
		
 
        self.group_name = None

			




	
	
	
		
 

			




	
	
	
		
 
    def __nonzero__(self):

			




	
	
	
		
 
        """ Defend against accidentally forgetting to call the object

			




	
	
	
		
 
            and instead evaluating it directly in a boolean context,

			




	
	
	
		
 
            which could have security implications.

			




	
	
	
		
 
        """

			




	
	
	
		
 
        raise AssertionError(self.__class__.__name__ + ' is not a bool and must be called!')

			




	
	
	
		
 

			




	
	
	
		
 
    def __call__(self, check_location='', user=None):

			




	
	
	
		
 
        if not user:

			




	
	
	
		
 
            #TODO: remove this someday,put as user as attribute here

			




	
	
	
		
 
            user = request.user

			




	
	
	
		
 

			




	
	
	
		
 
        # init auth user if not already given

			




	
	
	
		
 
        if not isinstance(user, AuthUser):

			




	
	
	
		
 
            user = AuthUser(user.user_id)

			




	
	
	
		
 

			




	
	
	
		
 
        cls_name = self.__class__.__name__

			




	
	
	
		
 
        check_scope = {

			




	
	
	
		
 
            'HasPermissionAll': '',

			




	
	
	
		
 
            'HasPermissionAny': '',

			




	
	
	
		
 
            'HasRepoPermissionAll': 'repo:%s' % self.repo_name,

			




	
	
	
		
 
            'HasRepoPermissionAny': 'repo:%s' % self.repo_name,

			




	
	
	
		
 
            'HasRepoGroupPermissionAll': 'group:%s' % self.group_name,

			




	
	
	
		
 
            'HasRepoGroupPermissionAny': 'group:%s' % self.group_name,

			




	
	
	
		
 
        }.get(cls_name, '?')

			




	
	
	
		
 
        log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name,

			




	
	
	
		
 
                  self.required_perms, user, check_scope,

			




	
	
	
		
 
                  check_location or 'unspecified location')

			




	
	
	
		
 
        if not user:

			




	
	
	
		
 
            log.debug('Empty request user')

			




	
	
	
		
 
            return False

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.