Changeset - f103b1a2383b
default
0 5 0
Søren Løvborg - 10 years ago 2015-07-14 14:00:17
kwi@kwi.dk
BaseController: hide "Log out" link for external login sessions

If a user is authenticated by external means (API key or container auth),
Kallithea is not actually able to log the user out and should not show
the "Log out" link.
5 files changed with 29 insertions and 7 deletions:
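--- a/kallithea/controllers/login.py
+++ b/kallithea/controllers/login.py
@@ -113,13 +113,14 @@ class LoginController(BaseController):
                 # container auth or other auth functions that create users on
                 # the fly can throw this exception signaling that there's issue
                 # with user creation, explanation should be provided in
                 # Exception itself
                 h.flash(e, 'error')
             else:
-                log_in_user(user, c.form_result['remember'])
+                log_in_user(user, c.form_result['remember'],
+                    is_external_auth=False)
                 return self._redirect_to_origin(c.came_from)
 
         return render('/login.html')
 
     @HasPermissionAnyDecorator('hg.admin', 'hg.register.auto_activate',
                                'hg.register.manual_activate')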
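--- a/kallithea/lib/auth.py
+++ b/kallithea/lib/auth.py
@@ -473,25 +473,27 @@ class AuthUser(object):
     sets the `is_authenticated` field to False, except when falling back
     to the default anonymous user (if enabled). It's up to other parts
     of the code to check e.g. if a supplied password is correct, and if
     so, set `is_authenticated` to True.
     """
 
-    def __init__(self, user_id=None, api_key=None, username=None):
+    def __init__(self, user_id=None, api_key=None, username=None,
+            is_external_auth=False):
 
         self.user_id = user_id
         self._api_key = api_key
 
         self.api_key = None
         self.username = username
         self.name = ''
         self.lastname = ''
         self.email = ''
         self.is_authenticated = False
         self.admin = False
         self.inherit_default_permissions = False
+        self.is_external_auth = is_external_auth
 
         self.propagate_data()
         self._instance = None
 
     @LazyProperty
     def permissions(self):
@@ -630,23 +632,25 @@ class AuthUser(object):
     def to_cookie(self):
         """ Serializes this login session to a cookie `dict`. """
         return {
             'user_id': self.user_id,
             'username': self.username,
             'is_authenticated': self.is_authenticated,
+            'is_external_auth': self.is_external_auth,
         }
 
     @staticmethod
     def from_cookie(cookie):
         """
         Deserializes an `AuthUser` from a cookie `dict`.
         """
 
         au = AuthUser(
             user_id=cookie.get('user_id'),
             username=cookie.get('username'),
+            is_external_auth=cookie.get('is_external_auth', False),
         )
         if not au.is_authenticated and au.user_id is not None:
             # user is not authenticated and not empty
             au.set_authenticated(cookie.get('is_authenticated'))
         return au
 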
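Review bot: `from_cookie` hands the stored `is_external_auth` value straight to `__init__` without normalising it, and the new `__init__` parameter is not documented anywhere in the class; the only consumer visible in this changeset is the Mako test `%if not c.authuser.is_external_auth`, so whatever object happens to be in the session dict (from an older or foreign session writer) silently decides whether Log Out is rendered. Coerce at the deserialisation boundary, `is_external_auth=bool(cookie.get('is_external_auth', False)),`, which is where session data re-enters the process. The class docstring starts before the hunk; I would add one sentence to it: `is_external_auth` is True when the session was established by container auth or an API key rather than the login form; it is persisted by `to_cookie` and is an informational flag for the UI, not an access-control decision. That the logout route stays reachable is inferred from the commit description, not from code in this changeset.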
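--- a/kallithea/lib/base.py
+++ b/kallithea/lib/base.py
@@ -101,24 +101,25 @@ def _get_access_path(environ):
     org_req = environ.get('pylons.original_request')
     if org_req:
         path = org_req.environ.get('PATH_INFO')
     return path
 
 
-def log_in_user(user, remember):
+def log_in_user(user, remember, is_external_auth):
     """
     Log a `User` in and update session and cookies. If `remember` is True,
     the session cookie is set to expire in a year; otherwise, it expires at
     the end of the browser session.
 
     Returns populated `AuthUser` object.
     """
     user.update_lastlogin()
     meta.Session().commit()
 
-    auth_user = AuthUser(user_id=user.user_id)
+    auth_user = AuthUser(user_id=user.user_id,
+                         is_external_auth=is_external_auth)
     auth_user.set_authenticated()
 
     # Start new session to prevent session fixation attacks.
     session.invalidate()
     session['authuser'] = cookie = auth_user.to_cookie()
 
@@ -381,13 +382,13 @@ class BaseController(WSGIController):
         API key (if any), and the authuser from the session.
         """
 
         # Authenticate by API key
         if api_key:
             # when using API_KEY we are sure user exists.
-            return AuthUser(api_key=api_key)
+            return AuthUser(api_key=api_key, is_external_auth=True)
 
         # Authenticate by session cookie
         cookie = session.get('authuser')
         # In ancient login sessions, 'authuser' may not be a dict.
         # In that case, the user will have to log in again.
         if isinstance(cookie, dict):
@@ -412,13 +413,14 @@ class BaseController(WSGIController):
                 from kallithea.lib import helpers as h
                 h.flash(e, 'error', logf=log.error)
             else:
                 if auth_info:
                     username = auth_info['username']
                     user = User.get_by_username(username, case_insensitive=True)
-                    return log_in_user(user, remember=False)
+                    return log_in_user(user, remember=False,
+                                       is_external_auth=True)
 
         # User is anonymous
         return AuthUser()
 
     def __call__(self, environ, start_response):
         """Invoke the Controller"""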
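Review bot: `log_in_user` gained a mandatory positional parameter that its docstring does not mention, and the semantics deserve spelling out because the flag is written once into the session (`session['authuser'] = cookie = auth_user.to_cookie()`) and, on later requests, the session-cookie branch in the second hunk restores it without re-checking the current request's container header or API key; it therefore records how the session was originally established, not how the current request is authenticated, so a form login made while a container header is also present keeps its Log Out link, and vice versa. I would add to the docstring: `is_external_auth` is True when the session is created by container auth (or another external mechanism) rather than the login form; it is stored in the session via `AuthUser.to_cookie` and is not re-evaluated on later requests. Note also that the API-key branch never touches the session, so `is_external_auth=True` there only affects the current request's `AuthUser`. The enclosing method of the second and third hunks starts before them and its session-cookie handling continues past the second hunk.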
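--- a/kallithea/templates/base/base.html
+++ b/kallithea/templates/base/base.html
@@ -345,13 +345,16 @@
                 <div class="email">${c.authuser.email}</div>
             </div>
             <div class="links_right">
             <ol class="links">
               <li><a href="${h.url('notifications')}">${_('Notifications')}: ${c.unread_notifications}</a></li>
               <li>${h.link_to(_(u'My Account'),h.url('my_account'))}</li>
-              <li class="logout">${h.link_to(_(u'Log Out'),h.url('logout_home'))}</li>
+              %if not c.authuser.is_external_auth:
+                ## Cannot log out if using external (container) authentication.
+                <li class="logout">${h.link_to(_(u'Log Out'), h.url('logout_home'))}</li>
+              %endif
             </ol>
             </div>
           %endif
         </div>
       </div>
     </li>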
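Review bot: The new `##` comment names only container authentication, but the same flag is set for API-key requests in this changeset (`AuthUser(api_key=api_key, is_external_auth=True)` in base.py), and nothing here disables the `logout_home` route itself, so hiding the link is a usability measure rather than an enforcement point; a reader should not conclude from the comment that logout is prevented. I would word it as `## Log Out is hidden (not disabled) for externally authenticated sessions, i.e. container auth or API key: per the commit message the next request would re-authenticate the user anyway.` The surrounding `%if` that this block sits in opens before the hunk.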
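--- a/kallithea/tests/functional/test_admin_auth_settings.py
+++ b/kallithea/tests/functional/test_admin_auth_settings.py
@@ -172,6 +172,18 @@ class TestAuthSettingsController(TestCon
             auth_container_clean_username='True',
         )
         self._container_auth_verify_login(
             extra_environ={'REMOTE_USER': r'example\jane'},
             resulting_username=r'jane',
         )
+
+    def test_container_auth_no_logout(self):
+        self._container_auth_setup(
+            auth_container_header='REMOTE_USER',
+            auth_container_fallback_header='',
+            auth_container_clean_username='True',
+        )
+        response = self.app.get(
+            url=url(controller='admin/my_account', action='my_account'),
+            extra_environ={'REMOTE_USER': 'john'},
+        )
+        self.assertNotIn('Log Out', response.normal_body)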
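Review bot: `test_container_auth_no_logout` has no positive control: `assertNotIn('Log Out', ...)` also passes if the request was bounced to the login page, rendered an error page, or if a regression dropped the Log Out link for every user, and `self.app.get` presumably accepts any 2xx/3xx response unless told otherwise. Assert first that the logged-in account page was actually rendered, e.g. `self.assertIn('My Account', response.normal_body)` (the link that base.html renders right before Log Out), and add the inverse case, a form-login session that still shows `Log Out`, so both branches of the new `%if` are exercised. The `_container_auth_setup` helper and the test class header lie outside the hunk.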