Changeset - fffb4e73700e
Parent rev.
Child rev.
[Not reviewed]
default
0 1 0
Søren Løvborg - 9 years ago 2017-02-14 20:27:45
sorenl@unity3d.com
vcs: restructure authorization check

This is a pure refactoring, except for some changed debug log messages.

With this change, we simply return early if anonymous (= default user)
access is enabled, which should help overall readability.

(Diff becomes clearer if whitespace changes are ignored.)
1 file changed with 11 insertions and 17 deletions:
kallithea/lib/base.py
11
17
0 comments (0 inline, 0 general)
kallithea/lib/base.py
Show inline comments
 
@@ -194,59 +194,53 @@ class BaseVCSController(object):
 

			




	
	
	
		
 
    def _authorize(self, environ, start_response, action, repo_name, ip_addr):

			




	
	
	
		
 
        """Authenticate and authorize user.

			




	
	
	
		
 

			




	
	
	
		
 
        Since we're dealing with a VCS client and not a browser, we only

			




	
	
	
		
 
        support HTTP basic authentication, either directly via raw header

			




	
	
	
		
 
        inspection, or by using container authentication to delegate the

			




	
	
	
		
 
        authentication to the web server.

			




	
	
	
		
 

			




	
	
	
		
 
        Returns (user, None) on successful authentication and authorization.

			




	
	
	
		
 
        Returns (None, wsgi_app) to send the wsgi_app response to the client.

			




	
	
	
		
 
        """

			




	
	
	
		
 
        anonymous_user = User.get_default_user(cache=True)

			




	
	
	
		
 
        user = anonymous_user

			




	
	
	
		
 
        if anonymous_user.active:

			




	
	
	
		
 
            # ONLY check permissions if the user is activated

			




	
	
	
		
 
            anonymous_perm = self._check_permission(action, anonymous_user,

			




	
	
	
		
 
                                                    repo_name, ip_addr)

			




	
	
	
		
 
        # Check if anonymous access is allowed.

			




	
	
	
		
 
        default_user = User.get_default_user(cache=True)

			




	
	
	
		
 
        is_default_user_allowed = (default_user.active and

			




	
	
	
		
 
            self._check_permission(action, default_user, repo_name, ip_addr))

			




	
	
	
		
 
        if is_default_user_allowed:

			




	
	
	
		
 
            return default_user, None

			




	
	
	
		
 

			




	
	
	
		
 
        if not default_user.active:

			




	
	
	
		
 
            log.debug('Anonymous access is disabled')

			




	
	
	
		
 
        else:

			




	
	
	
		
 
            anonymous_perm = False

			




	
	
	
		
 

			




	
	
	
		
 
        if not anonymous_user.active or not anonymous_perm:

			




	
	
	
		
 
            if not anonymous_user.active:

			




	
	
	
		
 
                log.debug('Anonymous access is disabled, running '

			




	
	
	
		
 
                          'authentication')

			




	
	
	
		
 

			




	
	
	
		
 
            if not anonymous_perm:

			




	
	
	
		
 
                log.debug('Not enough credentials to access this '

			




	
	
	
		
 
            log.debug('Not authorized to access this '

			




	
	
	
		
 
                          'repository as anonymous user')

			




	
	
	
		
 

			




	
	
	
		
 
            username = None

			




	
	
	
		
 
            #==============================================================

			




	
	
	
		
 
            # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE

			




	
	
	
		
 
            # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS

			




	
	
	
		
 
            #==============================================================

			




	
	
	
		
 

			




	
	
	
		
 
            # try to auth based on environ, container auth methods

			




	
	
	
		
 
            log.debug('Running PRE-AUTH for container based authentication')

			




	
	
	
		
 
            pre_auth = auth_modules.authenticate('', '', environ)

			




	
	
	
		
 
            if pre_auth is not None and pre_auth.get('username'):

			




	
	
	
		
 
                username = pre_auth['username']

			




	
	
	
		
 
            log.debug('PRE-AUTH got %s as username', username)

			




	
	
	
		
 

			




	
	
	
		
 
            # If not authenticated by the container, running basic auth

			




	
	
	
		
 
            if not username:

			




	
	
	
		
 
                self.authenticate.realm = \

			




	
	
	
		
 
                    safe_str(self.config['realm'])

			




	
	
	
		
 
            self.authenticate.realm = safe_str(self.config['realm'])

			




	
	
	
		
 
                result = self.authenticate(environ)

			




	
	
	
		
 
                if isinstance(result, str):

			




	
	
	
		
 
                    paste.httpheaders.AUTH_TYPE.update(environ, 'basic')

			




	
	
	
		
 
                    paste.httpheaders.REMOTE_USER.update(environ, result)

			




	
	
	
		
 
                    username = result

			




	
	
	
		
 
                else:

			




	
	
	
		
 
                    return None, result.wsgi_application

			




	
	
	
		
 

			




	
	
	
		
 
            #==============================================================

			




	
	
	
		
 
            # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME

			




	
	
	
		
 
            #==============================================================

			




	
	
	
		
 
            try:

			




        

    



    


    



    



      

      





    
    0 comments (0 inline, 0 general)
    





    


  

  







  


    




    








    
        
    
    
        This site is powered by
            Kallithea 0.7.0,
        which is
        © 2010–2025 by various authors & licensed under GPLv3.