# HG changeset patch
# User Mads Kiilerich
# Date 1546474926 -3600
# Node ID 1e83cda8789930aa6f8f9a0f912b0d13fb81b34a
# Parent 05dc948c978834e0479f1ea3ed119fd4badf405e
auth: drop unused AuthUser.is_authenticated

It seems like other ways of tracking authentication state are better. AuthUser is a *potentially* authenticated user. We prefer to keep it as that, without modifying the AuthUser object if the user actually should be authenticated. The primariy indicator that a user is authenticated is when the AuthUser is set as request.authuser . (Alternatively, we could create an AuthenticatedUser sub-class and move things like access control checks there. That would help ensuring it is used correctly, without having to check an is_authenticated flag.)

diff -r 05dc948c9788 -r 1e83cda87899 kallithea/lib/auth.py
--- a/kallithea/lib/auth.py Sun Apr 07 23:35:23 2019 +0200
+++ b/kallithea/lib/auth.py Thu Jan 03 01:22:06 2019 +0100
@@ -379,10 +379,9 @@
     adding various non-persistent data. If lookup fails but anonymous access to Kallithea is enabled, the default user is loaded instead.
 
-    `AuthUser` does not by itself authenticate users and the constructor
-    sets the `is_authenticated` field to False. It's up to other parts
-    of the code to check e.g. if a supplied password is correct, and if
-    so, set `is_authenticated` to True.
+    `AuthUser` does not by itself authenticate users. It's up to other parts of
+    the code to check e.g. if a supplied password is correct, and if so, trust
+    the AuthUser object as an authenticated user.
 
     However, `AuthUser` does refuse to load a user that is not `active`.
@@ -401,8 +400,6 @@
     def __init__(self, user_id=None, dbuser=None, authenticating_api_key=None, is_external_auth=False):
-
-        self.is_authenticated = False
         self.is_external_auth = is_external_auth
         self.authenticating_api_key = authenticating_api_key
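Review bot: The rewritten docstring tells other code to "trust the AuthUser object as an authenticated user" but never says how that trust is made visible, so a reader of the class still cannot tell an authenticated instance from a merely loaded one; the commit message has the answer — the user counts as authenticated once it has been set as `request.authuser`. Putting that next to the class, e.g. `The only indicator that an AuthUser actually is authenticated is that it has been installed as request.authuser; the object itself carries no flag.`, keeps the contract in the code rather than only in history. The AuthUser docstring starts before this hunk.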
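Review bot: Dropping `self.is_authenticated = False` from `__init__` turns any remaining reader of the attribute from a False result into an AttributeError at request time; the title calls the field unused, but the patch only touches `auth.py` and `base.py`, so templates and other modules that may read `authuser.is_authenticated` cannot be confirmed from this page and deserve a grep before merge. The remainder of `__init__` continues past the end of the hunk.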
@@ -571,8 +568,7 @@
         return False
 
     def __repr__(self):
-        return "" \
-            % (self.user_id, self.username, (self.is_authenticated or self.is_default_user))
+        return "" % (self.user_id, self.username)
 
     def to_cookie(self):
         """ Serializes this login session to a cookie `dict`. """
@@ -591,7 +587,6 @@
             user_id=cookie.get('user_id'),
             is_external_auth=cookie.get('is_external_auth', False),
         )
-        au.is_authenticated = True
         return au
 
     @classmethod
diff -r 05dc948c9788 -r 1e83cda87899 kallithea/lib/base.py
--- a/kallithea/lib/base.py Sun Apr 07 23:35:23 2019 +0200
+++ b/kallithea/lib/base.py Thu Jan 03 01:22:06 2019 +0100
@@ -124,7 +124,6 @@
                                  is_external_auth=is_external_auth)
         # It should not be possible to explicitly log in as the default user.
         assert not auth_user.is_default_user
-        auth_user.is_authenticated = True
 
         # Start new session to prevent session fixation attacks.
         session.invalidate()
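Review bot: The new `__repr__` drops `is_default_user` from the output along with `is_authenticated`, so a log line or traceback that prints an AuthUser no longer shows whether it is the anonymous default user — the one distinction that matters most when reading an access-control failure after the fact. Keeping `self.is_default_user` as a third argument to the format string, with a matching placeholder, costs nothing and preserves that signal. The format string itself renders as an empty `""` on this page, presumably because the angle-bracketed template was stripped by the rendering, so its placeholders cannot be checked from here.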
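Review bot: With `auth_user.is_authenticated = True` removed, the `assert not auth_user.is_default_user` context line is the only guard left before the session is established, and `assert` statements are discarded when Python runs with `-O`, so the invariant the comment describes is not enforced in that mode. An explicit check, `if auth_user.is_default_user: raise ValueError('cannot log in as the default user')` (or the project's own error type), keeps it enforced regardless of interpreter flags. The enclosing function starts before this hunk and continues after it.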