# HG changeset patch # User Søren Løvborg # Date 1483567511 -3600 # Node ID 5b40eb88a46dd1190c9462ac6aec10876dabf97e # Parent 2a7ab8d988249be0db8be24c3b2f644199180ec7 vcs: remove non-sensical conditional block __get_action can only return "pull" or "push"; any other value is an error on our end. And indeed, if not, the old code would crash further down in the function (under "CHECK LOCKING") because the "user" local variable was not assigned. This also corrects the comment that incorrectly suggests the perm check is only relevant for anonymous access. The relevant code is duplicated between Hg and Git... and thus also this change. (Diff becomes clearer if whitespace changes are ignored.) diff -r 2a7ab8d98824 -r 5b40eb88a46d kallithea/lib/middleware/simplegit.py --- a/kallithea/lib/middleware/simplegit.py Tue Feb 14 20:16:47 2017 +0100 +++ b/kallithea/lib/middleware/simplegit.py Wed Jan 04 23:05:11 2017 +0100 @@ -68,7 +68,6 @@ return self.application(environ, start_response) ip_addr = self._get_ip_addr(environ) - username = None self._git_first_op = False # skip passing error to error controller environ['pylons.status_code_redirect'] = True @@ -94,68 +93,67 @@ action = self.__get_action(environ) #====================================================================== - # CHECK ANONYMOUS PERMISSION + # CHECK PERMISSIONS #====================================================================== - if action in ['pull', 'push']: - anonymous_user = User.get_default_user(cache=True) - username = anonymous_user.username - if anonymous_user.active: - # ONLY check permissions if the user is activated - anonymous_perm = self._check_permission(action, anonymous_user, - repo_name, ip_addr) - else: - anonymous_perm = False + anonymous_user = User.get_default_user(cache=True) + username = anonymous_user.username + if anonymous_user.active: + # ONLY check permissions if the user is activated + anonymous_perm = self._check_permission(action, anonymous_user, + repo_name, ip_addr) + else: + anonymous_perm = False - if not anonymous_user.active or not anonymous_perm: - if not anonymous_user.active: - log.debug('Anonymous access is disabled, running ' - 'authentication') + if not anonymous_user.active or not anonymous_perm: + if not anonymous_user.active: + log.debug('Anonymous access is disabled, running ' + 'authentication') - if not anonymous_perm: - log.debug('Not enough credentials to access this ' - 'repository as anonymous user') + if not anonymous_perm: + log.debug('Not enough credentials to access this ' + 'repository as anonymous user') - username = None - #============================================================== - # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE - # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS - #============================================================== + username = None + #============================================================== + # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE + # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS + #============================================================== - # try to auth based on environ, container auth methods - log.debug('Running PRE-AUTH for container based authentication') - pre_auth = auth_modules.authenticate('', '', environ) - if pre_auth is not None and pre_auth.get('username'): - username = pre_auth['username'] - log.debug('PRE-AUTH got %s as username', username) + # try to auth based on environ, container auth methods + log.debug('Running PRE-AUTH for container based authentication') + pre_auth = auth_modules.authenticate('', '', environ) + if pre_auth is not None and pre_auth.get('username'): + username = pre_auth['username'] + log.debug('PRE-AUTH got %s as username', username) - # If not authenticated by the container, running basic auth - if not username: - self.authenticate.realm = \ - safe_str(self.config['realm']) - result = self.authenticate(environ) - if isinstance(result, str): - AUTH_TYPE.update(environ, 'basic') - REMOTE_USER.update(environ, result) - username = result - else: - return result.wsgi_application(environ, start_response) + # If not authenticated by the container, running basic auth + if not username: + self.authenticate.realm = \ + safe_str(self.config['realm']) + result = self.authenticate(environ) + if isinstance(result, str): + AUTH_TYPE.update(environ, 'basic') + REMOTE_USER.update(environ, result) + username = result + else: + return result.wsgi_application(environ, start_response) - #============================================================== - # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME - #============================================================== - try: - user = User.get_by_username_or_email(username) - if user is None or not user.active: - return HTTPForbidden()(environ, start_response) - username = user.username - except Exception: - log.error(traceback.format_exc()) - return HTTPInternalServerError()(environ, start_response) + #============================================================== + # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME + #============================================================== + try: + user = User.get_by_username_or_email(username) + if user is None or not user.active: + return HTTPForbidden()(environ, start_response) + username = user.username + except Exception: + log.error(traceback.format_exc()) + return HTTPInternalServerError()(environ, start_response) - #check permissions for this repository - perm = self._check_permission(action, user, repo_name, ip_addr) - if not perm: - return HTTPForbidden()(environ, start_response) + #check permissions for this repository + perm = self._check_permission(action, user, repo_name, ip_addr) + if not perm: + return HTTPForbidden()(environ, start_response) # extras are injected into UI object and later available # in hooks executed by kallithea diff -r 2a7ab8d98824 -r 5b40eb88a46d kallithea/lib/middleware/simplehg.py --- a/kallithea/lib/middleware/simplehg.py Tue Feb 14 20:16:47 2017 +0100 +++ b/kallithea/lib/middleware/simplehg.py Wed Jan 04 23:05:11 2017 +0100 @@ -72,7 +72,6 @@ return self.application(environ, start_response) ip_addr = self._get_ip_addr(environ) - username = None # skip passing error to error controller environ['pylons.status_code_redirect'] = True @@ -102,68 +101,67 @@ return e(environ, start_response) #====================================================================== - # CHECK ANONYMOUS PERMISSION + # CHECK PERMISSIONS #====================================================================== - if action in ['pull', 'push']: - anonymous_user = User.get_default_user(cache=True) - username = anonymous_user.username - if anonymous_user.active: - # ONLY check permissions if the user is activated - anonymous_perm = self._check_permission(action, anonymous_user, - repo_name, ip_addr) - else: - anonymous_perm = False + anonymous_user = User.get_default_user(cache=True) + username = anonymous_user.username + if anonymous_user.active: + # ONLY check permissions if the user is activated + anonymous_perm = self._check_permission(action, anonymous_user, + repo_name, ip_addr) + else: + anonymous_perm = False - if not anonymous_user.active or not anonymous_perm: - if not anonymous_user.active: - log.debug('Anonymous access is disabled, running ' - 'authentication') + if not anonymous_user.active or not anonymous_perm: + if not anonymous_user.active: + log.debug('Anonymous access is disabled, running ' + 'authentication') - if not anonymous_perm: - log.debug('Not enough credentials to access this ' - 'repository as anonymous user') + if not anonymous_perm: + log.debug('Not enough credentials to access this ' + 'repository as anonymous user') - username = None - #============================================================== - # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE - # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS - #============================================================== + username = None + #============================================================== + # DEFAULT PERM FAILED OR ANONYMOUS ACCESS IS DISABLED SO WE + # NEED TO AUTHENTICATE AND ASK FOR AUTH USER PERMISSIONS + #============================================================== - # try to auth based on environ, container auth methods - log.debug('Running PRE-AUTH for container based authentication') - pre_auth = auth_modules.authenticate('', '', environ) - if pre_auth is not None and pre_auth.get('username'): - username = pre_auth['username'] - log.debug('PRE-AUTH got %s as username', username) + # try to auth based on environ, container auth methods + log.debug('Running PRE-AUTH for container based authentication') + pre_auth = auth_modules.authenticate('', '', environ) + if pre_auth is not None and pre_auth.get('username'): + username = pre_auth['username'] + log.debug('PRE-AUTH got %s as username', username) - # If not authenticated by the container, running basic auth - if not username: - self.authenticate.realm = \ - safe_str(self.config['realm']) - result = self.authenticate(environ) - if isinstance(result, str): - AUTH_TYPE.update(environ, 'basic') - REMOTE_USER.update(environ, result) - username = result - else: - return result.wsgi_application(environ, start_response) + # If not authenticated by the container, running basic auth + if not username: + self.authenticate.realm = \ + safe_str(self.config['realm']) + result = self.authenticate(environ) + if isinstance(result, str): + AUTH_TYPE.update(environ, 'basic') + REMOTE_USER.update(environ, result) + username = result + else: + return result.wsgi_application(environ, start_response) - #============================================================== - # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME - #============================================================== - try: - user = User.get_by_username_or_email(username) - if user is None or not user.active: - return HTTPForbidden()(environ, start_response) - username = user.username - except Exception: - log.error(traceback.format_exc()) - return HTTPInternalServerError()(environ, start_response) + #============================================================== + # CHECK PERMISSIONS FOR THIS REQUEST USING GIVEN USERNAME + #============================================================== + try: + user = User.get_by_username_or_email(username) + if user is None or not user.active: + return HTTPForbidden()(environ, start_response) + username = user.username + except Exception: + log.error(traceback.format_exc()) + return HTTPInternalServerError()(environ, start_response) - #check permissions for this repository - perm = self._check_permission(action, user, repo_name, ip_addr) - if not perm: - return HTTPForbidden()(environ, start_response) + #check permissions for this repository + perm = self._check_permission(action, user, repo_name, ip_addr) + if not perm: + return HTTPForbidden()(environ, start_response) # extras are injected into mercurial UI object and later available # in hg hooks executed by kallithea