# HG changeset patch # User Mads Kiilerich # Date 1554675080 -7200 # Node ID 7977ca209b1dc60af4549ce80cc945d095f16274 # Parent 226893a56a8146ebe47ffd5f2961c4f2647f8dae auth: make User.get_by_api_key more strict about only returning active non-default users Thus drop some extra checks against default user. diff -r 226893a56a81 -r 7977ca209b1d kallithea/lib/base.py --- a/kallithea/lib/base.py Thu Jan 03 01:22:56 2019 +0100 +++ b/kallithea/lib/base.py Mon Apr 08 00:11:20 2019 +0200 @@ -393,11 +393,11 @@ # Authenticate by API key if api_key is not None: dbuser = User.get_by_api_key(api_key) - au = AuthUser.make(dbuser=dbuser, authenticating_api_key=api_key, is_external_auth=True, ip_addr=ip_addr) - if au is None or au.is_anonymous: - log.warning('API key ****%s is NOT valid', api_key[-4:]) - raise webob.exc.HTTPForbidden(_('Invalid API key')) - return au + if dbuser is None: + log.info('No db user found for authentication with API key ****%s from %s', + api_key[-4:], ip_addr) + return None + return AuthUser.make(dbuser=dbuser, authenticating_api_key=api_key, is_external_auth=True, ip_addr=ip_addr) # Authenticate by session cookie # In ancient login sessions, 'authuser' may not be a dict. diff -r 226893a56a81 -r 7977ca209b1d kallithea/model/db.py --- a/kallithea/model/db.py Thu Jan 03 01:22:56 2019 +0100 +++ b/kallithea/model/db.py Mon Apr 08 00:11:20 2019 +0200 @@ -598,6 +598,8 @@ _res = UserApiKeys.query().filter_by(api_key=api_key, is_expired=False).first() if _res: res = _res.user + if res is None or not res.active or res.is_default_user: + return None return res @classmethod
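Review bot: in the kallithea/lib/base.py hunk, the rejection path for a bad API key is removed rather than moved: the old code raised `webob.exc.HTTPForbidden(_('Invalid API key'))` with a `log.warning`, the new code does `return None` with a `log.info` and the request falls through to the "Authenticate by session cookie" branch below. A request that presents an unknown, expired, inactive or default-user API key is therefore no longer answered with 403 but is treated as if no key had been sent, and the failed attempt is logged at a lower severity, which makes such attempts harder to pick up in monitoring. If the fall-through is intentional, the commit message should say so; otherwise keep the `HTTPForbidden` and the `log.warning` on the `dbuser is None` branch, e.g. `log.warning('No db user found for authentication with API key ****%s from %s', api_key[-4:], ip_addr)` followed by the raise. Dropping the `au is None or au.is_anonymous` check is fine only because `AuthUser.make` is now always given an active non-default user; a short comment at `return AuthUser.make(...)` noting that `get_by_api_key` guarantees this would help the next reader.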
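Review bot: in the kallithea/model/db.py hunk, the new `if res is None or not res.active or res.is_default_user: return None` changes the contract of `User.get_by_api_key` for every caller, not just the one in base.py, since a user that was previously returned (inactive, or the default user) is now indistinguishable from "no such key". The docstring of the method (outside the hunk) should state that only active, non-default users are returned and that None means either no matching key or a filtered user, and any other call sites that used the result for something other than authentication should be checked for the new None. The placement is right, though: putting the check after `res = _res.user` means it covers both the direct lookup and the `UserApiKeys` lookup with `is_expired=False`, so the restriction cannot be bypassed by which table the key was found in.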