# HG changeset patch
# User Søren Løvborg
# Date 1436875199 -7200
# Node ID ad70180effaf8b8e67f730a8261c18133c30493e
# Parent d052078e0a16b7c9b3f4ebb075c738f763168f65
BaseController: refactor session cookie authentication

Untangle session cookie authentication. If no session cookie is set, AuthUser constructor will be called with user_id set to None (the argument default value), and will never raise a UserCreationError. Thus that case can safely be moved to the end of _determine_auth_user and outside the try-except block. If a session cookie *is* set, but we get a UserCreationError, we fall through to the "no cookie" case, which is also effectively the same behavior as before. (Not sure what circumstances, if any, can actually trigger a UserCreationError here, since the user is already logged in and - presumably - created, plus the user is identified by the Kallithea database ID, not user name, which would make it difficult to create a new user... but judging from the existing code, it's possible.)

diff -r d052078e0a16 -r ad70180effaf kallithea/lib/base.py
--- a/kallithea/lib/base.py Tue Jul 14 13:59:59 2015 +0200
+++ b/kallithea/lib/base.py Tue Jul 14 13:59:59 2015 +0200
@@ -352,9 +352,9 @@
             return AuthUser(api_key=api_key)
 
         # Authenticate by session cookie
-        if True:
-            cookie_store = CookieStoreWrapper(session_authuser)
-            user_id = cookie_store.get('user_id')
+        cookie_store = CookieStoreWrapper(session_authuser)
+        user_id = cookie_store.get('user_id')
+        if user_id is not None:
             try:
                 auth_user = AuthUser(user_id=user_id)
             except UserCreationError as e:
@@ -364,15 +364,17 @@
                 # exception object.
                 from kallithea.lib import helpers as h
                 h.flash(e, 'error')
-                auth_user = AuthUser()
-
-            authenticated = cookie_store.get('is_authenticated')
+            else:
+                authenticated = cookie_store.get('is_authenticated')
 
-            if not auth_user.is_authenticated and auth_user.user_id is not None:
-                # user is not authenticated and not empty
-                auth_user.set_authenticated(authenticated)
+                if not auth_user.is_authenticated and auth_user.user_id is not None:
+                    # user is not authenticated and not empty
+                    auth_user.set_authenticated(authenticated)
 
-            return auth_user
+                return auth_user
+
+        # User is anonymous
+        return AuthUser()
 
     def __call__(self, environ, start_response):
         """Invoke the Controller"""
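Review bot: When `AuthUser(user_id=user_id)` raises UserCreationError, the new flow falls through to `return AuthUser()` but leaves the offending `user_id` in the session store, so every later request carrying that session cookie repeats the failed construction and the flash; unless the session is reset elsewhere, consider removing the stale `user_id` entry from the store inside the except handler so the anonymous fallback is also the end of the retry loop. The guard `auth_user.user_id is not None` now sits inside `if user_id is not None:`, so it only has an effect if AuthUser can come back with a different id than it was given (presumably a fallback to the anonymous user when the id does not resolve); a comment such as `# AuthUser may have fallen back to the anonymous user; only restore the flag for a real account` would make that intent explicit. Note also that `authenticated` is passed to `set_authenticated` unchecked and will be None when the session lacks `is_authenticated`; that is pre-existing behaviour, but worth a comment if set_authenticated expects a bool. The enclosing `_determine_auth_user` begins outside the hunk.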