changeset 7694:1e83cda87899

auth: drop unused AuthUser.is_authenticated It seems like other ways of tracking authentication state are better. AuthUser is a *potentially* authenticated user. We prefer to keep it as that, without modifying the AuthUser object if the user actually should be authenticated. The primary indicator that a user is authenticated is when the AuthUser is set as request.authuser. (Alternatively, we could create an AuthenticatedUser sub-class and move things like access control checks there. That would help ensure it is used correctly, without having to check an is_authenticated flag.)
author Mads Kiilerich <mads@kiilerich.com>
date Thu, 03 Jan 2019 01:22:06 +0100
parents 05dc948c9788
children 31aa5b6c107d
files kallithea/lib/auth.py kallithea/lib/base.py
diffstat 2 files changed, 4 insertions(+), 10 deletions(-) [+]
--- a/kallithea/lib/auth.py	Sun Apr 07 23:35:23 2019 +0200
+++ b/kallithea/lib/auth.py	Thu Jan 03 01:22:06 2019 +0100
@@ -379,10 +379,9 @@
     adding various non-persistent data. If lookup fails but anonymous
     access to Kallithea is enabled, the default user is loaded instead.
 
-    `AuthUser` does not by itself authenticate users and the constructor
-    sets the `is_authenticated` field to False. It's up to other parts
-    of the code to check e.g. if a supplied password is correct, and if
-    so, set `is_authenticated` to True.
+    `AuthUser` does not by itself authenticate users. It's up to other parts of
+    the code to check e.g. if a supplied password is correct, and if so, trust
+    the AuthUser object as an authenticated user.
 
     However, `AuthUser` does refuse to load a user that is not `active`.
 
@@ -401,8 +400,6 @@
 
     def __init__(self, user_id=None, dbuser=None, authenticating_api_key=None,
             is_external_auth=False):
-
-        self.is_authenticated = False
         self.is_external_auth = is_external_auth
         self.authenticating_api_key = authenticating_api_key
 
@@ -571,8 +568,7 @@
             return False
 
     def __repr__(self):
-        return "<AuthUser('id:%s[%s] auth:%s')>" \
-            % (self.user_id, self.username, (self.is_authenticated or self.is_default_user))
+        return "<AuthUser('id:%s[%s]')>" % (self.user_id, self.username)
 
     def to_cookie(self):
         """ Serializes this login session to a cookie `dict`. """
@@ -591,7 +587,6 @@
             user_id=cookie.get('user_id'),
             is_external_auth=cookie.get('is_external_auth', False),
         )
-        au.is_authenticated = True
         return au
 
     @classmethod
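Review bot: The rewritten docstring paragraph in the first hunk tells other code to "trust the AuthUser object as an authenticated user" but, now that the in-object flag is gone, gives a reader no way to tell which objects those are; the commit message names the indicator, so the class docstring should too. I would add after that paragraph: `An AuthUser instance carries no authentication state of its own; it is to be treated as authenticated only once the login code has installed it as request.authuser.` The same sentence belongs at from_cookie, whose body starts outside the last hunk, since it now returns a plain AuthUser built from cookie data with nothing distinguishing it from any other. If any reader of `is_authenticated` survives outside the two files in this changeset it will now raise AttributeError rather than silently treat the user as unauthenticated, which is the safe failure mode, but worth a search before landing. The AuthUser class itself starts and ends outside these hunks.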
--- a/kallithea/lib/base.py	Sun Apr 07 23:35:23 2019 +0200
+++ b/kallithea/lib/base.py	Thu Jan 03 01:22:06 2019 +0100
@@ -124,7 +124,6 @@
                          is_external_auth=is_external_auth)
     # It should not be possible to explicitly log in as the default user.
     assert not auth_user.is_default_user
-    auth_user.is_authenticated = True
 
     # Start new session to prevent session fixation attacks.
     session.invalidate()
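Review bot: With the `auth_user.is_authenticated = True` assignment removed, the `assert not auth_user.is_default_user` line just above it is the only thing between constructing the AuthUser and establishing the session, and `assert` is compiled out under `python -O`, so in an optimized deployment nothing enforces the comment's "should not be possible". I would make the guard unconditional: `if auth_user.is_default_user:` followed by `raise ValueError('cannot log in as the default user')` (or the project's own error type if one exists). The enclosing function starts outside the hunk, so I cannot see whether an earlier check already rejects the default user before this point.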