changeset 7694:1e83cda87899
auth: drop unused AuthUser.is_authenticated
It seems like other ways of tracking authentication state are better. AuthUser
is a *potentially* authenticated user. We prefer to keep it as that, without
modifying the AuthUser object if the user actually should be authenticated.
The primary indicator that a user is authenticated is when the AuthUser is set
as request.authuser.
(Alternatively, we could create an AuthenticatedUser sub-class and move things
like access control checks there. That would help ensure it is used
correctly, without having to check an is_authenticated flag.)
| | |
|---|---|
| author | Mads Kiilerich <mads@kiilerich.com> |
| date | Thu, 03 Jan 2019 01:22:06 +0100 |
| parents | 05dc948c9788 |
| children | 31aa5b6c107d |
| files | kallithea/lib/auth.py kallithea/lib/base.py |
| diffstat | 2 files changed, 4 insertions(+), 10 deletions(-) |
--- a/kallithea/lib/auth.py Sun Apr 07 23:35:23 2019 +0200 +++ b/kallithea/lib/auth.py Thu Jan 03 01:22:06 2019 +0100 @@ -379,10 +379,9 @@ adding various non-persistent data. If lookup fails but anonymous access to Kallithea is enabled, the default user is loaded instead. - `AuthUser` does not by itself authenticate users and the constructor - sets the `is_authenticated` field to False. It's up to other parts - of the code to check e.g. if a supplied password is correct, and if - so, set `is_authenticated` to True. + `AuthUser` does not by itself authenticate users. It's up to other parts of + the code to check e.g. if a supplied password is correct, and if so, trust + the AuthUser object as an authenticated user. However, `AuthUser` does refuse to load a user that is not `active`. @@ -401,8 +400,6 @@ def __init__(self, user_id=None, dbuser=None, authenticating_api_key=None, is_external_auth=False): - - self.is_authenticated = False self.is_external_auth = is_external_auth self.authenticating_api_key = authenticating_api_key @@ -571,8 +568,7 @@ return False def __repr__(self): - return "<AuthUser('id:%s[%s] auth:%s')>" \ - % (self.user_id, self.username, (self.is_authenticated or self.is_default_user)) + return "<AuthUser('id:%s[%s]')>" % (self.user_id, self.username) def to_cookie(self): """ Serializes this login session to a cookie `dict`. """ @@ -591,7 +587,6 @@ user_id=cookie.get('user_id'), is_external_auth=cookie.get('is_external_auth', False), ) - au.is_authenticated = True return au @classmethod
--- a/kallithea/lib/base.py Sun Apr 07 23:35:23 2019 +0200 +++ b/kallithea/lib/base.py Thu Jan 03 01:22:06 2019 +0100 @@ -124,7 +124,6 @@ is_external_auth=is_external_auth) # It should not be possible to explicitly log in as the default user. assert not auth_user.is_default_user - auth_user.is_authenticated = True # Start new session to prevent session fixation attacks. session.invalidate()
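Review bot: the rewritten docstring in the auth.py hunk at @@ -379 tells callers to "trust the AuthUser object as an authenticated user" but no longer says where that trust is recorded now that the `is_authenticated` field is gone; suggest adding one sentence such as `An AuthUser is treated as authenticated only once it has been stored as request.authuser.`, matching the commit message, so a reader of the class does not go looking for a flag that no longer exists.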
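Review bot: removing `self.is_authenticated = False` from `__init__` in the auth.py hunk at @@ -401 turns any remaining reader of that attribute (a template, another module, or a test) into an AttributeError at request time instead of a quiet False; the diffstat touches only auth.py and base.py, so a repository-wide search for `is_authenticated` should be part of this change, and a test that constructs an AuthUser and asserts the attribute is absent would guard against it being reintroduced.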
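Review bot: the new `__repr__` in the auth.py hunk at @@ -571 also drops `is_default_user` from the output, not only the removed `is_authenticated` flag, although the commit only sets out to remove the latter; that bit is useful when reading logs to tell an anonymous default-user request from a real user. Suggest keeping it, e.g. `return "<AuthUser('id:%s[%s] default:%s')>" % (self.user_id, self.username, self.is_default_user)`.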
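Review bot: with `au.is_authenticated = True` removed in the auth.py hunk at @@ -591, `from_cookie` now returns an AuthUser indistinguishable from one built directly by the constructor, so the only thing that makes a cookie-restored user "authenticated" is the caller storing it as request.authuser. The visible lines show which values are taken from the cookie (`user_id`, `is_external_auth`) but not where the session cookie's integrity is checked before that assignment; a short note on `from_cookie` stating that it must only be given a cookie dict from an already validated session would make that precondition explicit for future callers.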