changeset 5548:23a86f1c33a1
auth: note that we never emit authuser "cookies" for the default user
The only place where we set "authuser" in the session is in log_in_user,
which is called only by the internal auth system and by auth plugins.
The internal auth system cannot log a user in as the default user,
because the default user doesn't have a password (and cannot have a
password assigned). Auth plugins cannot log a user in as the default
user, because the user doesn't have the right extern_type. As such, it's
a bug if log_in_user is ever called with the default user (which this
commit documents with an assert).
This realization makes the is_authenticated field of the authuser cookie
redundant, as it's always True. It also emphasizes that is_default_user
and is_authenticated are mutually exclusive.
author | Søren Løvborg <sorenl@unity3d.com> |
date | Tue, 08 Sep 2015 11:00:02 +0200 |
parents | c64c076b96c3 |
children | 18428eab23e1 |
files | kallithea/controllers/login.py kallithea/lib/auth.py kallithea/lib/base.py kallithea/tests/__init__.py |
diffstat | 4 files changed, 8 insertions(+), 9 deletions(-) [+] |
--- a/kallithea/controllers/login.py Tue Sep 08 11:09:00 2015 +0200
+++ b/kallithea/controllers/login.py Tue Sep 08 11:00:02 2015 +0200
@@ -81,7 +81,7 @@
 ip_allowed = AuthUser.check_ip_allowed(self.authuser, self.ip_addr)
 # redirect if already logged in
- if self.authuser.is_authenticated and not self.authuser.is_default_user and ip_allowed:
+ if self.authuser.is_authenticated and ip_allowed:
 raise HTTPFound(location=c.came_from)
 if request.POST:
--- a/kallithea/lib/auth.py Tue Sep 08 11:09:00 2015 +0200
+++ b/kallithea/lib/auth.py Tue Sep 08 11:00:02 2015 +0200
@@ -626,7 +626,6 @@
 """ Serializes this login session to a cookie `dict`. """
 return {
 'user_id': self.user_id,
- 'is_authenticated': self.is_authenticated or self.is_default_user,
 'is_external_auth': self.is_external_auth,
 }
@@ -640,9 +639,7 @@
 user_id=cookie.get('user_id'),
 is_external_auth=cookie.get('is_external_auth', False),
 )
- if not au.is_default_user and au.user_id is not None:
- # user is not authenticated and not empty
- au.is_authenticated = cookie.get('is_authenticated')
+ au.is_authenticated = True
 return au
 @classmethod
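Review bot: In the second hunk, from_cookie now sets `au.is_authenticated = True` unconditionally, while the removed guard only did so when `not au.is_default_user and au.user_id is not None`. If a session cookie carries a missing user_id, or one that no longer resolves to an active account, and the AuthUser constructor falls back to the default user (its behaviour is not visible here), the rebuilt object would be both is_default_user and is_authenticated, which contradicts the mutual exclusion the commit message states. Keeping the invariant local to this method is cheap: `if au.is_default_user: raise UserCreationError(...)` (or a check the caller already handles) before the assignment, so the session-cookie path in base.py treats such a cookie as logged out rather than authenticated. The enclosing from_cookie method begins outside the hunk.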
--- a/kallithea/lib/base.py Tue Sep 08 11:09:00 2015 +0200
+++ b/kallithea/lib/base.py Tue Sep 08 11:00:02 2015 +0200
@@ -116,8 +116,9 @@
 auth_user = AuthUser(dbuser=user, is_external_auth=is_external_auth)
- if not auth_user.is_default_user:
- auth_user.is_authenticated = True
+ # It should not be possible to explicitly log in as the default user.
+ assert not auth_user.is_default_user
+ auth_user.is_authenticated = True
 # Start new session to prevent session fixation attacks.
 session.invalidate()
@@ -392,7 +393,9 @@
 # Authenticate by session cookie
 # In ancient login sessions, 'authuser' may not be a dict.
 # In that case, the user will have to log in again.
- if isinstance(session_authuser, dict):
+ # v0.3 and earlier included an 'is_authenticated' key; if present,
+ # this must be True.
+ if isinstance(session_authuser, dict) and session_authuser.get('is_authenticated', True):
 try:
 return AuthUser.from_cookie(session_authuser)
 except UserCreationError as e:
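Review bot: The new `assert not auth_user.is_default_user` in the first hunk is stripped when the interpreter runs with -O, and in that mode the following `auth_user.is_authenticated = True` marks whatever user was passed in, default user included, as authenticated with no check at all. Because the second hunk's cookie acceptance (`session_authuser.get('is_authenticated', True)`) and the simplified redirect condition in login.py both rely on this invariant, an explicit exception is sturdier than an assert: `if auth_user.is_default_user: raise ValueError('log_in_user called with the default user')`. The commit message deliberately frames this as documenting a bug rather than guarding input, so the point is robustness of the invariant, not correctness of the visible logic. log_in_user begins and ends outside the hunk.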
--- a/kallithea/tests/__init__.py Tue Sep 08 11:09:00 2015 +0200
+++ b/kallithea/tests/__init__.py Tue Sep 08 11:00:02 2015 +0200
@@ -220,7 +220,6 @@
 user = user and User.get(user)
 user = user and user.username
 self.assertEqual(user, expected_username)
- self.assertEqual(cookie.get('is_authenticated'), True)
 def authentication_token(self):
 return self.app.get(url('authentication_token')).body