changeset 5472:3598e2a4e051

auth: remove redundant is_authenticated check

It turns out the user.is_authenticated check is redundant, since it's True for both anonymous users and logged-in users, and API key users are handled prior to the check.
author Søren Løvborg <sorenl@unity3d.com>
date Thu, 03 Sep 2015 17:08:19 +0200
parents a041321d2aa1
children d402d1e4aed4
files kallithea/lib/auth.py
diffstat 1 files changed, 4 insertions(+), 4 deletions(-)
--- a/kallithea/lib/auth.py	Fri Sep 04 00:01:20 2015 +0200
+++ b/kallithea/lib/auth.py	Thu Sep 03 17:08:19 2015 +0200
@@ -763,10 +763,10 @@
         # CSRF protection: Whenever a request has ambient authority (whether
         # through a session cookie or its origin IP address), it must include
         # the correct token, unless the HTTP method is GET or HEAD (and thus
-        # guaranteed to be side effect free.
-        # Note that the 'is_authenticated' flag is True for anonymous users too,
-        # but not when the user is authenticated by API key.
-        if user.is_authenticated and request.method not in ['GET', 'HEAD']:
+        # guaranteed to be side effect free. In practice, the only situation
+        # where we allow side effects without ambient authority is when the
+        # authority comes from an API key; and that is handled above.
+        if request.method not in ['GET', 'HEAD']:
             token = request.POST.get(secure_form.token_key)
             if not token or token != secure_form.authentication_token():
                 log.error('CSRF check failed')
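Review bot: the new `if request.method not in ['GET', 'HEAD']:` drops the only condition in this block that exempted API-key requests from the token check, and the comment's justification ("that is handled above") refers to code outside the hunk, so the change is only safe if every API-key-authenticated request returns or branches before reaching the code at line 763; if any path falls through, an API client issuing a POST without the form token would now be rejected with `log.error('CSRF check failed')`. Suggest the rewritten comment name the exact early return it depends on (or add a defensive guard on whatever flag marks API-key authentication in the surrounding code), so the invariant this hunk now relies on is visible where it is relied upon. Two smaller points on the same hunk: the unchanged comment line opens a parenthesis at "(and thus" that the rewritten sentence never closes, so it should end "side effect free)." before "In practice"; and the retained `token != secure_form.authentication_token()` on the context line is an ordinary string comparison rather than a constant-time one, which is worth a follow-up even though it is not introduced by this change.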