changeset 6209:41e70d120a5e

api: set authuser in the thread global request instance - and temporarily verify that it matches what is passed explicitly to auth methods This makes it more like what middleware / controllers do for "normal" HTTP requests.
author Mads Kiilerich <madski@unity3d.com>
date Mon, 12 Sep 2016 17:41:19 +0200
parents f4d128af1a01
children c96e05599877
files kallithea/controllers/api/__init__.py kallithea/lib/auth.py
diffstat 2 files changed, 14 insertions(+), 15 deletions(-) [+]
--- a/kallithea/controllers/api/__init__.py	Mon Sep 12 17:41:19 2016 +0200
+++ b/kallithea/controllers/api/__init__.py	Mon Sep 12 17:41:19 2016 +0200
@@ -34,6 +34,7 @@
 
 from paste.response import replace_header
 from pylons.controllers import WSGIController
+from pylons import request
 
 from webob.exc import HTTPError
 
@@ -190,7 +191,7 @@
         # this is little trick to inject logged in user for
         # perms decorators to work they expect the controller class to have
         # authuser attribute set
-        self.authuser = auth_u
+        self.authuser = request.user = auth_u
 
         # This attribute will need to be first param of a method that uses
         # api_key, which is translated to instance of user at that name
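Review bot: The comment above the assignment is now stale — it still says the perms decorators "expect the controller class to have authuser attribute set", whereas the companion auth.py change makes them read `request.user` and only compare the explicit argument against it; I would reword it to `# inject the API-key-authenticated user into the thread-local request so the perms decorators (which read request.user) see it; self.authuser is kept for callers that still use it`. Note also that the new auth.py checks `assert isinstance(request.user, AuthUser)`, so `auth_u` must already be an `AuthUser` here rather than a plain DB user — I cannot see how it is built from this hunk, so please confirm, since the old decorators coerced a bare user via `AuthUser(user.user_id)` and that fallback is gone. The enclosing method starts and ends outside the hunk.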
--- a/kallithea/lib/auth.py	Mon Sep 12 17:41:19 2016 +0200
+++ b/kallithea/lib/auth.py	Mon Sep 12 17:41:19 2016 +0200
@@ -940,22 +940,18 @@
         raise AssertionError(self.__class__.__name__ + ' is not a bool and must be called!')
 
     def __call__(self, check_location='unspecified location', user=None):
-        if not user:
-            #TODO: remove this someday,put as user as attribute here
-            user = request.user
+        if user:
+            assert user.user_id == request.user.user_id, (user, request.user)
 
-        # init auth user if not already given
-        if not isinstance(user, AuthUser):
-            user = AuthUser(user.user_id)
+        user = request.user
+        assert user
+        assert isinstance(user, AuthUser), user
 
         cls_name = self.__class__.__name__
         check_scope = self._scope()
         log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name,
                   self.required_perms, user, check_scope,
                   check_location)
-        if not user:
-            log.debug('Empty request user')
-            return False
         self.user_perms = user.permissions
 
         result = self.check_permissions()
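Review bot: The explicit `user` argument is now discarded — after the mismatch assert, `user = request.user` is unconditional — and because every guard in this block is an `assert`, running under `python -O` strips them, so a caller that passes a different user would silently have the request user's permissions evaluated instead. The former fail-closed `return False` for an empty user is also gone; with asserts stripped a `None` `request.user` now fails at `user.permissions` with an AttributeError, which still denies but as a server error rather than a permission result. Since the commit describes this as a temporary verification, I would make it survive `-O` as an explicit guard, e.g. `if user is not None and user.user_id != request.user.user_id: raise AssertionError((user, request.user))`, and likewise an explicit check that `request.user` is set. The `__call__` body continues past the hunk.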
@@ -1081,6 +1077,13 @@
 
     def __call__(self, check_location=None, user=None, repo_name=None,
                  group_name=None):
+        assert user
+        assert user.user_id == request.user.user_id, (user, request.user)
+
+        user = request.user
+        assert user
+        assert isinstance(user, AuthUser), user
+
         cls_name = self.__class__.__name__
         check_scope = 'user:%s' % (user)
         if repo_name:
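Review bot: `assert user` at the top of this `__call__` replaces the `if not user: return False` deny path that the next hunk removes, but `assert` is stripped under `python -O`, so in an optimized deployment a missing user no longer produces a clean deny and instead reaches `check_scope = 'user:%s' % (user)` and later `user.permissions` with `None`. The second assert has the same problem, and if `request.user` is unset it raises AttributeError rather than AssertionError, which makes the failure harder to read in logs. I would turn the pair into explicit checks, `if user is None or request.user is None or user.user_id != request.user.user_id: raise AssertionError((user, request.user))`, so the fail-closed behaviour does not depend on the interpreter flags. This `__call__` body continues into the following hunk and beyond it.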
@@ -1091,13 +1094,8 @@
 
         log.debug('checking cls:%s %s %s @ %s',
                   cls_name, self.required_perms, check_scope, check_location)
-        if not user:
-            log.debug('Empty User passed into arguments')
-            return False
 
         ## process user
-        if not isinstance(user, AuthUser):
-            user = AuthUser(user.user_id)
         if not check_location:
             check_location = 'unspecified'
         if self.check_permissions(user.permissions, repo_name, group_name):