changeset 6209:41e70d120a5e
api: set authuser in the thread global request instance - and temporarily verify that it matches what is passed explicitly to auth methods
This makes it more like what middleware / controllers do for "normal" HTTP requests.
author | Mads Kiilerich <madski@unity3d.com> |
date | Mon, 12 Sep 2016 17:41:19 +0200 |
parents | f4d128af1a01 |
children | c96e05599877 |
files | kallithea/controllers/api/__init__.py kallithea/lib/auth.py |
diffstat | 2 files changed, 14 insertions(+), 15 deletions(-) [+] |
--- a/kallithea/controllers/api/__init__.py Mon Sep 12 17:41:19 2016 +0200
+++ b/kallithea/controllers/api/__init__.py Mon Sep 12 17:41:19 2016 +0200
@@ -34,6 +34,7 @@
 from paste.response import replace_header
 from pylons.controllers import WSGIController
+from pylons import request
 from webob.exc import HTTPError
@@ -190,7 +191,7 @@
 # this is little trick to inject logged in user for
 # perms decorators to work they expect the controller class to have
 # authuser attribute set
- self.authuser = auth_u
+ self.authuser = request.user = auth_u
 # This attribute will need to be first param of a method that uses
 # api_key, which is translated to instance of user at that name
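Review bot: The comment block directly above the changed line still explains only the `self.authuser` attribute that the perms decorators expect, while the line now also publishes the user on the thread-global `request`, which the checks in kallithea/lib/auth.py read from there in this same commit; the coupling should be stated where it is created, e.g. `# also set request.user: the permission checkers in lib/auth.py read the user from there`. Without it a future reader may drop the `request.user =` part as redundant and break every API permission check. The enclosing method starts and ends outside the hunk. Minor style point in the first hunk: `from pylons import request` is inserted after `from pylons.controllers import WSGIController`, which inverts the alphabetical order the neighbouring imports follow.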
--- a/kallithea/lib/auth.py Mon Sep 12 17:41:19 2016 +0200
+++ b/kallithea/lib/auth.py Mon Sep 12 17:41:19 2016 +0200
@@ -940,22 +940,18 @@
 raise AssertionError(self.__class__.__name__ + ' is not a bool and must be called!')
 def __call__(self, check_location='unspecified location', user=None):
- if not user:
- #TODO: remove this someday,put as user as attribute here
- user = request.user
+ if user:
+ assert user.user_id == request.user.user_id, (user, request.user)
- # init auth user if not already given
- if not isinstance(user, AuthUser):
- user = AuthUser(user.user_id)
+ user = request.user
+ assert user
+ assert isinstance(user, AuthUser), user
 cls_name = self.__class__.__name__
 check_scope = self._scope()
 log.debug('checking cls:%s %s usr:%s %s @ %s', cls_name, self.required_perms, user, check_scope, check_location)
- if not user:
- log.debug('Empty request user')
- return False
 self.user_perms = user.permissions
 result = self.check_permissions()
@@ -1081,6 +1077,13 @@
 def __call__(self, check_location=None, user=None, repo_name=None, group_name=None):
+ assert user
+ assert user.user_id == request.user.user_id, (user, request.user)
+
+ user = request.user
+ assert user
+ assert isinstance(user, AuthUser), user
+
 cls_name = self.__class__.__name__
 check_scope = 'user:%s' % (user)
 if repo_name:
@@ -1091,13 +1094,8 @@
 log.debug('checking cls:%s %s %s @ %s', cls_name, self.required_perms, check_scope, check_location)
- if not user:
- log.debug('Empty User passed into arguments')
- return False
 ## process user
- if not isinstance(user, AuthUser):
- user = AuthUser(user.user_id)
 if not check_location:
 check_location = 'unspecified'
 if self.check_permissions(user.permissions, repo_name, group_name):
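Review bot: The new guards in both `__call__` bodies (the hunk at @@ -940 and the one at @@ -1081) are `assert` statements, which the interpreter drops under `-O`, so the cross-check against `request.user` and the `isinstance(user, AuthUser)` check silently vanish in optimized runs while the old explicit deny path (`if not user: return False`, removed in the first and last hunks) is gone too; with `request.user` unset the code then reaches `user.permissions` and fails with an AttributeError instead of returning False. The commit message calls the verification temporary, so for its lifetime the missing-user case should at least stay an explicit check rather than an assertion, e.g. restoring `if not request.user:` / `log.debug('Empty request user')` / `return False` ahead of the id comparison. In the same vein, `assert user.user_id == request.user.user_id` dereferences `request.user` before anything verifies it is set, so a missing request user surfaces as AttributeError rather than the intended AssertionError; checking `request.user` first gives a clearer failure. Both methods continue past the end of their hunks.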