changeset 5115:4cad3a52e0ed
auth: return early in LoginRequired on invalid IP
Simplify the code of the LoginRequired decorator by returning early when an
unacceptable condition is met.
Note: the 'return' of redirect_to_login() is not strictly needed since we
should not return from that function (redirection occurs). Adding it,
however, is a security measure in case redirect_to_login does not do what it
should do.
author | Thomas De Schampheleire <thomas.de.schampheleire@gmail.com> |
---|---|
date | Wed, 25 Mar 2015 09:11:15 +0100 |
parents | 76abae776a3e |
children | e04106e46d6f |
files | kallithea/lib/auth.py |
diffstat | 1 files changed, 17 insertions(+), 28 deletions(-) [+] |
--- a/kallithea/lib/auth.py Sun May 10 21:40:12 2015 +0200
+++ b/kallithea/lib/auth.py Wed Mar 25 09:11:15 2015 +0100
@@ -719,6 +719,14 @@
 #==============================================================================
 # CHECK DECORATORS
 #==============================================================================
+
+def redirect_to_login(message=None):
+ from kallithea.lib import helpers as h
+ p = url.current()
+ h.flash(h.literal(message), category='warning')
+ log.debug('Redirecting to login page, origin: %s' % p)
+ return redirect(url('login_home', came_from=p))
+
 class LoginRequired(object):
 """
 Must be logged in to execute this function else
@@ -738,14 +746,11 @@
 cls = fargs[0]
 user = cls.authuser
 loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
+ log.debug('Checking access for user %s @ %s' % (user, loc))
 # check if our IP is allowed
- ip_access_valid = True
 if not user.ip_allowed:
- from kallithea.lib import helpers as h
- h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))),
- category='warning')
- ip_access_valid = False
+ return redirect_to_login(_('IP %s not allowed' % (user.ip_addr)))
 # check if we used an APIKEY and it's a valid one
 # defined whitelist of controllers which API access will be enabled
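Review bot: `redirect_to_login` calls `h.flash(h.literal(message), category='warning')` even when `message` is `None`, which is the default and exactly what the `return redirect_to_login()` added in the `@@ -775` hunk passes; unless `h.literal` treats `None` specially (not visible here), that path now flashes the text "None" where the old code flashed nothing. Guard the flash: `if message is not None:` / `    h.flash(h.literal(message), category='warning')`. Separately, wrapping every caller's message in `h.literal` declares it pre-escaped HTML, so a caller that interpolates request-derived data — the `_('IP %s not allowed' % (user.ip_addr))` message in the next hunk — now depends on that value being safe markup; escaping the interpolated value, or not applying `h.literal` for callers that pass plain text (the `@@ -808` and `@@ -845` hunks pass static strings), keeps the helper from promoting an untrusted string to trusted markup.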
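Review bot: The early `return redirect_to_login(...)` under `if not user.ip_allowed:` now skips the `log.warning(...)` branch in the `@@ -775` hunk, so a request rejected because of its source IP is recorded only by the `log.debug` inside `redirect_to_login`, and the old `IP_ACCESS:%s` field is gone from that warning. IP allow-list denials are exactly what an operator wants to see in the logs, so log one before returning, e.g. `log.warning('user %s: IP %s not allowed @ %s' % (user, user.ip_addr, loc))`. On the same new line, `_('IP %s not allowed' % (user.ip_addr))` interpolates before translating, so the catalog lookup never matches; `_('IP %s not allowed') % user.ip_addr` keeps the msgid stable (the old code had the same shape). The enclosing wrapper function starts before this hunk and continues past it.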
@@ -775,21 +780,17 @@ log.debug('Checking if %s is authenticated @ %s' % (user.username, loc)) reason = 'RegularAuth' if user.is_authenticated else 'APIAuth' - if ip_access_valid and (user.is_authenticated or api_access_valid): + if user.is_authenticated or api_access_valid: log.info('user %s authenticating with:%s IS authenticated on func %s ' % (user, reason, loc) ) return func(*fargs, **fkwargs) else: log.warning('user %s authenticating with:%s NOT authenticated on func: %s: ' - 'IP_ACCESS:%s API_ACCESS:%s' - % (user, reason, loc, ip_access_valid, api_access_valid) + 'API_ACCESS:%s' + % (user, reason, loc, api_access_valid) ) - p = url.current() - - log.debug('redirecting to login page with %s' % p) - return redirect(url('login_home', came_from=p)) - + return redirect_to_login() class NotAnonymous(object): """ @@ -808,13 +809,8 @@ anonymous = self.user.username == User.DEFAULT_USER if anonymous: - p = url.current() - - import kallithea.lib.helpers as h - h.flash(_('You need to be a registered user to ' - 'perform this action'), - category='warning') - return redirect(url('login_home', came_from=p)) + return redirect_to_login(_('You need to be a registered user to ' + 'perform this action')) else: return func(*fargs, **fkwargs) @@ -845,14 +841,7 @@ anonymous = self.user.username == User.DEFAULT_USER if anonymous: - p = url.current() - - import kallithea.lib.helpers as h - h.flash(_('You need to be signed in to ' - 'view this page'), - category='warning') - return redirect(url('login_home', came_from=p)) - + return redirect_to_login(_('You need to be signed in to view this page')) else: # redirect with forbidden ret code return abort(403)