changeset 7698:7977ca209b1d

auth: make User.get_by_api_key more strict about only returning active non-default users. Thus drop some extra checks against the default user.
author Mads Kiilerich <mads@kiilerich.com>
date Mon, 08 Apr 2019 00:11:20 +0200
parents 226893a56a81
children 53a07d06344b
files kallithea/lib/base.py kallithea/model/db.py
diffstat 2 files changed, 7 insertions(+), 5 deletions(-) [+]
--- a/kallithea/lib/base.py	Thu Jan 03 01:22:56 2019 +0100
+++ b/kallithea/lib/base.py	Mon Apr 08 00:11:20 2019 +0200
@@ -393,11 +393,11 @@
         # Authenticate by API key
         if api_key is not None:
             dbuser = User.get_by_api_key(api_key)
-            au = AuthUser.make(dbuser=dbuser, authenticating_api_key=api_key, is_external_auth=True, ip_addr=ip_addr)
-            if au is None or au.is_anonymous:
-                log.warning('API key ****%s is NOT valid', api_key[-4:])
-                raise webob.exc.HTTPForbidden(_('Invalid API key'))
-            return au
+            if dbuser is None:
+                log.info('No db user found for authentication with API key ****%s from %s',
+                         api_key[-4:], ip_addr)
+                return None
+            return AuthUser.make(dbuser=dbuser, authenticating_api_key=api_key, is_external_auth=True, ip_addr=ip_addr)
 
         # Authenticate by session cookie
         # In ancient login sessions, 'authuser' may not be a dict.
--- a/kallithea/model/db.py	Thu Jan 03 01:22:56 2019 +0100
+++ b/kallithea/model/db.py	Mon Apr 08 00:11:20 2019 +0200
@@ -598,6 +598,8 @@
             _res = UserApiKeys.query().filter_by(api_key=api_key, is_expired=False).first()
             if _res:
                 res = _res.user
+        if res is None or not res.active or res.is_default_user:
+            return None
         return res
 
     @classmethod
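Review bot: The new guard makes get_by_api_key return None for inactive and default users as well as for unknown keys, but the method's docstring, which sits above the hunk, is not updated, so callers cannot tell that the contract changed or that a None now also covers a matching key on a disabled account. Add to the docstring a line such as `Return the active, non-default User owning api_key, or None for unknown keys and for keys of inactive or default users.`; the enclosing method starts outside the hunk. Because a disabled user's key still matches the lookup (both the primary key path above the hunk and the `UserApiKeys.query().filter_by(api_key=api_key, is_expired=False)` fallback), consider a debug-level log before the added `return None` so that continued use of a revoked account's key stays visible to operators instead of being indistinguishable from a random wrong key.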