changeset 7698:7977ca209b1d
auth: make User.get_by_api_key more strict about only returning active non-default users
Thus some extra checks against the default user can be dropped.
author | Mads Kiilerich <mads@kiilerich.com> |
date | Mon, 08 Apr 2019 00:11:20 +0200 |
parents | 226893a56a81 |
children | 53a07d06344b |
files | kallithea/lib/base.py kallithea/model/db.py |
diffstat | 2 files changed, 7 insertions(+), 5 deletions(-) [+] |
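--- a/kallithea/lib/base.py
+++ b/kallithea/lib/base.py
@@ -393,11 +393,11 @@
         # Authenticate by API key
         if api_key is not None:
             dbuser = User.get_by_api_key(api_key)
-            au = AuthUser.make(dbuser=dbuser, authenticating_api_key=api_key, is_external_auth=True, ip_addr=ip_addr)
-            if au is None or au.is_anonymous:
-                log.warning('API key ****%s is NOT valid', api_key[-4:])
-                raise webob.exc.HTTPForbidden(_('Invalid API key'))
-            return au
+            if dbuser is None:
+                log.info('No db user found for authentication with API key ****%s from %s',
+                    api_key[-4:], ip_addr)
+                return None
+            return AuthUser.make(dbuser=dbuser, authenticating_api_key=api_key, is_external_auth=True, ip_addr=ip_addr)
 
         # Authenticate by session cookie
         # In ancient login sessions, 'authuser' may not be a dict.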
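Review bot: The rejected-API-key path drops from `log.warning` plus an HTTPForbidden to `log.info` plus `return None`, so a request presenting an unknown, expired or deactivated key now leaves the same trace as an unauthenticated request, which makes key-guessing against this endpoint less visible to anyone watching the logs. Keeping the severity, `log.warning('No db user found for authentication with API key ****%s from %s', api_key[-4:], ip_addr)`, preserves that signal without changing the new control flow. The removed `au is None or au.is_anonymous` check also means a `None` from `AuthUser.make` now reaches the caller directly; presumably the caller treats `None` as "not authenticated", but that code is outside this hunk, as are the start and end of the enclosing function.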
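--- a/kallithea/model/db.py
+++ b/kallithea/model/db.py
@@ -598,6 +598,8 @@
         _res = UserApiKeys.query().filter_by(api_key=api_key, is_expired=False).first()
         if _res:
             res = _res.user
+        if res is None or not res.active or res.is_default_user:
+            return None
         return res
 
     @classmethod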
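Review bot: The new guard before `return res` carries no comment saying why inactive and default users are filtered out here rather than by the callers, and the method's docstring, which begins outside this hunk, presumably still describes the old "any user owning the key" contract. Add `# An API key never authenticates a deactivated account or the default (anonymous) user` above the new `if`, and state in the docstring that the method returns None for unknown, expired, inactive and default-user keys so callers do not re-add those checks. The `res is None` test relies on `res` having been assigned before the hunk; if the earlier lookup leaves it unbound on a miss, this line raises instead of returning None, which is worth confirming against the lines above the hunk.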