Mercurial > kallithea
changeset 7110:9f976d75b04c
auth: restore anonymous repository access
Dominik Ruf found that aa25ef34ebab introduced a regression in anonymous access
to repositories ... if that is enabled.
The refactoring was too strict when it missed that not all repo permission
checks require a logged in user. Read access can be granted to the default user
... but not write or admin.
Instead of the commands used in aa25ef34ebab, the following commands are used
to consistently also allow the default user in all decorators where we only need
repo read access:
# Introduce explicit allow_default_user=True - that was the default before aa25ef34ebab
sed -i 's/@LoginRequired()/@LoginRequired(allow_default_user=True)/g' `hg mani`
sed -i 's/@LoginRequired(\(..*\))/@LoginRequired(\1, allow_default_user=True)/g' `hg mani`
# The primary case: Replace @NotAnonymous with removal of allow_default_user=True
perl -0pi -e 's/\@LoginRequired\((?:(.*), )?allow_default_user=True\)\n\s*\@NotAnonymous\(\)/\@LoginRequired(\1)/g' `hg mani`
# If there is a global permission check, no anonymous is ever allowed
perl -0pi -e 's/\@LoginRequired\(allow_default_user=True\)(\n\s*\@HasPermission)/\@LoginRequired()\1/g' `hg mani`
# Repo access for write or admin also assume no default user
perl -0pi -e 's/\@LoginRequired\(allow_default_user=True\)(\n\s*\@HasRepoPermissionLevelDecorator\('"'(write|admin)'"'\))/\@LoginRequired()\1/g' `hg mani`
author | Mads Kiilerich <mads@kiilerich.com> |
---|---|
date | Tue, 06 Feb 2018 00:32:48 +0100 |
parents | 228dd29e79da |
children | 369a646638f3 |
files | kallithea/controllers/changelog.py kallithea/controllers/changeset.py kallithea/controllers/compare.py kallithea/controllers/feed.py kallithea/controllers/files.py kallithea/controllers/followers.py kallithea/controllers/forks.py kallithea/controllers/home.py kallithea/controllers/pullrequests.py kallithea/controllers/summary.py |
diffstat | 10 files changed, 28 insertions(+), 28 deletions(-) [+] |
line wrap: on
line diff
--- a/kallithea/controllers/changelog.py Sat Oct 28 23:35:04 2017 +0200 +++ b/kallithea/controllers/changelog.py Tue Feb 06 00:32:48 2018 +0100 @@ -71,7 +71,7 @@ h.flash(safe_str(e), category='error') raise HTTPBadRequest() - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def index(self, repo_name, revision=None, f_path=None): limit = 2000 @@ -149,7 +149,7 @@ c.first_revision = c.cs_pagination[0] # pagination is never empty here! return render('changelog/changelog.html') - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def changelog_details(self, cs): if request.environ.get('HTTP_X_PARTIAL_XHR'):
--- a/kallithea/controllers/changeset.py Sat Oct 28 23:35:04 2017 +0200 +++ b/kallithea/controllers/changeset.py Tue Feb 06 00:32:48 2018 +0100 @@ -326,22 +326,22 @@ c.jsdata = graph_data(c.db_repo_scm_instance, revs) return render('changeset/changeset_range.html') - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def index(self, revision, method='show'): return self._index(revision, method=method) - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def changeset_raw(self, revision): return self._index(revision, method='raw') - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def changeset_patch(self, revision): return self._index(revision, method='patch') - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def changeset_download(self, revision): return self._index(revision, method='download') @@ -412,7 +412,7 @@ else: raise HTTPForbidden() - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') @jsonify def changeset_info(self, repo_name, revision): @@ -424,7 +424,7 @@ else: raise HTTPBadRequest() - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') @jsonify def changeset_children(self, repo_name, revision): @@ -437,7 +437,7 @@ else: raise HTTPBadRequest() - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') @jsonify def changeset_parents(self, repo_name, revision):
--- a/kallithea/controllers/compare.py Sat Oct 28 23:35:04 2017 +0200 +++ b/kallithea/controllers/compare.py Tue Feb 06 00:32:48 2018 +0100 @@ -165,14 +165,14 @@ return other_changesets, org_changesets, ancestors - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def index(self, repo_name): c.compare_home = True c.a_ref_name = c.cs_ref_name = None return render('compare/compare_diff.html') - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def compare(self, repo_name, org_ref_type, org_ref_name, other_ref_type, other_ref_name): org_ref_name = org_ref_name.strip()
--- a/kallithea/controllers/feed.py Sat Oct 28 23:35:04 2017 +0200 +++ b/kallithea/controllers/feed.py Tue Feb 06 00:32:48 2018 +0100 @@ -51,7 +51,7 @@ class FeedController(BaseRepoController): - @LoginRequired(api_access=True) + @LoginRequired(api_access=True, allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def _before(self, *args, **kwargs): super(FeedController, self)._before(*args, **kwargs)
--- a/kallithea/controllers/files.py Sat Oct 28 23:35:04 2017 +0200 +++ b/kallithea/controllers/files.py Tue Feb 06 00:32:48 2018 +0100 @@ -123,7 +123,7 @@ return file_node - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def index(self, repo_name, revision, f_path, annotate=False): # redirect to given revision from form if given @@ -198,7 +198,7 @@ return render('files/files.html') - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') @jsonify def history(self, repo_name, revision, f_path): @@ -220,7 +220,7 @@ } return data - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def authors(self, repo_name, revision, f_path): changeset = self.__get_cs(revision) @@ -232,7 +232,7 @@ c.authors.append((h.email(a), h.person(a))) return render('files/files_history_box.html') - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def rawfile(self, repo_name, revision, f_path): cs = self.__get_cs(revision) @@ -244,7 +244,7 @@ response.content_type = file_node.mimetype return file_node.content - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def raw(self, repo_name, revision, f_path): cs = self.__get_cs(revision) @@ -497,7 +497,7 @@ return render('files/files_add.html') - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def archivefile(self, repo_name, fname): fileformat = None @@ -583,7 +583,7 @@ response.content_type = str(content_type) return get_chunked_archive(archive_path) - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def diff(self, repo_name, f_path): ignore_whitespace = request.GET.get('ignorews') == '1' @@ -684,7 +684,7 @@ return render('files/file_diff.html') - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def diff_2way(self, repo_name, f_path): diff1 = request.GET.get('diff1', '') @@ -771,7 +771,7 @@ return hist_l, changesets - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') @jsonify def nodelist(self, repo_name, revision, f_path):
--- a/kallithea/controllers/followers.py Sat Oct 28 23:35:04 2017 +0200 +++ b/kallithea/controllers/followers.py Tue Feb 06 00:32:48 2018 +0100 @@ -40,7 +40,7 @@ class FollowersController(BaseRepoController): - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def followers(self, repo_name): p = safe_int(request.GET.get('page'), 1)
--- a/kallithea/controllers/forks.py Sat Oct 28 23:35:04 2017 +0200 +++ b/kallithea/controllers/forks.py Tue Feb 06 00:32:48 2018 +0100 @@ -105,7 +105,7 @@ return defaults - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def forks(self, repo_name): p = safe_int(request.GET.get('page'), 1)
--- a/kallithea/controllers/home.py Sat Oct 28 23:35:04 2017 +0200 +++ b/kallithea/controllers/home.py Tue Feb 06 00:32:48 2018 +0100 @@ -109,7 +109,7 @@ else: raise HTTPBadRequest() - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') @jsonify def repo_refs_data(self, repo_name):
--- a/kallithea/controllers/pullrequests.py Sat Oct 28 23:35:04 2017 +0200 +++ b/kallithea/controllers/pullrequests.py Tue Feb 06 00:32:48 2018 +0100 @@ -198,7 +198,7 @@ return request.authuser.admin or owner or reviewer - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def show_all(self, repo_name): c.from_ = request.GET.get('from_') or '' @@ -447,7 +447,7 @@ raise HTTPFound(location=url('my_pullrequests')) raise HTTPForbidden() - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def show(self, repo_name, pull_request_id, extra=None): repo_model = RepoModel()
--- a/kallithea/controllers/summary.py Sat Oct 28 23:35:04 2017 +0200 +++ b/kallithea/controllers/summary.py Tue Feb 06 00:32:48 2018 +0100 @@ -102,7 +102,7 @@ region_invalidate(_get_readme_from_cache, None, '_get_readme_from_cache', repo_name, kind) return _get_readme_from_cache(repo_name, kind) - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def index(self, repo_name): p = safe_int(request.GET.get('page'), 1) @@ -169,7 +169,7 @@ else: raise HTTPBadRequest() - @LoginRequired() + @LoginRequired(allow_default_user=True) @HasRepoPermissionLevelDecorator('read') def statistics(self, repo_name): if c.db_repo.enable_statistics: