Mercurial > kallithea
changeset 8301:afe30226491e
login: assert that the validated user actually is found
Due to another bug, it was possible that authentication succeeded but the user
object couldn't be obtained. This was for example noticed when the LDAP auth
module did not correctly parse the email attribute, and a login via email
was attempted. In this case, the user was retrieved from email address and LDAP
found the user, but the email attribute in the Kallithea database was then
changed incorrectly and a subsequent retrieval based on the same original email
address would not find the user.
Such problem would lead to an assert in Kallithea:
File ".../kallithea/controllers/login.py", line 104, in index
auth_user = log_in_user(user, c.form_result['remember'], is_external_auth=False, ip_addr=request.ip_addr)
File ".../kallithea/lib/base.py", line 122, in log_in_user
assert not user.is_default_user, user
AttributeError: 'NoneType' object has no attribute 'is_default_user'
This assert cought the problem but is not a spot-on indicator of the real
problem. Instead, we can catch this problem sooner by adding an assert already
in the login controller.
author | Thomas De Schampheleire <thomas.de_schampheleire@nokia.com> |
---|---|
date | Tue, 24 Mar 2020 11:24:05 +0100 |
parents | 9d3ac5963e4e |
children | 5b147d0f8927 |
files | kallithea/controllers/login.py |
diffstat | 1 files changed, 1 insertions(+), 0 deletions(-) [+] |
line wrap: on
line diff
--- a/kallithea/controllers/login.py Wed Mar 25 16:24:26 2020 +0100 +++ b/kallithea/controllers/login.py Tue Mar 24 11:24:05 2020 +0100 @@ -83,6 +83,7 @@ # form checks for username/password, now we're authenticated username = c.form_result['username'] user = User.get_by_username_or_email(username, case_insensitive=True) + assert user is not None # the same user get just passed in the form validation except formencode.Invalid as errors: defaults = errors.value # remove password from filling in form again