# HG changeset patch # User Thomas De Schampheleire <thomas.de.schamphele...@gmail.com> # Date 1427271075 -3600 # Wed Mar 25 09:11:15 2015 +0100 # Node ID 126d600ac54455fc07d40b65f511b73577090757 # Parent d43625532cf7059cf8f9647b008957f7b9c868d6 auth: return early in LoginRequired on invalid IP
Simplify the code of the LoginRequired decorator by returning early when an unacceptable condition is met. Note: the 'return' of redirect_to_login() is not strictly needed since we should not return from that function (redirection occurs). Adding it, however, is a security measure in case redirect_to_login does not do what it should do. diff --git a/kallithea/lib/auth.py b/kallithea/lib/auth.py --- a/kallithea/lib/auth.py +++ b/kallithea/lib/auth.py @@ -719,6 +719,14 @@ def set_available_permissions(config): #============================================================================== # CHECK DECORATORS #============================================================================== + +def redirect_to_login(message=None): + from kallithea.lib import helpers as h + p = url.current() + h.flash(h.literal(message), category='warning') + log.debug('Redirecting to login page, origin: %s' % p) + return redirect(url('login_home', came_from=p)) + class LoginRequired(object): """ Must be logged in to execute this function else @@ -740,12 +748,8 @@ class LoginRequired(object): loc = "%s:%s" % (cls.__class__.__name__, func.__name__) # check if our IP is allowed - ip_access_valid = True if not user.ip_allowed: - from kallithea.lib import helpers as h - h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))), - category='warning') - ip_access_valid = False + return redirect_to_login(_('IP %s not allowed' % (user.ip_addr))) # check if we used an APIKEY and it's a valid one # defined whitelist of controllers which API access will be enabled @@ -775,21 +779,17 @@ class LoginRequired(object): log.debug('Checking if %s is authenticated @ %s' % (user.username, loc)) reason = 'RegularAuth' if user.is_authenticated else 'APIAuth' - if ip_access_valid and (user.is_authenticated or api_access_valid): + if user.is_authenticated or api_access_valid: log.info('user %s authenticating with:%s IS authenticated on func %s ' % (user, reason, loc) ) return func(*fargs, **fkwargs) else: log.warning('user %s authenticating with:%s NOT authenticated on func: %s: ' - 'IP_ACCESS:%s API_ACCESS:%s' - % (user, reason, loc, ip_access_valid, api_access_valid) + 'API_ACCESS:%s' + % (user, reason, loc, api_access_valid) ) - p = url.current() - - log.debug('redirecting to login page with %s' % p) - return redirect(url('login_home', came_from=p)) - + return redirect_to_login() class NotAnonymous(object): """ @@ -808,13 +808,8 @@ class NotAnonymous(object): anonymous = self.user.username == User.DEFAULT_USER if anonymous: - p = url.current() - - import kallithea.lib.helpers as h - h.flash(_('You need to be a registered user to ' - 'perform this action'), - category='warning') - return redirect(url('login_home', came_from=p)) + return redirect_to_login(_('You need to be a registered user to ' + 'perform this action')) else: return func(*fargs, **fkwargs) @@ -845,14 +840,7 @@ class PermsDecorator(object): anonymous = self.user.username == User.DEFAULT_USER if anonymous: - p = url.current() - - import kallithea.lib.helpers as h - h.flash(_('You need to be signed in to ' - 'view this page'), - category='warning') - return redirect(url('login_home', came_from=p)) - + return redirect_to_login(_('You need to be signed in to view this page')) else: # redirect with forbidden ret code return abort(403) _______________________________________________ kallithea-general mailing list kallithea-general@sfconservancy.org http://lists.sfconservancy.org/mailman/listinfo/kallithea-general