[PATCH 4 of 6 v2] auth: return early in LoginRequired on invalid IP
Thomas De Schampheleire
patrickdepinguin at gmail.com
Sun May 10 14:22:56 EDT 2015
# HG changeset patch
# User Thomas De Schampheleire <thomas.de.schampheleire at gmail.com>
# Date 1427271075 -3600
# Wed Mar 25 09:11:15 2015 +0100
# Node ID 126d600ac54455fc07d40b65f511b73577090757
# Parent d43625532cf7059cf8f9647b008957f7b9c868d6
auth: return early in LoginRequired on invalid IP
Simplify the code of the LoginRequired decorator by returning early when an
unacceptable condition is met.
Note: the 'return' of redirect_to_login() is not strictly needed since we
should not return from that function (redirection occurs). Adding it,
however, is a security measure in case redirect_to_login does not do what it
should do.
diff --git a/kallithea/lib/auth.py b/kallithea/lib/auth.py
--- a/kallithea/lib/auth.py
+++ b/kallithea/lib/auth.py
@@ -719,6 +719,14 @@ def set_available_permissions(config):
#==============================================================================
# CHECK DECORATORS
#==============================================================================
+
+def redirect_to_login(message=None):
+ from kallithea.lib import helpers as h
+ p = url.current()
+ h.flash(h.literal(message), category='warning')
+ log.debug('Redirecting to login page, origin: %s' % p)
+ return redirect(url('login_home', came_from=p))
+
class LoginRequired(object):
"""
Must be logged in to execute this function else
@@ -740,12 +748,8 @@ class LoginRequired(object):
loc = "%s:%s" % (cls.__class__.__name__, func.__name__)
# check if our IP is allowed
- ip_access_valid = True
if not user.ip_allowed:
- from kallithea.lib import helpers as h
- h.flash(h.literal(_('IP %s not allowed' % (user.ip_addr))),
- category='warning')
- ip_access_valid = False
+ return redirect_to_login(_('IP %s not allowed' % (user.ip_addr)))
# check if we used an APIKEY and it's a valid one
# defined whitelist of controllers which API access will be enabled
@@ -775,21 +779,17 @@ class LoginRequired(object):
log.debug('Checking if %s is authenticated @ %s' % (user.username, loc))
reason = 'RegularAuth' if user.is_authenticated else 'APIAuth'
- if ip_access_valid and (user.is_authenticated or api_access_valid):
+ if user.is_authenticated or api_access_valid:
log.info('user %s authenticating with:%s IS authenticated on func %s '
% (user, reason, loc)
)
return func(*fargs, **fkwargs)
else:
log.warning('user %s authenticating with:%s NOT authenticated on func: %s: '
- 'IP_ACCESS:%s API_ACCESS:%s'
- % (user, reason, loc, ip_access_valid, api_access_valid)
+ 'API_ACCESS:%s'
+ % (user, reason, loc, api_access_valid)
)
- p = url.current()
-
- log.debug('redirecting to login page with %s' % p)
- return redirect(url('login_home', came_from=p))
-
+ return redirect_to_login()
class NotAnonymous(object):
"""
@@ -808,13 +808,8 @@ class NotAnonymous(object):
anonymous = self.user.username == User.DEFAULT_USER
if anonymous:
- p = url.current()
-
- import kallithea.lib.helpers as h
- h.flash(_('You need to be a registered user to '
- 'perform this action'),
- category='warning')
- return redirect(url('login_home', came_from=p))
+ return redirect_to_login(_('You need to be a registered user to '
+ 'perform this action'))
else:
return func(*fargs, **fkwargs)
@@ -845,14 +840,7 @@ class PermsDecorator(object):
anonymous = self.user.username == User.DEFAULT_USER
if anonymous:
- p = url.current()
-
- import kallithea.lib.helpers as h
- h.flash(_('You need to be signed in to '
- 'view this page'),
- category='warning')
- return redirect(url('login_home', came_from=p))
-
+ return redirect_to_login(_('You need to be signed in to view this page'))
else:
# redirect with forbidden ret code
return abort(403)
More information about the kallithea-general
mailing list