Beispiel #1
0
def _store_user_in_session(session, username, remember=False):
    user = User.get_by_username(username, case_insensitive=True)
    auth_user = AuthUser(user.user_id)
    auth_user.set_authenticated()
    cs = auth_user.get_cookie_store()
    session['rhodecode_user'] = cs
    user.update_lastlogin()
    Session().commit()

    # If they want to be remembered, update the cookie
    if remember:
        _year = (datetime.datetime.now() +
                 datetime.timedelta(seconds=60 * 60 * 24 * 365))
        session._set_cookie_expires(_year)

    session.save()

    log.info('user %s is now authenticated and stored in '
             'session, session attrs %s', username, cs)

    # dumps session attrs back to cookie
    session._update_cookie_out()
    # we set new cookie
    headers = None
    if session.request['set_cookie']:
        # send set-cookie headers back to response to update cookie
        headers = [('Set-Cookie', session.request['cookie_out'])]
    return headers
Beispiel #2
0
    def index(self):
        # redirect if already logged in
        c.came_from = request.GET.get('came_from', None)

        if self.rhodecode_user.is_authenticated \
                            and self.rhodecode_user.username != 'default':

            return redirect(url('home'))

        if request.POST:
            # import Login Form validator class
            login_form = LoginForm()
            try:
                c.form_result = login_form.to_python(dict(request.POST))
                # form checks for username/password, now we're authenticated
                username = c.form_result['username']
                user = User.get_by_username(username, case_insensitive=True)
                auth_user = AuthUser(user.user_id)
                auth_user.set_authenticated()
                cs = auth_user.get_cookie_store()
                session['rhodecode_user'] = cs
                # If they want to be remembered, update the cookie
                if c.form_result['remember'] is not False:
                    session.cookie_expires = False
                session._set_cookie_values()
                session._update_cookie_out()
                session.save()

                log.info('user %s is now authenticated and stored in '
                         'session, session attrs %s' % (username, cs))
                user.update_lastlogin()
                Session.commit()

                if c.came_from:
                    return redirect(c.came_from)
                else:
                    return redirect(url('home'))

            except formencode.Invalid, errors:
                return htmlfill.render(
                    render('/login.html'),
                    defaults=errors.value,
                    errors=errors.error_dict or {},
                    prefix_error=False,
                    encoding="UTF-8")
Beispiel #3
0
    def index(self):
        # redirect if already logged in
        c.came_from = request.GET.get('came_from', None)

        if self.rhodecode_user.is_authenticated \
                            and self.rhodecode_user.username != 'default':

            return redirect(url('home'))

        if request.POST:
            # import Login Form validator class
            login_form = LoginForm()
            try:
                c.form_result = login_form.to_python(dict(request.POST))
                # form checks for username/password, now we're authenticated
                username = c.form_result['username']
                user = User.get_by_username(username, case_insensitive=True)
                auth_user = AuthUser(user.user_id)
                auth_user.set_authenticated()
                cs = auth_user.get_cookie_store()
                session['rhodecode_user'] = cs
                # If they want to be remembered, update the cookie
                if c.form_result['remember'] is not False:
                    session.cookie_expires = False
                session._set_cookie_values()
                session._update_cookie_out()
                session.save()

                log.info('user %s is now authenticated and stored in '
                         'session, session attrs %s' % (username, cs))
                user.update_lastlogin()
                Session.commit()

                if c.came_from:
                    return redirect(c.came_from)
                else:
                    return redirect(url('home'))

            except formencode.Invalid, errors:
                return htmlfill.render(render('/login.html'),
                                       defaults=errors.value,
                                       errors=errors.error_dict or {},
                                       prefix_error=False,
                                       encoding="UTF-8")
Beispiel #4
0
def get_auth_user(environ):
    ip_addr = get_ip_addr(environ)
    # make sure that we update permissions each time we call controller
    _auth_token = (request.GET.get('auth_token', '') or
                   request.GET.get('api_key', ''))

    if _auth_token:
        # when using API_KEY we are sure user exists.
        auth_user = AuthUser(api_key=_auth_token, ip_addr=ip_addr)
        authenticated = False
    else:
        cookie_store = CookieStoreWrapper(session.get('rhodecode_user'))
        try:
            auth_user = AuthUser(user_id=cookie_store.get('user_id', None),
                                 ip_addr=ip_addr)
        except UserCreationError as e:
            h.flash(e, 'error')
            # container auth or other auth functions that create users
            # on the fly can throw this exception signaling that there's
            # issue with user creation, explanation should be provided
            # in Exception itself. We then create a simple blank
            # AuthUser
            auth_user = AuthUser(ip_addr=ip_addr)

        if password_changed(auth_user, session):
            session.invalidate()
            cookie_store = CookieStoreWrapper(
                session.get('rhodecode_user'))
            auth_user = AuthUser(ip_addr=ip_addr)

        authenticated = cookie_store.get('is_authenticated')

    if not auth_user.is_authenticated and auth_user.is_user_object:
        # user is not authenticated and not empty
        auth_user.set_authenticated(authenticated)

    return auth_user
Beispiel #5
0
    def index(self):
        # redirect if already logged in
        c.came_from = request.GET.get("came_from", None)

        if self.rhodecode_user.is_authenticated and self.rhodecode_user.username != "default":

            return redirect(url("home"))

        if request.POST:
            # import Login Form validator class
            login_form = LoginForm()
            try:
                c.form_result = login_form.to_python(dict(request.POST))
                # form checks for username/password, now we're authenticated
                username = c.form_result["username"]
                user = User.get_by_username(username, case_insensitive=True)
                auth_user = AuthUser(user.user_id)
                auth_user.set_authenticated()
                session["rhodecode_user"] = auth_user
                session.save()

                log.info("user %s is now authenticated and stored in session", username)
                user.update_lastlogin()

                if c.came_from:
                    return redirect(c.came_from)
                else:
                    return redirect(url("home"))

            except formencode.Invalid, errors:
                return htmlfill.render(
                    render("/login.html"),
                    defaults=errors.value,
                    errors=errors.error_dict or {},
                    prefix_error=False,
                    encoding="UTF-8",
                )
Beispiel #6
0
    def index(self):
        # redirect if already logged in
        c.came_from = request.GET.get('came_from')
        not_default = self.rhodecode_user.username != 'default'
        ip_allowed = self.rhodecode_user.ip_allowed
        if self.rhodecode_user.is_authenticated and not_default and ip_allowed:
            return redirect(url('home'))

        if request.POST:
            # import Login Form validator class
            login_form = LoginForm()
            try:
                session.invalidate()
                c.form_result = login_form.to_python(dict(request.POST))
                # form checks for username/password, now we're authenticated
                username = c.form_result['username']
                user = User.get_by_username(username, case_insensitive=True)
                auth_user = AuthUser(user.user_id)
                auth_user.set_authenticated()
                cs = auth_user.get_cookie_store()
                session['rhodecode_user'] = cs
                user.update_lastlogin()
                Session().commit()

                # If they want to be remembered, update the cookie
                if c.form_result['remember']:
                    _year = (datetime.datetime.now() +
                             datetime.timedelta(seconds=60 * 60 * 24 * 365))
                    session._set_cookie_expires(_year)

                session.save()

                log.info('user %s is now authenticated and stored in '
                         'session, session attrs %s' % (username, cs))

                # dumps session attrs back to cookie
                session._update_cookie_out()

                # we set new cookie
                headers = None
                if session.request['set_cookie']:
                    # send set-cookie headers back to response to update cookie
                    headers = [('Set-Cookie', session.request['cookie_out'])]

                allowed_schemes = ['http', 'https']
                if c.came_from:
                    parsed = urlparse.urlparse(c.came_from)
                    server_parsed = urlparse.urlparse(url.current())
                    if parsed.scheme and parsed.scheme not in allowed_schemes:
                        log.error(
                            'Suspicious URL scheme detected %s for url %s' %
                            (parsed.scheme, parsed))
                        c.came_from = url('home')
                    elif server_parsed.netloc != parsed.netloc:
                        log.error('Suspicious NETLOC detected %s for url %s'
                                  'server url is: %s' %
                                  (parsed.netloc, parsed, server_parsed))
                        c.came_from = url('home')
                    raise HTTPFound(location=c.came_from, headers=headers)
                else:
                    raise HTTPFound(location=url('home'), headers=headers)

            except formencode.Invalid, errors:
                return htmlfill.render(
                    render('/login.html'),
                    defaults=errors.value,
                    errors=errors.error_dict or {},
                    prefix_error=False,
                    encoding="UTF-8")
Beispiel #7
0
    def index(self):
        # redirect if already logged in
        c.came_from = request.GET.get('came_from')
        not_default = self.rhodecode_user.username != 'default'
        ip_allowed = self.rhodecode_user.ip_allowed
        if self.rhodecode_user.is_authenticated and not_default and ip_allowed:
            return redirect(url('home'))

        if request.POST:
            # import Login Form validator class
            login_form = LoginForm()
            try:
                session.invalidate()
                c.form_result = login_form.to_python(dict(request.POST))
                # form checks for username/password, now we're authenticated
                username = c.form_result['username']
                user = User.get_by_username(username, case_insensitive=True)
                auth_user = AuthUser(user.user_id)
                auth_user.set_authenticated()
                cs = auth_user.get_cookie_store()
                session['rhodecode_user'] = cs
                user.update_lastlogin()
                Session().commit()

                # If they want to be remembered, update the cookie
                if c.form_result['remember']:
                    _year = (datetime.datetime.now() +
                             datetime.timedelta(seconds=60 * 60 * 24 * 365))
                    session._set_cookie_expires(_year)

                session.save()

                log.info('user %s is now authenticated and stored in '
                         'session, session attrs %s' % (username, cs))

                # dumps session attrs back to cookie
                session._update_cookie_out()

                # we set new cookie
                headers = None
                if session.request['set_cookie']:
                    # send set-cookie headers back to response to update cookie
                    headers = [('Set-Cookie', session.request['cookie_out'])]

                allowed_schemes = ['http', 'https']
                if c.came_from:
                    parsed = urlparse.urlparse(c.came_from)
                    server_parsed = urlparse.urlparse(url.current())
                    if parsed.scheme and parsed.scheme not in allowed_schemes:
                        log.error(
                            'Suspicious URL scheme detected %s for url %s' %
                            (parsed.scheme, parsed))
                        c.came_from = url('home')
                    elif server_parsed.netloc != parsed.netloc:
                        log.error('Suspicious NETLOC detected %s for url %s'
                                  'server url is: %s' %
                                  (parsed.netloc, parsed, server_parsed))
                        c.came_from = url('home')
                    raise HTTPFound(location=c.came_from, headers=headers)
                else:
                    raise HTTPFound(location=url('home'), headers=headers)

            except formencode.Invalid, errors:
                return htmlfill.render(
                    render('/login.html'),
                    defaults=errors.value,
                    errors=errors.error_dict or {},
                    prefix_error=False,
                    encoding="UTF-8")
            except UserCreationError, e:
                # container auth or other auth functions that create users on
                # the fly can throw this exception signaling that there's issue
                # with user creation, explanation should be provided in
                # Exception itself
                h.flash(e, 'error')