changeset 4530:0ac99fdbe65d

fixed suid functionality, compute cfg.auth_methods only once
author Thomas Waldmann <tw AT waldmann-edv DOT de>
date Mon, 02 Feb 2009 04:51:57 +0100
parents 002c21b10561
children 83666cc9dc31
files MoinMoin/auth/__init__.py MoinMoin/config/multiconfig.py MoinMoin/userprefs/suid.py MoinMoin/web/session.py MoinMoin/wsgiapp.py
diffstat 5 files changed, 28 insertions(+), 14 deletions(-) [+]
--- a/MoinMoin/auth/__init__.py	Mon Feb 02 01:08:29 2009 +0100
+++ b/MoinMoin/auth/__init__.py	Mon Feb 02 04:51:57 2009 +0100
@@ -302,6 +302,12 @@
 
 def handle_logout(request, userobj):
     """ Logout the passed user from every configured authentication method. """
+    if userobj.auth_method == 'setuid':
+        # we have no authmethod object for setuid
+        userobj = request._setuid_real_user
+        del request._setuid_real_user
+        return userobj
+
     for authmethod in request.cfg.auth:
         userobj, cont = authmethod.logout(request, userobj, cookie=request.cookies)
         if not cont:
@@ -331,6 +337,7 @@
         uid = request.session['setuid']
         userobj = user.User(request, uid, auth_method='setuid')
         userobj.valid = True
+    logging.debug("setup_suid returns %r, %r" % (userobj, old_user))
     return (userobj, old_user)
 
 def setup_from_session(request, session):
@@ -339,10 +346,12 @@
         auth_userid = session['user.id']
         auth_method = session['user.auth_method']
         auth_attrs = session['user.auth_attribs']
-        if auth_method and auth_method in \
-                [auth.name for auth in request.cfg.auth]:
+        logging.debug("got from session: %r %r" % (auth_userid, auth_method))
+        logging.debug("current auth methods: %r" % request.cfg.auth_methods)
+        if auth_method and auth_method in request.cfg.auth_methods:
             userobj = user.User(request, id=auth_userid,
                                 auth_method=auth_method,
                                 auth_attribs=auth_attrs)
     logging.debug("session started for user %r", userobj)
     return userobj
+
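Review bot: The new setuid branch in handle_logout dereferences `userobj.auth_method` before anything checks that userobj is set, whereas the loop below it passed userobj through to each method's logout unchanged; if a caller can still reach handle_logout with userobj None (setup_user now substitutes an 'invalid' User, so this may be unreachable), the branch raises AttributeError instead of logging out. A cheap guard is `if userobj and userobj.auth_method == 'setuid':`, and reading the real user with `getattr(request, '_setuid_real_user', None)` would avoid a second AttributeError on a request where the attribute was never assigned. Separately, the three added debug lines format eagerly with `%` while the existing `logging.debug("session started for user %r", userobj)` passes lazy arguments; the lazy form is what the function already uses and costs nothing when debug logging is off. handle_logout continues outside its hunk.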
--- a/MoinMoin/config/multiconfig.py	Mon Feb 02 01:08:29 2009 +0100
+++ b/MoinMoin/config/multiconfig.py	Mon Feb 02 04:51:57 2009 +0100
@@ -319,6 +319,7 @@
                 if not input in self.auth_login_inputs:
                     self.auth_login_inputs.append(input)
         self.auth_have_login = len(self.auth_login_inputs) > 0
+        self.auth_methods = found_names
 
         # internal dict for plugin `modules' lists
         self._site_plugin_lists = {}
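Review bot: `self.auth_methods = found_names` publishes a new config attribute that setup_from_session in MoinMoin/auth/__init__.py consults to decide whether a session's stored auth_method is accepted, but nothing at the assignment says what it holds or that it gates trust in session data; found_names is built outside the hunk, so I infer it is the list of names of the configured auth objects. A comment such as `# names of all configured auth methods; a session's stored user.auth_method must appear here to be trusted` would make that dependency visible to whoever next edits the loop above.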
--- a/MoinMoin/userprefs/suid.py	Mon Feb 02 01:08:29 2009 +0100
+++ b/MoinMoin/userprefs/suid.py	Mon Feb 02 04:51:57 2009 +0100
@@ -49,7 +49,6 @@
             # set valid to True so superusers can even switch
             # to disable accounts
             theuser.valid = True
-            self.request.session['setuid'] = uid
             self.request._setuid_real_user = self.request.user
             # now continue as the other user
             self.request.user = theuser
--- a/MoinMoin/web/session.py	Mon Feb 02 01:08:29 2009 +0100
+++ b/MoinMoin/web/session.py	Mon Feb 02 04:51:57 2009 +0100
@@ -72,13 +72,21 @@
         self.store.delete(session)
 
     def finalize(self, request, session):
-        userobj = request.user
+        if request.user.auth_method == 'setuid':
+            userobj = request._setuid_real_user
+            setuid = request.user.id
+        else:
+            userobj = request.user
+            setuid = None
+        logging.debug("finalize userobj = %r, setuid = %r" % (userobj, setuid))
         if userobj and userobj.valid:
-            if 'user.id' in session and session['user.id'] != userobj.id:
-                request.cfg.session_service.delete(session)
             session['user.id'] = userobj.id
             session['user.auth_method'] = userobj.auth_method
             session['user.auth_attribs'] = userobj.auth_attribs
+            if setuid:
+                session['setuid'] = setuid
+            elif 'setuid' in session:
+                del session['setuid']
             logging.debug("after auth: storing valid user into session: %r" % userobj.name)
         else:
             if 'user.id' in session:
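Review bot: The removed check that deleted the session when `session['user.id']` no longer matched the authenticated user has no replacement, so a login that happens inside an already-existing session now keeps that session and only overwrites its user keys; that check was the one place where a change of identity discarded the old session, which is what session-fixation resistance relies on. If it was dropped because the impersonated user's id differed from the stored one, note that finalize now resolves userobj to the real user before the comparison, so the old condition would no longer fire on setuid; restoring `if 'user.id' in session and session['user.id'] != userobj.id: request.cfg.session_service.delete(session)` ahead of the assignments keeps the rotation for ordinary logins. Whether the store issues a fresh id after delete is not visible here. The else branch of finalize continues past the hunk.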
--- a/MoinMoin/wsgiapp.py	Mon Feb 02 01:08:29 2009 +0100
+++ b/MoinMoin/wsgiapp.py	Mon Feb 02 04:51:57 2009 +0100
@@ -34,14 +34,7 @@
 
     context.session = context.cfg.session_service.get_session(request)
 
-    userobj = setup_user(context, context.session)
-    userobj, olduser = auth.setup_setuid(context, userobj)
-
-    if not userobj:
-        userobj = user.User(context, auth_method='request:invalid')
-
-    context.user = userobj
-    context._setuid_realuser = olduser
+    context.user = setup_user(context, context.session)
 
     context.lang = setup_i18n_postauth(context)
 
@@ -184,6 +177,10 @@
     either through the session or through a login. """
     # first try setting up from session
     userobj = auth.setup_from_session(context, session)
+    userobj, olduser = auth.setup_setuid(context, userobj)
+    context._setuid_real_user = olduser
+    if not userobj:
+        userobj = user.User(context, auth_method='invalid')
 
     # then handle login/logout forms
     form = context.request.values
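Review bot: The fallback user moved into setup_user is created with `auth_method='invalid'`, while the removed lines at the top of the file used `'request:invalid'`; if anything else in the tree compares against the old marker it will silently stop matching, and the commit message does not mention the rename. If the new spelling is intended, a single module-level constant for it would prevent this kind of drift; if not, the line should read `userobj = user.User(context, auth_method='request:invalid')`. setup_setuid is also now called before the login/logout form handling below, so `context._setuid_real_user` reflects only the session-derived user; setup_user continues outside the hunk.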