changeset 2020:1b0629547090

introduce cfg.trusted_auth_methods
author Johannes Berg <johannes AT sipsolutions DOT net>
date Sat, 21 Apr 2007 15:23:53 +0200
parents 149573c7ecaf
children 927e97ed7d7c
files MoinMoin/config/multiconfig.py MoinMoin/security/__init__.py MoinMoin/user.py MoinMoin/xmlrpc/UpdateGroup.py MoinMoin/xmlrpc/WhoAmI.py MoinMoin/xmlrpc/__init__.py
diffstat 6 files changed, 17 insertions(+), 14 deletions(-) [+]
--- a/MoinMoin/config/multiconfig.py	Sat Apr 21 14:06:22 2007 +0200
+++ b/MoinMoin/config/multiconfig.py	Sat Apr 21 15:23:53 2007 +0200
@@ -218,6 +218,10 @@
     antispam_master_url = "http://moinmaster.wikiwikiweb.de:8000/?action=xmlrpc2"
     attachments = None # {'dir': path, 'url': url-prefix}
     auth = [authmodule.MoinLogin()]
+    # default to http and xmlrpc_applytoken to get old semantics
+    # xmlrpc_applytoken shall be removed once that code is changed
+    # to have proper session handling and use request.handle_auth()
+    trusted_auth_methods = ['xmlrpc_applytoken']
     session_handler = session.DefaultSessionHandler()
 
     backup_compression = 'gz'
@@ -565,7 +569,7 @@
     user_form_remove = []
 
     # attributes we do NOT save to the userpref file
-    user_transient_fields = ['id', 'valid', 'may', 'auth_username', 'trusted', 'password', 'password2', 'auth_method', 'auth_attribs', ]
+    user_transient_fields = ['id', 'valid', 'may', 'auth_username', 'password', 'password2', 'auth_method', 'auth_attribs', ]
 
     user_homewiki = 'Self' # interwiki name for where user homepages are located
 
--- a/MoinMoin/security/__init__.py	Sat Apr 21 14:06:22 2007 +0200
+++ b/MoinMoin/security/__init__.py	Sat Apr 21 15:23:53 2007 +0200
@@ -277,11 +277,13 @@
         return None
 
     def _special_Trusted(self, request, name, dowhat, rightsdict):
-        """ check if user <name> is known AND even has logged in using a password.
-            does not work for subsription emails that should be sent to <user>,
+        """ check if user <name> is known AND has logged in using a trusted
+            authentication method.
+            Does not work for subsription emails that should be sent to <user>,
             as he is not logged in in that case.
         """
-        if request.user.trusted and name == request.user.name:
+        if (request.user.name == name and
+            request.user.auth_method in request.cfg.trusted_auth_methods):
             return rightsdict.get(dowhat)
         return None
 
--- a/MoinMoin/user.py	Sat Apr 21 14:06:22 2007 +0200
+++ b/MoinMoin/user.py	Sat Apr 21 15:23:53 2007 +0200
@@ -270,7 +270,6 @@
         """
         self._cfg = request.cfg
         self.valid = 0
-        self.trusted = 0
         self.id = id
         self.auth_username = auth_username
         self.auth_method = kw.get('auth_method', 'internal')
@@ -323,8 +322,6 @@
                 check_pass = 1
         if self.id:
             self.load_from_id(check_pass)
-            if self.name == self.auth_username:
-                self.trusted = 1
         elif self.name:
             self.id = getUserId(self._request, self.name)
             if self.id:
@@ -433,8 +430,6 @@
             valid, changed = self._validatePassword(user_data)
             if not valid:
                 return
-            else:
-                self.trusted = 1
 
         # Remove ignored checkbox values from user data
         for key, label in self._cfg.user_checkbox_fields:
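Review bot: In the third hunk `self.trusted = 1` after a successful `_validatePassword` is dropped without a replacement, while the constructor in the first hunk still defaults `auth_method` to `'internal'`; a password-validated user therefore keeps whatever `auth_method` the caller passed, and trust is decided purely by config membership. With the `trusted_auth_methods` default introduced in this changeset, password logins stop being Trusted unless the admin adds the login method's string, which is a silent behaviour change that deserves a sentence in the constructor docstring, e.g. `auth_method decides Trusted status via cfg.trusted_auth_methods; the old 'trusted' attribute is gone`. The dropped `self.name == self.auth_username` check in the second hunk was also the only tie between the loaded profile and the externally authenticated name; if that guarantee is still needed it presumably has to live in the auth modules now. All three hunks sit inside methods whose bodies start outside the diff, and any remaining reader of `user.trusted` outside the six touched files would now raise AttributeError.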
--- a/MoinMoin/xmlrpc/UpdateGroup.py	Sat Apr 21 14:06:22 2007 +0200
+++ b/MoinMoin/xmlrpc/UpdateGroup.py	Sat Apr 21 15:23:53 2007 +0200
@@ -34,7 +34,8 @@
     # and make very very sure that nobody untrusted can access your wiki
     # via network or somebody will raid your wiki some day!
 
-    if self.request.cfg.xmlrpc_putpage_trusted_only and not self.request.user.trusted:
+    if (self.request.cfg.xmlrpc_putpage_trusted_only and
+        not self.request.user.auth_method in self.request.cfg.trusted_auth_methods):
         return xmlrpclib.Fault(1, "You are not allowed to edit this page")
 
     # also check ACLs
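Review bot: `not self.request.user.auth_method in self.request.cfg.trusted_auth_methods` is a negated containment test written in the non-idiomatic order; the readable form is `self.request.user.auth_method not in self.request.cfg.trusted_auth_methods`. The same expression is now duplicated in both hunks of MoinMoin/xmlrpc/__init__.py (the lines following `xmlrpc_putpage_trusted_only`), and those two copies additionally carry trailing whitespace after `and`. A single helper on the user object returning `self.auth_method in self._cfg.trusted_auth_methods` would keep the three xmlrpc call sites and `_special_Trusted` from drifting when the trust policy changes again. The enclosing function starts outside the hunk.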
--- a/MoinMoin/xmlrpc/WhoAmI.py	Sat Apr 21 14:06:22 2007 +0200
+++ b/MoinMoin/xmlrpc/WhoAmI.py	Sat Apr 21 15:23:53 2007 +0200
@@ -12,7 +12,6 @@
     if not username:
         username = "<unknown user>"
     valid = request.user.valid
-    trusted = request.user.trusted
-    result = "You are %s. valid=%d, trusted=%d." % (username.encode("utf-8"), valid, trusted)
+    result = "You are %s. valid=%d." % (username.encode("utf-8"), valid)
     return xmlrpcobj._outstr(result)
 
--- a/MoinMoin/xmlrpc/__init__.py	Sat Apr 21 14:06:22 2007 +0200
+++ b/MoinMoin/xmlrpc/__init__.py	Sat Apr 21 15:23:53 2007 +0200
@@ -522,7 +522,8 @@
         # and make very very sure that nobody untrusted can access your wiki
         # via network or somebody will raid your wiki some day!
 
-        if self.request.cfg.xmlrpc_putpage_trusted_only and not self.request.user.trusted:
+        if (self.request.cfg.xmlrpc_putpage_trusted_only and 
+            not self.request.user.auth_method in self.request.cfg.trusted_auth_methods):
             return xmlrpclib.Fault(1, "You are not allowed to edit this page")
 
         # also check ACLs
@@ -847,7 +848,8 @@
 
         if not self.request.cfg.xmlrpc_putpage_enabled:
             return xmlrpclib.Boolean(0)
-        if self.request.cfg.xmlrpc_putpage_trusted_only and not self.request.user.trusted:
+        if (self.request.cfg.xmlrpc_putpage_trusted_only and 
+            not self.request.user.auth_method in self.request.cfg.trusted_auth_methods):
             return xmlrpclib.Fault(1, "You are not allowed to edit this page")
         # also check ACLs
         if not self.request.user.may.write(pagename):