Make sure if we are going to treat the cookie as valid, it's actually a user id of the proper type.

This commit is contained in:
Jake Moshenko 2014-11-21 10:28:50 -05:00
parent 60e45f700f
commit f9b8319835


@ -1,6 +1,7 @@
import logging import logging
from functools import wraps from functools import wraps
from uuid import UUID
from datetime import datetime from datetime import datetime
from flask import request, session from flask import request, session
from flask.ext.principal import identity_changed, Identity from flask.ext.principal import identity_changed, Identity
@ -23,6 +24,12 @@ logger = logging.getLogger(__name__)
def _load_user_from_cookie(): def _load_user_from_cookie():
if not current_user.is_anonymous(): if not current_user.is_anonymous():
try:
# Attempt to parse the user uuid to make sure the cookie has the right value type
UUID(current_user.get_id())
except ValueError:
return None
logger.debug('Loading user from cookie: %s', current_user.get_id()) logger.debug('Loading user from cookie: %s', current_user.get_id())
set_authenticated_user_deferred(current_user.get_id()) set_authenticated_user_deferred(current_user.get_id())
loaded = QuayDeferredPermissionUser(current_user.get_id(), 'user_uuid', {scopes.DIRECT_LOGIN}) loaded = QuayDeferredPermissionUser(current_user.get_id(), 'user_uuid', {scopes.DIRECT_LOGIN})
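Review bot: The new guard's `except ValueError:` only covers a string that is not a hex UUID; `uuid.UUID()` raises `TypeError` for `None` and `AttributeError` for a non-string argument, so if the project's user loader can ever hand back such an id (not visible here) the cookie path would raise instead of being rejected — `except (ValueError, TypeError, AttributeError):` closes that gap. The parsed value is also discarded: `UUID()` accepts braces, an `urn:uuid:` prefix and mixed case, and the three lines below still pass the raw `current_user.get_id()`, so the id handed to `set_authenticated_user_deferred` and `QuayDeferredPermissionUser` is not guaranteed to be in canonical form, and whether the `'user_uuid'` lookup tolerates that cannot be seen from this hunk. Binding `str(UUID(...))` once and using it downstream makes the check and the value used agree and drops the repeated `get_id()` calls; a warning on rejection (without echoing the attacker-controlled value) gives operators a signal for tampered or stale cookies. The body of `_load_user_from_cookie` continues past the end of the hunk.
```python
    try:
      # Parse to prove the cookie carries a UUID, and keep the canonical form for the lookups below
      user_uuid = str(UUID(current_user.get_id()))
    except (ValueError, TypeError, AttributeError):
      logger.warning('Rejecting session cookie whose user id is not a UUID')
      return None

    logger.debug('Loading user from cookie: %s', user_uuid)
    set_authenticated_user_deferred(user_uuid)
    loaded = QuayDeferredPermissionUser(user_uuid, 'user_uuid', {scopes.DIRECT_LOGIN})
    # … unchanged: rest of _load_user_from_cookie …
```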