diff --git a/pillar/api/utils/authentication.py b/pillar/api/utils/authentication.py index 1fdd59fe..1ef46546 100644 --- a/pillar/api/utils/authentication.py +++ b/pillar/api/utils/authentication.py @@ -15,17 +15,9 @@ from flask import g from flask import request from flask import current_app -from pillar.auth import UserClass - log = logging.getLogger(__name__) -CLI_USER = UserClass.construct('CLI', { - '_id': 'CLI', - 'groups': [], - 'roles': {'admin'}, - 'email': 'local@nowhere', - 'username': 'CLI', -}) +CLI_USER = ... def force_cli_user(): @@ -34,7 +26,22 @@ def force_cli_user(): This is used as a marker to avoid authorization checks and just allow everything. """ - log.warning('Logging in as CLI_USER, circumventing authentication.') + global CLI_USER + + from pillar.auth import UserClass + + if CLI_USER is ...: + CLI_USER = UserClass.construct('CLI', { + '_id': 'CLI', + 'groups': [], + 'roles': {'admin'}, + 'email': 'local@nowhere', + 'username': 'CLI', + }) + log.warning('CONSTRUCTED CLI USER %s of type %s', id(CLI_USER), id(type(CLI_USER))) + + log.warning('Logging in as CLI_USER (%s) of type %s, circumventing authentication.', + id(CLI_USER), id(type(CLI_USER))) g.current_user = CLI_USER diff --git a/pillar/api/utils/authorization.py b/pillar/api/utils/authorization.py index 8d5555da..78a23d51 100644 --- a/pillar/api/utils/authorization.py +++ b/pillar/api/utils/authorization.py @@ -7,8 +7,6 @@ from flask import abort from flask import current_app from werkzeug.exceptions import Forbidden -from pillar.auth import UserClass - CHECK_PERMISSIONS_IMPLEMENTED_FOR = {'projects', 'nodes', 'flamenco_jobs'} log = logging.getLogger(__name__) 
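Review bot: `CLI_USER = ...` leaves the module-level name bound to `Ellipsis` until `force_cli_user()` first runs, so any module that binds it with `from pillar.api.utils.authentication import CLI_USER` keeps the placeholder permanently. An identity check such as `g.current_user is CLI_USER` in such a module would then never match the real object. Whether any importer does this is not visible in this diff; if one does, it has to read the attribute through the module at call time. A comment on the placeholder would make the contract explicit: `# Placeholder; built lazily by force_cli_user(). Read as authentication.CLI_USER at call time, never via 'from ... import CLI_USER'.`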
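Review bot: The two added `log.warning` calls in `force_cli_user()` print `id(CLI_USER)` and `id(type(CLI_USER))`, which look like leftover debugging for an object-identity problem. They also make the one audit-relevant message, that authentication is being bypassed with an admin-role user, variable and harder to match in log alerting. Consider logging construction at debug level, `log.debug('Constructed CLI user %s', CLI_USER)`, and keeping the original fixed text, `log.warning('Logging in as CLI_USER, circumventing authentication.')`. The lazy construction is unsynchronised, so two threads entering at once could each build a different `CLI_USER`; whether that can happen depends on callers not shown here. The function's docstring starts outside the hunk.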
@@ -355,9 +353,11 @@ def ab_testing(require_roles=set(), return decorator -def user_has_role(role, user: UserClass=None): +def user_has_role(role, user=None): """Returns True iff the user is logged in and has the given role.""" + from pillar.auth import UserClass + if user is None: user = g.get('current_user') if user is not None and not isinstance(user, UserClass): @@ -371,9 +371,11 @@ def user_has_role(role, user: UserClass=None): return user.has_role(role) -def user_has_cap(capability: str, user: UserClass=None) -> bool: +def user_has_cap(capability: str, user=None) -> bool: """Returns True iff the user is logged in and has the given capability.""" + from pillar.auth import UserClass + assert capability if user is None: @@ -400,6 +402,8 @@ def user_matches_roles(require_roles=set(), returning True. """ + from pillar.auth import UserClass + current_user: UserClass = g.get('current_user') if current_user is None: return False diff --git a/pillar/auth/__init__.py b/pillar/auth/__init__.py index e2b02a9b..23afb8b7 100644 --- a/pillar/auth/__init__.py +++ b/pillar/auth/__init__.py @@ -61,6 +61,9 @@ class UserClass(flask_login.UserMixin): return user + def __str__(self): + return f'UserClass(user_id={self.user_id})' + def __getitem__(self, item): """Compatibility layer with old dict-based g.current_user object."""
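Review bot: Dropping the `user: UserClass` annotation from `user_has_role` (and from `user_has_cap` in the next hunk) removes the static type contract on these authorization helpers only to avoid the module-level import. The annotation can stay as a forward reference with a type-checker-only import: `if typing.TYPE_CHECKING: from pillar.auth import UserClass` at module level (with `import typing`), and `def user_has_role(role, user: 'UserClass' = None):`. The function-local import is still needed for the `isinstance` check. In `user_matches_roles` the visible lines use the local import only for the annotation of `current_user`, which Python does not evaluate for local variables, so it may be unnecessary there unless later lines use the class. All three function bodies continue outside their hunks.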
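Review bot: Only `__str__` is added to `UserClass`, so unless `__repr__` is defined elsewhere in the class, `%r` formatting and containers of users will still show the default object form. Defining it as `__repr__` would cover both cases, because `str()` falls back to `__repr__` when `__str__` is absent: `def __repr__(self): return f'{type(self).__name__}(user_id={self.user_id})'`. A one-line docstring saying that the string carries only the user id would help keep it that way, since these strings will end up in log lines.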