wainuiomata / sambal

Experimental web admin for Samba and Active Directory domains
https://wainuiomata.com
GNU General Public License v3.0

request.user property should use request.unauthenticated_userid #6

Closed robvdl closed 9 months ago

robvdl commented 9 months ago

The request.user property was rushed; it isn't done properly.

It should be done more like this (using request.unauthenticated_userid):

# Assumed import: User is the project's own model (not shown in this issue)
def get_current_user(request):
    # Pyramid's auth policy recovers the userid from the session cookie;
    # only then do we hit the directory to build the User object
    account_name = request.unauthenticated_userid
    if account_name is not None:
        return User.get(request.samdb, account_name=account_name)
    return None

Note that userid is the username in Pyramid (account_name on Windows).

But we are also doing things slightly differently, with each request authenticating with the Samba host, so it needs some thought on how to work that in.

robvdl commented 9 months ago

I thought about keeping the samdb connection alive between requests, but that gets messy, and I have no idea how a SamDB object is going to behave when pickled/unpickled into the user session.

Therefore we store credentials in the session (after a successful login only), but this means the session must be a backend session that is properly secured.

The user session serializer is set to JSON anyway; it's NOT using pickle.

import json
import os

SETTINGS = {
    "redis.sessions.url": os.getenv("SAMBAL_REDIS_URL"),
    "redis.sessions.secret": os.getenv("SAMBAL_SESSION_SECRET"),
    # JSON only: a stored session can only rebuild plain dicts/lists/strings,
    # never arbitrary objects the way pickle would
    "redis.sessions.serialize": lambda s: json.dumps(s).encode("utf-8"),
    "redis.sessions.deserialize": lambda s: json.loads(s.decode("utf-8")),
}

Anyway, I think it should still be using the request.unauthenticated_userid property from Pyramid.

robvdl commented 9 months ago

Actually, upgrading to Pyramid 2.0 deprecates this and replaces it with one object, SecurityPolicy, instead of AuthenticationPolicy + AuthorizationPolicy like before.

So when #7 lands it should automatically cover this.
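The three ideas in this thread (resolving request.user from the remembered userid, keeping the session JSON-only so it can never hand back live objects, and folding the lookup into a single Pyramid 2.0 SecurityPolicy) can be shown together in one self-contained sketch. This is an added example, not sambal's code: `User`, `FAKE_SAMDB` and `FakeRequest` are constructed stand-ins for the project's model, the SamDB and the Pyramid request, and `SessionSecurityPolicy` is a hypothetical policy whose method names (`identity`, `authenticated_userid`, `permits`, `remember`, `forget`) match the Pyramid 2.0 SecurityPolicy interface while the bodies are this example's own.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the project's Samba-backed User model.
@dataclass
class User:
    account_name: str
    display_name: str

# Constructed stand-in for a SamDB: sAMAccountName -> User.
FAKE_SAMDB = {"alice": User("alice", "Alice Example")}


class FakeRequest:
    """Minimal stand-in for a Pyramid request (assumed attributes only)."""
    def __init__(self, session: dict, unauthenticated_userid: Optional[str] = None):
        self.session = session
        self.unauthenticated_userid = unauthenticated_userid
        self.samdb = FAKE_SAMDB


def get_current_user(request) -> Optional[User]:
    """Pyramid 1.x style, as the first comment proposes: trust only the
    userid the auth policy recovered, then look it up. A stale or unknown
    name yields None rather than a partially built user."""
    account_name = request.unauthenticated_userid
    if account_name is None:
        return None
    return request.samdb.get(account_name)


# --- session storage: JSON only, mirroring the SETTINGS in the issue ------
def serialize_session(session: dict) -> bytes:
    return json.dumps(session).encode("utf-8")


def deserialize_session(raw: bytes) -> bytes:
    return json.loads(raw.decode("utf-8"))


def session_is_storable(session: dict) -> bool:
    """True only if every value survives the JSON round trip unchanged.
    Model instances such as User are rejected: with JSON the backend can
    only ever return plain dicts/strings, never live Python objects."""
    try:
        return deserialize_session(serialize_session(session)) == session
    except (TypeError, ValueError):
        return False


# --- Pyramid 2.0 style: one SecurityPolicy object -------------------------
class SessionSecurityPolicy:
    """Hypothetical policy in the shape of a Pyramid 2.0 SecurityPolicy.
    identity() performs the directory lookup that request.user used to do,
    so a separate request.user property is no longer needed."""
    SESSION_KEY = "userid"

    def identity(self, request) -> Optional[User]:
        account_name = request.session.get(self.SESSION_KEY)
        if account_name is None:
            return None
        return request.samdb.get(account_name)

    def authenticated_userid(self, request) -> Optional[str]:
        user = self.identity(request)
        return user.account_name if user else None

    def permits(self, request, context, permission) -> bool:
        # Real Pyramid returns Allowed/Denied from pyramid.security; a bool here.
        return self.identity(request) is not None

    def remember(self, request, userid, **kw):
        # Only the plain account name goes into the server-side session.
        request.session[self.SESSION_KEY] = userid
        return []  # response headers; none needed with a backend session

    def forget(self, request, **kw):
        request.session.pop(self.SESSION_KEY, None)
        return []
```

Because `remember` stores only the account name, `session_is_storable` stays true for every session the policy writes; trying to stash a `User` object would fail the JSON round trip, which is exactly the property the second comment relies on.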

robvdl commented 9 months ago

Closed via #8