

Move session cookie check to views module.
Used by both base.py and the Flask after_request handler.
brew committed Jun 15, 2016
1 parent 549eb6f commit dab0fc8
Showing 3 changed files with 42 additions and 28 deletions.
7 changes: 5 additions & 2 deletions ckan/config/middleware/flask_app.py
Expand Up @@ -27,7 +27,9 @@
from ckan.common import c
from ckan.plugins import PluginImplementations
from ckan.plugins.interfaces import IBlueprint
from ckan.views import identify_user, set_cors_headers_for_response
from ckan.views import (identify_user,
set_cors_headers_for_response,
check_session_cookie)

from ckan.config.middleware import common_middleware

Expand Down Expand Up @@ -102,7 +104,8 @@ def ckan_before_request():

@app.after_request
def ckan_after_request(response):
set_cors_headers_for_response(response)
response = check_session_cookie(response)
response = set_cors_headers_for_response(response)

# log time between before and after view
r_time = time.time() - c._request_timer
29 changes: 4 additions & 25 deletions ckan/lib/base.py
Expand Up @@ -26,7 +26,9 @@
import ckan.plugins as p
import ckan.model as model
import ckan.lib.maintain as maintain
from ckan.views import identify_user, set_cors_headers_for_response
from ckan.views import (identify_user,
set_cors_headers_for_response,
check_session_cookie)

# These imports are for legacy usages and will be removed soon these should
# be imported directly from ckan.common for internal ckan code and via the
Expand Down Expand Up @@ -246,30 +248,7 @@ def __call__(self, environ, start_response):
finally:
model.Session.remove()

for cookie in request.cookies:
# Remove the ckan session cookie if not used e.g. logged out
if cookie == 'ckan' and not c.user:
# Check session for valid data (including flash messages)
# (DGU also uses session for a shopping basket-type behaviour)
is_valid_cookie_data = False
for key, value in session.items():
if not key.startswith('_') and value:
is_valid_cookie_data = True
break
if not is_valid_cookie_data:
if session.id:
if not session.get('lang'):
self.log.debug('No session data any more - '
'deleting session')
self.log.debug('Session: %r', session.items())
session.delete()
else:
response.delete_cookie(cookie)
self.log.debug('No session data any more - '
'deleting session cookie')
# Remove auth_tkt repoze.who cookie if user not logged in.
elif cookie == 'auth_tkt' and not session.id:
response.delete_cookie(cookie)
check_session_cookie(response)

return res

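Review bot: The call `check_session_cookie(response)` discards the helper's return value, whereas the new flask_app.py handler rebinds it with `response = check_session_cookie(response)`; using the same form here keeps the two call sites consistent and avoids a silent divergence if the helper ever stops mutating the response in place. `__call__` begins and ends outside this hunk, so I cannot see how `response` is used afterwards — the `return res` that follows suggests the mutated object flows through regardless. With the cookie loop removed, the `session` and `request` names base.py imported for it may now be unused; the import block is outside the hunk, so that is worth a check.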
34 changes: 33 additions & 1 deletion ckan/views/__init__.py
Expand Up @@ -5,7 +5,7 @@
from paste.deploy.converters import asbool

import ckan.model as model
from ckan.common import c, request
from ckan.common import c, request, session
import ckan.plugins as p

import logging
Expand All @@ -15,6 +15,36 @@
APIKEY_HEADER_NAME_DEFAULT = 'X-CKAN-API-Key'


def check_session_cookie(response):
'''
The cookies for auth (auth_tkt) and session (ckan) are separate. This
checks whether a user is logged in, and determines the validity of the
session cookie, removing it if necessary.
'''
for cookie in request.cookies:
# Remove the ckan session cookie if logged out.
if cookie == 'ckan' and not c.user:
# Check session for valid data (including flash messages)
is_valid_cookie_data = False
for key, value in session.items():
if not key.startswith('_') and value:
is_valid_cookie_data = True
break
if not is_valid_cookie_data:
if session.id:
log.debug('No valid session data - deleting session')
log.debug('Session: %r', session.items())
session.delete()
else:
log.debug('No session id - deleting session cookie')
response.delete_cookie(cookie)
# Remove auth_tkt repoze.who cookie if user not logged in.
elif cookie == 'auth_tkt' and not session.id:
response.delete_cookie(cookie)

return response


def set_cors_headers_for_response(response):
'''
Set up Access Control Allow headers if either origin_allow_all is True, or
Expand All @@ -40,6 +70,8 @@ def set_cors_headers_for_response(response):
response.headers['Access-Control-Allow-Headers'] = \
"X-CKAN-API-KEY, Authorization, Content-Type"

return response


def identify_user():
'''Try to identify the user
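Review bot: `log.debug('Session: %r', session.items())` in check_session_cookie writes every session value into the log each time a stale session is deleted; session data holds flash messages and whatever extensions store there, so logging only the keys, `log.debug('Session keys: %r', list(session.keys()))`, gives the same diagnostic without copying user data into log files. The docstring should also state the contract the Flask caller now depends on: the response is modified in place and the same object is returned, e.g. add `Returns the response (modified in place) so callers can rebind it.` Since this helper now serves both the Pylons and the Flask response objects, `delete_cookie` only clears a cookie when its path/domain match those used when the cookie was set — worth confirming against how the `ckan` and `auth_tkt` cookies are issued, which is not visible here.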
