Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix bug: anonymous user should not get guillotina.Authenticated #744

merged 6 commits into from Nov 27, 2019
Changes from all commits
File filter...
Filter file types
Jump to…
Jump to file or symbol
Failed to load files and symbols.


Just for now

@@ -4,6 +4,9 @@ CHANGELOG
5.1.19 (unreleased)

- Fix security bug: anonymous users were being granted
guillotina.Authenticated [lferran]

- Update default zope.interface to 4.7.1

@@ -59,3 +59,8 @@ def __init__(self):
super().__init__() = ANONYMOUS_USER_ID
self._roles["guillotina.Anonymous"] = Allow

def roles(self):
# This prevents roles from being modified for anonymous user
return self._roles.copy()
@@ -3,6 +3,7 @@
from guillotina import task_vars
from guillotina._settings import app_settings
from guillotina.auth import groups # noqa
from guillotina.auth.users import AnonymousUser
from guillotina.auth.users import ROOT_USER_ID
from guillotina.component import get_utility
from guillotina.interfaces import IApplication
@@ -31,7 +32,7 @@

def set_authenticated_user(user):
if user is not None:
This conversation was marked as resolved by lferran

This comment has been minimized.

Copy link

vangheem Nov 27, 2019


Instead of removing this and hardcoding guillotina.Authenticated into the anon user object, can we just make the roles not editable on the anon user object?

This comment has been minimized.

Copy link

lferran Nov 27, 2019

Author Contributor


if user is not None and not isinstance(user, AnonymousUser):
policy = get_security_policy(user)
if hasattr(user, "roles") and "guillotina.Authenticated" not in user.roles:
@@ -198,6 +198,18 @@ def sync_foobar_sub(ob, evt):
raise HTTPUnprocessableEntity()

# Create a new permission and grant it to authenticated users only
configure.permission("example.EndpointPermission", "example permission")
configure.grant(permission="example.EndpointPermission", role="guillotina.Authenticated")

context=IApplication, method="GET", permission="example.EndpointPermission", name="@myEndpoint"
async def my_endpoint(context, request):
return {"foo": "bar"}

class ITestAsyncUtility(IAsyncUtility):

@@ -645,6 +645,13 @@ def uninstall(cls, container, request):
assert status == 422

async def test_anonymous_user_does_not_get_authenticated_role(container_requester):
async with container_requester as requester:
# Make call as anonymous user
_, status = await requester("GET", "/@myEndpoint", auth_type="Bearer", token="foo")
assert status == 401

async def test_addable_types(container_requester):
async with container_requester as requester:
response, status = await requester("GET", "/db/guillotina/@addable-types")
ProTip! Use n and p to navigate between commits in a pull request.
You can’t perform that action at this time.