[hg] galaxy 1712: Flush newly created users directly in __get_or...
details: http://www.bx.psu.edu/hg/galaxy/rev/e76a153769d4 changeset: 1712:e76a153769d4 user: Nate Coraor <nate@bx.psu.edu> date: Mon Jan 19 11:47:29 2009 -0500 description: Flush newly created users directly in __get_or_create_remote_user, solves the new user creation when using remote_user bug found by Ross Lazarus. Also, external users get a random password now (makes the secret key safer if a bad guy gets the database). 1 file(s) affected in this change: lib/galaxy/web/framework/__init__.py diffs (41 lines): diff -r 2a36ccdb2a38 -r e76a153769d4 lib/galaxy/web/framework/__init__.py --- a/lib/galaxy/web/framework/__init__.py Fri Jan 16 13:30:01 2009 -0500 +++ b/lib/galaxy/web/framework/__init__.py Mon Jan 19 11:47:29 2009 -0500 @@ -4,7 +4,7 @@ import pkg_resources -import os, sys, time +import os, sys, time, random, string pkg_resources.require( "Cheetah" ) from Cheetah.Template import Template import base @@ -229,6 +229,9 @@ user_for_new_session = self.__get_or_create_remote_user( remote_user_email ) log.warning( "User logged in as '%s' externally, but has a cookie as '%s' invalidating session", remote_user_email, prev_galaxy_session.user.email ) + else: + # No session exists, get/create user for new session + user_for_new_session = self.__get_or_create_remote_user( remote_user_email ) else: if galaxy_session is not None and galaxy_session.user and galaxy_session.user.external: # Remote user support is not enabled, but there is an existing 
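Review bot: The added `else:` branch creates an account for whatever `remote_user_email` holds on the first request that arrives without a session, so this path is only as safe as the component that sets that value. The hunk does not show where it is read, but the docstring of `__get_or_create_remote_user` in the following hunk says it comes from `$HTTP_REMOTE_USER`. That trust assumption deserves a comment at the call, e.g. `# remote_user_email is trusted as-is: the deployment must ensure only the authenticating proxy can set HTTP_REMOTE_USER`. The enclosing method starts and ends outside the hunk, so whether the value is validated earlier cannot be judged from here.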
@@ -282,15 +285,15 @@ def __get_or_create_remote_user( self, remote_user_email ): """ Return the user in $HTTP_REMOTE_USER and create if necessary - - Caller is responsible for flushing the returned user. """ # remote_user middleware ensures HTTP_REMOTE_USER exists user = self.app.model.User.filter_by( email=remote_user_email ).first() if user is None: + random.seed() user = self.app.model.User( email=remote_user_email ) - user.set_password_cleartext( 'external' ) + user.set_password_cleartext( ''.join( random.sample( string.letters + string.digits, 12 ) ) ) user.external = True + user.flush() #self.log_event( "Automatically created account '%s'", user.email ) return user def __update_session_cookie( self, name='galaxysession' ):
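Review bot: The password passed to `user.set_password_cleartext( ... )` is drawn from the module-level `random` generator, a Mersenne Twister that is not designed for secrets, and the added `random.seed()` also reseeds that shared generator for every other caller in the process. `random.sample` picks without replacement, so no character can repeat, and `string.letters` is locale-dependent on Python 2. I would drop the `random.seed()` line and use the OS-backed generator: `rng = random.SystemRandom()` followed by `user.set_password_cleartext( ''.join( [ rng.choice( string.ascii_letters + string.digits ) for i in range( 12 ) ] ) )`. Separately, now that the method calls `user.flush()` itself, two concurrent first requests for the same address can both see `user is None`; whether the second flush fails or creates a duplicate depends on constraints on the email column that are not visible here.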