Salastil/odysseus
1
0
Fork 0
mirror of https://github.com/pewdiepie-archdaemon/odysseus.git synced 2026-06-17 02:05:22 -04:00
Code Issues Packages Projects Releases Wiki Activity

allow user who disable auth to use chat (#2548)

Browse Source 
* allow user who disable auth to use chat

* only check non user on verify session owner

* fix import source

* rollback 401 to 403 for unauthorized error due to unit test

* change unauthenticated http code error to 401 and fix unit tests
This commit is contained in:
Fijar Lazuardy
2026-06-06 03:54:19 +07:00
committed by GitHub
parent fb3e89b011
commit 66599b02a2
4 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
routes/session_routes.py
+3 -3
View File
@@ -11,7 +11,7 @@ from core.session_manager import SessionManager
from core.models import ChatMessage from core.models import ChatMessage
from src.request_models import SessionResponse from src.request_models import SessionResponse
from core.database import Session as DbSession, SessionLocal, Document, GalleryImage from core.database import Session as DbSession, SessionLocal, Document, GalleryImage
from src.auth_helpers import get_current_user, effective_user from src.auth_helpers import get_current_user, effective_user, _auth_disabled
def _sanitize_export_filename(name: str) -> str: def _sanitize_export_filename(name: str) -> str:
@@ -106,8 +106,8 @@ def _verify_session_owner(request: Request, session_id: str, session_manager=Non
that only care about persisted sessions keep their exact prior behavior. that only care about persisted sessions keep their exact prior behavior.
""" """
user = effective_user(request) user = effective_user(request)
if not user: if not user and not _auth_disabled():
raise HTTPException(403, "Authentication required") raise HTTPException(401, "Authentication required")
db = SessionLocal() db = SessionLocal()
try: try:
row = db.query(DbSession.owner).filter(DbSession.id == session_id).first() row = db.query(DbSession.owner).filter(DbSession.id == session_id).first()
src/auth_helpers.py
+1 -1
View File
@@ -10,7 +10,7 @@ def get_current_user(request: Request) -> Optional[str]:
return getattr(request.state, 'current_user', None) return getattr(request.state, 'current_user', None)
def effective_user(request: Request): def effective_user(request: Request) -> Optional[str]:
"""The real human behind the request, for ownership/attribution. """The real human behind the request, for ownership/attribution.
Cookie sessions resolve to the logged-in username. Bearer ``ody_`` callers Cookie sessions resolve to the logged-in username. Bearer ``ody_`` callers
tests/test_session_ghost_delete.py
+1 -1
View File
@@ -109,7 +109,7 @@ def test_unauthenticated_still_403(monkeypatch):
sm = SimpleNamespace(sessions={"ghost": SimpleNamespace(owner=None)}) sm = SimpleNamespace(sessions={"ghost": SimpleNamespace(owner=None)})
with pytest.raises(HTTPException) as exc: with pytest.raises(HTTPException) as exc:
SR._verify_session_owner(_req(api_token=False, current_user=None), "ghost", sm) SR._verify_session_owner(_req(api_token=False, current_user=None), "ghost", sm)
assert exc.value.status_code == 403 assert exc.value.status_code == 401
# --- manager layer: delete_session clears memory-only ghosts --------------- # --- manager layer: delete_session clears memory-only ghosts ---------------
tests/test_session_owner_attribution.py
+1 -1
View File
@@ -136,4 +136,4 @@ def test_unauthenticated_caller_rejected(monkeypatch):
req = _req(api_token=False, current_user=None) req = _req(api_token=False, current_user=None)
with pytest.raises(HTTPException) as exc: with pytest.raises(HTTPException) as exc:
SR._verify_session_owner(req, "sid") SR._verify_session_owner(req, "sid")
assert exc.value.status_code == 403 assert exc.value.status_code == 401