From 44158ded730957ea29280793c841b61ae67d1976 Mon Sep 17 00:00:00 2001
From: Pierre-Yves Chibon
Date: Jun 14 2018 08:09:20 +0000
Subject: Move earlier in the stack the methods used to authenticate with local accounts
Without this change, too much of the requests had gone through before the methods checking if the user is authenticated were called and thus a number of actions requiring the user to be authenticated were not available.
Fixes https://pagure.io/pagure/issue/3290
Signed-off-by: Pierre-Yves Chibon
---
diff --git a/pagure/flask_app.py b/pagure/flask_app.py
index 7d8f484..ef29267 100644
--- a/pagure/flask_app.py
+++ b/pagure/flask_app.py
@@ -121,6 +121,11 @@ def create_app(config=None):
 from pagure.ui.oidc_login import oidc, fas_user_from_oidc
 oidc.init_app(app)
 app.before_request(fas_user_from_oidc)
+ if auth == 'local':
+ # Only import the login controller if the app is set up for local login
+ import pagure.ui.login as login
+ app.before_request(login._check_session_cookie)
+ app.after_request(login._send_session_cookie)
 # Report error by email
 if not app.debug and not pagure_config.get('DEBUG', False):
@@ -153,12 +158,6 @@ def create_app(config=None):
 app.before_request(set_request)
 app.teardown_request(end_request)
- # Only import the login controller if the app is set up for local login
- if pagure_config.get('PAGURE_AUTH', None) == 'local':
- import pagure.ui.login as login
- app.before_request(login._check_session_cookie)
- app.after_request(login._send_session_cookie)
-
 if perfrepo:
 # Do this at the very end, so that this after_request comes last.
 app.after_request(perfrepo.print_stats)
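Review bot: The registration order of these hooks is now what makes local authentication work, and nothing in the added block says so. Going by the commit message, `login._check_session_cookie` has to be registered ahead of `set_request` and any other `before_request` handler that needs the logged-in user, so a later reshuffle of `create_app` could silently bring back the behaviour from issue 3290; a comment such as `# Keep ahead of set_request: later before_request hooks need the user to be set already` above `app.before_request(login._check_session_cookie)` would pin that. Flask calls `after_request` functions in reverse registration order, so `login._send_session_cookie` now runs after every handler registered further down instead of near the start of the response chain; it is worth confirming that none of them expects the cookie to be set already. `auth` is assigned outside this hunk, presumably from `PAGURE_AUTH`, and `create_app` continues past both ends of the hunk.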
@@ -223,8 +222,9 @@ def logout(): def set_request(): """ Prepare every request. """ flask.session.permanent = True - flask.g.session = pagure.lib.create_session( - flask.current_app.config['DB_URL']) + if not hasattr(flask.g, 'session') or not flask.g.session: + flask.g.session = pagure.lib.create_session( + flask.current_app.config['DB_URL']) flask.g.version = pagure.__version__ flask.g.confirmationform = pagure.forms.ConfirmationForm() diff --git a/pagure/ui/login.py b/pagure/ui/login.py index 89f6c64..591a658 100644 --- a/pagure/ui/login.py +++ b/pagure/ui/login.py @@ -413,6 +413,10 @@ def logout(): def _check_session_cookie(): """ Set the user into flask.g if the user is logged in. """ + if not hasattr(flask.g, 'session') or not flask.g.session: + flask.g.session = pagure.lib.create_session( + flask.current_app.config['DB_URL']) + cookie_name = pagure.config.config.get('SESSION_COOKIE_NAME', 'pagure') cookie_name = '%s_local_cookie' % cookie_name session_id = None
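Review bot: The guard that lazily creates `flask.g.session` is now duplicated verbatim in `set_request` here and in `_check_session_cookie` in `pagure/ui/login.py` (the next hunk), so the two copies can drift apart. One shared helper would keep a single place responsible for opening the database session. Its test could read `if getattr(flask.g, 'session', None) is None:`, which states the intent directly instead of relying on the truthiness of the session object. Whichever hook runs first now opens the session, so closing it presumably depends on `end_request` staying registered with `app.teardown_request`; a one-line comment in `_check_session_cookie` such as `# Session is released by the end_request teardown hook in flask_app` would record that. Both function bodies continue outside their hunks.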