# HG changeset patch
# User Marcin Kuzminski <marcin@rhodecode.com>
# Date 2017-02-27 10:45:30
# Node ID 9f5f9c338607f382c6bb41e91d009d25a28f6497
# Parent  93b1bbd9faac5ebd41a2409cdcf7a4dac1f87cba

auth-tokens: disable authenticating by builtin token.

diff --git a/rhodecode/api/__init__.py b/rhodecode/api/__init__.py
--- a/rhodecode/api/__init__.py
+++ b/rhodecode/api/__init__.py
@@ -211,7 +211,7 @@ def request_view(request):
         # now check if token is valid for API
         auth_token = request.rpc_api_key
         token_match = api_user.authenticate_by_token(
-            auth_token, roles=[UserApiKeys.ROLE_API], include_builtin_token=True)
+            auth_token, roles=[UserApiKeys.ROLE_API])
         invalid_token = not token_match
 
         log.debug('Checking if API KEY is valid with proper role')
diff --git a/rhodecode/lib/auth.py b/rhodecode/lib/auth.py
--- a/rhodecode/lib/auth.py
+++ b/rhodecode/lib/auth.py
@@ -1218,7 +1218,7 @@ class LoginRequired(object):
                 else:
                     roles = [UserApiKeys.ROLE_HTTP]
                 token_match = db_user.authenticate_by_token(
-                    _auth_token, roles=roles, include_builtin_token=True)
+                    _auth_token, roles=roles)
             else:
                 log.debug('Unable to fetch db instance for auth user: %s', user)
                 token_match = False
diff --git a/rhodecode/model/db.py b/rhodecode/model/db.py
--- a/rhodecode/model/db.py
+++ b/rhodecode/model/db.py
@@ -603,8 +603,7 @@ class User(Base, BaseModel):
                                        UserApiKeys.role == UserApiKeys.ROLE_ALL))
         return tokens.all()
 
-    def authenticate_by_token(self, auth_token, roles=None,
-                              include_builtin_token=False):
+    def authenticate_by_token(self, auth_token, roles=None):
         from rhodecode.lib import auth
 
         log.debug('Trying to authenticate user: %s via auth-token, '
@@ -623,14 +622,10 @@ class User(Base, BaseModel):
 
         tokens_q = tokens_q.filter(UserApiKeys.role.in_(roles))
 
-        maybe_builtin = []
-        if include_builtin_token:
-            maybe_builtin = [AttributeDict({'api_key': self.api_key})]
-
         plain_tokens = []
         hash_tokens = []
 
-        for token in tokens_q.all() + maybe_builtin:
+        for token in tokens_q.all():
             if token.api_key.startswith(crypto_backend.ENC_PREF):
                 hash_tokens.append(token.api_key)
             else:
diff --git a/rhodecode/tests/lib/test_auth.py b/rhodecode/tests/lib/test_auth.py
--- a/rhodecode/tests/lib/test_auth.py
+++ b/rhodecode/tests/lib/test_auth.py
@@ -605,4 +605,4 @@ def test_auth_by_token(test_token, test_
         new_token.api_key = token  # inject known name for testing...
 
     assert auth_result == user.authenticate_by_token(
-        test_token, roles=test_roles, include_builtin_token=True)
+        test_token, roles=test_roles)