Add extra check

Author: facutuesca

tests/unit/macaroons/test_caveats.py

@@ -271,14 +271,25 @@ def test_verify_no_identity(self):
 
         assert result == Failure("token with user restriction without a user")
 
-    def test_verify_invalid_identity(self):
+    def test_verify_invalid_identity_no_user(self):
         caveat = RequestUser(user_id="invalid")
         result = caveat.verify(
             pretend.stub(identity=pretend.stub()), pretend.stub(), pretend.stub()
         )
 
         assert result == Failure("token with user restriction without a user")
 
+    def test_verify_invalid_identity_no_macaroon(self, db_request):
+        user = UserFactory.create()
+        user_context = UserContext(user, None)
+
+        caveat = RequestUser(user_id=str(user.id))
+        result = caveat.verify(
+            pretend.stub(identity=user_context), pretend.stub(), pretend.stub()
+        )
+
+        assert result == Failure("token with user restriction without a macaroon")
+
     def test_verify_invalid_user_id(self, db_request):
         user = UserFactory.create()
         user_context = UserContext(user, pretend.stub())

warehouse/macaroons/caveats/__init__.py

@@ -107,6 +107,9 @@ def verify(self, request: Request, context: Any, permission: str) -> Result:
         if not isinstance(request.identity, UserContext):
             return Failure("token with user restriction without a user")
 
+        if request.identity.macaroon is None:
+            return Failure("token with user restriction without a macaroon")
+
         if str(request.identity.user.id) != self.user_id:
             return Failure("current user does not match user restriction in token")