class ElectionAuthBackend(object):
"""
Authenticate against django.contrib.auth.backends.ModelBackend AND ipauth.backend.RangeBackend
Users must pass both sets of authentication to use the system
"""
supports_anonymous_user = False
ipauth_backend = None
model_backend = None
def __init__(self):
self.ipauth_backend = RangeBackend()
self.model_backend = ModelBackend()
def authenticate(self, username=None, password=None, ip=None):
"""
Authenticate against multiple backends AND'd together
TODO: Election admin
"""
model_user = self.model_backend.authenticate(username=username, password=password)
ip_user = self.ipauth_backend.authenticate(ip=ip)
#print 'model_user', repr(model_user)
#print 'model_user groups', repr(model_user.groups.all())
#print 'ip_user', repr(ip_user)
admin_group = Group.objects.filter(name='ADMIN').all()
if admin_group.count() > 0:
admin_group = admin_group[0]
else:
admin_group = None
if not model_user:
return None
if model_user.is_superuser or model_user.is_staff: # Super admin
return model_user
if model_user.groups.count() > 0 and admin_group in model_user.groups.all(): # Election admin
return model_user
#if ip_user is None:
#print 'Your IP=%s is not in the IPAuth' % (ip, )
#return None
return model_user
def get_group_permissions(self, user_obj):
"""
Returns a set of permission strings that this user has through his/her
groups.
"""
return self.model_backend.get_group_permissions(user_obj)
def get_all_permissions(self, user_obj):
return self.model_backend.get_all_permissions(user_obj)
def has_perm(self, user_obj, perm):
return self.model_backend.has_perm(user_obj, perm)
def has_module_perms(self, user_obj, app_label):
return self.model_backend.has_module_perms(user_obj, app_label)
def get_user(self, user_id):
return self.model_backend.get_user(user_id)
def has_perm(self, user_obj, perm, obj=None):
if obj is None:
# fallback to Django default permission backend
return ModelBackend.has_perm(self, user_obj, perm)
else:
# in case the user is the owner, he/she has always permissions,
# otherwise we need to check
if hasattr(obj, 'owner') and user_obj == obj.owner:
return True
else:
return perm in self.get_all_permissions(user_obj, obj=obj)
def has_permission(user, permission_codename, obj=None, canedit = False):
from djpcms.models import Page, BlockContent, ObjectPermission
if not obj:
back = ModelBackend()
if permission_codename[-4:] == 'view':
return True
if not user.is_active:
return False
if user.is_superuser:
return True
return back.has_perm(user, permission_codename)
else:
anony = user.is_anonymous()
opts = obj._meta
viewperm = get_view_permission(obj) == permission_codename
changeperm = opts.app_label + '.' + opts.get_change_permission() == permission_codename
# Do Page and BlockContent first
if isinstance(obj,Page):
if anony and obj.requires_login:
return False
if changeperm and obj.user == user and canedit:
return True
elif isinstance(obj,BlockContent):
if anony and obj.requires_login:
return False
if changeperm and obj.page.user == user and canedit:
return True
if viewperm and not anony and obj.for_not_authenticated:
return False
if user.is_superuser:
return True
perms = ObjectPermission.objects.for_object(obj, permission_codename)
if perms:
for perm in perms:
if perm.has_perm(user):
return True
return False
# Fall back to permission without object
return has_permission(user, permission_codename)
def has_perm(self, user_obj, perm, obj=None):
"""
It is assumed that perm will be one of the Django default perm codes
like 'delete_comment' or 'change_comment'. The default users, however,
will not have the default privileges for the delete and change verbs.
Instead, they will have '_own' versions of the verbs:
'change_comment_own', 'delete_comment_own'
The first step is to call has_perm w/o the object to use standard
permission checking (do this on purpose). If the user has the
permission, return True.
"""
# print "ModelBackendPlus.has_perm()"
allowed = ModelBackend.has_perm(self, user_obj, perm)
if allowed:
return True
# The majority of users will fail this check because only non-default
# auth_groups will have any of the default permissions for the create
# and delete verbs
#
# If an obj is not None, however, we have the chance to check the
# business rule for the "_own" extension of the perm verb, namely, that
# the object was created by the user.
#
# The idea is that in a conventional RBAC scheme, we would always have
# a task, i.e., "read" as the lowest child and it would have a parent
# "read_own" that would need a business rule of "the session user
# created this model"
#
# All of the "_own" permissions verbs would be put into the default
# auth_group
if obj is not None:
# print "ModelBackendPlus.has_perm() obj is not None"
# Make sure obj has a user property. If it does not, return
# False. Again, we will call ModelBackend.has_perm without the
# object parameter so that we bypass the built-in object workflow,
# which is incomplete
if hasattr(obj, "user"):
#print "ModelBackendPlus.has_perm() obj has user property"
# DEBUG
#a = ModelBackend.has_perm(self, user_obj, perm + '_own')
#b = obj.user == user_obj
#
#print "ModelBackendPlus.has_perm() _own:" + \
# "true" if a else "false"
#print "ModelBackendPlus.has_perm() obj.user = user: "******"true" if b else "false"
return (ModelBackend.has_perm(self, user_obj, perm + '_own') and
obj.user == user_obj)
else:
return False
else:
return False
