def openid_decide(request):
"""
The page that asks the user if they really want to sign in to the site, and
lets them add the consumer to their trusted whitelist.
# If user is logged in, ask if they want to trust this trust_root
# If they are NOT logged in, show the landing page
"""
orequest = request.session.get('OPENID_REQUEST')
# No request ? Failure..
if not orequest:
logger.warning('OpenID decide view failed, \
because no OpenID request is saved')
return HttpResponseRedirect('/')
sreg_request = SRegRequest.fromOpenIDRequest(orequest)
logger.debug('SREG request: %s' % sreg_request.__dict__)
if not request.user.is_authenticated():
# Not authenticated ? Authenticate and go back to the server endpoint
return redirect_to_login(request, next=reverse(openid_server),
nonce='1')
if request.method == 'POST':
if 'cancel' in request.POST:
# User refused
logger.info('OpenID decide canceled')
return HttpResponseRedirect('%s?cancel' % reverse(openid_server))
else:
form = DecideForm(sreg_request=sreg_request, data=request.POST)
if form.is_valid():
data = form.cleaned_data
# Remember the choice
t, created = models.TrustedRoot.objects.get_or_create(
user=request.user.id, trust_root=orequest.trust_root)
t.choices = sreg_request.required \
+ [ field for field in data if data[field] ]
t.save()
logger.debug('OpenID decide, user choice:%s' % data)
return HttpResponseRedirect(reverse('openid-provider-root'))
else:
form = DecideForm(sreg_request=sreg_request)
logger.info('OpenID device view, orequest:%s' % orequest)
# verify return_to of trust_root
try:
trust_root_valid = verifyReturnTo(orequest.trust_root,
orequest.return_to) and "Valid" or "Invalid"
except HTTPFetchingError:
trust_root_valid = "Unreachable"
except DiscoveryFailure:
trust_root_valid = "DISCOVERY_FAILED"
return render_to_response('idp/openid/decide.html', {
'title': _('Trust this site?'),
'required': sreg_request.required,
'optional': sreg_request.optional,
'trust_root_valid': trust_root_valid,
'form': form,
}, context_instance=RequestContext(request))
logger.debug('SREG request: %s' % sreg_request.__dict__)
if orequest.mode in ("checkid_immediate", "checkid_setup"):
# User is not logged
if not request.user.is_authenticated():
# Site does not want interaction
if orequest.immediate:
logger.debug('User not logged and checkid immediate request, \
returning OpenID failure')
return oresponse_to_response(server, orequest.answer(False))
else:
# Try to login
request.session['OPENID_REQUEST'] = orequest
logger.debug('User not logged and checkid request, \
redirecting to login page')
return redirect_to_login(request, nonce='1')
else:
identity = orequest.identity
if identity != IDENTIFIER_SELECT:
exploded = urlparse.urlparse(identity)
# Allows only /openid/<user_id>
if check_exploded(exploded, request):
# We only support directed identity
logger.debug('Invalid OpenID identity %s' % identity)
return oresponse_to_response(server, orequest.answer(False))
if getattr(settings, 'RESTRICT_OPENID_RP', None):
logger.debug('RP restriction is activated')
if orequest.trust_root in getattr(settings, 'RESTRICT_OPENID_RP'):
logger.debug('The RP %s is authorized' % orequest.trust_root)
else:
logger.debug('The RP %s is not authorized, return 404.' \
