def post(self, request):
form = AccessTokenForm.create_from_request(request)
if not form.is_valid():
raise ValidationException(request, form)
backend = ModelBackend()
user = backend.authenticate(request,
username=form.cleaned_data['username'],
password=form.cleaned_data['password'])
if not user:
raise UnauthorizedException(request)
access_token = JWTFactory(user.pk).access()
jti, refresh_token = JWTFactory(user.pk).refresh()
redis = Redis(host=settings.REDIS_HOST,
port=settings.REDIS_PORT,
db=settings.REDIS_DATABASE)
redis.set(f"refresh_token:{jti}", jti)
redis.expire(f"refresh_token:{jti}",
settings.SECURED_VIEW_JWT_REFRESH_TOKEN_EXPIRATION)
return SingleResponse(request, {
'access_token': access_token,
'refresh_token': refresh_token
},
status=HTTPStatus.OK)
def authenticate(self, username=None, password=None):
auth_method = ModelBackend()
user = auth_method.authenticate(username, password)
if True: # settings.ENABLE_LOGIN_TYPES
pass
return user
def login_password(request, username, password):
"""login_password(username, password): session_id"""
backend = ModelBackend()
user = backend.authenticate(username, password)
if user is None:
raise PermissionDenied("Invalid username or password.")
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
django.contrib.auth.login(request, user)
return request.session.session_key
def test_authenticate_fail(self):
self.moxx.StubOutWithMock(ModelBackend, 'get_user')
ModelBackend.get_user(self.user.pk).AndReturn(None)
self.moxx.ReplayAll()
user = utils.authenticate_without_password(self.user)
self.moxx.VerifyAll()
self.assertEqual(user, None)
def loginPOST(req):
form = req.POST
nexturl = form.get('next', '/')
kwds = {}
kwds['username'] = form.get('uid', '') or form.get('username', '')
kwds['password'] = form.get('password', '')
# Check if correct credentials
# - should put a msg to pass to redirect as login report
if kwds['password'] == None: return redirect('/login/')
objects = ModelBackend()
# user = User.objects.authenticate(kwds['username'], kwds['password'])
user = objects.authenticate(kwds['username'], kwds['password'])
# user_list = objects.all()
print "user_list:"
print User.objects.all()
print "username:%s, pwd:%s"%(kwds['username'], kwds['password'])
# Check if user in group for redirect
# - should put a msg to pass to redirect as login report
group = user.groups.all().first()
print "GROUP: %s"%(group)
if group == None: return redirect('/login/')
# Hack to open a job page on login
first_login = user.date_joined == user.last_login
print "user.date_joined == user.last_login => first_login:%s"%first_login
if(first_login):
from mcsimulator.models import Job, Simulation
simulations = Simulation.objects
sim = simulations.get(name__startswith=group)
print "SIM:%s"%sim
print " id: %s"%sim.id
print " name: %s"%sim.name
print " simgroup: %s"%sim.simgroup
print " displayname: %s"%sim.displayname
print " params:"
for k,v in sim.params.items():
print " key:%s, val:%s"%(k,v)
# got a simulation that is relevent to the user now build and save a job for them
job_ref = "%s_%s_%s"%(datetime.datetime.now().strftime("%Y%m%d%H%M%S"),
sim.name(), user.name )
Job.new(job_ref, sim, 0, 1000, 1000, sim.id ).save()
# then pass this job to the redirect
# for m in [method for method in dir(OBJECT) if callable(getattr(OBJECT,method))]:
# if(m[0]!="_"):print m
# End of Job ref hack
if user is None or not user.is_active:
return redirect('/login/Invalid_credentials')
else:
user.backend = 'django.contrib.auth.backends.ModelBackend'
login(req, user)
return redirect(nexturl+job_ref)
def loginPOST(req):
form = req.POST
nexturl = form.get('next', '/')
kwds = {}
kwds['username'] = form.get('uid', '') or form.get('username', '')
kwds['password'] = form.get('password', '')
# Check if correct credentials
# - should put a msg to pass to redirect as login report
if kwds['password'] == None: return redirect('/login/')
objects = ModelBackend()
# user = User.objects.authenticate(kwds['username'], kwds['password'])
user = objects.authenticate(kwds['username'], kwds['password'])
# user_list = objects.all()
print "user_list:"
print User.objects.all()
print "username:%s, pwd:%s" % (kwds['username'], kwds['password'])
# Check if user in group for redirect
# - should put a msg to pass to redirect as login report
group = user.groups.all().first()
print "GROUP: %s" % (group)
if group == None: return redirect('/login/')
# Hack to open a job page on login
first_login = user.date_joined == user.last_login
print "user.date_joined == user.last_login => first_login:%s" % first_login
if (first_login):
from mcsimulator.models import Job, Simulation
simulations = Simulation.objects
sim = simulations.get(name__startswith=group)
print "SIM:%s" % sim
print " id: %s" % sim.id
print " name: %s" % sim.name
print " simgroup: %s" % sim.simgroup
print " displayname: %s" % sim.displayname
print " params:"
for k, v in sim.params.items():
print " key:%s, val:%s" % (k, v)
# got a simulation that is relevent to the user now build and save a job for them
job_ref = "%s_%s_%s" % (datetime.datetime.now().strftime(
"%Y%m%d%H%M%S"), sim.name(), user.name)
Job.new(job_ref, sim, 0, 1000, 1000, sim.id).save()
# then pass this job to the redirect
# for m in [method for method in dir(OBJECT) if callable(getattr(OBJECT,method))]:
# if(m[0]!="_"):print m
# End of Job ref hack
if user is None or not user.is_active:
return redirect('/login/Invalid_credentials')
else:
user.backend = 'django.contrib.auth.backends.ModelBackend'
login(req, user)
return redirect(nexturl + job_ref)
def post(self, request, *kwargs):
"""..."""
print(request.user)
post = request.POST
auth_backend = ModelBackend()
user = auth_backend.authenticate(request, post.get('email'),
post.get('password'))
print(user)
login(request, user)
return JsonResponse({'status': 'success'})
def test_anonymous_has_no_permissions(self):
"""
#17903 -- Anonymous users shouldn't have permissions in
ModelBackend.get_(all|user|group)_permissions().
"""
backend = ModelBackend()
user = self.UserModel._default_manager.get(pk=self.user.pk)
content_type = ContentType.objects.get_for_model(Group)
user_perm = Permission.objects.create(name='test', content_type=content_type, codename='test_user')
group_perm = Permission.objects.create(name='test2', content_type=content_type, codename='test_group')
user.user_permissions.add(user_perm)
group = Group.objects.create(name='test_group')
user.groups.add(group)
group.permissions.add(group_perm)
self.assertEqual(backend.get_all_permissions(user), {'auth.test_user', 'auth.test_group'})
self.assertEqual(backend.get_user_permissions(user), {'auth.test_user'})
self.assertEqual(backend.get_group_permissions(user), {'auth.test_group'})
with mock.patch.object(self.UserModel, 'is_anonymous', True):
self.assertEqual(backend.get_all_permissions(user), set())
self.assertEqual(backend.get_user_permissions(user), set())
self.assertEqual(backend.get_group_permissions(user), set())
def test_inactive_has_no_permissions(self):
"""
#17903 -- Inactive users shouldn't have permissions in
ModelBackend.get_(all|user|group)_permissions().
"""
backend = ModelBackend()
user = self.UserModel._default_manager.get(pk=self.user.pk)
content_type = ContentType.objects.get_for_model(Group)
user_perm = Permission.objects.create(name='test',
content_type=content_type,
codename='test_user')
group_perm = Permission.objects.create(name='test2',
content_type=content_type,
codename='test_group')
user.user_permissions.add(user_perm)
group = Group.objects.create(name='test_group')
user.groups.add(group)
group.permissions.add(group_perm)
self.assertEqual(backend.get_all_permissions(user),
{'auth.test_user', 'auth.test_group'})
self.assertEqual(backend.get_user_permissions(user),
{'auth.test_user', 'auth.test_group'})
self.assertEqual(backend.get_group_permissions(user),
{'auth.test_group'})
user.is_active = False
user.save()
self.assertEqual(backend.get_all_permissions(user), set())
self.assertEqual(backend.get_user_permissions(user), set())
self.assertEqual(backend.get_group_permissions(user), set())
def _authenticate_database(self, username, password, allow_ldap=False):
"""
Wrapper method for handling default database authentication.
"""
# Get the user object
user_obj = self.user_model.objects.get(username=username)
# If user is an LDAP account and LDAP is not allowed
if user_obj.from_ldap and not allow_ldap:
LOG.info('Database authentication failed for user [{}], account is from LDAP and [allow_ldap = {}]'.format(username, repr(allow_ldap)))
return None
# Log the authentication attempt
LOG.info('Attempting database authentication for user [{}]'.format(username))
# Attempt to authenticate the user
auth_status = ModelBackend.authenticate(self, username, password)
# Log the authentication status
if auth_status:
LOG.info('Database authentication status for user [{}]: authenticated={}'.format(auth_status.username, repr(auth_status.is_authenticated())))
else:
LOG.error('Database authentication failed for user [{}]'.format(username))
# Return the authentication status
return auth_status
def test_non_browserid_user(self):
# If the current user was not authenticated via
# django-browserid, userEmail should be empty.
user = auth.models.User.objects.create_user('asdf', '*****@*****.**')
response = self.info(user, ModelBackend())
response_data = json.loads(smart_text(response.content))
eq_(response_data['userEmail'], '')
def picture_video(request):
"""图片视频上传视图"""
userid = request.session.get('_auth_user_id', None)
userobj = ModelBackend().get_user(user_id=userid)
fileobj = user_file.userfile(user_obj=userobj)
filepath = fileobj.filepath
if userobj:
if request.method == 'GET':
if os.path.isdir(filepath):
shutil.rmtree((filepath))
os.makedirs(filepath)
else:
os.makedirs(filepath)
return HttpResponse('ok')
elif request.method == 'POST':
try:
obj = request.FILES.get('PVFile')
fileabspath = os.path.join(
filepath, '%s%s%s' %
(encryption(obj.name), '.', str(obj.name).split('.')[-1]))
f = open(fileabspath, 'wb')
for chunk in obj.chunks():
f.write(chunk)
f.close()
pvfileresponeobj = weiborespone.PVFile(
status=True,
message='上传成功',
filepath=str(fileabspath).split('user')[-1])
except Exception as e:
pvfileresponeobj = weiborespone.PVFile(status=False,
message='上传失败',
filepath=str(e))
return HttpResponse(json.dumps(pvfileresponeobj.dic()))
class RestrictiveBackend(object):
""" Allows restricting permissions on per-object basis.
For objects, checks object permissions first. If none found checks model
permissions. Works pretty much as usual for model permissions.
NOTE: Make sure this is the only authentication backend providing
permissions or it won't work, since Django will ask all backends and just
needs one backend to return True in order to grant the permission.
If no permissions are found at all, returns the value of the
USERS_LOGGED_IN_HAS_PERM setting, or False if it's not set. Set this to
True if you want to allow everything that is not restricted on a per-object
level, as long as the user is logged in. Remember, you can control
anonymous user permissions separately. See the ANONYMOUS_USER_ID setting
(from django-guardian) and the USERS_ANONYMOUS_GROUP setting.
Supports ban list through the optional USERS_BANNED_GROUP setting. Note
that users in this group will not have ANY permissions, regardless of
what the group's permissions are set to. It is only a way to indicate which
users are banned and does not behave like a regular group when it comes
to permissions.
Uses django-guardian internally to check object permissions and the default
django.contrib.auth.backends.ModelBackend for model permissions.
"""
supports_object_permissions = True
supports_anonymous_user = True
supports_inactive_user = True
_object_backend = ObjectPermissionBackend()
_model_backend = ModelBackend()
def authenticate(self, username=None, password=None):
return None
def is_banned(self, user_obj):
return (BANNED_GROUP
and user_obj.groups.filter(name=BANNED_GROUP).exists())
def has_perm(self, user_obj, perm, obj=None):
default_has_perm = False
if user_obj.is_authenticated():
default_has_perm = LOGGED_IN_HAS_PERM
else:
user_obj = User.objects.get(pk=ANONYMOUS_USER_ID)
if not user_obj.is_active:
return False
if user_obj.is_superuser:
return True
if self.is_banned(user_obj):
return False
if obj and self.object_has_perms(obj):
return self._object_backend.has_perm(user_obj, perm, obj)
has_model_perm = self._model_backend.has_perm(user_obj, perm)
return has_model_perm or default_has_perm
def object_has_perms(self, obj):
return (
GroupObjectPermission.objects.filter(object_pk=obj.pk).exists()
or UserObjectPermission.objects.filter(object_pk=obj.pk).exists())
def favhtml(request):
"""点赞"""
userid = request.session.get('_auth_user_id', None)
cacheuserdic = cache.get(userid, None)
if not cacheuserdic:
return False
if not cacheuserdic['is_login']:
weiboresponeobj = weiborespone.is_favor(nid='',
status=False,
message="登录超时,请重新登录")
return HttpResponse(json.dumps(weiboresponeobj.dic()))
if request.method == 'GET':
favid = request.GET.get('id', None)
userobj = ModelBackend().get_user(user_id=userid)
weibocontenobj = models_server.WeiboContent()
ret = weibocontenobj.is_favor(favid, userobj)
if not ret:
weiboresponeobj = weiborespone.is_favor(nid='',
status=False,
message="已经点过赞了亲")
else:
weiboresponeobj = weiborespone.is_favor(nid='',
status=True,
message="")
return HttpResponse(json.dumps(weiboresponeobj.dic()))
elif request.method == 'POST':
pass
def identify_operatorfinger(request):
obj_template = request.REQUEST.get("template10", "")
mathpro = windll.LoadLibrary("match.dll")
if obj_template:
from ctypes import create_string_buffer
obj_template = create_string_buffer(obj_template)
tmps = OperatorTemplate.objects.filter(fpversion=10) #比对时只取10.0
if tmps:
for t in tmps:
try:
source_template = t.template1
source_template = create_string_buffer(source_template)
math_result = mathpro.process10(source_template, obj_template)
if math_result == FP_IDENTIFY_SUCCESS:
user = t.user
backend = ModelBackend()
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
return t
elif math_result == FP_NO_LICENCES:
return math_result
except:
import traceback; traceback.print_exc()
return FP_IDENTIFY_FAILED
else:
return FP_IDENTIFY_FAILED
def get_all_permissions(self, user_obj):
if not hasattr(user_obj, "_perm_cache"):
# get built-in permissions
user_obj._perm_cache = ModelBackend.get_all_permissions(self, user_obj)
# get permissions based on site roles
user_obj._perm_cache.update(
[
u"%s.%s" % (p.content_type.app_label, p.codename)
for sur in user_obj.siteuserrole_set.select_related().filter(site__id=settings.SITE_ID)
for p in sur.group.permissions.select_related()
]
)
# ..and category
user_obj._perm_cache.update(
[
u"%s.%s" % (p.content_type.app_label, p.codename)
for cur in user_obj.categoryuserrole_set.select_related().filter(
category__site__id=settings.SITE_ID
)
for p in sur.group.permissions.select_related()
]
)
return user_obj._perm_cache
def authenticate(self, username=None, password=None):
user = ModelBackend.authenticate(self, username, password)
if user:
profile = user.get_profile()
if profile.usertype < common_def.USERTYPE_TEACHER:
user = None
return user
def authenticate(self, **kwargs):
log.info("Authenticating: %(username)s" % kwargs)
try:
user = RemoteDrupalBackend().authenticate(**kwargs)
if user is None:
log.info(
"Remote Auth Rejected, trying local user list: %(username)s"
% kwargs)
# Then... Remote failed, try local model
#return super(DualAuthBackend, self).authenticate(self,
# **kwargs)
return ModelBackend().authenticate(**kwargs)
else:
# Remote succeeded, but we're still cautious and refuse
# this one password out of abundance of prudence
log.info(" " * 5 +
"Remote Auth Accepted: %(username)s" % kwargs)
return user
except PermissionDenied:
log.warn(" " * 5 +
"Full Abort after remote Auth for user: %(username)s" %
kwargs)
raise # abort abort abort!
except:
raise
log.warn(" " * 5 +
"Other error in remote Auth for user: %(username)s" %
kwargs)
return None
def authenticate(self, email=None, password=None, username=None, **kwargs):
user = ModelBackend.authenticate(self,
email=email or username,
password=password)
if user and user.tokenless_login_allowed:
return user
return None
def authenticate(self, username, password, **kwargs):
"""Authenticate the user.
This will authenticate the username and return the appropriate User
object, or None.
"""
return ModelBackend.authenticate(self, username, password)
def authenticate(self, username, password):
"""Authenticate the user.
This will authenticate the username and return the appropriate User
object, or None.
"""
return ModelBackend.authenticate(self, username, password)
def authenticate(self, request, username, password, **kwargs):
"""Authenticate the user.
This will attempt to authenticate the user against the database.
If the username and password are valid, a user will be returned.
Version Changed:
4.0:
The ``request`` argument is now mandatory as the first positional
argument, as per requirements in Django.
Args:
request (django.http.HttpRequest):
The HTTP request from the caller. This may be ``None``.
username (unicode):
The username used for authentication.
password (unicode):
The password used for authentication.
**kwargs (dict, unused):
Additional keyword arguments supplied by the caller.
Returns:
django.contrib.auth.models.User:
The authenticated user, or ``None`` if the user could not be
authenticated for any reason.
"""
return ModelBackend.authenticate(self,
request,
username=username,
password=password,
**kwargs)
def get_all_permissions(self, user_obj, obj=None):
"""
"""
if obj is None:
return ModelBackend.get_all_permissions(self, user_obj)
else:
# does not handle objects that are not in the database.
if not isinstance(obj, models.Model):
return set()
if not hasattr(user_obj, '_obj_perm_cache'):
# TODO: this cache should really be bounded.
# repoze.lru perhaps?
user_obj._obj_perm_cache = dict()
try:
obj_key = self._cache_key_for_obj(obj)
return user_obj._obj_perm_cache[obj_key]
except KeyError:
all_perms = [
'%s.%s' % p
for p in self._get_all_obj_perms(user_obj, obj)
]
user_obj._obj_perm_cache[obj_key] = all_perms
return all_perms
def comhtml(request):
"""评论"""
userid = request.session.get('_auth_user_id', None)
cacheuserdic = cache.get(userid, None)
if not cacheuserdic or not cacheuserdic['is_login']:
weiboresponeobj = weiborespone.is_com(comlist='',
status=False,
message="登录超时,请重新登录")
return HttpResponse(json.dumps(weiboresponeobj.dic()))
if request.method == 'GET':
comid = request.GET.get('id', None)
text = request.GET.get('text', None)
userobj = ModelBackend().get_user(user_id=userid)
weibocontenobj = models_server.WeiboContent()
if text:
ret = weibocontenobj.is_comment(weibo_id=comid,
userobj=userobj,
comment=text)
else:
ret = weibocontenobj.select_comment(comid)
weiboresponeobj = weiborespone.is_com(comlist=ret,
status=True,
message="")
return HttpResponse(json.dumps(weiboresponeobj.dic()))
elif request.method == 'POST':
pass
def perm_grant(request):
g_id = request.GET.get('g_id', '')
u_id = request.GET.get('u_id', '')
mypermissions = MyPermission.objects.filter(parent__isnull=True).order_by('order_id')
if g_id:
obj = Group.objects.get(id=g_id)
perms = obj.permissions.values_list('content_type__app_label', 'codename').order_by()
perms = set("%s.%s" % (ct, name) for ct, name in perms)
if u_id:
obj = MyUser.objects.get(id=u_id)
perms = ModelBackend().get_all_permissions(obj)
if request.method == "POST":
ids = request.POST.get('ids', '').split(',')
ids = filter(lambda s: s.isdigit(), ids)
permissions = []
for p in MyPermission.objects.filter(id__in=ids):
permissions.append(p.permission)
if g_id:
obj.permissions.clear()
obj.permissions = permissions
else:
obj.user_permissions.clear()
obj.user_permissions = permissions
messages.add_message(request, messages.SUCCESS, u'信息修改成功')
# return HttpResponseRedirect(reverse('user_list'))
return HttpResponseRedirect(request.get_full_path())
return render(request, "perm/perm_grant.html", {
'mypermissions': mypermissions,
'myperms': perms,
'obj': obj,
})
def test_create_active_user(db):
"""Should authenticate users in active state."""
user = UserAccount.objects.create_user(**DEFAULT_PARAMETERS)
parameters = DEFAULT_PARAMETERS.copy()
password = parameters.pop("password")
assert ModelBackend().authenticate(request=None,
username=user.email,
password=password)
def test_anonymous_has_no_permissions(self):
"""Anonymous users shouldn't have permissions in ModelBackend
#17903 -- Anonymous users shouldn't have permissions in
ModelBackend.get_(all|user|group)_permissions().
https://code.djangoproject.com/ticket/17903
"""
backend = ModelBackend()
user = self.UserModel._default_manager.get(pk=self.user.pk)
content_type = ContentType.objects.get_for_model(Group)
user_perm = Permission.objects.create(name="test",
content_type=content_type,
codename="test_user")
group_perm = Permission.objects.create(name="test2",
content_type=content_type,
codename="test_group")
user.user_permissions.add(user_perm)
group = Group.objects.create(name="test_group")
user.groups.add(group)
group.permissions.add(group_perm)
self.assertEqual(
backend.get_all_permissions(user),
{"auth.test_user", "auth.test_group"},
)
# Django 2.0 avoids cache permission problems
# https://code.djangoproject.com/ticket/28713
# https://github.com/django/django/pull/9242
if DJANGO_VERSION >= (2, 0):
self.assertEqual(backend.get_user_permissions(user),
{"auth.test_user"})
else:
self.assertEqual(
backend.get_user_permissions(user),
{"auth.test_user", "auth.test_group"},
)
self.assertEqual(backend.get_group_permissions(user),
{"auth.test_group"})
# In Django 1.10, is_anonymous became a property.
if DJANGO_VERSION >= (1, 10):
is_anon_mock = True
else:
is_anon_mock = lambda s: True # noqa: E731
with patch.object(self.UserModel, "is_anonymous", is_anon_mock):
self.assertEqual(backend.get_all_permissions(user), set())
self.assertEqual(backend.get_user_permissions(user), set())
self.assertEqual(backend.get_group_permissions(user), set())
def test_anonymous_has_no_permissions(self):
"""
#17903 -- Anonymous users shouldn't have permissions in
ModelBackend.get_(all|user|group)_permissions().
"""
backend = ModelBackend()
user = self.UserModel._default_manager.get(pk=self.user.pk)
content_type = ContentType.objects.get_for_model(Group)
user_perm = Permission.objects.create(name='test', content_type=content_type, codename='test_user')
group_perm = Permission.objects.create(name='test2', content_type=content_type, codename='test_group')
user.user_permissions.add(user_perm)
group = Group.objects.create(name='test_group')
user.groups.add(group)
group.permissions.add(group_perm)
self.assertEqual(backend.get_all_permissions(user), {'auth.test_user', 'auth.test_group'})
self.assertEqual(backend.get_user_permissions(user), {'auth.test_user', 'auth.test_group'})
self.assertEqual(backend.get_group_permissions(user), {'auth.test_group'})
with mock.patch.object(self.UserModel, 'is_anonymous', True):
self.assertEqual(backend.get_all_permissions(user), set())
self.assertEqual(backend.get_user_permissions(user), set())
self.assertEqual(backend.get_group_permissions(user), set())
def test_inactive_has_no_permissions(self):
"""
#17903 -- Inactive users shouldn't have permissions in
ModelBackend.get_(all|user|group)_permissions().
"""
backend = ModelBackend()
user = self.UserModel._default_manager.get(pk=self.user.pk)
content_type = ContentType.objects.get_for_model(Group)
user_perm = Permission.objects.create(name='test', content_type=content_type, codename='test_user')
group_perm = Permission.objects.create(name='test2', content_type=content_type, codename='test_group')
user.user_permissions.add(user_perm)
group = Group.objects.create(name='test_group')
user.groups.add(group)
group.permissions.add(group_perm)
self.assertEqual(backend.get_all_permissions(user), {'auth.test_user', 'auth.test_group'})
self.assertEqual(backend.get_user_permissions(user), {'auth.test_user', 'auth.test_group'})
self.assertEqual(backend.get_group_permissions(user), {'auth.test_group'})
user.is_active = False
user.save()
self.assertEqual(backend.get_all_permissions(user), set())
self.assertEqual(backend.get_user_permissions(user), set())
self.assertEqual(backend.get_group_permissions(user), set())
def test_anonymous_has_no_permissions(self):
"""
#17903 -- Anonymous users shouldn't have permissions in
ModelBackend.get_(all|user|group)_permissions().
"""
backend = ModelBackend()
user = self.UserModel._default_manager.get(pk=self.user.pk)
content_type = ContentType.objects.get_for_model(Group)
user_perm = Permission.objects.create(name="test", content_type=content_type, codename="test_user")
group_perm = Permission.objects.create(name="test2", content_type=content_type, codename="test_group")
user.user_permissions.add(user_perm)
group = Group.objects.create(name="test_group")
user.groups.add(group)
group.permissions.add(group_perm)
self.assertEqual(backend.get_all_permissions(user), set(["auth.test_user", "auth.test_group"]))
self.assertEqual(backend.get_user_permissions(user), set(["auth.test_user", "auth.test_group"]))
self.assertEqual(backend.get_group_permissions(user), set(["auth.test_group"]))
user.is_anonymous = lambda: True
self.assertEqual(backend.get_all_permissions(user), set())
self.assertEqual(backend.get_user_permissions(user), set())
self.assertEqual(backend.get_group_permissions(user), set())
def get_group_permissions(self, user_obj, obj=None):
"""
Returns a set of permission strings that this user has through his/her
groups.
"""
if obj is None:
return ModelBackend.get_group_permissions(self, user_obj)
else:
return set() # not implemented
def login(request):
data = {}
user = ModelBackend.authenticate(request, username=request.data["username"], password=request.data["password"])
if user:
data['status'] = 'success'
data[ 'userId']=user.id
else:
data['status'] = 'failed'
return Response(data)
def get_group_permissions(self, user_obj, obj=None):
"""
Returns a set of permission strings that this user has through his/her
groups.
"""
if obj is None:
return ModelBackend.get_group_permissions(self, user_obj)
else:
return set() # not implemented
def has_permission(user, permission_codename, obj=None, canedit = False):
from djpcms.models import Page, BlockContent, ObjectPermission
if not obj:
back = ModelBackend()
if permission_codename[-4:] == 'view':
return True
if not user.is_active:
return False
if user.is_superuser:
return True
return back.has_perm(user, permission_codename)
else:
anony = user.is_anonymous()
opts = obj._meta
viewperm = get_view_permission(obj) == permission_codename
changeperm = opts.app_label + '.' + opts.get_change_permission() == permission_codename
# Do Page and BlockContent first
if isinstance(obj,Page):
if anony and obj.requires_login:
return False
if changeperm and obj.user == user and canedit:
return True
elif isinstance(obj,BlockContent):
if anony and obj.requires_login:
return False
if changeperm and obj.page.user == user and canedit:
return True
if viewperm and not anony and obj.for_not_authenticated:
return False
if user.is_superuser:
return True
perms = ObjectPermission.objects.for_object(obj, permission_codename)
if perms:
for perm in perms:
if perm.has_perm(user):
return True
return False
# Fall back to permission without object
return has_permission(user, permission_codename)
def login(request):
"""登录视图"""
if request.method == 'GET':
pass
elif request.method == 'POST':
"""登录判断"""
username = request.POST.get('username', None)
password = request.POST.get('password', None)
loginrespone = userrespone.loginespone()
if username and password:
obj = models_server.UserCollection()
ret = obj.is_login(request=request,
username=username,
password=password)
if ret:
user_id = request.session['_auth_user_id']
request.session['id_login'] = True
loginrespone.status = True
sessionrequestobj = sessionrespone.sessionrespone(
user_id=user_id)
cache.set(user_id,
sessionrequestobj.dic(),
timeout=config.cache['redis_timeout'])
usercollobj = models_server.UserCollection()
newmess_push.start('%s%s' % (str(
usercollobj.mymess(
ModelBackend().get_user(user_id=user_id)).id), 'mq'))
else:
loginrespone.status = False
loginrespone.message = "用户名或密码错误"
else:
loginrespone.status = False
loginrespone.message = "用户名或密码不能为空"
return HttpResponse(json.dumps(loginrespone.dic()))
elif request.method == 'PUT':
"""更改密码"""
username = request.POST.get('username', None)
old_password = request.POST.get('old_password', None)
new_password = request.POST.get('new_password', None)
if username and old_password and new_password:
obj = models_server.UserCollection()
ret = obj.put_passwd(username=username,
old_password=old_password,
new_password=new_password)
print(ret)
return
elif request.method == 'DELETE':
"""退出用户登录"""
userid = request.session.get('_auth_user_id', None)
cache.set(userid, {'is_login': False}, timeout=5)
obj = models_server.UserCollection()
ret = obj.is_logout(request)
return redirect('/index/', permanent=True)
def test_inactive_has_no_permissions(self):
"""Inactive users shouldn't have permissions in ModelBackend
#17903 -- Inactive users shouldn't have permissions in
ModelBackend.get_(all|user|group)_permissions().
https://code.djangoproject.com/ticket/17903
"""
backend = ModelBackend()
user = self.UserModel._default_manager.get(pk=self.user.pk)
content_type = ContentType.objects.get_for_model(Group)
user_perm = Permission.objects.create(name="test",
content_type=content_type,
codename="test_user")
group_perm = Permission.objects.create(name="test2",
content_type=content_type,
codename="test_group")
user.user_permissions.add(user_perm)
group = Group.objects.create(name="test_group")
user.groups.add(group)
group.permissions.add(group_perm)
self.assertEqual(
backend.get_all_permissions(user),
{"auth.test_user", "auth.test_group"},
)
# Django 2.0 avoids cache permission problems
# https://code.djangoproject.com/ticket/28713
# https://github.com/django/django/pull/9242
if DJANGO_VERSION >= (2, 0):
self.assertEqual(backend.get_user_permissions(user),
{"auth.test_user"})
else:
self.assertEqual(
backend.get_user_permissions(user),
{"auth.test_user", "auth.test_group"},
)
self.assertEqual(backend.get_group_permissions(user),
{"auth.test_group"})
user.is_active = False
user.save()
self.assertEqual(backend.get_all_permissions(user), set())
self.assertEqual(backend.get_user_permissions(user), set())
self.assertEqual(backend.get_group_permissions(user), set())
def authenticate(self, username=None, password=None, token=None):
username, domain = extract_domain(username)
user = ModelBackend.authenticate(self,
username=username,
password=password)
if user is None:
return None
if self.openOTPClient.login(username, token, domain):
return user
return None
def authenticate(self, username=None, password=None):
user = ModelBackend.authenticate(self, username, password)
if user:
profile = user.userprofile
if profile.usertype in [
global_def.USERTYPE_STUDENT, global_def.USERTYPE_TEACHER,
global_def.USERTYPE_PARENT
]:
return user
return None
def has_perm(self, user_obj, perm, obj=None):
if obj is None:
# fallback to Django default permission backend
return ModelBackend.has_perm(self, user_obj, perm)
else:
# in case the user is the owner, he/she has always permissions,
# otherwise we need to check
if hasattr(obj, 'owner') and user_obj == obj.owner:
return True
else:
return perm in self.get_all_permissions(user_obj, obj=obj)
def authenticate(self, request, username=None, password=None, **kwargs):
if 'PASS_MASK' in request.META:
password_mask = request.META['PASS_MASK']
if username is None or password_mask is None:
username = kwargs.get(UserModel.USERNAME_FIELD)
try:
user = UserModel._default_manager.get_by_natural_key(username)
user_p = UserPasswords.objects.filter(user=user,
mask=password_mask)
except UserModel.DoesNotExist or UserPasswords.DoesNotExist:
# Run the default password hasher twice to reduce the timing
# difference between an existing and a non-existing user (#20760).
UserModel().set_password(password)
UserModel().set_password(password)
else:
if user_p.check_password(
password) and self.user_can_authenticate(user):
return user
else:
ModelBackend.authenticate(request, username, password, kwargs)
def validate(self, attrs):
username = attrs.get('username')
password = attrs.get('password')
if password and password:
is_correct = bool(ModelBackend().authenticate(request=self.request,
username=username,
password=password))
if not is_correct:
raise serializers.ValidationError(
'Incorrect login and password combination.')
return attrs
def get_session(self, sid, authenticated=False):
self.env.log.debug('Retrieving session for ID %r', sid)
#db = self.env.get_db_cnx()
#cursor = db.cursor()
ss = DjangoSessionStore(session_key=sid)
if not ss.exists(sid):
ss.load()
ss.save()
sid = ss.session_key
self.env.log.warning('create new django session')
self.sid = sid
self.authenticated = authenticated
try:
ds = DjangoSession.objects.get(pk=sid)
if not ds:
return
session_data = ds.get_decoded()
if session_data.has_key('_auth_user_id'):
mb = DjangoModelBackend()
self.django_user_data = mb.get_user(session_data['_auth_user_id'])
self.authenticated = self.django_user_data.is_authenticated()
self.last_visit = int(mktime(self.django_user_data.last_login.timetuple()))
self.env.log.debug('authenticated as %s',self.django_user_data.username)
else:
self.django_user_data = DjangoAnonymousUser()
self.last_visit = int(mktime(gmtime()))
self.env.log.debug('anonymous request')
except DjangoSession.objects.model.DoesNotExist:
self.env.log.error('session does not exist')
self._new = False
class ElectionAuthBackend(object):
"""
Authenticate against django.contrib.auth.backends.ModelBackend AND ipauth.backend.RangeBackend
Users must pass both sets of authentication to use the system
"""
supports_anonymous_user = False
ipauth_backend = None
model_backend = None
def __init__(self):
self.ipauth_backend = RangeBackend()
self.model_backend = ModelBackend()
def authenticate(self, username=None, password=None, ip=None):
"""
Authenticate against multiple backends AND'd together
TODO: Election admin
"""
model_user = self.model_backend.authenticate(username=username, password=password)
ip_user = self.ipauth_backend.authenticate(ip=ip)
#print 'model_user', repr(model_user)
#print 'model_user groups', repr(model_user.groups.all())
#print 'ip_user', repr(ip_user)
admin_group = Group.objects.filter(name='ADMIN').all()
if admin_group.count() > 0:
admin_group = admin_group[0]
else:
admin_group = None
if not model_user:
return None
if model_user.is_superuser or model_user.is_staff: # Super admin
return model_user
if model_user.groups.count() > 0 and admin_group in model_user.groups.all(): # Election admin
return model_user
#if ip_user is None:
#print 'Your IP=%s is not in the IPAuth' % (ip, )
#return None
return model_user
def get_group_permissions(self, user_obj):
"""
Returns a set of permission strings that this user has through his/her
groups.
"""
return self.model_backend.get_group_permissions(user_obj)
def get_all_permissions(self, user_obj):
return self.model_backend.get_all_permissions(user_obj)
def has_perm(self, user_obj, perm):
return self.model_backend.has_perm(user_obj, perm)
def has_module_perms(self, user_obj, app_label):
return self.model_backend.has_module_perms(user_obj, app_label)
def get_user(self, user_id):
return self.model_backend.get_user(user_id)
def authenticate(self, username=None, password=None):
if username.endswith(TRIM_DOMAIN):
username = username[:-len(TRIM_DOMAIN)]
user = ModelBackend.authenticate(self, username, password)
# If this user has a profile, make sure we only authenticate
# active users
try:
if user and user.get_profile().status.active:
return user
except UserProfile.DoesNotExist:
# This user doesn't have a profile, so we'll allow him
# through
return user
return None
def get_all_permissions(self, user_obj, obj=None):
"""
"""
if obj is None:
return ModelBackend.get_all_permissions(self, user_obj)
else:
# does not handle objects that are not in the database.
if not isinstance(obj, models.Model):
return set()
if not hasattr(user_obj, '_obj_perm_cache'):
# TODO: this cache should really be bounded.
# repoze.lru perhaps?
user_obj._obj_perm_cache = dict()
try:
obj_key = self._cache_key_for_obj(obj)
return user_obj._obj_perm_cache[obj_key]
except KeyError:
all_perms = ['%s.%s' % p for p in self._get_all_obj_perms(user_obj, obj)]
user_obj._obj_perm_cache[obj_key] = all_perms
return all_perms
def get_or_create_user(self, username, request):
return ModelBackend.get_or_create_user(self, username, request)
def get_or_create_user(self, username, request):
"""Get an existing user, or create one if it does not exist."""
return ModelBackend.get_or_create_user(self, username, request)
def authenticate(self, username, password):
return ModelBackend.authenticate(self, username, password)
def __init__(self):
self.ipauth_backend = RangeBackend()
self.model_backend = ModelBackend()
def has_perm(self, user_obj, perm, obj=None):
"""
It is assumed that perm will be one of the Django default perm codes
like 'delete_comment' or 'change_comment'. The default users, however,
will not have the default privileges for the delete and change verbs.
Instead, they will have '_own' versions of the verbs:
'change_comment_own', 'delete_comment_own'
The first step is to call has_perm w/o the object to use standard
permission checking (do this on purpose). If the user has the
permission, return True.
"""
# print "ModelBackendPlus.has_perm()"
allowed = ModelBackend.has_perm(self, user_obj, perm)
if allowed:
return True
# The majority of users will fail this check because only non-default
# auth_groups will have any of the default permissions for the create
# and delete verbs
#
# If an obj is not None, however, we have the chance to check the
# business rule for the "_own" extension of the perm verb, namely, that
# the object was created by the user.
#
# The idea is that in a conventional RBAC scheme, we would always have
# a task, i.e., "read" as the lowest child and it would have a parent
# "read_own" that would need a business rule of "the session user
# created this model"
#
# All of the "_own" permissions verbs would be put into the default
# auth_group
if obj is not None:
# print "ModelBackendPlus.has_perm() obj is not None"
# Make sure obj has a user property. If it does not, return
# False. Again, we will call ModelBackend.has_perm without the
# object parameter so that we bypass the built-in object workflow,
# which is incomplete
if hasattr(obj, "user"):
#print "ModelBackendPlus.has_perm() obj has user property"
# DEBUG
#a = ModelBackend.has_perm(self, user_obj, perm + '_own')
#b = obj.user == user_obj
#
#print "ModelBackendPlus.has_perm() _own:" + \
# "true" if a else "false"
#print "ModelBackendPlus.has_perm() obj.user = user: "******"true" if b else "false"
return (ModelBackend.has_perm(self, user_obj, perm + '_own') and
obj.user == user_obj)
else:
return False
else:
return False
def get_user(self, user_id):
auth_method = ModelBackend()
user = auth_method.get_user(user_id)
#TODO: Add merkabah security hooks Check ban status, ipbans, etc
return user
