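def test_check_custom_user_model(self):
    """The custom-user-model check reports nothing when HijackUserAdmin is registered."""
    # Django doesn't re-register admins when using `override_settings`,
    # so we have to do it manually in this test case.
    admin.site.register(get_user_model(), HijackUserAdmin)
    try:
        warnings = checks.check_custom_user_model(HijackAdminConfig)
        self.assertFalse(warnings)
    finally:
        # Undo the manual registration even when the assertion fails, so the
        # global admin site is not left modified for the tests that follow.
        admin.site.unregister(get_user_model())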
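def test_check_custom_user_model_custom_admin(self):
    """The check also passes when ``admin.site`` is a custom AdminSite subclass."""

    class CustomAdminSite(admin.AdminSite):
        pass

    _default_site = admin.site
    admin.site = CustomAdminSite()
    try:
        admin.autodiscover()
        admin.site.register(get_user_model(), HijackUserAdmin)
        try:
            warnings = checks.check_custom_user_model(HijackAdminConfig)
            self.assertFalse(warnings)
        finally:
            admin.site.unregister(get_user_model())
    finally:
        # The module-level admin site is swapped for the duration of the
        # test; restore it no matter how the test ends, otherwise every
        # later test would run against the throw-away site.
        admin.site = _default_site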
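def release_hijack(request):
    """End the current hijack and log the previous user back in.

    ``hijack_history`` in the session is a list of user primary keys; the
    most recent entry is popped and that user is logged in again.

    Raises:
        PermissionDenied: when the session carries no hijack history.

    Returns:
        A redirect to the ``next`` query parameter when it points at this
        host, otherwise to ``REVERSE_HIJACK_LOGIN_REDIRECT_URL`` /
        ``LOGIN_REDIRECT_URL`` / ``'/'``.
    """
    hijack_history = request.session.get('hijack_history', False)
    if not hijack_history:
        raise PermissionDenied

    user_pk = hijack_history.pop()
    user = get_object_or_404(get_user_model(), pk=user_pk)
    # NOTE(review): this always stamps the first configured backend on the
    # user, which is not necessarily the backend the account originally
    # authenticated with - confirm that is intended.
    backend = get_backends()[0]
    user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
    login(request, user)

    if hijack_history:
        request.session['hijack_history'] = hijack_history
        request.session['is_hijacked_user'] = True
    else:
        # Remove each flag independently so that a missing first key cannot
        # leave ``is_hijacked_user`` behind.
        request.session.pop('hijack_history', None)
        request.session.pop('is_hijacked_user', None)
    request.session.modified = True

    default_url = getattr(settings, 'REVERSE_HIJACK_LOGIN_REDIRECT_URL',
                          getattr(settings, 'LOGIN_REDIRECT_URL', '/'))
    redirect_to = request.GET.get('next', default_url)
    if 'next' in request.GET:
        # ``next`` comes straight from the query string. Redirecting to it
        # unchecked is an open redirect, so only honour targets that stay on
        # the current host and fall back to the configured default otherwise.
        try:
            from django.utils.http import url_has_allowed_host_and_safe_url
        except ImportError:  # Django < 3.0 names the helper is_safe_url
            from django.utils.http import is_safe_url
            next_is_safe = is_safe_url(redirect_to, request.get_host())
        else:
            next_is_safe = url_has_allowed_host_and_safe_url(
                redirect_to,
                allowed_hosts={request.get_host()},
                require_https=request.is_secure())
        if not next_is_safe:
            redirect_to = default_url
    return HttpResponseRedirect(resolve_url(redirect_to))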
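def release_hijack(request):
    """End the current hijack and log the previous user back in.

    The last primary key stored in the session's ``hijack_history`` list is
    popped and the matching user is logged in again.

    Raises:
        PermissionDenied: when the session carries no hijack history.

    Returns:
        A redirect to the ``next`` query parameter when it points at this
        host, otherwise to ``REVERSE_HIJACK_LOGIN_REDIRECT_URL`` /
        ``LOGIN_REDIRECT_URL`` / ``'/'``.
    """
    hijack_history = request.session.get('hijack_history', False)
    if not hijack_history:
        raise PermissionDenied

    user_pk = hijack_history.pop()
    user = get_object_or_404(get_user_model(), pk=user_pk)
    # NOTE(review): the first configured backend is used unconditionally;
    # confirm it matches the backend the user originally logged in with.
    backend = get_backends()[0]
    user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
    login(request, user)

    if hijack_history:
        request.session['hijack_history'] = hijack_history
        request.session['is_hijacked_user'] = True
    else:
        # Drop both flags independently; a chained ``del`` would stop at the
        # first missing key and could leave the hijack marker in place.
        request.session.pop('hijack_history', None)
        request.session.pop('is_hijacked_user', None)
    request.session.modified = True

    default_url = getattr(settings, 'REVERSE_HIJACK_LOGIN_REDIRECT_URL',
                          getattr(settings, 'LOGIN_REDIRECT_URL', '/'))
    redirect_to = request.GET.get('next', default_url)
    if 'next' in request.GET:
        # The query string is caller-controlled: validate the target before
        # redirecting so this view cannot be used as an open redirect.
        try:
            from django.utils.http import url_has_allowed_host_and_safe_url
        except ImportError:  # Django < 3.0 names the helper is_safe_url
            from django.utils.http import is_safe_url
            next_is_safe = is_safe_url(redirect_to, request.get_host())
        else:
            next_is_safe = url_has_allowed_host_and_safe_url(
                redirect_to,
                allowed_hosts={request.get_host()},
                require_https=request.is_secure())
        if not next_is_safe:
            redirect_to = default_url
    return HttpResponseRedirect(redirect_to)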
def release_hijack(request):
    """Stop impersonating and restore the user who started the hijack.

    Pops the latest primary key from the session's ``hijack_history``, logs
    that user in without touching ``last_login``, updates the session flags
    and emits ``hijack_ended``.

    Raises:
        PermissionDenied: when the session has no hijack history.
    """
    history = request.session.get('hijack_history', False)
    if not history:
        raise PermissionDenied

    # Capture the impersonated user before login() replaces request.user.
    # NOTE(review): if request.user is a lazy object that has not been
    # evaluated yet, it would resolve only after login() - confirm it is
    # evaluated earlier so the signal reports the right account.
    hijacked = request.user
    hijacker = get_object_or_404(get_user_model(), pk=history.pop())
    used_backend = get_used_backend(request)
    hijacker.backend = "%s.%s" % (used_backend.__module__,
                                  used_backend.__class__.__name__)
    with no_update_last_login():
        login(request, hijacker)

    if history:
        # Still inside a nested hijack: keep the remaining chain and flags.
        request.session['hijack_history'] = history
        request.session['is_hijacked_user'] = True
        request.session['display_hijack_warning'] = True
    else:
        for key in ('hijack_history', 'is_hijacked_user',
                    'display_hijack_warning'):
            request.session.pop(key, None)
    request.session.modified = True

    # hijack_ended is the hook a receiver can use to record the end of an
    # impersonation session.
    hijack_ended.send(
        sender=None,
        request=request,
        hijacker=hijacker,
        hijacked=hijacked,
        # send IDs for backward compatibility
        hijacker_id=hijacker.pk,
        hijacked_id=hijacked.pk)
    return redirect_to_next(
        request, default_url=hijack_settings.HIJACK_LOGOUT_REDIRECT_URL)
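def release_hijack(request):
    """Stop impersonating and restore the user who started the hijack.

    Pops the latest primary key from the session's ``hijack_history``, logs
    that user in, updates the session flags and emits ``hijack_ended``.

    Raises:
        PermissionDenied: when the session has no hijack history.
    """
    hijack_history = request.session.get('hijack_history', False)
    if not hijack_history:
        raise PermissionDenied

    # Capture the impersonated user before login() replaces request.user.
    # NOTE(review): confirm request.user has already been evaluated here; an
    # unevaluated lazy user would resolve only after login().
    hijacked = request.user
    user_pk = hijack_history.pop()
    hijacker = get_object_or_404(get_user_model(), pk=user_pk)
    backend = get_used_backend(request)
    hijacker.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
    login(request, hijacker)

    if hijack_history:
        request.session['hijack_history'] = hijack_history
        request.session['is_hijacked_user'] = True
        request.session['display_hijack_warning'] = True
    else:
        # Remove every flag on its own: a chained ``del`` inside one ``try``
        # stops at the first missing key and can leave later flags set.
        request.session.pop('hijack_history', None)
        request.session.pop('is_hijacked_user', None)
        request.session.pop('display_hijack_warning', None)
    request.session.modified = True

    # Use ``pk`` rather than ``id``: a custom user model is free to name its
    # primary key differently, in which case ``.id`` does not exist.
    hijack_ended.send(sender=None,
                      hijacker_id=hijacker.pk,
                      hijacked_id=hijacked.pk)
    return redirect_to_next(
        request, default_url=hijack_settings.HIJACK_LOGOUT_REDIRECT_URL)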
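def release_hijack(request):
    """Stop impersonating and restore the user who started the hijack.

    Pops the latest primary key from the session's ``hijack_history``, logs
    that user in, updates the session flags and emits ``hijack_ended``.

    Raises:
        PermissionDenied: when the session has no hijack history.
    """
    hijack_history = request.session.get('hijack_history', False)
    if not hijack_history:
        raise PermissionDenied

    # Capture the impersonated user before login() replaces request.user.
    # NOTE(review): confirm request.user has already been evaluated here; an
    # unevaluated lazy user would resolve only after login().
    hijacked = request.user
    user_pk = hijack_history.pop()
    hijacker = get_object_or_404(get_user_model(), pk=user_pk)
    backend = get_used_backend(request)
    hijacker.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
    login(request, hijacker)

    if hijack_history:
        request.session['hijack_history'] = hijack_history
        request.session['is_hijacked_user'] = True
        request.session['display_hijack_warning'] = True
    else:
        # Clear each flag independently. With three ``del`` statements in a
        # single ``try`` the first KeyError skipped the remaining deletions,
        # which could leave the hijack marker or the warning flag behind.
        for key in ('hijack_history', 'is_hijacked_user',
                    'display_hijack_warning'):
            request.session.pop(key, None)
    request.session.modified = True

    hijack_ended.send(sender=None,
                      hijacker_id=hijacker.pk,
                      hijacked_id=hijacked.pk)
    return redirect_to_next(
        request, default_url=hijack_settings.HIJACK_LOGOUT_REDIRECT_URL)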
def login_with_id(request, user_id):
    """Look up a user by primary key and hand it to ``login_user``.

    Returns a 400 response when ``user_id`` cannot be converted to an int.

    NOTE(review): nothing in this function checks who is making the
    request; presumably ``login_user`` or a decorator outside this snippet
    restricts hijacking to authorised staff - confirm.
    """
    # input(user_id) is unicode
    try:
        numeric_id = int(user_id)
    except ValueError:
        return HttpResponseBadRequest('user_id must be an integer value.')

    target = get_object_or_404(get_user_model(), pk=numeric_id)
    return login_user(request, target)
def hijack_field(self, obj):
    """Call the parent ``hijack_field`` with the user related to ``obj``.

    Uses ``obj.user`` when it is truthy; otherwise scans the model's fields
    for a one-to-one or many-to-one relation to the user model.
    """
    related_user = getattr(obj, 'user', '')
    if not related_user:
        # There is no ``break``: when several relations point at the user
        # model, the last matching field wins.
        for model_field in obj._meta.get_fields():
            single_relation = model_field.one_to_one or model_field.many_to_one
            if single_relation and model_field.related_model == get_user_model():
                related_user = getattr(obj, model_field.name)
    return super(HijackRelatedAdminMixin, self).hijack_field(related_user)
def setup():
    """Connect the model signal handlers used by the forum app."""
    slug_receivers = (
        (pre_save_category_slug, Category),
        (pre_save_forum_slug, Forum),
        (pre_save_topic_slug, Topic),
    )
    for receiver, model in slug_receivers:
        pre_save.connect(receiver, sender=model)

    post_save.connect(post_saved, sender=Post)
    post_delete.connect(post_deleted, sender=Post)

    # The user-saved receiver is only wired up when the setting is enabled.
    if defaults.PYBB_AUTO_USER_PERMISSIONS:
        post_save.connect(user_saved, sender=compat.get_user_model())
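def test_check_custom_user_model_default_admin(self):
    """With the stock ``UserAdmin`` registered the check emits warning W001."""
    # Django doesn't re-register admins when using `override_settings`,
    # so we have to do it manually in this test case.
    admin.site.register(get_user_model(), UserAdmin)
    try:
        warnings = checks.check_custom_user_model(HijackAdminConfig)
        expected_warnings = [
            Warning(
                'django-hijack-admin does not work out the box with a custom user model.',
                hint='Please mix HijackUserAdminMixin into your custom UserAdmin.',
                obj=settings.AUTH_USER_MODEL,
                id='hijack_admin.W001',
            )
        ]
        self.assertEqual(warnings, expected_warnings)
    finally:
        # Unregister even on assertion failure so the global admin site is
        # left as it was found.
        admin.site.unregister(get_user_model())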
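def test_check_custom_user_model_default_admin(self):
    """The check warns (W001) when only the default ``UserAdmin`` is registered."""
    # Django doesn't re-register admins when using `override_settings`,
    # so we have to do it manually in this test case.
    admin.site.register(get_user_model(), UserAdmin)
    try:
        warnings = checks.check_custom_user_model(HijackAdminConfig)
        expected_warnings = [
            Warning(
                'django-hijack-admin does not work out the box with a custom user model.',
                hint='Please mix HijackUserAdminMixin into your custom UserAdmin.',
                obj=settings.AUTH_USER_MODEL,
                id='hijack_admin.W001',
            )
        ]
        self.assertEqual(warnings, expected_warnings)
    finally:
        # A failing assertion must not leak the manual registration into
        # the tests that run afterwards.
        admin.site.unregister(get_user_model())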
def login_with_id(request, user_id):
    """Look up a user by primary key and hijack it unless it is a protected superuser.

    Returns a 400 response for a non-integer ``user_id`` and a plain
    response with a refusal message when the target is a superuser and
    ``HIJACK_AUTHORIZE_SUPERUSER_TO_HIJACK_SUPERUSER`` is falsy.

    NOTE(review): the check below looks only at the *target* account and the
    setting; the requester's own privileges are not examined here and are
    presumably enforced by ``login_user`` or a decorator - confirm.
    NOTE(review): the refusal is sent as a plain ``HttpResponse`` (status
    200); callers that key off the status code will not see a denial.
    """
    # input(user_id) is unicode
    try:
        numeric_id = int(user_id)
    except ValueError:
        return HttpResponseBadRequest('user_id must be an integer value.')

    target = get_object_or_404(get_user_model(), pk=numeric_id)
    superuser_is_protected = (
        target.is_superuser
        and not hijack_settings.HIJACK_AUTHORIZE_SUPERUSER_TO_HIJACK_SUPERUSER)
    if superuser_is_protected:
        return HttpResponse('Cannot hijack superuser.')
    return login_user(request, target)
def post_deleted(instance, **kwargs):
    """Recompute the author's ``post_count`` after a post has been deleted."""
    profile_model = util.get_pybb_profile_model()
    user_model = compat.get_user_model()
    try:
        author_profile = util.get_pybb_profile(instance.user)
    except (profile_model.DoesNotExist, user_model.DoesNotExist):
        # When a user is cascade-deleted, the profile and posts go with it,
        # so there is no counter left to update.
        return
    author_profile.post_count = instance.user.posts.count()
    author_profile.save()
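def get_session_user(request):
    '''
    Extracts user from POST request.

    Returns None if the method is not POST, if no ``session_key`` was
    posted, if no unexpired session matches the key, or if the session does
    not identify an existing user.

    The posted ``session_key`` acts as a bearer credential: whoever presents
    a valid key is treated as that session's user, so it must only travel
    over TLS and should be kept out of request logs.
    '''
    if request.method != 'POST' or 'session_key' not in request.POST:
        return None

    from django.utils import timezone

    try:
        # Looking the row up by key alone would also accept sessions whose
        # expiry has passed but which have not been purged yet, so the
        # expiry is part of the query.
        session = Session.objects.get(
            session_key=request.POST['session_key'],
            expire_date__gt=timezone.now())
    except Session.DoesNotExist:
        return None

    uid = session.get_decoded().get('_auth_user_id')
    if uid is None:
        # Anonymous session: there is no user to return.
        return None

    user_model = get_user_model()
    try:
        return user_model.objects.get(pk=uid)
    except user_model.DoesNotExist:
        # The session outlived its user; treat it like a missing session
        # instead of letting the lookup error escape.
        return None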
def login_with_username(request, username):
    """Look up a user by ``username`` and hand it to ``login_user``.

    NOTE(review): no authorisation check is visible in this function;
    presumably ``login_user`` or a decorator outside this snippet decides
    who may hijack - confirm.
    """
    user_model = get_user_model()
    target = get_object_or_404(user_model, username=username)
    return login_user(request, target)
def login_with_username(request, username):
    """Look up a user by ``username`` and hijack it unless it is a protected superuser.

    A superuser target is refused with a plain response unless
    ``HIJACK_AUTHORIZE_SUPERUSER_TO_HIJACK_SUPERUSER`` is truthy.

    NOTE(review): only the target account and the setting are inspected;
    whether the requester may hijack at all is presumably decided by
    ``login_user`` or a decorator - confirm.
    NOTE(review): the refusal is a plain ``HttpResponse`` (status 200).
    """
    target = get_object_or_404(get_user_model(), username=username)
    superuser_is_protected = (
        target.is_superuser
        and not hijack_settings.HIJACK_AUTHORIZE_SUPERUSER_TO_HIJACK_SUPERUSER)
    if superuser_is_protected:
        return HttpResponse('Cannot hijack superuser.')
    return login_user(request, target)
# -*- coding: utf-8 -*- import django.core.validators from compat import get_user_model User = get_user_model() class XAuthAuthenticationBackend(object): """Custom Authentication Backend. Supports both username and email as identification """ supports_anonymous_user = False def authenticate(self, x_auth_username=None, x_auth_password=None, x_auth_mode=None): """Authenticates a user through the combination email/username with password. Returns signed ``User`` instance x_auth_username -- a string containing the username or e-mail of the user that is trying to authenticate. x_auth_password -- string containing the password for the user. """ if x_auth_mode != 'client_auth': return None try: django.core.validators.validate_email(x_auth_username) try: user = User.objects.get(email__iexact=x_auth_username) except User.DoesNotExist: return None
return button_template.render(button_context) hijack_field.allow_tags = True hijack_field.short_description = _('Hijack user') class HijackUserAdmin(HijackUserAdminMixin, UserAdmin): list_display = ( 'username', 'email', 'first_name', 'last_name', 'last_login', 'date_joined', 'is_staff', 'hijack_field', ) list_filter = ('is_staff', 'is_superuser') search_fields = ( 'username', 'first_name', 'last_name', 'email', ) if hijack_admin_settings.HIJACK_REGISTER_ADMIN: UserModel = get_user_model() admin.site.unregister(UserModel) admin.site.register(UserModel, HijackUserAdmin)
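def login_with_id(request, userId):
    """Look up a user by primary key and hand it to ``login_user``.

    Returns a 400 response when ``userId`` is not an integer value.

    NOTE(review): no authorisation check is visible here; presumably
    ``login_user`` or a decorator outside this snippet restricts who may
    hijack - confirm.
    """
    # The previous guard was inverted: it rejected values that already were
    # ints and let every other value through to the database lookup.
    # Convert explicitly and reject what cannot be converted.
    try:
        userId = int(userId)
    except (TypeError, ValueError):
        return HttpResponseBadRequest('userId must be an integer value.')
    user = get_object_or_404(get_user_model(), pk=userId)
    return login_user(request, user)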
def setUp(self):
    """Fetch or create the fixture user and keep it on ``self.user``."""
    user_model = get_user_model()
    # get_or_create returns (object, created); only the object is needed.
    self.user = user_model.objects.get_or_create(username='******')[0]
# -*- coding: utf-8 -*- import django.core.validators from compat import get_user_model User = get_user_model() class XAuthAuthenticationBackend(object): """Custom Authentication Backend. Supports both username and email as identification """ supports_anonymous_user = False def authenticate(self, x_auth_username=None, x_auth_password=None, x_auth_mode=None): """Authenticates a user through the combination email/username with password. Returns signed ``User`` instance x_auth_username -- a string containing the username or e-mail of the user that is trying to authenticate. x_auth_password -- string containing the password for the user. """ if x_auth_mode != 'client_auth': return None try: django.core.validators.validate_email(x_auth_username) try: user = User.objects.get(email__iexact=x_auth_username)
def login_with_id(request, user_id):
    """Look up a user by primary key and hand it to ``login_user``.

    NOTE(review): ``user_id`` is passed to the lookup as received and no
    authorisation check is visible here; presumably ``login_user`` or a
    decorator outside this snippet restricts who may hijack - confirm.
    """
    user_model = get_user_model()
    target = get_object_or_404(user_model, pk=user_id)
    return login_user(request, target)
elif 'email' in hijack_attributes: hijack_url = reverse('login_with_email', args=(obj.email, )) else: hijack_url = reverse('login_with_username', args=(obj.username, )) button_template = get_template('hijack/admin_button.html') button_context = { 'hijack_url': hijack_url, 'username': str(obj), } if VERSION < (1, 8): button_context = Context(button_context) return button_template.render(button_context) hijack_field.allow_tags = True hijack_field.short_description = _('Hijack user') class HijackUserAdmin(HijackUserAdminMixin, UserAdmin): list_display = ('username', 'email', 'first_name', 'last_name', 'last_login', 'date_joined', 'is_staff', 'hijack_field', ) list_filter = ('is_staff', 'is_superuser') search_fields = ('username', 'first_name', 'last_name', 'email', ) # By default show a Hijack button in the admin panel for the User model. if hijack_settings.HIJACK_DISPLAY_ADMIN_BUTTON: UserModel = get_user_model() admin.site.unregister(UserModel) admin.site.register(UserModel, HijackUserAdmin)
def login_with_email(request, email):
    """Look up a user by ``email`` and hand it to ``login_user``.

    NOTE(review): the lookup expects exactly one match. If the user model
    does not enforce unique e-mail addresses, several accounts can share an
    address and the lookup then fails rather than picking one - confirm the
    model's uniqueness guarantee.
    NOTE(review): no authorisation check is visible in this function;
    presumably ``login_user`` or a decorator handles it - confirm.
    """
    user_model = get_user_model()
    target = get_object_or_404(user_model, email=email)
    return login_user(request, target)
def login_with_id(request, user_id):
    """Look up a user by primary key and hand it to ``login_user``.

    NOTE(review): ``user_id`` reaches the lookup unconverted and no
    authorisation check is visible here; presumably ``login_user`` or a
    decorator outside this snippet restricts who may hijack - confirm.
    """
    # input(user_id) is unicode
    user_model = get_user_model()
    target = get_object_or_404(user_model, pk=user_id)
    return login_user(request, target)
import re import inspect from django import forms from django.core.exceptions import FieldError from django.forms.models import inlineformset_factory, BaseInlineFormSet from django.utils.translation import ugettext, ugettext_lazy from django.utils.timezone import now as tznow from django.utils.translation import ugettext_lazy as _ from tendenci.apps.perms.forms import TendenciBaseForm import compat, defaults, util from .models import Topic, Post, Attachment, PollAnswer, Category User = compat.get_user_model() username_field = compat.get_username_field() class CategoryAdminForm(TendenciBaseForm): status_detail = forms.ChoiceField( choices=(('active',_('Active')),('inactive',_('Inactive')),)) class Meta: model = Category fields = ( 'name', 'position', 'hidden', 'slug', 'status_detail', 'allow_anonymous_view',