def render(self, context): user = AnonymousUser() if 'user' in context: if isinstance(context['user'], User): user = context['user'] try: pk = Variable(self.pk) pk = pk.resolve(context) except: pk = self.pk try: filters = get_query_filters(user, 'boxes.view_box') box = Box.objects.filter(filters).filter(pk=pk) if user.is_authenticated(): if not user.profile.is_superuser: box = box.distinct() context['box'] = box[0] template = get_template('boxes/edit-link.html') output = '<div id="box-%s" class="boxes">%s %s</div>' % ( box[0].pk, box[0].content, template.render(context), ) return output except: return unicode()
class ProfileEditPermissionTestCase(TestCase): def setUp(self): self.user = PersonaFactory() self.anonymous = AnonymousUser() self.profile = ProfileFactory() def test_owner_can_change_profile(self): '''Tests owner has change permission of Profile''' self.assertTrue(self.profile.user.has_perm('profiles.change_profile', obj=self.profile)) def test_others_cannot_change_profile(self): '''Tests others don't have change permission of Profile''' self.assertFalse(self.user.has_perm('profiles.change_profile', obj=self.profile)) def test_anonymous_cannot_change_profile(self): '''Tests anonymous don't have change permission of Profile''' self.assertFalse(self.anonymous.has_perm('profiles.change_profile', obj=self.profile)) def test_owner_cannot_delete_profile(self): '''Tests owner don't have delete permission of Profile''' self.assertFalse(self.profile.user.has_perm('profiles.delete_profile', obj=self.profile)) def test_others_cannot_delete_profile(self): '''Tests others don't have delete permission of Profile''' self.assertFalse(self.user.has_perm('profiles.delete_profile', obj=self.profile)) def test_anonymous_cannot_delete_profile(self): '''Tests anonymous don't have delete permission of Profile''' self.assertFalse(self.anonymous.has_perm('profiles.delete_profile', obj=self.profile))
class NoAnonymousUserBackendTest(TestCase): """ Tests that AnonymousUser does not delegate to backend if it has 'supports_anonymous_user' = False """ backend = 'django.contrib.auth.tests.auth_backends.NoAnonymousUserBackend' def setUp(self): self.curr_auth = settings.AUTHENTICATION_BACKENDS settings.AUTHENTICATION_BACKENDS = tuple(self.curr_auth) + (self.backend,) self.user1 = AnonymousUser() def tearDown(self): settings.AUTHENTICATION_BACKENDS = self.curr_auth def test_has_perm(self): self.assertEqual(self.user1.has_perm('perm', TestObj()), False) self.assertEqual(self.user1.has_perm('anon', TestObj()), False) def test_has_perms(self): self.assertEqual(self.user1.has_perms(['anon'], TestObj()), False) def test_has_module_perms(self): self.assertEqual(self.user1.has_module_perms("app1"), False) self.assertEqual(self.user1.has_module_perms("app2"), False) def test_get_all_permissions(self): self.assertEqual(self.user1.get_all_permissions(TestObj()), set())
def test_clean_overwrite_url(self): user = AnonymousUser() user.is_superuser = True user.pk = 1 request = type('Request', (object,), {'user': user}) with SettingsOverride(): data = { 'title': 'TestPage', 'slug': 'test-page', 'language': 'en', 'overwrite_url': '/overwrite/url/', 'site': Site.objects.get_current().pk, 'template': get_cms_setting('TEMPLATES')[0][0], 'published': True } form = PageForm(data) self.assertTrue(form.is_valid(), form.errors.as_text()) # WTF? WHY DOES form.save() not handle this stuff??? instance = form.save() instance.permission_user_cache = user instance.permission_advanced_settings_cache = True Title.objects.set_or_create(request, instance, form, 'en') form = PageForm(data, instance=instance) self.assertTrue(form.is_valid(), form.errors.as_text())
def test_custom_perms(self): user = self.UserModel.objects.get(pk=self.user.pk) user.user_permissions = ['auth.test'] user.save() # reloading user to purge the _perm_cache user = self.UserModel.objects.get(pk=self.user.pk) self.assertEqual(user.get_all_permissions() == set(['auth.test']), True) self.assertEqual(user.get_group_permissions(), set([])) self.assertEqual(user.has_module_perms('Group'), False) self.assertEqual(user.has_module_perms('auth'), True) user.user_permissions.extend(['auth.test2', 'auth.test3']) user.save() user = self.UserModel.objects.get(pk=self.user.pk) self.assertEqual(user.get_all_permissions(), set(['auth.test2', 'auth.test', 'auth.test3'])) self.assertEqual(user.has_perm('test'), False) self.assertEqual(user.has_perm('auth.test'), True) self.assertEqual(user.has_perms(['auth.test2', 'auth.test3']), True) group = Group.objects.create(name='test_group') group.permissions = ['auth.test_group'] group.save() user.groups = [group] user.save() user = self.UserModel.objects.get(pk=self.user.pk) exp = set(['auth.test2', 'auth.test', 'auth.test3', 'auth.test_group']) self.assertEqual(user.get_all_permissions(), exp) self.assertEqual(user.get_group_permissions(), set(['auth.test_group'])) self.assertEqual(user.has_perms(['auth.test3', 'auth.test_group']), True) user = AnonymousUser() self.assertEqual(user.has_perm('test'), False) self.assertEqual(user.has_perms(['auth.test2', 'auth.test3']), False)
class AnonymousUserBackendTest(TestCase): """ Tests for AnonymousUser delegating to backend. """ backend = 'django.contrib.auth.tests.auth_backends.SimpleRowlevelBackend' def setUp(self): self.curr_auth = settings.AUTHENTICATION_BACKENDS settings.AUTHENTICATION_BACKENDS = (self.backend,) self.user1 = AnonymousUser() def tearDown(self): settings.AUTHENTICATION_BACKENDS = self.curr_auth def test_has_perm(self): self.assertEqual(self.user1.has_perm('perm', TestObj()), False) self.assertEqual(self.user1.has_perm('anon', TestObj()), True) def test_has_perms(self): self.assertEqual(self.user1.has_perms(['anon'], TestObj()), True) self.assertEqual(self.user1.has_perms(['anon', 'perm'], TestObj()), False) def test_has_module_perms(self): self.assertEqual(self.user1.has_module_perms("app1"), True) self.assertEqual(self.user1.has_module_perms("app2"), False) def test_get_all_permissions(self): self.assertEqual(self.user1.get_all_permissions(TestObj()), set(['anon']))
class BackendTestAnonymousUser(RubberStampTestCase): fixtures = ['users.json', 'objects.json', 'permissions.json', 'assigned.json', 'assigned_object.json'] def setUp(self): self.anon = AnonymousUser() self.user = User.objects.get(pk=2) self.object = TestModel.objects.get(pk=1) def test_no_type_or_object(self): self.assertFalse(self.anon.has_perm('testapp.use')) def test_with_type(self): self.assertFalse(self.anon.has_perm('testapp.use.testapp.testmodel')) def test_with_object(self): self.assertFalse(self.anon.has_perm('testapp.use', obj=self.object)) def test_with_both(self): self.assertFalse(self.anon.has_perm('testapp.use.testapp.testmodel', obj=self.object)) def test_with_both_mismatched(self): self.assertFalse(self.anon.has_perm('testapp.use.auth.user', obj=self.object)) self.assertFalse(self.anon.has_perm('testapp.use.testapp.testmodel', obj=self.user)) def test_has_module_perms(self): self.assertFalse(self.anon.has_module_perms('testapp')) def test_get_all(self): self.assertEqual(len(self.anon.get_all_permissions()), 0) self.assertEqual(len(self.anon.get_all_permissions(obj=self.object)), 0) self.assertEqual(len(self.anon.get_all_permissions(obj=self.user)), 0)
class AccountEditPermissionTestCase(TestCase): def setUp(self): self.user = PersonaFactory() self.anonymous = AnonymousUser() self.account = AccountFactory() def test_owner_cannot_change_account(self): '''Tests owners don't have change permission of Account''' self.assertFalse(self.account.user.has_perm('profiles.change_account', obj=self.account)) def test_others_cannot_change_account(self): '''Tests others don't have change permission of Account''' self.assertFalse(self.user.has_perm('profiles.change_account', obj=self.account)) def test_anonymous_cannot_change_account(self): '''Tests anonymous don't have change permission of Account''' self.assertFalse(self.anonymous.has_perm('profiles.change_account', obj=self.account)) def test_owner_can_delete_account(self): '''Tests owners have delete permission of Account''' self.assertTrue(self.account.user.has_perm('profiles.delete_account', obj=self.account)) def test_others_cannot_delete_account(self): '''Tests others don't have delete permission of Account''' self.assertFalse(self.user.has_perm('profiles.delete_account', obj=self.account)) def test_anonymous_cannot_delete_account(self): '''Tests anonymous don't have delete permission of Account''' self.assertFalse(self.anonymous.has_perm('profiles.delete_account', obj=self.account))
def render(self, context): user_obj = template.resolve_variable('user', context) obj = template.resolve_variable(self.objname, context) if not user_obj.is_authenticated: user_obj = AnonymousUser() context[self.varname] = user_obj.has_perm(self.codename, obj) return ''
class GroupObjectPermBackendTest(TestCase): def setUp(self): self.james = User.objects.create_user('james', '*****@*****.**', 'james') self.emily = User.objects.create_user('emily', '*****@*****.**', 'emily') self.peter = User.objects.create_user('peter', '*****@*****.**', 'peter') self.fread = AnonymousUser() self.manager = Group.objects.create(name='manager') self.editor = Group.objects.create(name='editor') self.james.groups.add(self.manager) self.james.groups.add(self.editor) self.emily.groups.add(self.editor) self.page = FlatPage.objects.create(url='/test/', title='test', content='James can see this content but emily.') # for checking permission for all authenticated user ObjectPermissionMediator.viewer(self.page, None) # for checking permission for particular group ObjectPermissionMediator.manager(self.page, self.manager) ObjectPermissionMediator.editor(self.page, self.editor) def test_permission(self): # James has view, change, delete self.assertTrue(self.james.has_perm('flatpages.view_flatpage', self.page)) self.assertTrue(self.james.has_perm('flatpages.change_flatpage', self.page)) self.assertTrue(self.james.has_perm('flatpages.delete_flatpage', self.page)) # Emliy has view, change but delete self.assertTrue(self.emily.has_perm('flatpages.view_flatpage', self.page)) self.assertTrue(self.emily.has_perm('flatpages.change_flatpage', self.page)) self.assertTrue(not self.emily.has_perm('flatpages.delete_flatpage', self.page)) # Peter has view self.assertTrue(self.peter.has_perm('flatpages.view_flatpage', self.page)) self.assertTrue(not self.peter.has_perm('flatpages.change_flatpage', self.page)) self.assertTrue(not self.peter.has_perm('flatpages.delete_flatpage', self.page)) # Fread never has any permission because he is not authenticated self.assertTrue(not self.fread.has_perm('flatpages.view_flatpage', self.page)) self.assertTrue(not self.fread.has_perm('flatpages.change_flatpage', self.page)) self.assertTrue(not self.fread.has_perm('flatpages.delete_flatpage', self.page))
def get_cached_user(request): from django.contrib.auth.models import AnonymousUser if not hasattr(request, '_cached_user'): try: key = CACHE_KEY % request.session[SESSION_KEY] user = cache.cache.get(key) except KeyError: user = AnonymousUser() else: if user is None: user = get_user(request) # Try to populate profile cache if profile is installed if profile_model: try: user.get_profile() # Handle exception for user with no profile and AnonymousUser except (profile_model.DoesNotExist, AttributeError): pass cache.cache.set(key, user) request._cached_user = user return request._cached_user
def read_detail( self, object_detail, bundle ): logged_in_user = bundle.request.user user = bundle.request.GET.get( 'user', None ) if object_detail.is_public: return True # Case 1: There is no logged in user and no user query provided. We don't # know what to query if logged_in_user.is_anonymous() and user is None: return False # Case 2: There *is* a logged in user and no user query. Query repos # that only belong to the currently logged in user if user is None and logged_in_user.is_authenticated(): public = AnonymousUser() return public.has_perm( 'view_repository', object_detail ) or logged_in_user.has_perm( 'view_repository', object_detail ) # Case 3: User query is provided. Check whether the public or the user has access # to this data. if user is not None: public = AnonymousUser() user = User.objects.get( username=user ) return public.has_perm( 'view_repository', object_detail ) or user.has_perm( 'view_repository', object_detail ) return False
def is_worker(request): json_data = json.loads(request.raw_post_data, strict=False) engine = import_module(settings.SESSION_ENGINE) try: session = engine.SessionStore(json_data['session_key']) except KeyError: json_response = json.dumps({"success": "false", "type": "badRequest"}) return HttpResponse(json_response, mimetype='application/json') try: worker = session[SESSION_KEY] sample_path = session[BACKEND_SESSION_KEY] sample = load_backend(sample_path) user = sample.get_user(worker) or AnonymousUser() except KeyError: user = AnonymousUser() if user.is_authenticated(): try: if user.worker: json_data['worker'] = user.worker return json_data except: return False
def get_user(request): def get_response(data): return HttpResponse(json.dumps(data), content_type="application/json") response_data = { 'errors': [], } try: session_key = request.GET['session_key'] except KeyError: response_data['errors'].append('Session key (session_key) not provided') return get_response(response_data) response_data['isAnonymous'] = True response_data['isSuperuser'] = False try: session = Session.objects.get(session_key=session_key) uid = session.get_decoded()['_auth_user_id'] user = User.objects.get(id=uid) except Session.DoesNotExist: response_data['errors'].append('Invalid session key') user = AnonymousUser() return get_response(response_data) response_data['isSuperuser'] = user.is_superuser response_data['isAnonymous'] = user.is_anonymous() if not user.is_anonymous(): response_data['userId'] = user.id return get_response(response_data)
def navigation(context, nav_id): """ Renders the nav and its nav items. This will call nav_item that will call itself recursively nesting the subnavs """ user = AnonymousUser() if 'user' in context: if isinstance(context['user'], User): user = context['user'] try: nav_id = Variable(nav_id) nav_id = nav_id.resolve(context) except: pass try: filters = get_query_filters(user, 'navs.view_nav') navs = Nav.objects.filter(filters).filter(id=nav_id) if user.is_authenticated(): if not user.profile.is_superuser: navs = navs.distinct() nav = navs[0] except: return None context.update({ "nav": nav, "items": nav.top_items, }) return context
def authenticate(self, token=None, request=None): """ Reads in a Facebook code and asks Facebook if it's valid and what user it points to. """ args = { 'client_id': settings.FACEBOOK_APP_ID, 'client_secret': settings.FACEBOOK_APP_SECRET, 'redirect_uri': request.build_absolute_uri( reverse('facebook_callback')), 'code': token, } # Get a legit access token target = urllib.urlopen( 'https://graph.facebook.com/oauth/access_token?' + urllib.urlencode(args)).read() response = cgi.parse_qs(target) access_token = response['access_token'][-1] # Read the user's profile information fb_profile = urllib.urlopen( 'https://graph.facebook.com/me?access_token=%s' % access_token) fb_profile = json.load(fb_profile) try: # Try and find existing user fb_user = UserProfile.objects.get(facebook_id=fb_profile['id']) user = fb_user.user # Update access_token fb_user.access_token = access_token fb_user.save() except UserProfile.DoesNotExist: # No existing user if getattr(settings, 'FACEBOOK_FORCE_SIGNUP', False): # No existing user, use anonymous user = AnonymousUser() user.username = username user.first_name = fb_profile['first_name'] user.last_name = fb_profile['last_name'] fb_user = UserProfile( facebook_id=fb_profile['id'], access_token=access_token ) user.facebookprofile = fb_user else: # No existing user, create one user = User.objects.create_user(fb_profile['id'], fb_profile['email']) user.first_name = fb_profile['first_name'] user.last_name = fb_profile['last_name'] # with django-primate User has one field called 'name' instead # of first_name and last_name user.name = u'%s %s' % (user.first_name, user.last_name) user.save() # Create the UserProfile fb_user = UserProfile(user=user, facebook_id=fb_profile['id'], access_token=access_token) fb_user.save() return user
class AnonymousUserBackendTest(TestCase): """ Tests for AnonymousUser delegating to backend if it has 'supports_anonymous_user' = True """ backend = "django.contrib.auth.tests.auth_backends.AnonymousUserBackend" def setUp(self): self.curr_auth = settings.AUTHENTICATION_BACKENDS settings.AUTHENTICATION_BACKENDS = (self.backend,) self.user1 = AnonymousUser() def tearDown(self): settings.AUTHENTICATION_BACKENDS = self.curr_auth def test_has_perm(self): self.assertEqual(self.user1.has_perm("perm", TestObj()), False) self.assertEqual(self.user1.has_perm("anon", TestObj()), True) def test_has_perms(self): self.assertEqual(self.user1.has_perms(["anon"], TestObj()), True) self.assertEqual(self.user1.has_perms(["anon", "perm"], TestObj()), False) def test_has_module_perms(self): self.assertEqual(self.user1.has_module_perms("app1"), True) self.assertEqual(self.user1.has_module_perms("app2"), False) def test_get_all_permissions(self): self.assertEqual(self.user1.get_all_permissions(TestObj()), set(["anon"]))
class RowlevelBackendTest(TestCase): backend = 'django.contrib.auth.tests.auth_backends.SimpleRowlevelBackend' def setUp(self): self.curr_auth = settings.AUTHENTICATION_BACKENDS settings.AUTHENTICATION_BACKENDS = self.curr_auth + (self.backend,) self.user1 = User.objects.create_user('test', '*****@*****.**', 'test') self.user2 = User.objects.create_user('test2', '*****@*****.**', 'test') self.user3 = AnonymousUser() self.user4 = User.objects.create_user('test4', '*****@*****.**', 'test') def tearDown(self): settings.AUTHENTICATION_BACKENDS = self.curr_auth def test_has_perm(self): self.assertEqual(self.user1.has_perm('perm', TestObj()), False) self.assertEqual(self.user2.has_perm('perm', TestObj()), True) self.assertEqual(self.user2.has_perm('perm'), False) self.assertEqual(self.user2.has_perms(['simple', 'advanced'], TestObj()), True) self.assertEqual(self.user3.has_perm('perm', TestObj()), False) self.assertEqual(self.user3.has_perm('anon', TestObj()), False) self.assertEqual(self.user3.has_perms(['simple', 'advanced'], TestObj()), False) def test_get_all_permissions(self): self.assertEqual(self.user1.get_all_permissions(TestObj()), set(['simple'])) self.assertEqual(self.user2.get_all_permissions(TestObj()), set(['simple', 'advanced'])) self.assertEqual(self.user2.get_all_permissions(), set([])) def test_get_group_permissions(self): content_type=ContentType.objects.get_for_model(Group) group = Group.objects.create(name='test_group') self.user4.groups.add(group) self.assertEqual(self.user4.get_group_permissions(TestObj()), set(['group_perm']))
def render(self, context): user = AnonymousUser() if 'user' in context: if isinstance(context['user'], User): user = context['user'] try: pk = Variable(self.pk) pk = pk.resolve(context) except: pk = self.pk try: filters = get_query_filters(user, 'navs.view_nav') nav = Nav.objects.filter(filters).filter(pk=pk) if user.is_authenticated(): if not user.profile.is_superuser: nav = nav.distinct() context[self.context_var] = nav[0] except: pass return unicode()
def nav(context, nav_id): """ Renders the nav from cache if not will use the navigation tag for rendering the nav """ user = AnonymousUser() if 'user' in context: if isinstance(context['user'], User): user = context['user'] try: filters = get_query_filters(user, 'navs.view_nav') navs = Nav.objects.filter(filters).filter(id=nav_id) if user.is_authenticated(): if not user.profile.is_superuser: navs = navs.distinct() nav_object = navs[0] nav = get_nav(nav_object.pk) if not nav: cache_nav(nav_object) except: return None context.update({ "cached": nav, "nav_id": nav_id, }) return context
class RowlevelBackendTest(TestCase): backend = "django.contrib.auth.tests.auth_backends.SimpleRowlevelBackend" def setUp(self): self.curr_auth = settings.AUTHENTICATION_BACKENDS settings.AUTHENTICATION_BACKENDS = self.curr_auth + (self.backend,) self.user1 = User.objects.create_user("test", "*****@*****.**", "test") self.user2 = User.objects.create_user("test2", "*****@*****.**", "test") self.user3 = AnonymousUser() self.user4 = User.objects.create_user("test4", "*****@*****.**", "test") def tearDown(self): settings.AUTHENTICATION_BACKENDS = self.curr_auth def test_has_perm(self): self.assertEqual(self.user1.has_perm("perm", TestObj()), False) self.assertEqual(self.user2.has_perm("perm", TestObj()), True) self.assertEqual(self.user2.has_perm("perm"), False) self.assertEqual(self.user2.has_perms(["simple", "advanced"], TestObj()), True) self.assertEqual(self.user3.has_perm("perm", TestObj()), False) self.assertEqual(self.user3.has_perm("anon", TestObj()), False) self.assertEqual(self.user3.has_perms(["simple", "advanced"], TestObj()), False) def test_get_all_permissions(self): self.assertEqual(self.user1.get_all_permissions(TestObj()), set(["simple"])) self.assertEqual(self.user2.get_all_permissions(TestObj()), set(["simple", "advanced"])) self.assertEqual(self.user2.get_all_permissions(), set([])) def test_get_group_permissions(self): content_type = ContentType.objects.get_for_model(Group) group = Group.objects.create(name="test_group") self.user4.groups.add(group) self.assertEqual(self.user4.get_group_permissions(TestObj()), set(["group_perm"]))
class ProductQuitPermissionTestCase(TestCase): def setUp(self): self.product = ProductFactory() self.user = PersonaFactory() self.wille = PersonaFactory(role='wille') self.anonymous = AnonymousUser() def test_anonymous_dont_have_quit_permission(self): ''' Test anonymous users do not have quit from product permission ''' self.assertFalse(self.anonymous.has_perm('products.quit_product')) def test_wille_dont_have_quit_permission(self): ''' Test wille users do not have quit from product permission ''' self.assertFalse(self.wille.has_perm('products.quit_product')) def test_general_user_have_quit_permission(self): ''' Test general user have quit from product permission ''' self.assertTrue(self.user.has_perm('products.quit_product')) def test_anonymous_dont_have_quit_permission_with_object(self): ''' Test anonymous users do not have quit from product permission ''' self.assertFalse(self.anonymous.has_perm('products.quit_product', self.product)) def test_wille_dont_have_quit_permission_with_object(self): ''' Test wille users do not have quit from product permission ''' self.assertFalse(self.wille.has_perm('products.quit_product', self.product)) def test_other_user_dont_have_quit_permission_with_object(self): ''' Test other user don't have quit from product permission ''' self.assertFalse(self.user.has_perm('products.quit_product', self.product)) def test_last_administrators_dont_have_quit_permission_with_object(self): ''' Test last_administrators don't have quit from product permission ''' self.product.administrators.add(self.user) self.assertEqual(self.product.administrators.count(), 1) self.assertFalse(self.user.has_perm('products.quit_product', self.product)) def test_administrators_have_quit_permission_with_object(self): ''' Test last_administrators have quit from product permission ''' other = PersonaFactory() self.product.administrators.add(self.user) self.product.administrators.add(other) self.assertTrue(self.user.has_perm('products.quit_product', self.product))
def get_user(request): from django.contrib.auth.models import AnonymousUser user = authenticate(request=request) if user is None: user = AnonymousUser() user.email, user.first_name = request["From"] return user
def test_loop_page_with_anonymous_user(self): """ Should redirect. """ hostname = Site.objects.filter(site_name='Loop')[0].hostname user = AnonymousUser() user.client = Client() response = user.client.get('/groups/web-content-group/', HTTP_HOST=hostname) self.assertEqual(response.status_code, 302)
def get_course_lti_endpoints(request, course_id): """ View that, given a course_id, returns the a JSON object that enumerates all of the LTI endpoints for that course. The LTI 2.0 result service spec at http://www.imsglobal.org/lti/ltiv2p0/uml/purl.imsglobal.org/vocab/lis/v2/outcomes/Result/service.html says "This specification document does not prescribe a method for discovering the endpoint URLs." This view function implements one way of discovering these endpoints, returning a JSON array when accessed. Arguments: request (django request object): the HTTP request object that triggered this view function course_id (unicode): id associated with the course Returns: (django response object): HTTP response. 404 if course is not found, otherwise 200 with JSON body. """ try: course_key = SlashSeparatedCourseKey.from_deprecated_string(course_id) except InvalidKeyError: return HttpResponse(status=404) try: course = get_course(course_key, depth=2) except ValueError: return HttpResponse(status=404) anonymous_user = AnonymousUser() anonymous_user.known = False # make these "noauth" requests like module_render.handle_xblock_callback_noauth lti_descriptors = modulestore().get_items(course.id, qualifiers={'category': 'lti'}) lti_noauth_modules = [ get_module_for_descriptor( anonymous_user, request, descriptor, FieldDataCache.cache_for_descriptor_descendents( course_key, anonymous_user, descriptor ), course_key ) for descriptor in lti_descriptors ] endpoints = [ { 'display_name': module.display_name, 'lti_2_0_result_service_json_endpoint': module.get_outcome_service_url( service_name='lti_2_0_result_rest_handler') + "/user/{anon_user_id}", 'lti_1_1_result_service_xml_endpoint': module.get_outcome_service_url( service_name='grade_handler'), } for module in lti_noauth_modules ] return HttpResponse(json.dumps(endpoints), content_type='application/json')
def test_anonymous_user(self): "Check the properties of the anonymous user" a = AnonymousUser() self.assertFalse(a.is_authenticated()) self.assertFalse(a.is_staff) self.assertFalse(a.is_active) self.assertFalse(a.is_superuser) self.assertEqual(a.groups.all().count(), 0) self.assertEqual(a.user_permissions.all().count(), 0)
def read_detail( self, object_detail, bundle ): logged_in_user = bundle.request.user if logged_in_user.is_anonymous(): return object_detail.is_public or logged_in_user.has_perm( 'view_data', object_detail ) if logged_in_user.is_authenticated(): public = AnonymousUser() return public.has_perm( 'view_data', object_detail ) or logged_in_user.has_perm( 'view_data', object_detail )
def update_hitcount(session_key, ip_address, user_agent, username, app_label, model, object_id): try: user = User.objects.get(username=username) except ObjectDoesNotExist: user = AnonymousUser() ctype = ContentType.objects.get(app_label=app_label, model=model) hitcount, created = HitCount.objects.get_or_create( content_type=ctype, object_pk=object_id) hits_per_ip_limit = getattr(settings, 'HITCOUNT_HITS_PER_IP_LIMIT', 0) exclude_user_group = getattr(settings, 'HITCOUNT_EXCLUDE_USER_GROUP', None) # first, check our request against the blacklists before continuing if BlacklistIP.objects.filter(ip__exact=ip_address) or \ BlacklistUserAgent.objects.filter(user_agent__exact=user_agent): return False # second, see if we are excluding a specific user group or not if exclude_user_group and user.is_authenticated(): if user.groups.filter(name__in=exclude_user_group): return False # start with a fresh active query set (HITCOUNT_KEEP_HIT_ACTIVE ) qs = Hit.objects.filter_active() # check limit on hits from a unique ip address (HITCOUNT_HITS_PER_IP_LIMIT) if hits_per_ip_limit: if qs.filter(ip__exact=ip_address).count() > hits_per_ip_limit: return False # create a generic Hit object with request data hit = Hit(session=session_key, hitcount=hitcount, ip=ip_address, user_agent=user_agent) # first, use a user's authentication to see if they made an earlier hit if user.is_authenticated(): if not qs.filter(user=user, hitcount=hitcount): hit.user = user # associate this hit with a user hit.save() return True # if not authenticated, see if we have a repeat session else: if not qs.filter(session=session_key, hitcount=hitcount): hit.save() return True return False
def authenticate(self, token=None, request=None): """ Reads in a Facebook code and asks Facebook if it's valid and what user it points to. """ args = { "client_id": settings.FACEBOOK_APP_ID, "client_secret": settings.FACEBOOK_APP_SECRET, "redirect_uri": request.build_absolute_uri("/facebook/authentication_callback"), "code": token, } # Get a legit access token target = urllib.urlopen("https://graph.facebook.com/oauth/access_token?" + urllib.urlencode(args)).read() response = cgi.parse_qs(target) access_token = response["access_token"][-1] # Read the user's profile information fb_profile = urllib.urlopen("https://graph.facebook.com/me?access_token=%s" % access_token) fb_profile = json.load(fb_profile) try: # Try and find existing user fb_user = FacebookProfile.objects.get(facebook_id=fb_profile["id"]) user = fb_user.user # Update access_token fb_user.access_token = access_token fb_user.save() except FacebookProfile.DoesNotExist: # No existing user # Not all users have usernames username = fb_profile.get("username", fb_profile["id"]) if getattr(settings, "FACEBOOK_FORCE_SIGNUP", False): # No existing user, use anonymous user = AnonymousUser() user.username = username user.first_name = fb_profile["first_name"] user.last_name = fb_profile["last_name"] fb_user = FacebookProfile(facebook_id=fb_profile["id"], access_token=access_token) user.facebookprofile = fb_user else: # No existing user, create one try: user = User.objects.create_user(username, fb_profile["email"]) except IntegrityError: # Username already exists, make it unique user = User.objects.create_user(username + fb_profile["id"], fb_profile["email"]) user.first_name = fb_profile["first_name"] user.last_name = fb_profile["last_name"] user.save() # Create the FacebookProfile fb_user = FacebookProfile(user=user, facebook_id=fb_profile["id"], access_token=access_token) fb_user.save() return user
def has_perm(self, user_obj, perm, obj=None): ''' main method, calls other methods based on permission type queried ''' if not user_obj.is_authenticated(): allowed_tokens = getattr(user_obj, 'allowed_tokens', []) user_obj = AnonymousUser() user_obj.allowed_tokens = allowed_tokens if obj is None: return False try: perm_label, perm_type = perm.split('.') perm_action, perm_ct = perm_type.split('_') except: return False if perm_label != self.app_label: return False ct = ContentType.objects.get_for_model(obj) if ct.name != perm_ct: return False method_name = '_has_%s_perm' % perm_action # run any custom perms per model, continue if not None # allows complete overriding of standard authorisation, eg for public # experiments model_spec_perm = getattr(obj, method_name, lambda *args, **kwargs: None)(user_obj) if type(model_spec_perm) == bool: return model_spec_perm #get_acls obj_acls = ObjectACL.objects.filter( content_type=ct, object_id=obj.id).filter( self.get_perm_bool(perm_action)).filter( ObjectACL.get_effective_query()) query = Q(pluginId='django_user', entityId=str(user_obj.id)) if user_obj.is_authenticated(): for name, group in user_obj.get_profile().ext_groups: query |= Q(pluginId=name, entityId=str(group)) else: # the only authorisation available for anonymous users is tokenauth tgp = TokenGroupProvider() for name, group in tgp.getGroups(user_obj): query |= Q(pluginId=name, entityId=str(group)) return obj_acls.filter(query).count() > 0
def test_get_contents_for_unauthenticated_user(self): user = AnonymousUser() contents = Content.get_contents_for_user(self.ids, user) self.assertEqual(set(contents), {self.public_content})
def test_register_unauthenticated(self): path = reverse('register') request = self.factory.get(path) request.user = AnonymousUser() response = register(request) assert response.status_code == 200
def anonymous_user(): return AnonymousUser()
def test_logged_out_default(self): request = self.rf.get('/foo') request.user = AnonymousUser() view = permission_required('perm')(simple_view) response = view(request) eq_(302, response.status_code)
def test_csrf_rotation(self): info_mock = self.info(AnonymousUser()) decorators.csrf_rotation(lambda cls, root, info, *args, **kwargs: None, )(self, None, info_mock) self.assertTrue(info_mock.context.csrf_cookie_needs_reset)
def setUp(self): # This is run before every test self.admin_user = f.AdminUserFactory.create() self.anon_user = AnonymousUser() self.permission_view = 'view_accountsubscriptionpause' self.permission_add = 'add_accountsubscriptionpause' self.permission_change = 'change_accountsubscriptionpause' self.permission_delete = 'delete_accountsubscriptionpause' self.variables_create = { "input": { "dateStart": "2019-01-01", "dateEnd": "2019-01-31", "description": "Test description" } } self.variables_update = { "input": { "dateStart": "2019-01-01", "dateEnd": "2019-01-31", "description": "Test description" } } self.subscription_pauses_query = ''' query AccountSubscriptionPauses($before: String, $after: String, $accountSubscription: ID!) { accountSubscriptionPauses(first: 20, before: $before, after: $after, accountSubscription: $accountSubscription) { pageInfo { hasNextPage hasPreviousPage startCursor endCursor } edges { node { id accountSubscription { id } dateStart dateEnd description createdAt } } } } ''' self.subscription_pause_query = ''' query AccountSubscriptionPause($id: ID!) { accountSubscriptionPause(id:$id) { id accountSubscription { id } dateStart dateEnd description } } ''' self.subscription_pause_create_mutation = ''' mutation CreateAccountSubscriptionPause($input:CreateAccountSubscriptionPauseInput!) { createAccountSubscriptionPause(input: $input) { accountSubscriptionPause { id accountSubscription { id } dateStart dateEnd description } } } ''' self.subscription_pause_update_mutation = ''' mutation UpdateAccountSubscriptionPause($input:UpdateAccountSubscriptionPauseInput!) { updateAccountSubscriptionPause(input: $input) { accountSubscriptionPause { id accountSubscription { id } dateStart dateEnd description } } } ''' self.subscription_pause_delete_mutation = '''
def __call__(self, request): try: x_forwarded_for = request.META['HTTP_X_FORWARDED_FOR'] request_ip = x_forwarded_for.split(',')[-1].strip() except: request_ip = request.META['REMOTE_ADDR'] banned_ip = BannedIP.objects.filter(ip=request_ip) if banned_ip.exists(): if time() - banned_ip[0].time_banned > settings.BANNED_IP_EXPIRE_TIME: banned_ip.delete() else: return HttpResponseForbidden('%s %s' % (banned_ip[0].log, 'please wait {} seconds.'.format(settings.BANNED_IP_EXPIRE_TIME-int(time()-banned_ip[0].time_banned)))) user_agent = request.META['HTTP_USER_AGENT'] user = request.user session_key = request.session.session_key if user == AnonymousUser(): user = None request_data = RequestData(ip=request_ip, user_agent=user_agent, user=user, session_key=session_key, time=time()) request_data.save() if user and user.is_authenticated: same_user_visitors = RequestData.objects.filter(user=user).exclude(ip=request_ip) if same_user_visitors.count() > 0: Session.objects.filter(session_key__in=same_user_visitors.values_list('session_key', flat=True)).delete() same_user_visitors.delete() N = settings.REQUEST_LIMIT_NUMBER H = settings.REQUEST_LIMIT_TIME request_queryset = RequestData.objects.filter(ip=request_ip).order_by('time') requests = list(request_queryset) delete_early_requests = False if len(requests) >= N: time_spread = requests[-1].time - requests[0].time if (time_spread < H): BannedIP.objects.create(ip=request_ip, time_banned=time(), log='sent {} requests in {} seconds.'.format(len(requests), time_spread)) request_queryset.delete() else: delete_early_requests = True response = self.get_response(request) if response.status_code == 401 or response.status_code == 403: request_data.authorized = False request_data.save() request_queryset = RequestData.objects.filter(ip=request_ip).order_by('time') requests = list(request_queryset) for i in range(len(requests)): n = 0 while i < len(requests) and not requests[i].authorized: n += 1 i += 1 if n >= N: BannedIP.objects.create(ip=request_ip, time_banned=time(), log='sent {} consecutive unauthorized requests.'.format(n)) request_queryset.delete() delete_early_requests = False if delete_early_requests: for i in range(0, len(requests)-N+1): request_queryset[0].delete() return response
def test_get_loginview(auth_source, rf): request = rf.get('/login') request.user = AnonymousUser() response = views.MPASSLoginView.as_view()(request) assert response.status_code == 200 response.render()
monkeypatch.setattr(Checkout, 'shipping_method', shipping_method_mock) checkout = Checkout( cart, AnonymousUser(), 'tracking_code') deliveries = list(checkout.deliveries) assert deliveries[0][1] == Price( shipping_cost, currency=settings.DEFAULT_CURRENCY) assert deliveries[0][2] == Price( items_cost + shipping_cost, currency=settings.DEFAULT_CURRENCY) assert deliveries[0][0][0][0] == partition @pytest.mark.parametrize('user, shipping', [ (Mock(default_shipping_address='user_shipping'), 'user_shipping'), (AnonymousUser(), None)]) def test_checkout_shipping_address_with_anonymous_user(user, shipping): checkout = Checkout(Mock(), user, 'tracking_code') assert checkout._shipping_address is None assert checkout.shipping_address == shipping assert checkout._shipping_address == shipping @pytest.mark.parametrize('address_objects, shipping', [ (Mock(get=Mock(return_value='shipping')), 'shipping'), (Mock(get=Mock(side_effect=Address.DoesNotExist)), None)]) def test_checkout_shipping_address_with_storage( address_objects, shipping, monkeypatch): monkeypatch.setattr( 'saleor.checkout.core.Address.objects', address_objects) checkout = Checkout(Mock(), AnonymousUser(), 'tracking_code')
def test_checkout_version(): checkout = Checkout(Mock(), AnonymousUser(), 'tracking_code') storage = checkout.for_storage() assert storage['version'] == Checkout.VERSION
def test_index_view_unauthenticated(self): request = self.factory.get('/index.html') request.user = AnonymousUser() response = index(request) self.assertEqual(response.status_code, 200)
def test_checkout_is_shipping_required(): cart = Mock(is_shipping_required=Mock(return_value=True)) checkout = Checkout(cart, AnonymousUser(), 'tracking_code') assert checkout.is_shipping_required is True
def test_checkout_discount(request_cart, sale, product_in_stock): variant = product_in_stock.variants.get() request_cart.add(variant, 1) checkout = Checkout(request_cart, AnonymousUser(), 'tracking_code') assert checkout.get_total() == Price(currency="USD", net=5)
def test_checkout_version_with_from_storage(storage_data, expected_storage): checkout = Checkout.from_storage( storage_data, Mock(), AnonymousUser(), 'tracking_code') storage = checkout.for_storage() assert storage == expected_storage
def test_delete_view_redirects(self, foe: Foe, rf: RequestFactory): request = rf.get(reverse("foes:delete", kwargs={"uuid": foe.uuid})) request.user = AnonymousUser() response = foe_delete_view(request, uuid=foe.uuid) assert response.status_code == 302 assert response.url == f"/accounts/login/?next=/foes/{foe.uuid}/delete/"
def test_display_profile_not_ok(self): request = self.factory.get(reverse("profile")) request.user = AnonymousUser() response = profile(request) self.assertEqual(response.status_code, 302)
def setUp(self): """ """ session = SessionStore() rf = RequestFactory() self.request = rf.get('/') self.request.session = session self.request.user = AnonymousUser() tax = Tax.objects.create(rate=19) discount = Discount.objects.create(name="Summer", value=10.0, type=0, tax=tax) shipping_method = ShippingMethod.objects.create(name="Standard", active=True, price=1.0, tax=tax) payment_method = PaymentMethod.objects.create( name="Direct Debit", active=True, tax=tax, ) us = Country.objects.get(code="us") address1 = Address.objects.create( firstname="John", lastname="Doe", company_name="Doe Ltd.", line1="Street 42", city="Gotham City", zip_code="2342", country=us, phone="555-111111", email="*****@*****.**", ) self.customer = Customer.objects.create( session=session.session_key, selected_shipping_method=shipping_method, selected_payment_method=payment_method, selected_shipping_address=address1, selected_invoice_address=address1, ) self.p1 = Product.objects.create( name="Product 1", slug="product-1", sku="sku-1", price=1.1, tax=tax, active=True, ) self.p2 = Product.objects.create( name="Product 2", slug="product-2", sku="sku-2", price=2.2, tax=tax, active=True, ) cart = Cart.objects.create(session=session.session_key) item = CartItem.objects.create( cart=cart, product=self.p1, amount=2, ) item = CartItem.objects.create( cart=cart, product=self.p2, amount=3, )
def collection_data(collection): request = RequestFactory().get('/') request.user = AnonymousUser() request.REGION = RESTOFWORLD return ShortAppsCollectionSerializer(collection, context={'request': request}).data
def has_access(user, action, obj, course_key=None): """ Check whether a user has the access to do action on obj. Handles any magic switching based on various settings. Things this module understands: - start dates for modules - visible_to_staff_only for modules - DISABLE_START_DATES - different access for instructor, staff, course staff, and students. user: a Django user object. May be anonymous. If none is passed, anonymous is assumed obj: The object to check access for. A module, descriptor, location, or certain special strings (e.g. 'global') action: A string specifying the action that the client is trying to perform. actions depend on the obj type, but include e.g. 'enroll' for courses. See the type-specific functions below for the known actions for that type. course_key: A course_key specifying which course run this access is for. Required when accessing anything other than a CourseDescriptor, 'global', or a location with category 'course' Returns a bool. It is up to the caller to actually deny access in a way that makes sense in context. """ # Just in case user is passed in as None, make them anonymous if not user: user = AnonymousUser() # delegate the work to type-specific functions. # (start with more specific types, then get more general) if isinstance(obj, CourseDescriptor): return _has_access_course_desc(user, action, obj) if isinstance(obj, ErrorDescriptor): return _has_access_error_desc(user, action, obj, course_key) if isinstance(obj, XModule): return _has_access_xmodule(user, action, obj, course_key) # NOTE: any descriptor access checkers need to go above this if isinstance(obj, XBlock): return _has_access_descriptor(user, action, obj, course_key) if isinstance(obj, CourseKey): return _has_access_course_key(user, action, obj) if isinstance(obj, UsageKey): return _has_access_location(user, action, obj, course_key) if isinstance(obj, basestring): return _has_access_string(user, action, obj, course_key) # Passing an unknown object here is a coding error, so rather than # returning a default, complain. raise TypeError("Unknown object type in has_access(): '{0}'".format( type(obj)))
def get_user(request): if hasattr(request, 'user') and request.user.__class__ != AnonymousUser: return request.user else: return AnonymousUser()
def test_permission_denied(self): func = decorators.login_required(lambda info: None) with self.assertRaises(exceptions.PermissionDenied): func(self.info(AnonymousUser()))
def test_anonymous(self): self.request.user = AnonymousUser() self.client.logout() assert not check_addon_ownership(self.request, self.addon)
def test_logged_out_default(self): request = self.rf.get('/foo') request.user = AnonymousUser() view = logout_required(simple_view) response = view(request) eq_(200, response.status_code)
def anonymous_checkout(): return Checkout(Mock(), AnonymousUser(), 'tracking_code')
def test_profile_unauthenticated(self): path = reverse('profile') request = self.factory.get(path) request.user = AnonymousUser() response = profile(request) assert 'login' in response.url
def create_anonymous(**kwargs): from django.contrib.auth.models import AnonymousUser return AnonymousUser(**kwargs)
def setUp(self): super(TestRebindModule, self).setUp() self.homework = self.add_graded_section_to_course('homework') self.lti = ItemFactory.create(category='lti', parent=self.homework) self.user = UserFactory.create() self.anon_user = AnonymousUser()
def test_create_view_redirects(self, rf: RequestFactory): request = rf.get(reverse("foes:create")) request.user = AnonymousUser() response = foe_create_view(request) assert response.status_code == 302 assert response.url == "/accounts/login/?next=/foes/create/"
def test_checkout_clear_storage(): checkout = Checkout(Mock(), AnonymousUser(), 'tracking_code') checkout.storage['new'] = 1 checkout.clear_storage() assert checkout.storage is None assert checkout.modified is True
def test_note_form(note_value): checkout = Checkout(Mock(), AnonymousUser(), 'tracking_code') form = NoteForm({'note': note_value}, checkout=checkout) form.is_valid() form.set_checkout_note() assert checkout.note == note_value.strip()