def get_queryset(self):
    """Return the FacilityUsers this view may expose.

    A request carrying a valid app key gets every FacilityUser (the app needs
    the usernames for its list display). Any other caller is limited to
    learners whose facility dataset allows password-less login, who hold no
    role, and who do not have superuser device permissions.

    NOTE(review): the restricted list is still reachable without credentials
    when the no-password setting is on; that is the intended learner picker,
    but it is a username-enumeration surface — confirm the view's permission
    class is what you expect.
    """
    request = self.request
    if valid_app_key_on_request(request):
        # Trusted app context: full list so usernames can be displayed.
        return FacilityUser.objects.all()

    passwordless_learners = FacilityUser.objects.filter(
        dataset__learner_can_login_with_no_password=True, roles=None
    )
    # Exclude superusers; users with no devicepermissions row are kept.
    not_superuser = Q(devicepermissions__is_superuser=False) | Q(
        devicepermissions__isnull=True
    )
    return passwordless_learners.filter(not_superuser)
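def get_session_response(self, request):
    """Build the session payload for ``request`` and return it as a Response.

    The payload is ``request.user.session_data`` extended with a fixed
    ``id`` ("current"), the server time and ``app_context`` (whether the
    request carries a valid app key).

    Side effects:
      * anonymous users get (or keep) a ``visitor_id`` cookie valid one year;
      * authenticated users have ``last_session_request`` refreshed on the
        Django session so the server-side timeout is pushed back;
      * for an active FacilityUser, ``UserSessionLog.update_log`` records the
        user agent.
    """
    user = request.user
    session = user.session_data
    session.update(
        {
            "id": "current",
            "server_time": now(),
            "app_context": valid_app_key_on_request(request),
        }
    )
    # datetime.utcnow() is deprecated from Python 3.12; presumably set_cookie
    # treats the naive value as UTC — confirm before switching to an aware
    # datetime (would need a timezone import).
    visitor_cookie_expiry = datetime.utcnow() + timedelta(days=365)

    if isinstance(user, AnonymousUser):
        response = Response(session)
        # Keep an existing visitor_id, otherwise mint a fresh one. The incoming
        # value is client-controlled and is echoed back unchanged.
        visitor_id = request.COOKIES.get("visitor_id") or uuid4().hex
        # NOTE(review): no httponly/secure/samesite flags are set on this
        # cookie; add them unless front-end code must read it — confirm.
        response.set_cookie("visitor_id", visitor_id, expires=visitor_cookie_expiry)
        return response

    # Touch the session for logged-in users only; anonymous users have no
    # session that could time out.
    request.session["last_session_request"] = int(time.time())
    # Active unless the query string sets ``active`` to anything but "true".
    active = request.GET.get("active", "true") == "true"
    # Session logs exist only for FacilityUsers.
    if active and isinstance(user, FacilityUser):
        user_agent = request.META.get("HTTP_USER_AGENT", "")
        UserSessionLog.update_log(user, user_agent)
    return Response(session)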
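def create(self, request):
    """Handle POST: authenticate a FacilityUser and start a session.

    Reads ``username``, ``password`` and ``facility`` from ``request.data``.
    On success the user is logged in with Django's ``login`` (which normally
    cycles the session key, mitigating session fixation) and the session
    payload from ``get_session_response`` is returned.

    Error responses are a one-element list ``[{"id": ..., "metadata": {...}}]``:
      * INVALID_CREDENTIALS (401) — bad credentials, inactive user, or a
        request without a valid app key while the app plugin is enabled and
        other browsers are not allowed to connect;
      * PASSWORD_NOT_SPECIFIED (400) — the username matches a user whose
        stored password is the "NOT_SPECIFIED" sentinel;
      * MISSING_PASSWORD (400) — the username matches but no password was sent.

    NOTE(review): the two 400 branches confirm that a username exists in the
    facility before any password is verified. That is a deliberate prompt-for-
    password UX, but it is a username-enumeration surface; confirm that rate
    limiting is applied to this endpoint elsewhere.
    """
    username = request.data.get("username", "")
    password = request.data.get("password", "")
    facility_id = request.data.get("facility", None)

    def _error(error_id, http_status, metadata=None):
        # Every error body has the same shape; build it in one place.
        return Response(
            [{"id": error_id, "metadata": metadata or {}}], status=http_status
        )

    # Only enforce this when running in an app: without a valid app key the
    # login is refused unless other browsers are explicitly allowed.
    if (
        interface.enabled
        and not allow_other_browsers_to_connect()
        and not valid_app_key_on_request(request)
    ):
        return _error(
            error_constants.INVALID_CREDENTIALS, status.HTTP_401_UNAUTHORIZED
        )

    # Look the user up (case-insensitive username) so the error branches can
    # tell "unknown user" from "known user, password problem". Only
    # ObjectDoesNotExist is handled: two users in one facility differing only
    # by case would make .get() raise MultipleObjectsReturned — presumably
    # prevented by model validation, confirm.
    try:
        unauthenticated_user = FacilityUser.objects.get(
            username__iexact=username, facility=facility_id
        )
    except ObjectDoesNotExist:
        unauthenticated_user = None

    user = authenticate(username=username, password=password, facility=facility_id)
    if user is not None and user.is_active:
        # Correct password and the account is active: establish the session.
        login(request, user)
        return self.get_session_response(request)

    if (
        unauthenticated_user is not None
        and unauthenticated_user.password == "NOT_SPECIFIED"
    ):
        # Learner created while "Require learners to log in with password" was
        # disabled; the setting is on again, so a password must be set first.
        return _error(
            error_constants.PASSWORD_NOT_SPECIFIED,
            status.HTTP_400_BAD_REQUEST,
            {
                "field": "password",
                "message": "Username is valid, but password needs to be set before login.",
            },
        )

    # The record fetched above already answers "does this username exist"; the
    # original re-ran the same lookup as a second exists() query.
    if not password and unauthenticated_user is not None:
        # Username matches but no password was sent: prompt for one.
        return _error(
            error_constants.MISSING_PASSWORD,
            status.HTTP_400_BAD_REQUEST,
            {
                "field": "password",
                "message": "Username is valid, but password is missing.",
            },
        )

    # Anything else (unknown user, wrong password, inactive account) is a
    # generic failure so nothing further is revealed.
    return _error(error_constants.INVALID_CREDENTIALS, status.HTTP_401_UNAUTHORIZED)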
def has_permission(self, request, view):
    """Allow the request only if it carries a valid app key.

    ``view`` is part of the permission-class signature but is not consulted;
    the decision is exactly ``valid_app_key_on_request(request)``.
    """
    app_key_is_valid = valid_app_key_on_request(request)
    return app_key_is_valid