def authenticate(self, remote_user, shib_meta):
"""
The username passed as ``remote_user`` is considered trusted. This
method simply returns the ``User`` object with the given username,
creating a new ``User`` object if ``create_unknown_user`` is ``True``.
Returns None if ``create_unknown_user`` is ``False`` and a ``User``
object with the given username is not found in the database.
"""
if not remote_user:
return
username = self.clean_username(remote_user)
local_ccnet_users = ccnet_api.search_emailusers('DB', username, -1, -1)
if not local_ccnet_users:
local_ccnet_users = ccnet_api.search_emailusers(
'LDAP', username, -1, -1)
if not local_ccnet_users:
if self.create_unknown_user:
user = User.objects.create_user(
email=username, is_active=self.activate_after_creation)
if user and self.activate_after_creation is False:
notify_admins_on_activate_request(user.email)
# Do not send follwing registration finished email (if any)
# which will cause confusion.
return user
if user and settings.NOTIFY_ADMIN_AFTER_REGISTRATION is True:
notify_admins_on_register_complete(user.email)
else:
user = None
return user
def authenticate(self, remote_user):
"""
The username passed as ``remote_user`` is considered trusted. This
method simply returns the ``User`` object with the given username,
creating a new ``User`` object if ``create_unknown_user`` is ``True``.
Returns None if ``create_unknown_user`` is ``False`` and a ``User``
object with the given username is not found in the database.
"""
if not remote_user:
return
username = self.clean_username(remote_user)
try:
user = User.objects.get(email=username)
except User.DoesNotExist:
if self.create_unknown_user:
user = User.objects.create_user(
email=username, is_active=self.activate_after_creation)
if user and self.activate_after_creation is False:
notify_admins_on_activate_request(user.email)
if user and settings.NOTIFY_ADMIN_AFTER_REGISTRATION is True:
notify_admins_on_register_complete(user.email)
else:
user = None
return user
def token_view(request, token):
"""Show form to let user set password.
"""
i = get_object_or_404(Invitation, token=token)
if i.is_expired():
raise Http404
if request.method == 'GET':
try:
user = User.objects.get(email=i.accepter)
if user.is_active is True:
# user is active return exist
messages.error(request, _('A user with this email already exists.'))
except User.DoesNotExist:
pass
return render(request, 'invitations/token_view.html', {'iv': i, })
if request.method == 'POST':
passwd = request.POST.get('password', '')
if not passwd:
return HttpResponseRedirect(request.META.get('HTTP_REFERER'))
try:
user = User.objects.get(email=i.accepter)
if user.is_active is True:
# user is active return exist
messages.error(request, _('A user with this email already exists.'))
return render(request, 'invitations/token_view.html', {'iv': i, })
else:
# user is inactive then set active and new password
user.set_password(passwd)
user.is_active = True
user.save()
user = authenticate(username=user.username, password=passwd)
except User.DoesNotExist:
# Create user, set that user as guest.
user = User.objects.create_user(
email=i.accepter, password=passwd, is_active=True)
User.objects.update_role(user.username, GUEST_USER)
for backend in get_backends():
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
# Update invitation accept time.
i.accept()
# login
auth_login(request, user)
# send signal to notify inviter
accept_guest_invitation_successful.send(
sender=None, invitation_obj=i)
# send email to notify admin
if NOTIFY_ADMIN_AFTER_REGISTRATION:
notify_admins_on_register_complete(user.email)
return HttpResponseRedirect(SITE_ROOT)
def authenticate(self, request=None, remote_user=None):
"""
The username passed as ``remote_user`` is considered trusted. This
method simply returns the ``User`` object with the given username,
creating a new ``User`` object if ``create_unknown_user`` is ``True``.
Returns None if ``create_unknown_user`` is ``False`` and a ``User``
object with the given username is not found in the database.
"""
if not remote_user or not request:
return None
username = self.clean_username(remote_user)
# get user from ccnet
user = self.get_user(username)
if not user:
# when user doesn't exist
if not self.create_unknown_user:
logger.error('User %s not found.' % username)
return None
try:
user = User.objects.create_user(email=username,
is_active=self.auto_activate)
if not self.auto_activate:
notify_admins_on_activate_request(username)
elif settings.NOTIFY_ADMIN_AFTER_REGISTRATION:
notify_admins_on_register_complete(username)
except Exception as e:
logger.error(e)
return None
if not self.user_can_authenticate(user):
logger.error('User %s is not active' % username)
return None
# update user info after authenticated
try:
self.configure_user(request, user)
except Exception as e:
logger.error(e)
return None
# get user again with updated extra info after configure
return self.get_user(username)
def token_view(request, token):
"""Show form to let user set password.
"""
i = get_object_or_404(Invitation, token=token)
if i.is_expired():
raise Http404
if request.method == 'POST':
passwd = request.POST.get('password', '')
if not passwd:
return HttpResponseRedirect(request.META.get('HTTP_REFERER'))
try:
User.objects.get(email=i.accepter)
messages.error(request, _('A user with this email already exists.'))
except User.DoesNotExist:
# Create user, set that user as guest, and log user in.
u = User.objects.create_user(email=i.accepter, password=passwd,
is_active=True)
User.objects.update_role(u.username, GUEST_USER)
i.accept() # Update invitaion accept time.
for backend in get_backends():
u.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
auth_login(request, u)
# send signal to notify inviter
accept_guest_invitation_successful.send(
sender=None, invitation_obj=i)
# send email to notify admin
if NOTIFY_ADMIN_AFTER_REGISTRATION:
notify_admins_on_register_complete(u.email)
return HttpResponseRedirect(SITE_ROOT)
return render(request, 'invitations/token_view.html', {
'iv': i,
})
def token_view(request, token):
"""Show form to let user set password.
"""
i = get_object_or_404(Invitation, token=token)
if i.is_expired():
raise Http404
if request.method == 'GET':
try:
user = User.objects.get(email=i.accepter)
if user.is_active is True:
# user is active return exist
messages.error(request,
_('A user with this email already exists.'))
except User.DoesNotExist:
pass
return render(request, 'invitations/token_view.html', {
'iv': i,
})
if request.method == 'POST':
passwd = request.POST.get('password', '')
if not passwd:
return HttpResponseRedirect(request.META.get('HTTP_REFERER'))
try:
user = User.objects.get(email=i.accepter)
if user.is_active is True:
# user is active return exist
messages.error(request,
_('A user with this email already exists.'))
return render(request, 'invitations/token_view.html', {
'iv': i,
})
else:
# user is inactive then set active and new password
user.set_password(passwd)
user.is_active = True
user.save()
user = authenticate(username=user.username, password=passwd)
except User.DoesNotExist:
# Create user, set that user as guest.
user = User.objects.create_user(email=i.accepter,
password=passwd,
is_active=True)
User.objects.update_role(user.username, GUEST_USER)
for backend in get_backends():
user.backend = "%s.%s" % (backend.__module__,
backend.__class__.__name__)
# Update invitation accept time.
i.accept()
# login
auth_login(request, user)
# send signal to notify inviter
accept_guest_invitation_successful.send(sender=None, invitation_obj=i)
# send email to notify admin
if NOTIFY_ADMIN_AFTER_REGISTRATION:
notify_admins_on_register_complete(user.email)
# repo share invitation
try:
shared_queryset = RepoShareInvitation.objects.list_by_invitation(
invitation=i)
accepter = i.accepter
for shared_obj in shared_queryset:
repo_id = shared_obj.repo_id
path = shared_obj.path
permission = shared_obj.permission
inviter = shared_obj.invitation.inviter
# recourse check
repo = seafile_api.get_repo(repo_id)
if not repo:
logger.warning(
'[ %s ] repo not found when [ %s ] accepts the invitation to share repo'
) % (repo_id, accepter)
continue
if seafile_api.get_dir_id_by_path(repo.id, path) is None:
logger.warning(
'[ %s ][ %s ] dir not found when [ %s ] accepts the invitation to share repo'
) % (repo_id, path, accepter)
continue
repo_owner = seafile_api.get_repo_owner(repo_id)
share_dir_to_user(repo, path, repo_owner, inviter, accepter,
permission, None)
send_perm_audit_msg('modify-repo-perm', inviter, accepter,
repo_id, path, permission)
# delete
shared_queryset.delete()
except Exception as e:
logger.error(e)
return HttpResponseRedirect(SITE_ROOT)
def authenticate(self,
session_info=None,
attribute_mapping=None,
create_unknown_user=True,
**kwargs):
if session_info is None or attribute_mapping is None:
logger.error('Session info or attribute mapping are None')
return None
if 'ava' not in session_info:
logger.error('"ava" key not found in session_info')
return None
attributes = session_info['ava']
if not attributes:
logger.error('The attributes dictionary is empty')
use_name_id_as_username = getattr(settings,
'SAML_USE_NAME_ID_AS_USERNAME',
False)
django_user_main_attribute = getattr(
settings, 'SAML_DJANGO_USER_MAIN_ATTRIBUTE', 'username')
django_user_main_attribute_lookup = getattr(
settings, 'SAML_DJANGO_USER_MAIN_ATTRIBUTE_LOOKUP', '')
logger.debug('attributes: %s', attributes)
saml_user = None
if use_name_id_as_username:
if 'name_id' in session_info:
logger.debug('name_id: %s', session_info['name_id'])
saml_user = session_info['name_id'].text
else:
logger.error(
'The nameid is not available. Cannot find user without a nameid.'
)
else:
logger.debug('attribute_mapping: %s', attribute_mapping)
for saml_attr, django_fields in list(attribute_mapping.items()):
if (django_user_main_attribute in django_fields
and saml_attr in attributes):
saml_user = attributes[saml_attr][0]
if saml_user is None:
logger.error('Could not find saml_user value')
return None
if not self.is_authorized(attributes, attribute_mapping):
return None
main_attribute = self.clean_user_main_attribute(saml_user)
user_query_args = {
django_user_main_attribute + django_user_main_attribute_lookup:
main_attribute
}
user_create_defaults = {django_user_main_attribute: main_attribute}
# Note that this could be accomplished in one try-except clause, but
# instead we use get_or_create when creating unknown users since it has
# built-in safeguards for multiple threads.
# check if user exist in local ccnet db/ldapimport database
username = main_attribute
local_ccnet_users = ccnet_api.search_emailusers('DB', username, -1, -1)
if not local_ccnet_users:
local_ccnet_users = ccnet_api.search_emailusers(
'LDAP', username, -1, -1)
if not local_ccnet_users:
if create_unknown_user:
activate_after_creation = getattr(
settings, 'SAML_ACTIVATE_USER_AFTER_CREATION', True)
user = User.objects.create_user(
email=username, is_active=activate_after_creation)
if not activate_after_creation:
notify_admins_on_activate_request(username)
elif settings.NOTIFY_ADMIN_AFTER_REGISTRATION:
notify_admins_on_register_complete(username)
else:
user = None
else:
user = User.objects.get(email=username)
if user:
self.make_profile(user, attributes, attribute_mapping)
return user