def access_token(request): oauth_request = get_oauth_request(request) if oauth_request is None: return INVALID_PARAMS_RESPONSE missing_params = require_params(oauth_request, ("oauth_token", "oauth_verifier")) if missing_params is not None: return missing_params try: request_token = store.get_request_token(request, oauth_request, oauth_request["oauth_token"]) except InvalidTokenError: return HttpResponseBadRequest("Invalid request token.") try: consumer = store.get_consumer(request, oauth_request, oauth_request["oauth_consumer_key"]) except InvalidConsumerError: return HttpResponseBadRequest("Invalid consumer.") if not verify_oauth_request(request, oauth_request, consumer, request_token): return HttpResponseBadRequest("Could not verify OAuth request.") if oauth_request.get("oauth_verifier", None) != request_token.verifier: return HttpResponseBadRequest("Invalid OAuth verifier.") if not request_token.is_approved: return HttpResponseBadRequest("Request Token not approved by the user.") access_token = store.create_access_token(request, oauth_request, consumer, request_token) ret = urlencode({"oauth_token": access_token.key, "oauth_token_secret": access_token.secret}) return HttpResponse(ret, content_type="application/x-www-form-urlencoded")
def user_authorization(request, form_class=AuthorizeRequestTokenForm): if 'oauth_token' not in request.REQUEST: return HttpResponseBadRequest('No request token specified.') oauth_request = get_oauth_request(request) try: request_token = store.get_request_token(request, oauth_request, request.REQUEST['oauth_token']) except InvalidTokenError: logging.info('Oauth error: could not authorize user %s with token %s' % (request.user, request.REQUEST['oauth_token'])) return HttpResponseBadRequest('Invalid request token.') consumer = store.get_consumer_for_request_token(request, oauth_request, request_token) if request.method == 'POST': form = form_class(request.POST) if request.session.get('oauth', '') == request_token.key and form.is_valid(): request.session['oauth'] = '' if form.cleaned_data['authorize_access']: request_token = store.authorize_request_token( request, oauth_request, request_token) args = {'oauth_token': request_token.key} else: args = {'error': _('Access not granted by user.')} if request_token.callback is not None and request_token.callback != OUT_OF_BAND: response = HttpResponseRedirect( '%s&%s' % (request_token.get_callback_url(), urlencode(args))) else: # try to get custom callback view callback_view_str = getattr( settings, OAUTH_CALLBACK_VIEW, 'oauth_provider.views.fake_callback_view') try: callback_view = get_callable(callback_view_str) except AttributeError: raise Exception, "%s view doesn't exist." % callback_view_str response = callback_view(request, **args) else: response = send_oauth_error(oauth.Error(_('Action not allowed.'))) else: # try to get custom authorize view authorize_view_str = getattr( settings, OAUTH_AUTHORIZE_VIEW, 'oauth_provider.views.default_authorize_view') try: authorize_view = get_callable(authorize_view_str) except AttributeError: raise Exception, "%s view doesn't exist." % authorize_view_str params = oauth_request.get_normalized_parameters() # set the oauth flag request.session['oauth'] = request_token.key response = authorize_view(request, request_token, request_token.get_callback_url(), params) return response
def access_token(request): oauth_request = get_oauth_request(request) if oauth_request is None: return INVALID_PARAMS_RESPONSE missing_params = require_params(oauth_request, ('oauth_token', 'oauth_verifier')) if missing_params is not None: return missing_params try: request_token = store.get_request_token(request, oauth_request, oauth_request['oauth_token']) except InvalidTokenError: return HttpResponseBadRequest('Invalid request token.') try: consumer = store.get_consumer(request, oauth_request, oauth_request['oauth_consumer_key']) except InvalidConsumerError: return HttpResponseBadRequest('Invalid consumer.') if not verify_oauth_request(request, oauth_request, consumer, request_token): return HttpResponseBadRequest('Could not verify OAuth request.') if oauth_request.get('oauth_verifier', None) != request_token.verifier: return HttpResponseBadRequest('Invalid OAuth verifier.') if not request_token.is_approved: return HttpResponseBadRequest('Request Token not approved by the user.') access_token = store.create_access_token(request, oauth_request, consumer, request_token) ret = urlencode({ 'oauth_token': access_token.key, 'oauth_token_secret': access_token.secret }) return HttpResponse(ret, content_type='application/x-www-form-urlencoded')
def access_token(request): oauth_request = get_oauth_request(request) missing_params = require_params(oauth_request, ('oauth_token', 'oauth_verifier')) if missing_params is not None: return missing_params try: request_token = store.get_request_token(request, oauth_request, oauth_request['oauth_token']) except InvalidTokenError: return HttpResponseBadRequest('Invalid request token.') try: consumer = store.get_consumer(request, oauth_request, oauth_request['oauth_consumer_key']) except InvalidConsumerError: return HttpResponseBadRequest('Invalid consumer.') if not verify_oauth_request(request, oauth_request, consumer, request_token): return HttpResponseBadRequest('Could not verify OAuth request.') if oauth_request.get('oauth_verifier', None) != request_token.verifier: return HttpResponseBadRequest('Invalid OAuth verifier.') if not request_token.is_approved: return HttpResponseBadRequest('Request Token not approved by the user.') access_token = store.create_access_token(request, oauth_request, consumer, request_token) ret = urlencode({ 'oauth_token': access_token.key, 'oauth_token_secret': access_token.secret }) return HttpResponse(ret, content_type='application/x-www-form-urlencoded')
def user_authorization(request, form_class=AuthorizeRequestTokenForm): if 'oauth_token' not in request.REQUEST: return oauth_error_response('No request token specified.', status_code=httplib.BAD_REQUEST) oauth_request = get_oauth_request(request) try: request_token = store.get_request_token(request, oauth_request, request.REQUEST['oauth_token']) except InvalidTokenError: return oauth_error_response('Invalid request token.', status_code=httplib.BAD_REQUEST) consumer = store.get_consumer_for_request_token(request, oauth_request, request_token) if request.method == 'POST': form = form_class(request.POST) if request.session.get('oauth', '') == request_token.key and form.is_valid(): request.session['oauth'] = '' if form.cleaned_data['authorize_access']: request_token.name = form.cleaned_data.get("client_name", getattr(settings, "OAUTH_PROVIDER_TOKEN_DEFAULT_NAME", "Unnamed")) request_token = store.authorize_request_token(request, oauth_request, request_token) args = { 'oauth_token': request_token.key } else: args = { 'error': _('Access not granted by user.') } if request_token.callback is not None and request_token.callback != OUT_OF_BAND: response = HttpResponseRedirect('%s&%s' % (request_token.get_callback_url(), urlencode(args))) else: # try to get custom callback view if request_token.callback == OUT_OF_BAND: callback_view_str = getattr(settings, OAUTH_PROVIDER_OUT_OF_BAND_CALLBACK_VIEW, 'oauth_provider.views.fake_out_of_band_callback_view') else: # try to get custom callback view callback_view_str = getattr(settings, OAUTH_PROVIDER_CALLBACK_VIEW, 'oauth_provider.views.fake_callback_view') try: callback_view = get_callable(callback_view_str) except AttributeError: raise Exception, "%s view doesn't exist." % callback_view_str response = callback_view(request, request_token, **args) else: response = oauth_error_response(oauth.Error(_('Action not allowed.'))) else: # try to get custom authorize view authorize_view_str = getattr(settings, OAUTH_PROVIDER_AUTHORIZE_VIEW, 'oauth_provider.views.default_authorize_view') try: authorize_view = get_callable(authorize_view_str) except AttributeError: raise Exception, "%s view doesn't exist." % authorize_view_str params = oauth_request.get_normalized_parameters() # set the oauth flag request.session['oauth'] = request_token.key response = authorize_view(request, request_token, request_token.get_callback_url(), params) return response
def user_authorization(request, form_class=AuthorizeRequestTokenForm): if 'oauth_token' not in request.REQUEST: return HttpResponseBadRequest('No request token specified.') oauth_request = get_oauth_request(request) try: request_token = store.get_request_token(request, oauth_request, request.REQUEST['oauth_token']) except InvalidTokenError: return HttpResponseBadRequest('Invalid request token.') consumer = store.get_consumer_for_request_token(request, oauth_request, request_token) if request.method == 'POST': form = form_class(request.POST) if request.session.get('oauth', '') == request_token.key and form.is_valid(): request.session['oauth'] = '' if form.cleaned_data['authorize_access']: request_token = store.authorize_request_token(request, oauth_request, request_token) args = { 'oauth_token': request_token } else: args = { 'error': _('Access not granted by user.') } if request_token.callback is not None and request_token.callback != OUT_OF_BAND: response = HttpResponseRedirect(request_token.get_callback_url(args)) else: # try to get custom callback view callback_view_str = getattr(settings, OAUTH_CALLBACK_VIEW, 'oauth_provider.views.fake_callback_view') try: callback_view = get_callable(callback_view_str) except AttributeError: raise Exception, "%s view doesn't exist." % callback_view_str response = callback_view(request, **args) else: response = send_oauth_error(oauth.Error(_('Action not allowed.'))) else: # try to get custom authorize view authorize_view_str = getattr(settings, OAUTH_AUTHORIZE_VIEW, 'oauth_provider.views.fake_authorize_view') try: authorize_view = get_callable(authorize_view_str) except AttributeError: raise Exception, "%s view doesn't exist." % authorize_view_str params = oauth_request.get_normalized_parameters() # set the oauth flag request.session['oauth'] = request_token.key response = authorize_view(request, request_token, request_token.get_callback_url(), params) return response
def user_authorization(request, form_class=AuthorizeRequestTokenForm): if "oauth_token" not in request.REQUEST: return HttpResponseBadRequest("No request token specified.") oauth_request = get_oauth_request(request) try: request_token = store.get_request_token(request, oauth_request, request.REQUEST["oauth_token"]) except InvalidTokenError: return HttpResponseBadRequest("Invalid request token.") consumer = store.get_consumer_for_request_token(request, oauth_request, request_token) if request.method == "POST": form = form_class(request.POST) if request.session.get("oauth", "") == request_token.key and form.is_valid(): request.session["oauth"] = "" if form.cleaned_data["authorize_access"]: request_token = store.authorize_request_token(request, oauth_request, request_token) args = {"oauth_token": request_token.key} else: args = {"error": _("Access not granted by user.")} if request_token.callback is not None and request_token.callback != OUT_OF_BAND: response = HttpResponseRedirect("%s&%s" % (request_token.get_callback_url(), urlencode(args))) else: # try to get custom callback view callback_view_str = getattr(settings, OAUTH_CALLBACK_VIEW, "oauth_provider.views.fake_callback_view") try: callback_view = get_callable(callback_view_str) except AttributeError: raise Exception, "%s view doesn't exist." % callback_view_str response = callback_view(request, **args) else: response = send_oauth_error(oauth.Error(_("Action not allowed."))) else: # try to get custom authorize view authorize_view_str = getattr(settings, OAUTH_AUTHORIZE_VIEW, "oauth_provider.views.fake_authorize_view") try: authorize_view = get_callable(authorize_view_str) except AttributeError: raise Exception, "%s view doesn't exist." % authorize_view_str params = oauth_request.get_normalized_parameters() # set the oauth flag request.session["oauth"] = request_token.key response = authorize_view(request, request_token, request_token.get_callback_url(), params) return response
def user_authorization(request, form_class=AuthorizeRequestTokenForm): if 'oauth_token' not in request.REQUEST: return HttpResponseBadRequest('No request token specified.') oauth_request = get_oauth_request(request) try: request_token = store.get_request_token(request, oauth_request, request.REQUEST['oauth_token']) except InvalidTokenError: return HttpResponse('Invalid request token: %s' % request.REQUEST['oauth_token'], status=401) consumer = store.get_consumer_for_request_token(request, oauth_request, request_token) # LRS CHANGE - MAKE SURE LOGGED IN USER OWNS THIS CONSUMER if request.user != consumer.user: return HttpResponseForbidden('Invalid user for this client.') if request.method == 'POST': form = form_class(request.POST) if request.session.get('oauth', '') == request_token.key and form.is_valid(): request.session['oauth'] = '' if form.cleaned_data['authorize_access']: request_token = store.authorize_request_token( request, oauth_request, request_token) args = {'oauth_token': request_token.key} else: args = {'error': _('Access not granted by user.')} if request_token.callback is not None and request_token.callback != OUT_OF_BAND: callback_url = request_token.get_callback_url(args) if UNSAFE_REDIRECTS: response = UnsafeRedirect(callback_url) else: response = HttpResponseRedirect(callback_url) else: # try to get custom callback view callback_view_str = getattr( settings, OAUTH_CALLBACK_VIEW, 'oauth_provider.views.fake_callback_view') try: view_callable = get_callable(callback_view_str) except AttributeError: raise Exception, "%s view doesn't exist." % callback_view_str # try to treat it as Class Based View (CBV) try: callback_view = view_callable.as_view() except AttributeError: # if it appears not to be CBV treat it like FBV callback_view = view_callable response = callback_view(request, **args) else: response = send_oauth_error(oauth.Error(_('Action not allowed.'))) else: # try to get custom authorize view authorize_view_str = getattr( settings, OAUTH_AUTHORIZE_VIEW, 'oauth_provider.views.fake_authorize_view') try: view_callable = get_callable(authorize_view_str) except AttributeError: raise Exception, "%s view doesn't exist." % authorize_view_str # try to treat it as Class Based View (CBV) try: authorize_view = view_callable.as_view() except AttributeError: # if it appears not to be CBV treat it like FBV authorize_view = view_callable params = oauth_request.get_normalized_parameters() # set the oauth flag request.session['oauth'] = request_token.key response = authorize_view(request, request_token, request_token.get_callback_url(), params) return response
def access_token(request): oauth_request = get_oauth_request(request) if oauth_request is None: return HttpResponseBadRequest('Invalid request parameters.') # Consumer try: consumer = store.get_consumer(request, oauth_request, oauth_request['oauth_consumer_key']) except InvalidConsumerError: return HttpResponseBadRequest('Invalid consumer.') is_xauth = is_xauth_request(oauth_request) if not is_xauth: # Check Parameters missing_params = require_params(oauth_request, ('oauth_token', 'oauth_verifier')) if missing_params is not None: return missing_params # Check Request Token try: request_token = store.get_request_token( request, oauth_request, oauth_request['oauth_token']) except InvalidTokenError: return HttpResponse('Invalid request token: %s' % oauth_request['oauth_token'], status=401) if not request_token.is_approved: return HttpResponse('Request Token not approved by the user.', status=401) # Verify Signature if not verify_oauth_request(request, oauth_request, consumer, request_token): return HttpResponseBadRequest('Could not verify OAuth request.') # Check Verifier if oauth_request.get('oauth_verifier', None) != request_token.verifier: return HttpResponseBadRequest('Invalid OAuth verifier.') else: # xAuth # Check Parameters missing_params = require_params( oauth_request, ('x_auth_username', 'x_auth_password', 'x_auth_mode')) if missing_params is not None: return missing_params # Check if Consumer allows xAuth if not consumer.xauth_allowed: return HttpResponseBadRequest('xAuth not allowed for this method') # Check Signature if not verify_oauth_request(request, oauth_request, consumer): return HttpResponseBadRequest('Could not verify xAuth request.') user = authenticate( x_auth_username=oauth_request.get_parameter('x_auth_username'), x_auth_password=oauth_request.get_parameter('x_auth_password'), x_auth_mode=oauth_request.get_parameter('x_auth_mode')) if not user: return HttpResponseBadRequest( 'xAuth username or password is not valid') else: request.user = user # Handle Request Token try: #request_token = store.create_request_token(request, oauth_request, consumer, oauth_request.get('oauth_callback')) request_token = store.create_request_token(request, oauth_request, consumer, OUT_OF_BAND) request_token = store.authorize_request_token( request, oauth_request, request_token) except oauth.Error, err: return send_oauth_error(err)
def access_token(request): oauth_request = get_oauth_request(request) if oauth_request is None: return INVALID_PARAMS_RESPONSE # Consumer try: consumer = store.get_consumer(request, oauth_request, oauth_request['oauth_consumer_key']) except InvalidConsumerError: return HttpResponseBadRequest('Invalid consumer.') is_xauth = is_xauth_request(oauth_request) if not is_xauth: # Check Parameters missing_params = require_params(oauth_request, ('oauth_token', 'oauth_verifier')) if missing_params is not None: return missing_params # Check Request Token try: request_token = store.get_request_token(request, oauth_request, oauth_request['oauth_token']) except InvalidTokenError: return HttpResponseBadRequest('Invalid request token.') if not request_token.is_approved: return HttpResponseBadRequest('Request Token not approved by the user.') # Verify Signature if not verify_oauth_request(request, oauth_request, consumer, request_token): return HttpResponseBadRequest('Could not verify OAuth request.') # Check Verifier if oauth_request.get('oauth_verifier', None) != request_token.verifier: return HttpResponseBadRequest('Invalid OAuth verifier.') else: # xAuth # Check Parameters missing_params = require_params(oauth_request, ('x_auth_username', 'x_auth_password', 'x_auth_mode')) if missing_params is not None: return missing_params # Check if Consumer allows xAuth if not consumer.xauth_allowed: return HttpResponseBadRequest('xAuth not allowed for this method') # Check Signature if not verify_oauth_request(request, oauth_request, consumer): return HttpResponseBadRequest('Could not verify xAuth request.') # Check Username/Password if is_xauth and not verify_xauth_request(request, oauth_request): return HttpResponseBadRequest('xAuth username or password is not valid') # Handle Request Token try: #request_token = store.create_request_token(request, oauth_request, consumer, oauth_request.get('oauth_callback')) request_token = store.create_request_token(request, oauth_request, consumer, OUT_OF_BAND) request_token = store.authorize_request_token(request, oauth_request, request_token) except oauth.Error, err: return send_oauth_error(err)
def user_authorization(request, form_class=AuthorizeRequestTokenForm): if 'oauth_token' not in request.REQUEST: return oauth_error_response('No request token specified.', status_code=httplib.BAD_REQUEST) oauth_request = get_oauth_request(request) try: request_token = store.get_request_token(request, oauth_request, request.REQUEST['oauth_token']) except InvalidTokenError: return oauth_error_response('Invalid request token.', status_code=httplib.BAD_REQUEST) consumer = store.get_consumer_for_request_token(request, oauth_request, request_token) if request.method == 'POST': form = form_class(request.POST) if request.session.get('oauth', '') == request_token.key and form.is_valid(): request.session['oauth'] = '' if form.cleaned_data['authorize_access']: request_token.name = form.cleaned_data.get( "client_name", getattr(settings, "OAUTH_PROVIDER_TOKEN_DEFAULT_NAME", "Unnamed")) request_token = store.authorize_request_token( request, oauth_request, request_token) args = {'oauth_token': request_token.key} else: args = {'error': _('Access not granted by user.')} if request_token.callback is not None and request_token.callback != OUT_OF_BAND: response = HttpResponseRedirect( '%s&%s' % (request_token.get_callback_url(), urlencode(args))) else: # try to get custom callback view if request_token.callback == OUT_OF_BAND: callback_view_str = getattr( settings, OAUTH_PROVIDER_OUT_OF_BAND_CALLBACK_VIEW, 'oauth_provider.views.fake_out_of_band_callback_view') else: # try to get custom callback view callback_view_str = getattr( settings, OAUTH_PROVIDER_CALLBACK_VIEW, 'oauth_provider.views.fake_callback_view') try: callback_view = get_callable(callback_view_str) except AttributeError: raise Exception, "%s view doesn't exist." % callback_view_str response = callback_view(request, request_token, **args) else: response = oauth_error_response( oauth.Error(_('Action not allowed.'))) else: # try to get custom authorize view authorize_view_str = getattr( settings, OAUTH_PROVIDER_AUTHORIZE_VIEW, 'oauth_provider.views.default_authorize_view') try: authorize_view = get_callable(authorize_view_str) except AttributeError: raise Exception, "%s view doesn't exist." % authorize_view_str params = oauth_request.get_normalized_parameters() # set the oauth flag request.session['oauth'] = request_token.key response = authorize_view(request, request_token, request_token.get_callback_url(), params) return response
def user_authorization(request, form_class=AuthorizeRequestTokenForm): if request.method.lower() == "get": if "oauth_token" not in request.GET: return HttpResponseBadRequest("No request token specified.") incoming_token = request.GET["oauth_token"] elif request.method.lower() == "post": if "oauth_token" not in request.POST: return HttpResponseBadRequest("No request token specified.") incoming_token = request.POST["oauth_token"] oauth_request = get_oauth_request(request) try: request_token = store.get_request_token(request, oauth_request, incoming_token) except InvalidTokenError: return HttpResponse("Invalid request token: %s" % incoming_token, status=401) consumer = store.get_consumer_for_request_token(request, oauth_request, request_token) # LRS CHANGE - MAKE SURE LOGGED IN USER OWNS THIS CONSUMER if request.user != consumer.user: return HttpResponseForbidden("Invalid user for this client.") if request.method == "POST": form = form_class(request.POST) if request.session.get("oauth", "") == request_token.key and form.is_valid(): request.session["oauth"] = "" if form.cleaned_data["authorize_access"]: request_token = store.authorize_request_token(request, oauth_request, request_token) args = {"oauth_token": request_token.key} else: args = {"error": _("Access not granted by user.")} if request_token.callback is not None and request_token.callback != OUT_OF_BAND: callback_url = request_token.get_callback_url(args) if UNSAFE_REDIRECTS: response = UnsafeRedirect(callback_url) else: response = HttpResponseRedirect(callback_url) else: # try to get custom callback view callback_view_str = getattr(settings, OAUTH_CALLBACK_VIEW, "oauth_provider.views.fake_callback_view") try: view_callable = get_callable(callback_view_str) except AttributeError: raise Exception("%s view doesn't exist." % callback_view_str) # try to treat it as Class Based View (CBV) try: callback_view = view_callable.as_view() except AttributeError: # if it appears not to be CBV treat it like FBV callback_view = view_callable response = callback_view(request, **args) else: response = send_oauth_error( "https" if request.is_secure() else "http", get_current_site(request).domain, oauth.Error(_("Action not allowed.")), ) else: # try to get custom authorize view authorize_view_str = getattr(settings, OAUTH_AUTHORIZE_VIEW, "oauth_provider.views.fake_authorize_view") try: view_callable = get_callable(authorize_view_str) except AttributeError: raise Exception("%s view doesn't exist." % authorize_view_str) # try to treat it as Class Based View (CBV) try: authorize_view = view_callable.as_view() except AttributeError: # if it appears not to be CBV treat it like FBV authorize_view = view_callable params = oauth_request.get_normalized_parameters() # set the oauth flag request.session["oauth"] = request_token.key response = authorize_view(request, request_token, request_token.get_callback_url(), params) return response
def access_token(request): oauth_request = get_oauth_request(request) if oauth_request is None: return HttpResponseBadRequest("Invalid request parameters.") # Consumer try: consumer = store.get_consumer(request, oauth_request, oauth_request["oauth_consumer_key"]) except InvalidConsumerError: return HttpResponseBadRequest("Invalid consumer.") is_xauth = is_xauth_request(oauth_request) if not is_xauth: # Check Parameters missing_params = require_params(oauth_request, ("oauth_token", "oauth_verifier")) if missing_params is not None: return missing_params # Check Request Token try: request_token = store.get_request_token(request, oauth_request, oauth_request["oauth_token"]) except InvalidTokenError: return HttpResponse("Invalid request token: %s" % oauth_request["oauth_token"], status=401) if not request_token.is_approved: return HttpResponse("Request Token not approved by the user.", status=401) # Verify Signature if not verify_oauth_request(request, oauth_request, consumer, request_token): return HttpResponseBadRequest("Could not verify OAuth request.") # Check Verifier if oauth_request.get("oauth_verifier", None) != request_token.verifier: return HttpResponseBadRequest("Invalid OAuth verifier.") else: # xAuth # Check Parameters missing_params = require_params(oauth_request, ("x_auth_username", "x_auth_password", "x_auth_mode")) if missing_params is not None: return missing_params # Check if Consumer allows xAuth if not consumer.xauth_allowed: return HttpResponseBadRequest("xAuth not allowed for this method") # Check Signature if not verify_oauth_request(request, oauth_request, consumer): return HttpResponseBadRequest("Could not verify xAuth request.") user = authenticate( x_auth_username=oauth_request.get_parameter("x_auth_username"), x_auth_password=oauth_request.get_parameter("x_auth_password"), x_auth_mode=oauth_request.get_parameter("x_auth_mode"), ) if not user: return HttpResponseBadRequest("xAuth username or password is not valid") else: request.user = user # Handle Request Token try: # request_token = store.create_request_token(request, oauth_request, consumer, oauth_request.get('oauth_callback')) request_token = store.create_request_token(request, oauth_request, consumer, OUT_OF_BAND) request_token = store.authorize_request_token(request, oauth_request, request_token) except oauth.Error as err: return send_oauth_error("https" if request.is_secure() else "http", get_current_site(request).domain, err) access_token = store.create_access_token(request, oauth_request, consumer, request_token) ret = urlencode({"oauth_token": access_token.key, "oauth_token_secret": access_token.secret}) return HttpResponse(ret, content_type="application/x-www-form-urlencoded")
def user_authorization(request, form_class=AuthClientForm): if 'oauth_token' not in request.REQUEST: return HttpResponseBadRequest('No request token specified.') oauth_request = get_oauth_request(request) try: request_token = store.get_request_token(request, oauth_request, request.REQUEST['oauth_token']) except InvalidTokenError: return HttpResponse('Invalid request token: %s' % request.REQUEST['oauth_token'], status=401) consumer = store.get_consumer_for_request_token(request, oauth_request, request_token) # LRS CHANGE - MAKE SURE LOGGED IN USER OWNS THIS CONSUMER if request.user != consumer.user: return HttpResponseForbidden('Invalid user for this client.') if request.method == 'POST': form = form_class(request.POST) if request.session.get('oauth', '') == request_token.key and form.is_valid(): request.session['oauth'] = '' if form.cleaned_data['authorize_access']: request_token = store.authorize_request_token(request, oauth_request, request_token) args = { 'oauth_token': request_token.key } else: args = { 'error': _('Access not granted by user.') } if request_token.callback is not None and request_token.callback != OUT_OF_BAND: callback_url = request_token.get_callback_url(args) if UNSAFE_REDIRECTS: response = UnsafeRedirect(callback_url) else: response = HttpResponseRedirect(callback_url) else: # try to get custom callback view callback_view_str = getattr(settings, OAUTH_CALLBACK_VIEW, 'oauth_provider.views.fake_callback_view') try: view_callable = get_callable(callback_view_str) except AttributeError: raise Exception, "%s view doesn't exist." % callback_view_str # try to treat it as Class Based View (CBV) try: callback_view = view_callable.as_view() except AttributeError: # if it appears not to be CBV treat it like FBV callback_view = view_callable response = callback_view(request, **args) else: response = send_oauth_error(oauth.Error(_('Action not allowed.'))) else: # try to get custom authorize view authorize_view_str = getattr(settings, OAUTH_AUTHORIZE_VIEW, 'oauth_provider.views.fake_authorize_view') try: view_callable = get_callable(authorize_view_str) except AttributeError: raise Exception, "%s view doesn't exist." % authorize_view_str # try to treat it as Class Based View (CBV) try: authorize_view = view_callable.as_view() except AttributeError: # if it appears not to be CBV treat it like FBV authorize_view = view_callable params = oauth_request.get_normalized_parameters() # set the oauth flag request.session['oauth'] = request_token.key response = authorize_view(request, request_token, request_token.get_callback_url(), params) return response
def user_authorization(request, form_class=AuthorizeRequestTokenForm): if request.method.lower() == 'get': if 'oauth_token' not in request.GET: return HttpResponseBadRequest('No request token specified.') incoming_token = request.GET['oauth_token'] elif request.method.lower() == 'post': if 'oauth_token' not in request.POST: return HttpResponseBadRequest('No request token specified.') incoming_token = request.POST['oauth_token'] oauth_request = get_oauth_request(request) try: request_token = store.get_request_token(request, oauth_request, incoming_token) except InvalidTokenError: return HttpResponse('Invalid request token: %s' % incoming_token, status=401) consumer = store.get_consumer_for_request_token(request, oauth_request, request_token) # LRS CHANGE - MAKE SURE LOGGED IN USER OWNS THIS CONSUMER # CLATOOLKIT CHANGE - MULTIPLE USERS CAN HAVE MULTIPLE CONSUMERS if not consumer.attached_to_user(request.user): return HttpResponseForbidden('Invalid user for this client.') if request.method == 'POST': form = form_class(request.POST) print 'request.session.oauth == request_token.key? %s' % ( request.session.get('oauth', '') == request_token.key) print 'session: %s and request_token: %s' % (request.session.get( 'oauth', ''), request_token.key) print 'form valid? %s' % form.is_valid() if not form.is_valid(): print 'form errors: %s' % form.errors if request.session.get('oauth', '') == request_token.key and form.is_valid(): request.session['oauth'] = '' if form.cleaned_data['authorize_access']: request_token = store.authorize_request_token( request, oauth_request, request_token) args = { 'oauth_token': request_token.key, 'user': request.GET.get('clau', None) } else: args = {'error': _('Access not granted by user.')} print 'callback url: %s' % (request_token.callback) # print 'new callback url: %s' % (request_token.callback) if request_token.callback is not None and request_token.callback != OUT_OF_BAND: callback_url = request_token.get_callback_url(args) #cla-user = request.GET.get('clau', None) #print 'got CLA user: %s' % (cla-user) if UNSAFE_REDIRECTS: response = UnsafeRedirect( callback_url) #+'?user=%s' % cla-user) else: response = HttpResponseRedirect( callback_url) #+'?user=%s' % cla-user) else: print "We're in here..." # try to get custom callback view callback_view_str = getattr( settings, OAUTH_CALLBACK_VIEW, 'oauth_provider.views.fake_callback_view') try: view_callable = get_callable(callback_view_str) except AttributeError: raise Exception("%s view doesn't exist." % callback_view_str) # try to treat it as Class Based View (CBV) try: callback_view = view_callable.as_view() except AttributeError: # if it appears not to be CBV treat it like FBV callback_view = view_callable response = callback_view(request, **args) else: response = send_oauth_error( 'https' if request.is_secure() else 'http', get_current_site(request).domain, oauth.Error(_('Action not allowed.'))) else: # try to get custom authorize view authorize_view_str = getattr( settings, OAUTH_AUTHORIZE_VIEW, 'oauth_provider.views.fake_authorize_view') try: view_callable = get_callable(authorize_view_str) except AttributeError: raise Exception("%s view doesn't exist." % authorize_view_str) # try to treat it as Class Based View (CBV) try: authorize_view = view_callable.as_view() except AttributeError: # if it appears not to be CBV treat it like FBV authorize_view = view_callable params = oauth_request.get_normalized_parameters() # set the oauth flag request.session['oauth'] = request_token.key response = authorize_view(request, request_token, request_token.get_callback_url(), params) return response