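def identify(self):
    """Log the visitor in from the single sign-on request header.

    Does nothing when the session already carries a "ckanext-ldap-user"
    entry. Otherwise the user name is read from the header named by the
    "ckanext.cfpb_sso.http_header" setting (default "From"); when
    ckanext-ldap is importable the matching CKAN user is created from the
    LDAP entry, and if CKAN then knows the user, the session and ``tk.c.user``
    are set to that name.
    """
    # Skip if user is already logged in
    # NOTE(review): the stored name is not compared with the current header
    # value here, so a changed header does not replace an existing session.
    if pylons.session.get("ckanext-ldap-user"):
        return

    header_name = CONFIG.get("ckanext.cfpb_sso.http_header", "From")
    # SECURITY: the header value is the only proof of identity used below and
    # no credential is checked. That is sound only if a trusted front end sets
    # this header itself and discards any copy sent by the client -- confirm
    # for the deployment, especially with the default "From" header.
    username = tk.request.headers.get(header_name)
    if not username:
        return

    # Create the user record in CKAN if it doesn't exist (i.e. this is the
    # first time ever that the user is visiting the Data Catalog).
    try:
        from ckanext.ldap.controllers.user import (
            _find_ldap_user,
            _get_or_create_ldap_user,
        )
        ldap_entry = _find_ldap_user(username)
        if not ldap_entry:
            # A name with no directory entry used to be passed straight to
            # _get_or_create_ldap_user. Nobody is logged in for such a name;
            # the request is left to the normal login method.
            return
        _get_or_create_ldap_user(ldap_entry)
    except ImportError:
        logging.warning(
            "Single sign-on plugin could not import ckanext-ldap. Plugin may not function properly."
        )

    try:
        tk.get_action("user_show")({}, {"id": username})
        # Mark the user as logged in, both for the ckanext-ldap plugin and
        # for CKAN itself.
        pylons.session["ckanext-ldap-user"] = username
        tk.c.user = username
    except NotFound:
        # If the user does not exist in CKAN, the above code failed.
        # Fall back to the normal login method.
        pass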
def user_create(context, data_dict=None):
    """Auth check for user creation that refuses names already used in LDAP.

    Returns a failure dict when ``data_dict`` carries a 'name' for which
    ``_find_ldap_user`` finds an entry, so a local account cannot be
    registered under a name that belongs to an LDAP identity. Every other
    request is decided by ``ckan_user_create``.
    """
    # Nothing to compare against LDAP: defer straight to the stock check.
    if not data_dict or 'name' not in data_dict:
        return ckan_user_create(context, data_dict)

    # NOTE(review): the name comes from the request; presumably
    # _find_ldap_user escapes it before building the LDAP filter -- verify.
    if _find_ldap_user(data_dict['name']):
        return {'success': False,
                'msg': _('An LDAP user by that name already exists')}

    return ckan_user_create(context, data_dict)
def user_create(context, data_dict=None):
    """Deny creating a user whose requested name matches an LDAP user.

    When no name is supplied, or LDAP has no entry for it, the decision is
    delegated to ``ckan_user_create``.
    """
    name_given = bool(data_dict) and 'name' in data_dict
    # The directory is only queried when a name was actually submitted.
    ldap_match = _find_ldap_user(data_dict['name']) if name_given else None
    if ldap_match:
        # Keeps a local account from shadowing an LDAP identity.
        denial = {
            'success': False,
            'msg': _('An LDAP user by that name already exists')
        }
        return denial
    return ckan_user_create(context, data_dict)
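def user_ldap_groups(self, username):
    """Look up a user and render their LDAP groups and the derived roles.

    Access is limited to the user themselves or a sysadmin (403 otherwise).
    Aborts with 404 when the user is missing from LDAP or CKAN, and with 500
    when the CKAN user cannot be created from the LDAP entry.
    """
    c.is_sysadmin = False
    # The name comparison is case-insensitive; anyone else must pass the
    # sysadmin check.
    if c.user.lower() != username.lower():
        try:
            check_access("sysadmin", context())
            c.is_sysadmin = True
        except NotAuthorized:
            abort(
                403,
                "You can only view your own user page unless you're a sysadmin"
            )

    base_dns = config.get("ckanext.cfpb_ldap_query.base_dns").split("|")
    # NOTE(review): username comes from the request; presumably
    # get_user_group_cns and _find_ldap_user escape it before building LDAP
    # filters -- verify.
    with _get_ldap_connection() as connection:
        cns = get_user_group_cns(username, base_dns, connection)
    roles = make_roles(cns)

    # Make sure the ckan user exists
    ldap_user = _find_ldap_user(username)
    if not ldap_user:
        abort(404, "User not found in LDAP")
    try:
        _get_or_create_ldap_user(ldap_user)
    except Exception:
        # Was a bare ``except:``, which also caught KeyboardInterrupt and
        # SystemExit and reported them as a 500.
        abort(500, "could not create CKAN user")

    try:
        user_dict = get_action("user_show")(context(), {
            "id": username,
            "user_obj": c.userobj,
            "include_datasets": True,
            "include_num_followers": True
        })
    except ObjectNotFound:
        abort(404, "User not found")
    except NotAuthorized:
        abort(403, "Not authorized to see this page")

    # NOTE(review): this comparison is exact, while the access check above
    # ignores case -- confirm the difference is intended.
    c.is_myself = username == c.user
    c.user_dict = user_dict
    c.about_formatted = h["render_markdown"](user_dict["about"])
    extra = {
        "username": username,
        "cns": cns,
        "roles": roles,
    }
    return render('ckanext/cfpb-extrafields/ldap_user.html', extra_vars=extra)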
def user_update(context, data_dict):
    """Auth check for user updates: protect LDAP users and LDAP names.

    Denies the update when 'ldap.prevent_edits' is set and the target user is
    linked to LDAP, and when the update would rename the user to a name held
    by an LDAP entry other than the user's own. Anything else is decided by
    ``ckan_user_update``.
    """
    try:
        target = ckan.logic.auth.get_user_object(context, data_dict)
    except ckan.logic.NotFound:
        # Unknown user: both LDAP checks below are skipped.
        target = None

    # Prevent editing of LDAP users (if so configured)
    edits_blocked = (
        config['ldap.prevent_edits']
        and target
        and LdapUser.by_user_id(target.id)
    )
    if edits_blocked:
        return {'success': False, 'msg': _('Cannot edit LDAP users')}

    # Prevent name clashes: a rename must not land on another LDAP identity.
    is_rename = (
        'name' in data_dict
        and target
        and target.name != data_dict['name']
    )
    if is_rename:
        ldap_match = _find_ldap_user(data_dict['name'])
        if ldap_match:
            # The rename is only allowed when the first linked LDAP record of
            # the target carries the same ldap_id as the entry that was found.
            belongs_to_other = (
                len(target.ldap_user) == 0
                or target.ldap_user[0].ldap_id != ldap_match['ldap_id']
            )
            if belongs_to_other:
                return {
                    'success': False,
                    'msg': _('An LDAP user by that name already exists')
                }

    return ckan_user_update(context, data_dict)
def user_create(context, data_dict=None):
    """Refuse to create a user whose name already exists in LDAP.

    The requested name is UTF-8 encoded before the LDAP lookup. Requests
    without a name, or with a name unknown to LDAP, are decided by
    ``ckan_user_create``.
    """
    # Anja 2.10.2018: no longer used, compare plugin.py.
    # FIXME: is this also OK for the mail option?
    #
    # Anja 23.6.17: automatic user creation on a user's first login passes no
    # data_dict, so this branch was expected to be reached only after an
    # authentication problem with the API key, and a generic failure return
    # was tried here. Registration also arrives here, however, so that return
    # stays disabled and the LDAP name check below is kept, at least so far.
    if data_dict and 'name' in data_dict:
        wanted_name = data_dict['name'].encode('utf-8')
        if _find_ldap_user(wanted_name):
            refusal = {
                'success': False,
                'msg': _('An LDAP user by that name already exists')
            }
            return refusal
    return ckan_user_create(context, data_dict)