コード例 #1
ファイル: api.py プロジェクト: FollonSaxBass/kolibri
 def get_queryset(self):
     """Return the ``FacilityUser`` rows this view is allowed to list.

     Requests that pass ``valid_app_key_on_request`` receive every
     ``FacilityUser``. All other requests are limited to users with no
     roles whose dataset allows login without a password, and who either
     have no device permissions row or are not flagged as superuser.
     """
     in_app_context = valid_app_key_on_request(self.request)
     if not in_app_context:
         # Restricted listing: only role-less users of datasets that allow
         # password-less login, never device superusers.
         not_superuser = Q(devicepermissions__is_superuser=False) | Q(
             devicepermissions__isnull=True
         )
         passwordless_learners = FacilityUser.objects.filter(
             dataset__learner_can_login_with_no_password=True, roles=None
         )
         return passwordless_learners.filter(not_superuser)

     # App context: the full user list is returned so usernames can be shown
     # in the list display.
     # NOTE(review): this branch applies no role or superuser filter, so what
     # is exposed depends on the serializer fields and on how the app key is
     # validated; neither is visible here. Confirm both.
     return FacilityUser.objects.all()
コード例 #2
ファイル: api.py プロジェクト: chrislun16/kolibri
    def get_session_response(self, request):
        """Build the session payload for ``request`` and wrap it in a ``Response``.

        The payload is ``request.user.session_data`` extended with a fixed
        ``id`` of ``"current"``, the server time, and whether the request
        passes ``valid_app_key_on_request``.

        Anonymous users also receive a ``visitor_id`` cookie that expires in
        365 days. For any other user, ``last_session_request`` is refreshed on
        the session, and ``UserSessionLog`` is updated when the user is a
        ``FacilityUser`` and the request is not explicitly marked inactive.
        """
        current_user = request.user
        timestamp = now()
        payload = current_user.session_data
        payload.update(
            {
                "id": "current",
                "server_time": timestamp,
                "app_context": valid_app_key_on_request(request),
            }
        )

        if isinstance(current_user, AnonymousUser):
            one_year_from_now = datetime.utcnow() + timedelta(days=365)
            anonymous_response = Response(payload)
            # Re-issue the visitor id the client already has, or mint a new
            # one when the cookie is absent or empty.
            # NOTE(review): an existing value comes straight from the request
            # and is written back without any format check, so consumers of
            # visitor_id should treat it as untrusted input. Only the expiry
            # is set here; the other cookie attributes are left at the
            # defaults of set_cookie.
            visitor_id = request.COOKIES.get("visitor_id") or uuid4().hex
            anonymous_response.set_cookie(
                "visitor_id", visitor_id, expires=one_year_from_now
            )
            return anonymous_response

        # Record activity on the session so it does not time out. This applies
        # only to logged-in users, since anonymous users cannot be logged out.
        # It runs for every call, whatever the value of "active" below.
        request.session["last_session_request"] = int(time.time())

        # Treated as active unless the client explicitly sends another value.
        is_active = request.GET.get("active", "true") == "true"

        # Session log data can only be recorded for FacilityUsers.
        if is_active and isinstance(current_user, FacilityUser):
            # The User-Agent header is client-controlled.
            UserSessionLog.update_log(
                current_user, request.META.get("HTTP_USER_AGENT", "")
            )

        return Response(payload)
コード例 #3
ファイル: api.py プロジェクト: FollonSaxBass/kolibri
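    def create(self, request):
        """Authenticate a facility user from posted credentials and log them in.

        Reads ``username``, ``password`` and ``facility`` from ``request.data``.
        On success the user is logged in and the result of
        ``get_session_response`` is returned. Every failure returns a list
        holding one error object: 401 with ``INVALID_CREDENTIALS``, or 400
        with ``PASSWORD_NOT_SPECIFIED`` or ``MISSING_PASSWORD``.

        Security note: both 400 responses confirm to an unauthenticated caller
        that the username exists in the given facility, while the 401 does
        not, so the responses distinguish known from unknown usernames.
        Nothing in this method limits repeated attempts; whether throttling or
        lockout is applied elsewhere is not visible here.
        """
        username = request.data.get("username", "")
        password = request.data.get("password", "")
        facility_id = request.data.get("facility", None)

        # Only enforce this when running in an app. The rejection uses the same
        # 401 INVALID_CREDENTIALS body as a wrong password and is returned
        # before any user lookup.
        if (
            interface.enabled
            and not allow_other_browsers_to_connect()
            and not valid_app_key_on_request(request)
        ):
            return Response(
                [{"id": error_constants.INVALID_CREDENTIALS, "metadata": {}}],
                status=status.HTTP_401_UNAUTHORIZED,
            )

        # Look the account up independently of authenticate() so the failure
        # branches below can tell a known username from an unknown one.
        # NOTE(review): only ObjectDoesNotExist is handled. If two usernames
        # in one facility could differ only by case, this case-insensitive
        # .get() would raise MultipleObjectsReturned; confirm uniqueness is
        # enforced elsewhere.
        try:
            unauthenticated_user = FacilityUser.objects.get(
                username__iexact=username, facility=facility_id
            )
        except ObjectDoesNotExist:
            unauthenticated_user = None

        user = authenticate(username=username, password=password, facility=facility_id)
        if user is not None and user.is_active:
            # Correct password, and the user is marked "active".
            login(request, user)
            return self.get_session_response(request)

        if unauthenticated_user is not None:
            if unauthenticated_user.password == "NOT_SPECIFIED":
                # A Learner created while the "Require learners to log in with
                # password" setting was disabled, which has since been enabled
                # again: the stored password is the "NOT_SPECIFIED" sentinel.
                return Response(
                    [
                        {
                            "id": error_constants.PASSWORD_NOT_SPECIFIED,
                            "metadata": {
                                "field": "password",
                                "message": "Username is valid, but password needs to be set before login.",
                            },
                        }
                    ],
                    status=status.HTTP_400_BAD_REQUEST,
                )
            if not password:
                # Password was missing but the username is valid: prompt for
                # the password. The user fetched above already answers
                # "does this username exist", so no second query is issued.
                return Response(
                    [
                        {
                            "id": error_constants.MISSING_PASSWORD,
                            "metadata": {
                                "field": "password",
                                "message": "Username is valid, but password is missing.",
                            },
                        }
                    ],
                    status=status.HTTP_400_BAD_REQUEST,
                )

        # Unknown username, wrong password, or inactive user.
        return Response(
            [{"id": error_constants.INVALID_CREDENTIALS, "metadata": {}}],
            status=status.HTTP_401_UNAUTHORIZED,
        )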
コード例 #4
 def has_permission(self, request, view):
     """Allow the request only when ``valid_app_key_on_request`` accepts it.

     ``view`` is not consulted. How the app key is carried and checked is
     decided by ``valid_app_key_on_request``, which is not shown here.
     """
     has_valid_app_key = valid_app_key_on_request(request)
     return has_valid_app_key