def dispatch(self, request, *args, **kwargs):
    """Gate a repository request on session state, basic-auth data and client IP.

    Order of checks, as implemented below:

    1. A request whose ``request.user`` is already authenticated is passed
       straight to the parent ``dispatch``; neither the credential check nor
       ``_allow_request`` runs for it.
    2. A POST without a complete access-key/secret-key pair is answered with
       ``HttpResponseUnauthorized`` so the client resends with credentials.
    3. A supplied pair must pass ``_validate_credentials``.
    4. ``_allow_request`` has the final say for everything that gets this far.

    ``request.credentials`` is reset to ``None`` on every call before any
    check runs.
    """
    request.credentials = None

    # Session-authenticated users bypass all repository-level checks.
    if request.user.is_authenticated:
        return super().dispatch(request, *args, **kwargs)

    ip_addr = self._get_client_ip_address(request)
    logger.info("Package request from %s", ip_addr)

    access_key, secret_key = get_basic_auth_data(request)
    credentials_supplied = access_key and secret_key

    if credentials_supplied:
        credentials_ok = self._validate_credentials(
            request, access_key, secret_key)
        if not credentials_ok:
            return HttpResponseUnauthorized()
    elif request.method == 'POST':
        # POST means register or upload. distutils does not send the auth
        # data for register by default, so answer "unauthorized" to force
        # it to send the HTTP_AUTHORIZATION header.
        return HttpResponseUnauthorized()

    if not self._allow_request(request, ip_addr):
        # NOTE(review): access_key presumably comes from the client's
        # Authorization header and is logged as received; confirm the log
        # sink tolerates untrusted text. The secret key is not logged.
        logger.info("Denied upload to %s from %s with access key %s",
                    request.path, ip_addr, access_key)
        return HttpResponseUnauthorized("No permission")

    return super().dispatch(request, *args, **kwargs)
def decorator(request, *args, **kwargs):
    """Run ``view_func`` only for callers allowed by CIDR rules and/or login.

    The client address is taken from ``X-Forwarded-For`` when
    ``settings.LOCALSHOP_USE_PROXIED_IP`` is set, otherwise from
    ``REMOTE_ADDR``. The address is then checked twice against ``CIDR``:
    a match on the ``with_credentials=False`` lookup calls the view with no
    authentication step at all; a miss on the ``with_credentials=True``
    lookup is rejected with 403. Anything in between needs an authenticated
    session or a successful ``authenticate_user`` call.
    """
    if settings.LOCALSHOP_USE_PROXIED_IP:
        try:
            forwarded_for = request.META['HTTP_X_FORWARDED_FOR']
        except KeyError:
            # Proxied mode is on but the header is absent: refuse outright
            # rather than fall back to REMOTE_ADDR.
            return HttpResponseForbidden('No permission')
        # HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs.
        # The client's IP will be the first one.
        # NOTE(review): the first entry is whatever the client sent unless
        # the fronting proxy overwrites the header instead of appending to
        # it. Because the address decides whether credentials are required
        # at all, confirm the proxy discards inbound X-Forwarded-For values.
        ip_addr = forwarded_for.split(",")[0].strip()
    else:
        ip_addr = request.META['REMOTE_ADDR']

    cidrs = CIDR.objects
    if cidrs.has_access(ip_addr, with_credentials=False):
        return view_func(request, *args, **kwargs)

    if not cidrs.has_access(ip_addr, with_credentials=True):
        return HttpResponseForbidden('No permission')

    # An already logged-in user goes straight to the view; everyone else
    # has to authenticate first.
    if not request.user.is_authenticated:
        user = authenticate_user(request)
        if user is None:
            return HttpResponseUnauthorized(content='Authorization Required')
        login(request, user)

    return view_func(request, *args, **kwargs)
def dispatch(self, request, *args, **kwargs):
    """Resolve the client IP, authenticate the caller, then apply ``_allow_request``.

    Basic-auth data is first tried against the repository's own credentials;
    on success the matching credential is stored on ``request.credentials``.
    If that fails, the same request is tried as a regular Django user and,
    on success, logged in. A POST without a complete key/secret pair, or a
    pair that matches neither, is answered with ``HttpResponseUnauthorized``.
    """
    # TODO: Should be handled in middleware
    if settings.LOCALSHOP_USE_PROXIED_IP:
        try:
            forwarded_for = request.META['HTTP_X_FORWARDED_FOR']
        except KeyError:
            return HttpResponseForbidden('No permission')
        # HTTP_X_FORWARDED_FOR can be a comma-separated list of IPs.
        # The client's IP will be the first one.
        # NOTE(review): the first entry is client-supplied unless the
        # fronting proxy overwrites the header; this address is what
        # _allow_request receives, so confirm the proxy discards inbound
        # X-Forwarded-For values.
        ip_addr = forwarded_for.split(",")[0].strip()
    else:
        ip_addr = request.META['REMOTE_ADDR']

    logger.info("Package request from %s", ip_addr)

    # Check repository based credentials, move to middleware ?
    request.credentials = None
    key, secret = get_basic_auth_data(request)

    if key and secret:
        credential = self.repository.credentials.authenticate(key, secret)
        if credential:
            request.credentials = credential
        else:
            # Might be a regular django user, this should be deprecated as
            # it is just not secure enough. We need to start using user
            # credentials for this.
            user = authenticate_user(request)
            if not user:
                return HttpResponseUnauthorized()
            login(request, user)
    elif request.method == 'POST':
        # POST means register or upload. distutils does not send the auth
        # data for register by default, so answer "unauthorized" to force
        # it to send the HTTP_AUTHORIZATION header.
        return HttpResponseUnauthorized()

    if not self._allow_request(request, ip_addr):
        return HttpResponseUnauthorized("No permission")

    return super(RepositoryAccessMixin, self).dispatch(
        request, *args, **kwargs)
def decorator(request, *args, **kwargs):
    """Run ``view_func`` only for callers allowed by CIDR rules and/or login.

    The address in ``REMOTE_ADDR`` is checked twice against ``CIDR``: a match
    on the ``with_credentials=False`` lookup calls the view with no
    authentication step; a miss on the ``with_credentials=True`` lookup is
    rejected with 403. Anything in between needs an authenticated session or
    a successful ``authenticate_user`` call.
    """
    # NOTE(review): behind a reverse proxy REMOTE_ADDR is normally the
    # proxy's address, so every client would be judged by the same CIDR
    # entry. Confirm how this is deployed.
    ip_addr = request.META['REMOTE_ADDR']

    cidrs = CIDR.objects
    if cidrs.has_access(ip_addr, with_credentials=False):
        return view_func(request, *args, **kwargs)

    if not cidrs.has_access(ip_addr, with_credentials=True):
        return HttpResponseForbidden('No permission')

    # An already logged-in user goes straight to the view; everyone else
    # has to authenticate first.
    # NOTE(review): is_authenticated is *called* here. That matches Django
    # releases where it is a method; where it is a property the form differs.
    # Do not drop the parentheses without checking the Django version in
    # use: on a method-style release the bare attribute is always truthy.
    if not request.user.is_authenticated():
        user = authenticate_user(request)
        if user is None:
            return HttpResponseUnauthorized(content='Authorization Required')
        login(request, user)

    return view_func(request, *args, **kwargs)
def post(self, request):
    """Handle a distutils POST: authenticate, then route on the ``:action`` field.

    Returns an unauthorized response when no auth method is present, a 401
    when ``authenticate_user`` yields no user, and raises ``Http404`` for an
    ``:action`` value other than ``submit`` or ``file_upload``. Both known
    actions are served by ``handle_register_or_upload``.
    """
    # NOTE(review): the request body is parsed before the caller has been
    # authenticated; confirm parse_distutils_request bounds what it reads.
    parse_distutils_request(request)

    # XXX: Auth is currently a bit of a hack
    # Only the presence of an auth method is checked here; the identity part
    # is not used. The actual verification is left to authenticate_user.
    auth_method, _identity = split_auth(request)
    if not auth_method:
        return HttpResponseUnauthorized(content='Missing auth header')

    user = authenticate_user(request)
    if not user:
        return HttpResponse('Invalid username/password', status=401)

    handlers_by_action = {
        'submit': handle_register_or_upload,
        'file_upload': handle_register_or_upload,
    }
    requested_action = request.POST.get(':action')
    handler = handlers_by_action.get(requested_action)
    if not handler:
        raise Http404('Unknown action')

    return handler(request.POST, request.FILES, user)