コード例 #1
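    def is_unprivileged_query(self, request, identifier):
        """
        Return True if a non-superuser requests information about another user.

        Args:
            request (Request): the incoming request. ``request.user`` may be an
                ``AnonymousUser``, which carries no ``email`` attribute.
            identifier: a (kind, value) identifier whose ``kind`` must be one of
                ``self.identifier_kinds`` ('username' or 'email').

        Returns:
            False when the identifier refers to the requesting user, or when the
            requester is a superuser or presents a valid API key; True otherwise.

        Raises:
            ValueError: if ``identifier.kind`` is not a supported kind. The view is
                expected to have validated this already, so a failure here is a
                programming error and surfaces as a 500.
        """
        if identifier.kind not in self.identifier_kinds:
            # Already validated upstream; a failure here is a programming error,
            # so let it surface as a 500 rather than a 4xx.
            raise ValueError(u"Identifier kind {} not in {}".format(identifier.kind, self.identifier_kinds))

        # AnonymousUser does not have an email attribute, so fall back to a
        # sentinel that can never compare equal to the supplied value. The
        # fallback belongs on request.user (the side that may be missing the
        # attribute); reading request.user.email directly raised AttributeError
        # for anonymous requesters.
        requester_email = getattr(request.user, 'email', object())
        # identifier is presumably a (kind, value) pair; keep the defensive
        # lookup in case it lacks a 'value' attribute.
        identifier_value = getattr(identifier, 'value', object())

        if identifier == self.identifier('username', request.user.username):
            # Our own username: everyone may ask about themselves.
            return False
        if identifier.kind == 'email' and identifier_value == requester_email:
            # Our own email: likewise.
            return False

        # Querying a user other than the current one requires elevated rights.
        # The API-key check is only consulted when the user is not a superuser.
        has_elevated = request.user.is_superuser or ApiKeyHeaderPermission().has_permission(request, self)
        return not has_elevated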
コード例 #2
    def has_api_key_permissions(self, request):
        """
        Return whether the request carries a valid server-to-server API key.

        Args:
            request (Request): the request being made into the view

        Return:
            True if the request has been made with a valid API key,
            False otherwise
        """
        api_key_permission = ApiKeyHeaderPermission()
        return api_key_permission.has_permission(request, self)
コード例 #3
 def is_unprivileged_query(self, request, username):
     """
     Return True if a non-superuser requests information about another user.

     Args:
         request (Request): the incoming request. ``request.user`` may lack an
             ``email`` attribute (AnonymousUser).
         username (str): the identifier being asked about; it is compared to the
             requester's own username and email.

     Returns:
         False for self-queries, superusers and API-key callers; True otherwise.
     """
     requester = request.user
     # AnonymousUser has no email attribute; the object() sentinel can never
     # equal a supplied string, so it simply never matches.
     own_identifiers = {requester.username, getattr(requester, 'email', object())}
     if username in own_identifiers:
         # Asking about ourselves is always allowed.
         return False
     if requester.is_superuser:
         return False
     if ApiKeyHeaderPermission().has_permission(request, self):
         return False
     # Neither superuser nor API-key caller: no elevated permissions.
     return True
コード例 #4
ファイル: views.py プロジェクト: AbdulZor/edx-platform
    def get_queryset(self):
        """
        Return the ``UserSocialAuth`` rows for the requested provider, optionally
        narrowed by ``username`` and/or ``remote_id`` query parameters.

        Access requires a superuser, a valid API key, or an OAuth2 client holding
        the per-provider ``ThirdPartyAuthProviderApiPermission``; the check runs
        before the provider is looked up, so unauthorised callers learn nothing
        about which provider ids exist.

        Raises:
            exceptions.PermissionDenied: caller has none of the three forms of access.
            Http404: ``provider_id`` does not name a registered provider.
        """
        request = self.request
        provider_id = self.kwargs.get('provider_id')

        # Permission check first: superuser, API key, or OAuth2 client
        # credentials scoped to this provider.
        permitted = (
            request.user.is_superuser
            or ApiKeyHeaderPermission().has_permission(request, self)
            or ThirdPartyAuthProviderApiPermission(provider_id).has_permission(request, self)
        )
        if not permitted:
            raise exceptions.PermissionDenied()

        # The provider must be registered.
        self.provider = Registry.get(provider_id)
        if not self.provider:
            raise Http404
        provider = self.provider

        results = UserSocialAuth.objects.select_related('user').filter(
            provider=provider.backend_name)

        # Multi-IdP backends prefix the uid with the IdP slug. Detect that by
        # mapping a probe value: if it comes back changed, restrict to rows with
        # the same prefix (dropping the 3-character probe leaves the prefix).
        probe = provider.get_social_auth_uid('uid')
        if probe != 'uid':
            results = results.filter(uid__startswith=probe[:-3])

        def as_set(values):
            # Each occurrence of the query param may itself be comma separated.
            joined = ','.join(values)
            return set(joined.split(',')) if joined else set()

        filters = Q()

        usernames = request.query_params.getlist('username', None)
        if usernames:
            wanted_usernames = as_set(usernames)
            if wanted_usernames:
                filters = filters | Q(user__username__in=wanted_usernames)

        remote_ids = request.query_params.getlist('remote_id', None)
        if remote_ids:
            wanted_remote_ids = as_set(remote_ids)
            if wanted_remote_ids:
                uids = [provider.get_social_auth_uid(remote_id) for remote_id in wanted_remote_ids]
                filters = filters | Q(uid__in=uids)

        return results.filter(filters)
コード例 #5
ファイル: views.py プロジェクト: ahmed-zubair12/edx-platform
    def is_unprivileged_query(self, request, identifier):
        """
        Return True if a non-superuser requests information about another user.

        Args:
            request (Request): the incoming request. ``request.user`` may be an
                ``AnonymousUser``, which carries no ``email`` attribute.
            identifier: an object with a ``kind`` attribute; the kind must be one
                of ``self.identifier_kinds``.

        Note:
            The value compared against the requester is the ``username`` URL
            kwarg (``self.kwargs['username']``), not ``identifier``; the kwarg may
            hold either a username or an email address.

        Returns:
            False for self-queries, superusers and API-key callers; True otherwise.

        Raises:
            ValueError: if ``identifier.kind`` is unsupported (already validated
                upstream, so this surfaces as a 500).
        """
        kind = identifier.kind
        if kind not in self.identifier_kinds:
            # Validated before we get here; a failure is a programming error.
            raise ValueError("Identifier kind {} not in {}".format(kind, self.identifier_kinds))

        requester = request.user
        # AnonymousUser has no email attribute; the object() sentinel never
        # compares equal to a string.
        own_identifiers = {requester.username, getattr(requester, 'email', object())}
        target = self.kwargs[u'username']
        if target in own_identifiers:
            # Asking about ourselves is always allowed.
            return False

        # Another user's data: superusers and API-key callers are allowed,
        # everyone else is not. The API-key check is skipped for superusers.
        elevated = requester.is_superuser or ApiKeyHeaderPermission().has_permission(request, self)
        return not elevated
コード例 #6
ファイル: views.py プロジェクト: iivic/BoiseStateX
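    def get(self, request, username):
        """Return the third-party auth providers linked to a user's account.

        Only the user themselves, a superuser, or a caller holding a valid API
        key may read this. The permission check runs before ``username`` is
        validated, so an unprivileged caller gets 403 whether or not the
        account exists and cannot use this endpoint to enumerate users.

        Args:
            request (Request): The HTTP GET request
            username (str): Fetch the list of providers linked to this user

        Return:
            JSON serialized list of the providers linked to this user, under
            the ``"active"`` key. 403 for unprivileged callers; 404 when the
            user does not exist.

        """
        if request.user.username != username:
            # We are querying permissions for a user other than the current user.
            if not request.user.is_superuser and not ApiKeyHeaderPermission().has_permission(request, self):
                # Return a 403 (Forbidden) without validating 'username', so that we
                # do not let users probe the existence of other user accounts.
                return Response(status=status.HTTP_403_FORBIDDEN)

        try:
            user = User.objects.get(username=username)
        except User.DoesNotExist:
            return Response(status=status.HTTP_404_NOT_FOUND)

        providers = pipeline.get_provider_user_states(user)

        # Only providers the user actually has an account with are reported.
        active_providers = [
            {
                "provider_id": assoc.provider.provider_id,
                "name": assoc.provider.name,
                "remote_id": assoc.remote_id,
            }
            for assoc in providers if assoc.has_account
        ]

        # In the future this can be trivially modified to return the inactive/disconnected providers as well.

        return Response({
            "active": active_providers
        })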
コード例 #7
ファイル: permissions.py プロジェクト: saadow123/1
 def has_permission(self, request, view):
     """
     Allow the request if it carries a valid API key, or otherwise if the user
     passes the standard Django model permission check for ``view``.
     """
     api_key_granted = ApiKeyHeaderPermission().has_permission(request, view)
     # DjangoModelPermissions is only consulted when the API-key check fails.
     return api_key_granted or DjangoModelPermissions().has_permission(request, view)