예제 #1
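    def _sync_user(self, request, user):
        """
        Called after a user is fetched/created and syncs any additional properties
        from the JWT's payload to the user object. Set staff and superuser flags
        if authorizations are valid.

        Both flags are always rewritten from the current authz answer and then
        saved, so a user whose admin permission was removed loses staff and
        superuser status on their next sync instead of keeping stale flags.

        :param request: The current request
        :param user: The user model instance being synced; it is saved here
        """
        # Do normal sync first
        super()._sync_user(request, user)

        is_admin = False
        try:
            # Check if admin
            is_admin = authz.is_admin(request, user.email)
            if is_admin:
                logger.debug(f"User: {user.email} has been granted admin/superuser privileges")

            # Ensure the model is updated: both flags mirror the single authz answer
            user.is_staff = is_admin
            user.is_superuser = is_admin
            user.save()

        except Exception as e:
            # NOTE(review): the error is logged but not re-raised. If the authz
            # lookup failed, the flags the user already carried stay in place; if
            # save() failed, the new flags are set on the instance but unsaved.
            # logger.exception() already attaches exc_info, so it is not repeated.
            logger.exception(
                f"Superuser syncing error: {e}",
                extra={
                    "request": request,
                    "user": user,
                    "username": user.username,
                    "email": user.email,
                    "is_admin": is_admin,
                },
            )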
예제 #2
    def _should_create_user(self, request, email):
        """
        Decide whether a user record should be created for ``email``.

        Backends normally create the Django user before any permission check,
        which leaves behind rows for users who can never log in. Subclasses use
        this hook to veto creation up front; this implementation only admits
        users holding the 'admin' permission on the current application.

        :param request: The current request
        :type request: HttpRequest
        :param email: The email of the requesting user
        :type email: str
        :return: Whether the user should be created or not
        :rtype: bool
        """
        has_admin_permission = authz.is_admin(request, email)
        return has_admin_permission
예제 #3
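    def _sync_user(self, request, user):
        """
        Called after a user is fetched/created and syncs any additional properties
        from the JWT's payload to the user object.

        Staff and superuser flags are derived from the current authz answer on
        every sync, so a revoked admin loses both flags here. The instance is not
        saved by this method.

        :param request: The current request
        :param user: The user model instance updated in place
        """
        # Sync admin/superuser status: both flags mirror a single authz lookup
        try:
            is_admin = bool(authz.is_admin(request, user.email))
            user.is_staff = is_admin
            user.is_superuser = is_admin

        except Exception as e:
            # NOTE(review): the error is logged but not re-raised, so a failed
            # authz lookup leaves the flags the user already carried untouched.
            # logger.exception() already records exc_info, so it is not repeated.
            logger.exception(
                f"User syncing error: {e}", extra={"user": user, "request": request}
            )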
예제 #4
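    def has_object_permission(self, request, view, obj):
        """
        Allow access to ``obj`` for admins and for the user that owns it.

        ``obj`` is compared directly against the PPM id resolved for the
        requesting user, so ``obj`` is presumably the PPM id itself rather than
        a model instance.

        :param request: The current request; must carry a ``user`` attribute
        :param view: The view being accessed (unused here)
        :param obj: The object (PPM id) the request is trying to act on
        :return: True when the request is permitted
        :raises PermissionDenied: when there is no user on the request, or the
            user is neither an admin nor the owner of ``obj``
        """
        # Deny outright when authentication never attached a user to the request.
        # NOTE(review): only the attribute's presence is checked; an unauthenticated
        # (anonymous) user still reaches the authz lookups below — confirm that
        # is_admin and _ppm_id_for_email reject such a user.
        if not hasattr(request, 'user'):
            logger.warning('No \'user\' attribute on request')
            raise PermissionDenied

        # Check claims first for membership in the admin group
        if is_admin(request, request.user):
            return True

        # Check if owner: the resolved PPM id must match the object being accessed
        if _ppm_id_for_email(request, request.user) == obj:
            return True

        # Possibly store these elsewhere for records
        logger.info(f'{request.user} Failed MANAGE or owner permission for PPM')

        raise PermissionDenied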
예제 #5
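    def _sync_user(self, request, user, is_admin=None):
        """
        Called after a user is fetched/created and syncs any additional properties
        from the JWT's payload to the user object. Set staff and superuser flags
        if authorizations are valid.

        This backend is fail-closed: a user who is not (or is no longer) an admin
        has both flags cleared and saved, then is rejected with PermissionDenied.
        Any error while checking or saving also ends in PermissionDenied rather
        than admitting the user.

        :param request: The current request
        :param user: The user model instance being synced; it is saved here
        :param is_admin: Caller-supplied authz answer; when None it is looked up
            via authz.is_admin. A caller passing a truthy value skips the lookup,
            so only pass a value that was itself obtained from authz.
        """
        # Do normal sync first
        super()._sync_user(request, user)

        try:
            # Check if admin
            if is_admin is None:
                is_admin = authz.is_admin(request, user.email)

            # Ensure the model is updated: both flags mirror the authz answer
            user.is_staff = is_admin
            user.is_superuser = is_admin
            user.save()

        except Exception as e:
            # logger.exception() already attaches exc_info, so it is not repeated
            logger.exception(
                f"Superuser syncing error: {e}",
                extra={
                    "request": request,
                    "user": user,
                    "username": user.username,
                    "email": user.email,
                    "is_admin": is_admin,
                },
            )

            logger.debug("Encountered an issue and could not check admin/superuser status: defaulting to access denied")
            raise PermissionDenied from e

        # If not admin (indicates they used to be), the cleared flags are already
        # saved above. Raised outside the try so an ordinary revocation is not
        # caught by the handler and logged as a syncing error with a traceback.
        if not is_admin:
            logger.debug("User was superuser, but is now missing authz, booting them: {}".format(user.username))
            raise PermissionDenied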