def _sync_user(self, request, user):
    """
    Called after a user is fetched/created and syncs any additional
    properties from the JWT's payload to the user object. The staff and
    superuser flags are set from the current admin authorization.

    :param request: The current request
    :param user: The user model instance to update
    """
    # Let the parent backend sync first; privilege flags are applied last
    super(DBMIModelAuthenticationBackend, self)._sync_user(request, user)

    granted = False
    try:
        granted = authz.is_admin(request, user.email)
        if granted:
            logger.debug(f"User: {user.email} has been granted admin/superuser privileges")

        # Both flags follow the authorization result, so an admin grant
        # that has since been lost is revoked here, not only granted
        user.is_staff = granted
        user.is_superuser = granted
        user.save()
    except Exception as e:
        # NOTE(review): on failure the flags are left as they were, so a
        # previously granted superuser keeps the flags until the next
        # successful sync -- confirm this is the intended failure mode
        logger.exception(
            "Superuser syncing error: {}".format(e),
            exc_info=True,
            extra={
                "request": request,
                "user": user,
                "username": user.username,
                "email": user.email,
                "is_admin": granted,
            },
        )
def _should_create_user(self, request, email):
    """
    Decide whether the proposed user should be created in the Django model.

    A user is normally created before a missing permission rejects them,
    which leaves behind User rows that can never log in. Subclassing
    backends use this hook to vet the proposed user ahead of the creation
    step. The default implementation requires a single 'admin' permission
    on the current application.

    :param request: The current request
    :type request: HttpRequest
    :param email: The email of the requesting user
    :type email: str
    :return: Whether the user should be created or not
    :rtype: bool
    """
    # The only gate applied here: the requester must hold the admin
    # permission on the current application
    permitted = authz.is_admin(request, email)
    return permitted
def _sync_user(self, request, user):
    """
    Called after a user is fetched/created and syncs any additional
    properties from the JWT's payload to the user object. Staff and
    superuser flags mirror the current admin authorization.

    :param request: The current request
    :param user: The user model instance to update
    """
    try:
        # A single authorization check drives both flags, so a lost admin
        # grant is revoked on the next sync as well as granted
        privileged = bool(authz.is_admin(request, user.email))
        user.is_staff = privileged
        user.is_superuser = privileged
    except Exception as e:
        # NOTE(review): the flags are not persisted here (no user.save()),
        # and on failure they are left unchanged -- confirm the caller
        # saves the model and that this failure mode is intended
        logger.exception(
            "User syncing error: {}".format(e),
            exc_info=True,
            extra={"user": user, "request": request}
        )
def has_object_permission(self, request, view, obj):
    """
    Grant access to ``obj`` when the requester is an admin (per claims) or
    when the PPM id resolved for the requester equals ``obj``; deny
    otherwise.

    :param request: The current request
    :param view: The view being accessed (unused here)
    :param obj: The object under permission check
    :return: True when access is allowed
    :raises PermissionDenied: when no user is on the request or neither
        check passes
    """
    # A request without a user cannot be evaluated; deny rather than guess
    if not hasattr(request, 'user'):
        logger.warning('No \'user\' attribute on request')
        raise PermissionDenied

    requester = request.user

    # Admin membership (from claims) is checked before any ownership test
    if is_admin(request, requester):
        return True

    # Ownership: the object is compared directly against the requester's
    # PPM id. NOTE(review): this assumes `obj` is the PPM id itself -- confirm
    if _ppm_id_for_email(request, requester) == obj:
        return True

    # Record the refusal; possibly store these elsewhere for records
    logger.info('{} Failed MANAGE or owner permission for PPM'.format(
        request.user))
    raise PermissionDenied
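def _sync_user(self, request, user, is_admin=None):
    """
    Called after a user is fetched/created and syncs any additional
    properties from the JWT's payload to the user object. Set staff and
    superuser flags if authorizations are valid; a user who is not (or no
    longer) an admin is denied access after the revoked flags are saved.

    :param request: The current request
    :type request: HttpRequest
    :param user: The user model instance to update
    :param is_admin: Pre-computed admin status; when None it is looked up
        via ``authz.is_admin``
    :type is_admin: bool | None
    :raises PermissionDenied: when the user is not an admin, or when the
        admin status could not be determined (fail closed)
    """
    # Do normal sync first
    super(DBMISuperuserModelAuthenticationBackend, self)._sync_user(request, user)

    try:
        # Check if admin
        if is_admin is None:
            is_admin = authz.is_admin(request, user.email)

        # Ensure the model is updated; a revoked grant is persisted before
        # the user is denied below
        user.is_staff = is_admin
        user.is_superuser = is_admin
        user.save()
    except Exception as e:
        # logger.exception already records the traceback; no exc_info needed
        logger.exception(
            "Superuser syncing error: {}".format(e),
            extra={
                "request": request,
                "user": user,
                "username": user.username,
                "email": user.email,
                "is_admin": is_admin,
            },
        )
        logger.debug("Encountered an issue and could not check admin/superuser status: defaulting to access denied")
        raise PermissionDenied from e

    # Raised outside the try: PermissionDenied is an Exception subclass, so
    # raising it inside the block above was caught by the generic handler
    # and mis-logged as a syncing error with a traceback
    if not is_admin:
        logger.debug("User was superuser, but is now missing authz, booting them: {}".format(user.username))
        raise PermissionDenied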