def wrapped(request, *args, **kwargs): assert hasattr(request, 'session'), ("You need to have the session " "app intsalled") if getattr(settings, 'LAZYSIGNUP_ENABLE', True): # If the user agent is one we ignore, bail early ignore = False request_user_agent = request.META.get('HTTP_USER_AGENT', '') for user_agent in USER_AGENT_BLACKLIST: if user_agent.search(request_user_agent): ignore = True break # If there's already a key in the session for a valid user, then we don't # need to do anything. If the user isn't valid, then get_user will return # an anonymous user if get_user(request).is_anonymous() and not ignore: # If not, then we have to create a user, and log them in. from lazysignup.models import LazyUser username = username_from_session(request.session.session_key) user = LazyUser.objects.create_lazy_user(username) request.user = None user = authenticate(username=username) assert user, ("Lazy user creation and authentication " "failed. Have you got " "lazysignup.backends.LazySignupBackend in " "AUTHENTICATION_BACKENDS?") # Set the user id in the session here to prevent the login # call cycling the session key. request.session[SESSION_KEY] = user.id login(request, user) return func(request, *args, **kwargs)
def testUsernameNotBasedOnSessionKey(self): # The generated username should not look like the session key. While doing # so isn't a security problem in itself, any client software that blindly # displays the logged-in user's username risks showing most of the session # key to the world. fake_session_key = 'a' * 32 username = username_from_session(fake_session_key) self.failIf(fake_session_key.startswith(username))
def testCreateLazyUser(self, mock_resolve): # If there isn't a setup session, then this middleware should create a user # with the same name as the session key, and an unusable password. f = allow_lazy_user(lambda request: 1) mock_resolve.return_value = (f, None, None) f(self.request) self.assertEqual(username_from_session(self.request.session.session_key), self.request.user.username) self.assertEqual(False, self.request.user.has_usable_password())
def testUsernameNotBasedOnSessionKey(self): # The generated username should not look like the session key. While doing # so isn't a security problem in itself, any client software that blindly # displays the logged-in user's username risks showing most of the session # key to the world. fake_session_key = "a" * 32 username = username_from_session(fake_session_key) self.failIf(fake_session_key.startswith(username))
def testBadSessionAlreadyExists(self, mock_resolve): # If the user id is already in the session, but the user doesn't exist, # then a user should be created f = allow_lazy_user(lambda request: 1) self.request.session[SESSION_KEY] = 1000 mock_resolve.return_value = (f, None, None) f(self.request) self.assertEqual(username_from_session(self.request.session.session_key), self.request.user.username) self.assertEqual(False, self.request.user.has_usable_password())
def testRemoveExpiredUsers(self): # Users wihout usable passwords who don't have a current session record should be removed. u1 = User.objects.create_user(username_from_session("dummy"), "") u2 = User.objects.create_user("dummy2", "") s = Session(session_key="dummy", session_data="", expire_date=datetime.datetime.now() + datetime.timedelta(1)) s.save() c = remove_expired_users.Command() c.handle() users = User.objects.all() self.assertEqual(1, len(users)) self.assertEqual(u1, users[0])
def handle_noargs(self, **options): usernames = [username_from_session(sk) for sk in Session.objects.all().values_list('session_key', flat=True)] # Find all the users who have an unusable password, whose usernames # aren't in the list of valid sessions: session_users = User.objects.filter( password=UNUSABLE_PASSWORD ).exclude( username__in=usernames ) # Delete each of these users. We don't use the queryset delete() because # we want cascades to work. for user in session_users: user.delete()
def handle_noargs(self, **options): usernames = [ username_from_session(sk) for sk in Session.objects.all().values_list('session_key', flat=True) ] # Find all the users who have an unusable password, whose usernames # aren't in the list of valid sessions: session_users = User.objects.filter( password=UNUSABLE_PASSWORD).exclude(username__in=usernames) # Delete each of these users. We don't use the queryset delete() because # we want cascades to work. for user in session_users: user.delete()
def testRemoveExpiredUsers(self): # Users wihout usable passwords who don't have a current session record should be removed. u1 = User.objects.create_user(username_from_session('dummy'), '') u2 = User.objects.create_user('dummy2', '') s = Session( session_key='dummy', session_data='', expire_date=datetime.datetime.now() + datetime.timedelta(1) ) s.save() c = remove_expired_users.Command() c.handle() users = User.objects.all() self.assertEqual(1, len(users)) self.assertEqual(u1, users[0])
def get_username(self, session_key, username_length=None): return username_from_session(session_key, username_length)