예제 #1
    def dispatch(self, request, *args, **kwargs):
        """Authorize a repository request before handing it to the parent view.

        Checks run in this order:

        1. A user with an authenticated session is dispatched at once;
           neither the key pair nor the client address is examined.
        2. Otherwise the Basic-auth key pair is read. A POST without a
           complete pair is answered with ``HttpResponseUnauthorized``.
        3. A supplied pair must pass ``self._validate_credentials``.
        4. ``self._allow_request`` makes the final decision from the
           request and the client address.

        Returns:
            The parent ``dispatch`` response when access is granted,
            otherwise an ``HttpResponseUnauthorized``.
        """
        # Reset first so later code never sees a stale value on the request.
        request.credentials = None

        if request.user.is_authenticated:
            return super().dispatch(request, *args, **kwargs)

        ip_addr = self._get_client_ip_address(request)
        logger.info("Package request from %s", ip_addr)

        access_key, secret_key = get_basic_auth_data(request)
        has_key_pair = bool(access_key and secret_key)

        if not has_key_pair and request.method == 'POST':
            # POST means register or upload. distutils does not send auth
            # for register by default, so reply with a challenge to make the
            # client retry with an HTTP_AUTHORIZATION header.
            return HttpResponseUnauthorized()

        if has_key_pair:
            credentials_ok = self._validate_credentials(
                request, access_key, secret_key)
            if not credentials_ok:
                return HttpResponseUnauthorized()

        # Anonymous non-POST requests arrive here without any credential
        # check, so _allow_request is the only gate for them.
        if not self._allow_request(request, ip_addr):
            # Only the access key is logged; the secret key stays out of the
            # log line.
            logger.info("Denied upload to %s from %s with access key %s",
                        request.path, ip_addr, access_key)
            return HttpResponseUnauthorized("No permission")

        return super().dispatch(request, *args, **kwargs)
예제 #2
    def decorator(request, *args, **kwargs):
        """Run ``view_func`` only for callers allowed by address and login.

        The client address is taken from ``X-Forwarded-For`` when
        ``settings.LOCALSHOP_USE_PROXIED_IP`` is set, else from
        ``REMOTE_ADDR``. Addresses that ``CIDR.objects.has_access`` accepts
        with ``with_credentials=False`` reach the view with no further
        check; addresses accepted only with ``with_credentials=True`` must
        also be logged in or authenticate on this request.

        Returns:
            The wrapped view's response, ``HttpResponseForbidden`` when the
            address is not allowed (or the forwarded header is missing), or
            ``HttpResponseUnauthorized`` when authentication fails.
        """
        if settings.LOCALSHOP_USE_PROXIED_IP:
            if 'HTTP_X_FORWARDED_FOR' not in request.META:
                return HttpResponseForbidden('No permission')
            forwarded_chain = request.META['HTTP_X_FORWARDED_FOR']
            # The header may hold a comma-separated list; the first entry is
            # taken as the client.
            # NOTE(review): the leftmost entry is whatever the client sent
            # unless the fronting proxy strips or overwrites the incoming
            # header. The first has_access check below admits a request on
            # address alone, so confirm the proxy does that before enabling
            # LOCALSHOP_USE_PROXIED_IP.
            ip_addr = forwarded_chain.split(",", 1)[0].strip()
        else:
            ip_addr = request.META['REMOTE_ADDR']

        address_rules = CIDR.objects

        # Address is allowed without credentials: no login needed.
        if address_rules.has_access(ip_addr, with_credentials=False):
            return view_func(request, *args, **kwargs)

        # Address is not allowed even with credentials: stop here.
        if not address_rules.has_access(ip_addr, with_credentials=True):
            return HttpResponseForbidden('No permission')

        # An existing session is enough; no need to authenticate again.
        if request.user.is_authenticated:
            return view_func(request, *args, **kwargs)

        user = authenticate_user(request)
        if user is None:
            return HttpResponseUnauthorized(content='Authorization Required')

        login(request, user)
        return view_func(request, *args, **kwargs)
예제 #3
파일: mixins.py 프로젝트: rca/localshop
    def dispatch(self, request, *args, **kwargs):
        """Authorize a repository request, then defer to the parent view.

        Resolves the client address, authenticates an optional Basic-auth
        key pair (repository credential first, Django user as fallback) and
        finally asks ``self._allow_request`` whether the request may go on.

        Returns:
            The parent ``dispatch`` response when access is granted,
            ``HttpResponseForbidden`` when proxied mode is on and the
            forwarded header is missing, otherwise
            ``HttpResponseUnauthorized``.
        """
        # TODO: Should be handled in middleware
        if settings.LOCALSHOP_USE_PROXIED_IP:
            if 'HTTP_X_FORWARDED_FOR' not in request.META:
                return HttpResponseForbidden('No permission')
            forwarded_chain = request.META['HTTP_X_FORWARDED_FOR']
            # The header may hold a comma-separated list; the first entry is
            # taken as the client.
            # NOTE(review): the leftmost entry is client-supplied unless the
            # fronting proxy strips or overwrites the incoming header;
            # ip_addr feeds _allow_request below, so confirm the proxy setup.
            ip_addr = forwarded_chain.split(",", 1)[0].strip()
        else:
            ip_addr = request.META['REMOTE_ADDR']

        logger.info("Package request from %s", ip_addr)

        # Check repository based credentials, move to middleware ?
        request.credentials = None
        key, secret = get_basic_auth_data(request)
        has_key_pair = bool(key and secret)

        if not has_key_pair and request.method == 'POST':
            # POST means register or upload. distutils does not send auth
            # for register by default, so reply with a challenge to make the
            # client retry with an HTTP_AUTHORIZATION header.
            return HttpResponseUnauthorized()

        if has_key_pair:
            credential = self.repository.credentials.authenticate(key, secret)
            if credential:
                request.credentials = credential
            else:
                # Might be a regular Django user. This fallback should be
                # deprecated because it is not secure enough; user
                # credentials should be used instead.
                user = authenticate_user(request)
                if not user:
                    return HttpResponseUnauthorized()
                login(request, user)

        # Requests without a key pair (non-POST) reach this point
        # unauthenticated, so _allow_request is the only gate for them.
        if not self._allow_request(request, ip_addr):
            return HttpResponseUnauthorized("No permission")

        return super(RepositoryAccessMixin,
                     self).dispatch(request, *args, **kwargs)
예제 #4
    def decorator(request, *args, **kwargs):
        """Run ``view_func`` only for callers allowed by address and login.

        The client address is ``REMOTE_ADDR``. Addresses that
        ``CIDR.objects.has_access`` accepts with ``with_credentials=False``
        reach the view with no further check; addresses accepted only with
        ``with_credentials=True`` must also be logged in or authenticate on
        this request.

        Returns:
            The wrapped view's response, ``HttpResponseForbidden`` when the
            address is not allowed, or ``HttpResponseUnauthorized`` when
            authentication fails.
        """
        ip_addr = request.META['REMOTE_ADDR']
        address_rules = CIDR.objects

        # Address is allowed without credentials: no login needed.
        if address_rules.has_access(ip_addr, with_credentials=False):
            return view_func(request, *args, **kwargs)

        # Address is not allowed even with credentials: stop here.
        if not address_rules.has_access(ip_addr, with_credentials=True):
            return HttpResponseForbidden('No permission')

        # An existing session is enough; no need to authenticate again.
        # NOTE(review): is_authenticated is called as a method, which matches
        # Django before 1.10. From 1.10 it is a property and from 2.0 the
        # call raises TypeError. Do not simply drop the parentheses on an old
        # Django: there the bare attribute is a bound method and always
        # truthy, which would skip authentication.
        if request.user.is_authenticated():
            return view_func(request, *args, **kwargs)

        user = authenticate_user(request)
        if user is None:
            return HttpResponseUnauthorized(content='Authorization Required')

        login(request, user)
        return view_func(request, *args, **kwargs)
예제 #5
    def post(self, request):
        """Authenticate a POST and route it to the register/upload handler.

        Returns:
            The handler's response, ``HttpResponseUnauthorized`` when
            ``split_auth`` yields no auth method, or a 401 ``HttpResponse``
            when ``authenticate_user`` finds no user.

        Raises:
            Http404: if the ``:action`` form field is not a known action.
        """
        # Runs before anything reads request.POST / request.FILES.
        # NOTE(review): presumably rewrites the distutils body into those
        # attributes -- confirm against parse_distutils_request.
        parse_distutils_request(request)

        # XXX: Auth is currently a bit of a hack
        auth_method, _identity = split_auth(request)
        if not auth_method:
            return HttpResponseUnauthorized(content='Missing auth header')

        # Both early returns happen before the action is looked up, so an
        # unauthenticated caller never reaches a handler.
        user = authenticate_user(request)
        if not user:
            return HttpResponse('Invalid username/password', status=401)

        # Register and upload currently share one handler.
        handlers_by_action = {
            'submit': handle_register_or_upload,
            'file_upload': handle_register_or_upload,
        }
        requested_action = request.POST.get(':action')
        handler = handlers_by_action.get(requested_action)
        if not handler:
            raise Http404('Unknown action')

        return handler(request.POST, request.FILES, user)