def done(self, form_list, **kwargs): """ Login the user and redirect to the desired page. """ redirect_to = self.request.session.get(SESSION_KEY_TWO_FACTOR_REDIRECT_URL, '') \ or self.request.GET.get(self.redirect_field_name, '') auth_login(self.request, self.user) self.reset_two_factor_session() if not is_safe_url(url=redirect_to, host=self.request.get_host()): redirect_to = str(settings.LOGIN_REDIRECT_URL) res = HttpResponseRedirect(redirect_to) if form_list[0].is_valid(): remember_me = form_list[0].cleaned_data['remember_me'] if remember_me: s = remember_device(self.user.username) res.set_cookie( 'S2FA', s.session_key, max_age=settings.TWO_FACTOR_DEVICE_REMEMBER_DAYS * 24 * 60 * 60, domain=settings.SESSION_COOKIE_DOMAIN, path=settings.SESSION_COOKIE_PATH, secure=settings.SESSION_COOKIE_SECURE or None, httponly=settings.SESSION_COOKIE_HTTPONLY or None) return res
def token_view(request, token): """Show form to let user set password. """ i = get_object_or_404(Invitation, token=token) if i.is_expired(): raise Http404 if request.method == 'POST': passwd = request.POST.get('password', '') if not passwd: return HttpResponseRedirect(request.META.get('HTTP_REFERER')) try: User.objects.get(email=i.accepter) messages.error(request, _('A user with this email already exists.')) except User.DoesNotExist: # Create user, set that user as guest, and log user in. u = User.objects.create_user(email=i.accepter, password=passwd, is_active=True) User.objects.update_role(u.username, GUEST_USER) i.accept() # Update invitaion accept time. for backend in get_backends(): u.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__) auth_login(request, u) return HttpResponseRedirect(SITE_ROOT) return render_to_response('invitations/token_view.html', { 'iv': i, }, context_instance=RequestContext(request))
def login_simple_check(request): """A simple check for login called by thirdpart systems(OA, etc). Token generation: MD5(secret_key + [email protected] + 2014-1-1).hexdigest() Token length: 32 hexadecimal digits. """ username = request.REQUEST.get('user', '') random_key = request.REQUEST.get('token', '') if not username or not random_key: raise Http404 today = datetime.now().strftime('%Y-%m-%d') expect = hashlib.md5(settings.SECRET_KEY+username+today).hexdigest() if expect == random_key: try: user = User.objects.get(email=username) except User.DoesNotExist: raise Http404 for backend in get_backends(): user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__) auth_login(request, user) return HttpResponseRedirect(settings.SITE_ROOT) else: raise Http404
def client_token_login(request): """Login from desktop client with a generated token. """ tokenstr = request.GET.get('token', '') user = None if len(tokenstr) == 32: try: username = ClientLoginToken.objects.get_username(tokenstr) except ClientLoginToken.DoesNotExist: pass else: try: user = User.objects.get(email=username) for backend in get_backends(): user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__) except User.DoesNotExist: pass if user: if request.user.is_authenticated() and request.user.username == user.username: pass else: request.client_token_login = True auth_login(request, user) return HttpResponseRedirect(request.GET.get("next", reverse('libraries')))
def login_simple_check(request): """A simple check for login called by thirdpart systems(OA, etc). Token generation: MD5(secret_key + [email protected] + 2014-1-1).hexdigest() Token length: 32 hexadecimal digits. """ username = request.REQUEST.get('user', '') random_key = request.REQUEST.get('token', '') if not username or not random_key: raise Http404 today = datetime.now().strftime('%Y-%m-%d') expect = hashlib.md5(settings.SECRET_KEY + username + today).hexdigest() if expect == random_key: try: user = User.objects.get(email=username) except User.DoesNotExist: raise Http404 for backend in get_backends(): user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__) auth_login(request, user) return HttpResponseRedirect(settings.SITE_ROOT) else: raise Http404
def token_view(request, token): """Show form to let user set password. """ i = get_object_or_404(Invitation, token=token) if i.is_expired(): raise Http404 if request.method == 'POST': passwd = request.POST.get('password', '') if not passwd: return HttpResponseRedirect(request.META.get('HTTP_REFERER')) try: User.objects.get(email=i.accepter) messages.error(request, _('A user with this email already exists.')) except User.DoesNotExist: # Create user, set that user as guest, and log user in. u = User.objects.create_user(email=i.accepter, password=passwd, is_active=True) u.role = GUEST_USER u.save() i.accept() # Update invitaion accept time. for backend in get_backends(): u.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__) auth_login(request, u) return HttpResponseRedirect(SITE_ROOT) return render_to_response('invitations/token_view.html', { 'iv': i, }, context_instance=RequestContext(request))
def client_token_login(request): """Login from desktop client with a generated token. """ tokenstr = request.GET.get('token', '') user = None if len(tokenstr) == 32: try: username = ClientLoginToken.objects.get_username(tokenstr) except ClientLoginToken.DoesNotExist: pass else: try: user = User.objects.get(email=username) for backend in get_backends(): user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__) except User.DoesNotExist: pass if user: if request.user.is_authenticated( ) and request.user.username == user.username: pass else: request.client_token_login = True auth_login(request, user) return HttpResponseRedirect(request.GET.get("next", reverse('libraries')))
def token_view(request, token): """Show form to let user set password. """ i = get_object_or_404(Invitation, token=token) if i.is_expired(): raise Http404 if request.method == 'GET': try: user = User.objects.get(email=i.accepter) if user.is_active is True: # user is active return exist messages.error(request, _('A user with this email already exists.')) except User.DoesNotExist: pass return render(request, 'invitations/token_view.html', {'iv': i, }) if request.method == 'POST': passwd = request.POST.get('password', '') if not passwd: return HttpResponseRedirect(request.META.get('HTTP_REFERER')) try: user = User.objects.get(email=i.accepter) if user.is_active is True: # user is active return exist messages.error(request, _('A user with this email already exists.')) return render(request, 'invitations/token_view.html', {'iv': i, }) else: # user is inactive then set active and new password user.set_password(passwd) user.is_active = True user.save() user = authenticate(username=user.username, password=passwd) except User.DoesNotExist: # Create user, set that user as guest. user = User.objects.create_user( email=i.accepter, password=passwd, is_active=True) User.objects.update_role(user.username, GUEST_USER) for backend in get_backends(): user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__) # Update invitation accept time. i.accept() # login auth_login(request, user) # send signal to notify inviter accept_guest_invitation_successful.send( sender=None, invitation_obj=i) # send email to notify admin if NOTIFY_ADMIN_AFTER_REGISTRATION: notify_admins_on_register_complete(user.email) return HttpResponseRedirect(SITE_ROOT)
def demo(request): """ Login as demo account. """ user = User.objects.get(email=settings.CLOUD_DEMO_USER) for backend in get_backends(): user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__) auth_login(request, user) redirect_to = settings.SITE_ROOT return HttpResponseRedirect(redirect_to)
def login(request, template_name='registration/login.html', redirect_if_logged_in=None, redirect_field_name=REDIRECT_FIELD_NAME, authentication_form=AuthenticationForm): """Displays the login form and handles the login action.""" if request.user.is_authenticated() and redirect_if_logged_in: return HttpResponseRedirect(reverse(redirect_if_logged_in)) redirect_to = request.REQUEST.get(redirect_field_name, '') if request.method == "POST": form = authentication_form(data=request.POST) if form.is_valid(): # Light security check -- make sure redirect_to isn't garbage. if not redirect_to or ' ' in redirect_to: redirect_to = settings.LOGIN_REDIRECT_URL # Heavier security check -- redirects to http://example.com should # not be allowed, but things like /view/?param=http://example.com # should be allowed. This regex checks if there is a '//' *before* a # question mark. elif '//' in redirect_to and re.match(r'[^\?]*//', redirect_to): redirect_to = settings.LOGIN_REDIRECT_URL # Okay, security checks complete. Log the user in. auth_login(request, form.get_user()) if request.session.test_cookie_worked(): request.session.delete_test_cookie() return HttpResponseRedirect(redirect_to) else: form = authentication_form(request) request.session.set_test_cookie() if Site._meta.installed: current_site = Site.objects.get_current() else: current_site = RequestSite(request) return render_to_response(template_name, { 'form': form, redirect_field_name: redirect_to, 'site': current_site, 'site_name': current_site.name, }, context_instance=RequestContext(request))
def login( request, template_name="registration/login.html", redirect_if_logged_in=None, redirect_field_name=REDIRECT_FIELD_NAME, authentication_form=AuthenticationForm, ): """Displays the login form and handles the login action.""" if request.user.is_authenticated() and redirect_if_logged_in: return HttpResponseRedirect(reverse(redirect_if_logged_in)) redirect_to = request.REQUEST.get(redirect_field_name, "") if request.method == "POST": form = authentication_form(data=request.POST) if form.is_valid(): # Light security check -- make sure redirect_to isn't garbage. if not redirect_to or " " in redirect_to: redirect_to = settings.LOGIN_REDIRECT_URL # Heavier security check -- redirects to http://example.com should # not be allowed, but things like /view/?param=http://example.com # should be allowed. This regex checks if there is a '//' *before* a # question mark. elif "//" in redirect_to and re.match(r"[^\?]*//", redirect_to): redirect_to = settings.LOGIN_REDIRECT_URL # Okay, security checks complete. Log the user in. auth_login(request, form.get_user()) if request.session.test_cookie_worked(): request.session.delete_test_cookie() return HttpResponseRedirect(redirect_to) else: form = authentication_form(request) request.session.set_test_cookie() if Site._meta.installed: current_site = Site.objects.get_current() else: current_site = RequestSite(request) return render_to_response( template_name, {"form": form, redirect_field_name: redirect_to, "site": current_site, "site_name": current_site.name}, context_instance=RequestContext(request), )
def log_user_in(request, user, redirect_to): # Ensure the user-originating redirection url is safe. if not is_safe_url(url=redirect_to, host=request.get_host()): redirect_to = settings.LOGIN_REDIRECT_URL # Okay, security checks complete. Log the user in. auth_login(request, user) if request.session.test_cookie_worked(): request.session.delete_test_cookie() _clear_login_failed_attempts(request) return HttpResponseRedirect(redirect_to)
def done(self, form_list, **kwargs): """ Login the user and redirect to the desired page. """ redirect_to = self.request.session.get(SESSION_KEY_TWO_FACTOR_REDIRECT_URL, '') \ or self.request.GET.get(self.redirect_field_name, '') auth_login(self.request, self.user) self.reset_two_factor_session() if not is_safe_url(url=redirect_to, host=self.request.get_host()): redirect_to = str(settings.LOGIN_REDIRECT_URL) return redirect(redirect_to)
def log_user_in(request, user, redirect_to): # Ensure the user-originating redirection url is safe. if not is_safe_url(url=redirect_to, host=request.get_host()): redirect_to = settings.LOGIN_REDIRECT_URL if request.session.test_cookie_worked(): request.session.delete_test_cookie() clear_login_failed_attempts(request, user.username) if two_factor_auth_enabled(user) and \ not is_device_remembered(request.COOKIES.get('S2FA', ''), user): return handle_two_factor_auth(request, user, redirect_to) # Okay, security checks complete. Log the user in. auth_login(request, user) return HttpResponseRedirect(redirect_to)
def demo(request): """ Login as demo account. """ try: user = User.objects.get(email=settings.CLOUD_DEMO_USER) except User.DoesNotExist: user = User.objects.create_user(settings.CLOUD_DEMO_USER, is_active=True) user.set_unusable_password() user.save() for backend in get_backends(): user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__) auth_login(request, user) redirect_to = settings.SITE_ROOT return HttpResponseRedirect(redirect_to)
def log_user_in(request, user, redirect_to): # Light security check -- make sure redirect_to isn't garbage. if not redirect_to or ' ' in redirect_to: redirect_to = settings.LOGIN_REDIRECT_URL # Heavier security check -- redirects to http://example.com should # not be allowed, but things like /view/?param=http://example.com # should be allowed. This regex checks if there is a '//' *before* a # question mark. elif '//' in redirect_to and re.match(r'[^\?]*//', redirect_to): redirect_to = settings.LOGIN_REDIRECT_URL # Okay, security checks complete. Log the user in. auth_login(request, user) if request.session.test_cookie_worked(): request.session.delete_test_cookie() cache.delete(LOGIN_ATTEMPT_PREFIX+user.username) return HttpResponseRedirect(redirect_to)
def demo(request): """ Login as demo account. """ from django.conf import settings as dj_settings if not dj_settings.ENABLE_DEMO_USER: raise Http404 try: user = User.objects.get(email=settings.CLOUD_DEMO_USER) except User.DoesNotExist: logger.warn('CLOUD_DEMO_USER: %s does not exist.' % settings.CLOUD_DEMO_USER) raise Http404 for backend in get_backends(): user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__) auth_login(request, user) redirect_to = settings.SITE_ROOT return HttpResponseRedirect(redirect_to)
def token_view(request, token): """Show form to let user set password. """ i = get_object_or_404(Invitation, token=token) if i.is_expired(): raise Http404 if request.method == 'POST': passwd = request.POST.get('password', '') if not passwd: return HttpResponseRedirect(request.META.get('HTTP_REFERER')) try: User.objects.get(email=i.accepter) messages.error(request, _('A user with this email already exists.')) except User.DoesNotExist: # Create user, set that user as guest, and log user in. u = User.objects.create_user(email=i.accepter, password=passwd, is_active=True) User.objects.update_role(u.username, GUEST_USER) i.accept() # Update invitaion accept time. for backend in get_backends(): u.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__) auth_login(request, u) # send signal to notify inviter accept_guest_invitation_successful.send( sender=None, invitation_obj=i) # send email to notify admin if NOTIFY_ADMIN_AFTER_REGISTRATION: notify_admins_on_register_complete(u.email) return HttpResponseRedirect(SITE_ROOT) return render(request, 'invitations/token_view.html', { 'iv': i, })
def login_simple_check(request): """A simple check for login called by thirdpart systems(OA, etc). Token generation: MD5(secret_key + [email protected] + 2014-1-1).hexdigest() Token length: 32 hexadecimal digits. """ username = request.GET.get('user', '') random_key = request.GET.get('token', '') if not username or not random_key: raise Http404 today = datetime.now().strftime('%Y-%m-%d') expect = hashlib.md5( (settings.SECRET_KEY + username + today).encode('utf-8')).hexdigest() if expect == random_key: try: user = User.objects.get(email=username) except User.DoesNotExist: raise Http404 for backend in get_backends(): user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__) auth_login(request, user) # Ensure the user-originating redirection url is safe. if REDIRECT_FIELD_NAME in request.GET: next_page = request.GET[REDIRECT_FIELD_NAME] if not is_safe_url(url=next_page, allowed_hosts=request.get_host()): next_page = settings.LOGIN_REDIRECT_URL else: next_page = settings.SITE_ROOT return HttpResponseRedirect(next_page) else: raise Http404
def assertion_consumer_service(request, config_loader_path=None, attribute_mapping=None, create_unknown_user=None): """SAML Authorization Response endpoint The IdP will send its response to this view, which will process it with pysaml2 help and log the user in using the custom Authorization backend djangosaml2.backends.Saml2Backend that should be enabled in the settings.py """ attribute_mapping = attribute_mapping or get_custom_setting( 'SAML_ATTRIBUTE_MAPPING', {'uid': ('username', )}) create_unknown_user = create_unknown_user or get_custom_setting( 'SAML_CREATE_UNKNOWN_USER', True) logger.debug('Assertion Consumer Service started') conf = get_config(config_loader_path, request) if 'SAMLResponse' not in request.POST: return HttpResponseBadRequest( 'Couldn\'t find "SAMLResponse" in POST data.') xmlstr = request.POST['SAMLResponse'] client = Saml2Client(conf, identity_cache=IdentityCache(request.session)) oq_cache = OutstandingQueriesCache(request.session) outstanding_queries = oq_cache.outstanding_queries() try: response = client.parse_authn_request_response(xmlstr, BINDING_HTTP_POST, outstanding_queries) except MissingKey: logger.error('MissingKey error in ACS') return HttpResponseForbidden( "The Identity Provider is not configured correctly: " "the certificate key is missing") if response is None: logger.error('SAML response is None') return HttpResponseBadRequest( "SAML response has errors. Please check the logs") session_id = response.session_id() oq_cache.delete(session_id) # authenticate the remote user session_info = response.session_info() if callable(attribute_mapping): attribute_mapping = attribute_mapping() if callable(create_unknown_user): create_unknown_user = create_unknown_user() logger.debug('Trying to authenticate the user') user = auth.authenticate(session_info=session_info, attribute_mapping=attribute_mapping, create_unknown_user=create_unknown_user) if user is None: logger.error('The user is None') return HttpResponseForbidden("Permission denied") if not user.is_active: logger.error('The user is inactive') return HttpResponseForbidden("Permission denied") auth_login(request, user) _set_subject_id(request.session, session_info['name_id']) logger.debug('Sending the post_authenticated signal') post_authenticated.send_robust(sender=user, session_info=session_info) # redirect the user to the view where he came from default_relay_state = get_custom_setting('ACS_DEFAULT_REDIRECT_URL', settings.LOGIN_REDIRECT_URL) relay_state = request.POST.get('RelayState', default_relay_state) if not relay_state: logger.warning('The RelayState parameter exists but is empty') relay_state = default_relay_state logger.debug('Redirecting to the RelayState: %s', relay_state) return HttpResponseRedirect(relay_state)
def token_view(request, token): """Show form to let user set password. """ i = get_object_or_404(Invitation, token=token) if i.is_expired(): raise Http404 if request.method == 'GET': try: user = User.objects.get(email=i.accepter) if user.is_active is True: # user is active return exist messages.error(request, _('A user with this email already exists.')) except User.DoesNotExist: pass return render(request, 'invitations/token_view.html', { 'iv': i, }) if request.method == 'POST': passwd = request.POST.get('password', '') if not passwd: return HttpResponseRedirect(request.META.get('HTTP_REFERER')) try: user = User.objects.get(email=i.accepter) if user.is_active is True: # user is active return exist messages.error(request, _('A user with this email already exists.')) return render(request, 'invitations/token_view.html', { 'iv': i, }) else: # user is inactive then set active and new password user.set_password(passwd) user.is_active = True user.save() user = authenticate(username=user.username, password=passwd) except User.DoesNotExist: # Create user, set that user as guest. user = User.objects.create_user(email=i.accepter, password=passwd, is_active=True) User.objects.update_role(user.username, GUEST_USER) for backend in get_backends(): user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__) # Update invitation accept time. i.accept() # login auth_login(request, user) # send signal to notify inviter accept_guest_invitation_successful.send(sender=None, invitation_obj=i) # send email to notify admin if NOTIFY_ADMIN_AFTER_REGISTRATION: notify_admins_on_register_complete(user.email) # repo share invitation try: shared_queryset = RepoShareInvitation.objects.list_by_invitation( invitation=i) accepter = i.accepter for shared_obj in shared_queryset: repo_id = shared_obj.repo_id path = shared_obj.path permission = shared_obj.permission inviter = shared_obj.invitation.inviter # recourse check repo = seafile_api.get_repo(repo_id) if not repo: logger.warning( '[ %s ] repo not found when [ %s ] accepts the invitation to share repo' ) % (repo_id, accepter) continue if seafile_api.get_dir_id_by_path(repo.id, path) is None: logger.warning( '[ %s ][ %s ] dir not found when [ %s ] accepts the invitation to share repo' ) % (repo_id, path, accepter) continue repo_owner = seafile_api.get_repo_owner(repo_id) share_dir_to_user(repo, path, repo_owner, inviter, accepter, permission, None) send_perm_audit_msg('modify-repo-perm', inviter, accepter, repo_id, path, permission) # delete shared_queryset.delete() except Exception as e: logger.error(e) return HttpResponseRedirect(SITE_ROOT)
def login(request, next_page=None, required=False): """Forwards to CAS login URL or verifies CAS ticket""" service_url = get_service_url(request, next_page) client = get_cas_client(service_url=service_url, request=request) if not next_page and settings.CAS_STORE_NEXT and 'CASNEXT' in request.session: next_page = request.session['CASNEXT'] del request.session['CASNEXT'] if not next_page: next_page = get_redirect_url(request) if request.method == 'POST' and request.POST.get('logoutRequest'): clean_sessions(client, request) return HttpResponseRedirect(next_page) # backward compability for django < 2.0 is_user_authenticated = False if sys.version_info >= (3, 0): bool_type = bool else: bool_type = types.BooleanType if isinstance(request.user.is_authenticated, bool_type): is_user_authenticated = request.user.is_authenticated else: is_user_authenticated = request.user.is_authenticated() if is_user_authenticated: if settings.CAS_LOGGED_MSG is not None: message = settings.CAS_LOGGED_MSG % request.user.get_username() messages.success(request, message) return HttpResponseRedirect(next_page) ticket = request.GET.get('ticket') if ticket: user = authenticate(ticket=ticket, service=service_url, request=request) pgtiou = request.session.get("pgtiou") if user is not None: if not request.session.exists(request.session.session_key): request.session.create() auth_login(request, user) SessionTicket.objects.create( session_key=request.session.session_key, ticket=ticket) if pgtiou and settings.CAS_PROXY_CALLBACK: # Delete old PGT ProxyGrantingTicket.objects.filter( user=user, session_key=request.session.session_key).delete() # Set new PGT ticket try: pgt = ProxyGrantingTicket.objects.get(pgtiou=pgtiou) pgt.user = user pgt.session_key = request.session.session_key pgt.save() except ProxyGrantingTicket.DoesNotExist: pass if settings.CAS_LOGIN_MSG is not None: name = user.get_username() message = settings.CAS_LOGIN_MSG % name messages.success(request, message) return HttpResponseRedirect(next_page) elif settings.CAS_RETRY_LOGIN or required: return HttpResponseRedirect(client.get_login_url()) else: raise PermissionDenied(_('Login failed.')) else: if settings.CAS_STORE_NEXT: request.session['CASNEXT'] = next_page return HttpResponseRedirect(client.get_login_url())