def test_anonymous_user(self):
user = self.create_user()
anon_user = AnonymousUser()
organization = self.create_organization(owner=user)
result = access.from_user(anon_user, organization)
assert not result.is_active
def get_default_context(request, existing_context=None, team=None):
from sentry.plugins import plugins
context = {
'EVENTS_PER_PAGE': EVENTS_PER_PAGE,
'URL_PREFIX': settings.SENTRY_URL_PREFIX,
'SINGLE_ORGANIZATION': settings.SENTRY_SINGLE_ORGANIZATION,
'PLUGINS': plugins,
'ALLOWED_HOSTS': settings.ALLOWED_HOSTS,
'SENTRY_RAVEN_JS_URL': settings.SENTRY_RAVEN_JS_URL,
}
if existing_context:
if team is None and 'team' in existing_context:
team = existing_context['team']
if 'project' in existing_context:
project = existing_context['project']
else:
project = None
else:
project = None
if team:
organization = team.organization
elif project:
organization = project.organization
else:
organization = None
if request:
context.update({
'request': request,
})
if (not existing_context or 'TEAM_LIST' not in existing_context) and team:
context['TEAM_LIST'] = Team.objects.get_for_user(
organization=team.organization,
user=request.user,
with_projects=True,
)
user = request.user
else:
user = AnonymousUser()
if organization:
context['selectedOrganization'] = serialize(organization, user)
if team:
context['selectedTeam'] = serialize(team, user)
if project:
context['selectedProject'] = serialize(project, user)
if not existing_context or 'ACCESS' not in existing_context:
context['ACCESS'] = access.from_user(
user=user,
organization=organization,
).to_django_context()
return context
def delete(self, request, *args, **kwargs):
"""
Logout the Authenticated User
`````````````````````````````
Deauthenticate the currently active session.
"""
logout(request._request)
request.user = AnonymousUser()
return Response(status=204)
def authenticate_credentials(self, userid, password):
try:
pk = ProjectKey.objects.get_from_cache(public_key=userid)
except ProjectKey.DoesNotExist:
return None
if not constant_time_compare(pk.secret_key, password):
return None
if not pk.is_active:
raise AuthenticationFailed('Key is disabled')
if not pk.roles.api:
raise AuthenticationFailed('Key does not allow API access')
return (AnonymousUser(), pk)
def authenticate_credentials(self, userid, password):
if password:
return
try:
key = ApiKey.objects.get_from_cache(key=userid)
except ApiKey.DoesNotExist:
return None
if not key.is_active:
raise AuthenticationFailed('Key is disabled')
raven.tags_context({
'api_key': userid,
})
return (AnonymousUser(), key)
def _dispatch(self,
request,
helper,
project_id=None,
origin=None,
*args,
**kwargs):
# NOTE: We need to override the auth flow for a CSP report!
# A CSP report is sent as a POST request with no Origin or Referer
# header. What we're left with is a 'document-uri' key which is
# inside of the JSON body of the request. This 'document-uri' value
# should be treated as an origin check since it refers to the page
# that triggered the report. The Content-Type is supposed to be
# `application/csp-report`, but FireFox sends it as `application/json`.
if request.method != 'POST':
return HttpResponseNotAllowed(['POST'])
if request.META.get('CONTENT_TYPE') not in self.content_types:
raise APIError('Invalid Content-Type')
request.user = AnonymousUser()
project = self._get_project_from_id(project_id)
helper.context.bind_project(project)
Raven.tags_context(helper.context.get_tags_context())
# This is yanking the auth from the querystring since it's not
# in the POST body. This means we expect a `sentry_key` and
# `sentry_version` to be set in querystring
auth = self._parse_header(request, helper, project)
project_ = helper.project_from_auth(auth)
if project_ != project:
raise APIError('Two different project were specified')
helper.context.bind_auth(auth)
Raven.tags_context(helper.context.get_tags_context())
return super(APIView, self).dispatch(request=request,
project=project,
auth=auth,
helper=helper,
**kwargs)
def serialize(objects, user=None, serializer=None):
if user is None:
user = AnonymousUser()
if not objects:
return objects
elif not isinstance(objects, (list, tuple)):
return serialize([objects], user=user, serializer=serializer)[0]
# elif isinstance(obj, dict):
# return dict((k, serialize(v, request=request)) for k, v in obj.iteritems())
if serializer is None:
try:
serializer = registry[type(objects[0])]
except KeyError:
return objects
attrs = serializer.get_attrs(item_list=objects, user=user)
return [serializer(o, attrs=attrs.get(o, {}), user=user) for o in objects]
def _dispatch(self, request, helper, project_id=None, origin=None,
*args, **kwargs):
request.user = AnonymousUser()
project = self._get_project_from_id(project_id)
if project:
helper.context.bind_project(project)
Raven.tags_context(helper.context.get_tags_context())
if origin is not None:
# This check is specific for clients who need CORS support
if not project:
raise APIError('Client must be upgraded for CORS support')
if not is_valid_origin(origin, project):
raise APIForbidden('Invalid origin: %s' % (origin,))
# XXX: It seems that the OPTIONS call does not always include custom headers
if request.method == 'OPTIONS':
response = self.options(request, project)
else:
auth = self._parse_header(request, helper, project)
project_ = helper.project_from_auth(auth)
# Legacy API was /api/store/ and the project ID was only available elsewhere
if not project:
if not project_:
raise APIError('Unable to identify project')
project = project_
elif project_ != project:
raise APIError('Two different project were specified')
helper.context.bind_auth(auth)
Raven.tags_context(helper.context.get_tags_context())
if auth.version != '2.0':
if request.method == 'GET':
# GET only requires an Origin/Referer check
# If an Origin isn't passed, it's possible that the project allows no origin,
# so we need to explicitly check for that here. If Origin is not None,
# it can be safely assumed that it was checked previously and it's ok.
if origin is None and not is_valid_origin(origin, project):
# Special case an error message for a None origin when None wasn't allowed
raise APIForbidden('Missing required Origin or Referer header')
else:
# Version 3 enforces secret key for server side requests
if not auth.secret_key:
raise APIForbidden('Missing required attribute in authentication header: sentry_secret')
response = super(APIView, self).dispatch(
request=request,
project=project,
auth=auth,
helper=helper,
**kwargs
)
if origin:
response['Access-Control-Allow-Origin'] = origin
return response
def handle(self, request):
logout(request)
request.user = AnonymousUser()
return self.redirect(reverse('sentry'))
def test_anonymous_user(self, get_project_list):
get_project_list.return_value = []
self.group.is_public = True
result = group_is_public(self.group, AnonymousUser())
assert result is True
def process_request(self, request):
super(AuthenticationMiddleware, self).process_request(request)
if not request.user.is_authenticated():
# swap in our custom class
request.user = AnonymousUser()
def handle(self, request):
rv = get_login_redirect(request)
logout(request)
request.user = AnonymousUser()
return self.redirect(rv)