def authenticate(self, request):
self.request = request
token = self.get_head("Authorization")
if not token:
raise NotAuthenticated('未通过认证')
# 验证请求头token是否过期
try:
payload = self.jwt_decode_token(token)
except jwt.ExpiredSignature:
raise AuthenticationFailed('签名过期')
except jwt.DecodeError:
raise AuthenticationFailed('解码失败')
except jwt.InvalidTokenError:
raise AuthenticationFailed('非法用户')
user = self.authenticate_credentials(payload)
# 连接redis,判断是否存在对应KEY
redis = get_redis_connection('default')
if redis.exists(token) == 0:
raise AuthenticationFailed('签名过期')
return user, token
def validate_and_prepare_peer_sync_job(request, **kwargs):
# validate the baseurl
try:
address = request.data.get("baseurl")
if not address:
raise KeyError()
baseurl = NetworkClient(address=address).base_url
except KeyError:
raise ParseError("Missing `baseurl` parameter")
except URLParseError:
raise ParseError("Invalid URL")
except NetworkLocationNotFound:
raise ResourceGoneError()
job_data = validate_prepare_sync_job(request, baseurl=baseurl, **kwargs)
facility_id = job_data.get("facility")
username = request.data.get("username", None)
password = request.data.get("password", None)
controller = MorangoProfileController(PROFILE_FACILITY_DATA)
network_connection = controller.create_network_connection(baseurl)
# try to get the certificate, which will save it if successful
try:
# username and password are not required for this to succeed unless there is no cert
get_client_and_server_certs(username,
password,
facility_id,
network_connection,
noninteractive=True)
except CommandError as e:
if not username and not password:
raise NotAuthenticated()
else:
raise AuthenticationFailed(e)
return job_data
def create(self, request):
# Get Twitch ID from jwt in request cookies
try:
twitch_id = get_id_from_request(request)
except:
raise NotAuthenticated()
# Get User object from id
twitch_user = Twitch_User.objects.get(pk=twitch_id)
# Extract input and output from POST request data
input = request.data['input']
output = request.data['output']
# Validate data and create return response, else raise BadRequest exception
serializer = ChatResponseSerializer(data={'input': input, 'output': output, 'twitch_user': twitch_user})
if serializer.is_valid():
chat_response = ChatResponse(input=input, output=output, twitch_user=twitch_user)
chat_response.save()
return Response(serializer.data)
else:
raise ValidationError()
def get_queryset(self, *args, **kwargs):
user = self.request.user
params = self.request.query_params
if user.is_anonymous():
raise NotAuthenticated('You need authenticated')
queryset = Document.objects.all()
if 'collection_pk' in self.kwargs:
collection_pk = self.kwargs['collection_pk']
queryset = queryset.filter(collection__pk=collection_pk)
print('params {}'.format(params))
type = params.get('type', None)
limit = params.get('limit', None)
if type is not None:
if type == 'viewed':
queryset = queryset.order_by('updated_at').all()
if type == 'edited':
queryset = queryset.order_by('created_at').all()
return queryset
def build_query_from_field(self, field_name, operation):
if field_name == 'permissions':
if operation['op'] != 'eq':
raise InvalidFilterOperator(value=operation['op'],
valid_operators=['eq'])
auth = get_user_auth(self.request)
auth_user = getattr(auth, 'user', None)
if not auth_user:
raise NotAuthenticated()
value = operation['value'].lstrip('[').rstrip(']')
permissions = [v.strip() for v in value.split(',')]
perm_options = [perm[0] for perm in REVIEW_PERMISSIONS]
if not set(permissions).issubset(set(perm_options)):
valid_permissions = ', '.join(perm_options)
raise InvalidFilterValue(
'Invalid permission! Valid values are: {}'.format(
valid_permissions))
return Q(id__in=get_objects_for_user(
auth_user, permissions, PreprintProvider, any_perm=True))
return super(PreprintProviderList,
self).build_query_from_field(field_name, operation)
def check_permissions(self, request):
"""
Check that the authenticated user can access this view.
Ensure that the user has all of the permissions specified in
`permission_required` granted on the object returned by
`get_permission_objects`. If not, an HTTP 403 (or, HTTP 404 if
`raise_404_if_unauthorized` is True) is raised.
Overrides APIView.check_permissions.
"""
if not request.user.is_authenticated:
raise NotAuthenticated()
if self.staff_only and not request.user.is_staff:
self.add_tracking_data(failure='user_is_not_staff')
self._unauthorized_response()
required = self.get_required_permissions(request)
missing_global_permissions = {
perm
for perm in required if not perm.global_check(request.user)
}
objects = self.get_permission_objects()
if not missing_global_permissions:
missing_permissions = set()
elif objects:
missing_permissions = {
perm
for perm in required if not AuthMixin._has_permission_on_any(
request.user, perm, objects)
}
else:
missing_permissions = missing_global_permissions # pragma: no cover
if missing_permissions:
self.add_tracking_data(
missing_permissions=list(missing_permissions))
self._unauthorized_response()
def post(self, request, *args, **kwargs):
"""
:param request: request.data =
{
'payment_method': PAYMENT_METHODS,
'billing_address_id': Address.id,
'shipping_address_id': Address.id
}
"""
if not request.user.is_authenticated:
print(request.user)
raise NotAuthenticated()
serializer = self.InputSerializer(data=request.data)
serializer.is_valid(raise_exception=True)
payment_method = request.data.get('payment_method')
billing_address = get_object_or_404(
Address, id=request.data.get('billing_address_id'))
shipping_address = get_object_or_404(
Address, id=request.data.get('shipping_address_id'))
try:
order = Order.objects.get(user=self.request.user, ordered=False)
order.billing_address = billing_address
order.shipping_address = shipping_address
order.save()
checkout(order=order, payment_method=payment_method)
except ObjectDoesNotExist:
raise Http404("You do not have an active order")
except Exception as e:
print(e)
raise APIException(
'Something went wrong. Please try again. '
'Ensure the billing information you provided is correct')
else:
return Response(status=HTTP_200_OK)
def OutlookCompleteView(request):
if request.user and request.user.is_authenticated():
user_profile = UserProfile.objects.get(user=request.user)
if 'code' in request.GET:
code = request.GET.get('code')
access_resp = get_oauth_token(code)
if access_resp.status_code == 200:
access_token_object = access_resp.json()
user_profile.outlook = True
user_profile.external_email = False
user_profile.gmail = False
'''
access_resp:
{u'access_token': u'NydGZ6oZFsnKLY8bSsrxOX16A6ffB3',
u'token_type': u'bearer', u'email_address': u'*****@*****.**',
u'account_id': u'5k3rl5bw4elb4n3gb2xayo2m8',
u'provider': u'namecheap'}
'''
print access_token_object
user_profile.outlook_username = access_token_object[
'email_address']
user_profile.outlook_token_type = access_token_object[
'token_type']
user_profile.outlook_access_token = access_token_object[
'access_token']
user_profile.outlook_microsoft_code = access_token_object[
'account_id']
user_profile.outlook_email_provider = access_token_object[
'provider']
user_profile.save()
return redirect(product_site_url(request))
return redirect(generate_site_url(request))
raise NotAuthenticated()
def has_object_permission(self, request, view, organization):
if request.user and request.user.is_authenticated() and request.auth:
request.access = access.from_request(
request, organization, scopes=request.auth.get_scopes(),
)
elif request.auth:
if request.auth is ROOT_KEY:
return True
return request.auth.organization_id == organization.id
else:
request.access = access.from_request(request, organization)
# session auth needs to confirm various permissions
if request.user.is_authenticated() and self.needs_sso(request, organization):
logger.info('access.must-sso', extra={
'organization_id': organization.id,
'user_id': request.user.id,
})
raise NotAuthenticated(detail='Must login via SSO')
allowed_scopes = set(self.scope_map.get(request.method, []))
return any(request.access.has_scope(s) for s in allowed_scopes)
def post(self, request, *args, **kwargs):
from poll.models import AnswerRate
if not self.request.user.is_authenticated():
raise NotAuthenticated()
profile = self.request.user.profile
self.object = self.get_object()
already_liked = profile.answer_rates.filter(
answer=self.object, rate=AnswerRate.LIKE
).exists()
if not already_liked:
message = ('You cant deslike a answer that you never liked.')
return Response(
{'detail': message}, status=status.HTTP_400_BAD_REQUEST)
try:
profile.deslike_answer(self.object)
return Response({}, status=status.HTTP_201_CREATED)
except:
return Response({}, status=status.HTTP_400_BAD_REQUEST)
def wrapper(parent, info, *args, **kwargs):
if isinstance(info.context, HttpRequest):
authenticator = JWTAuthentication()
auth_result = authenticator.authenticate(info.context)
if auth_result is None:
raise PermissionDenied()
user, _ = auth_result
if not user.is_authenticated:
raise NotAuthenticated()
if with_policies is not None and len(with_policies) > 0:
is_allowed_request = PermissionService.check_policies(info.context, user, with_policies)
if not is_allowed_request:
raise PermissionDenied()
kwargs["current_user"] = user
resolved = resolver(parent, info, *args, **kwargs)
return resolved
def _radius_token_authenticate(self, request):
# cached_orgid exists only for users authenticated
# successfully in past 24 hours
username = request.data.get('username') or request.query_params.get(
'username')
cached_orgid = cache.get(f'rt-{username}')
if cached_orgid:
return self._check_client_ip_and_return(request, cached_orgid)
else:
try:
radtoken = RadiusToken.objects.get(user__username=username)
except RadiusToken.DoesNotExist:
if username:
message = _(
'Radius token does not exist. Obtain a new radius token '
'or provide the organization UUID and API token.')
else:
message = _('username field is required.')
logger.warning(message)
raise NotAuthenticated(message)
org_uuid = str(radtoken.organization_id)
cache.set(f'rt-{username}', org_uuid, 86400)
return self._check_client_ip_and_return(request, org_uuid)
def api_add_user_site(request):
if not request.user.is_authenticated:
raise NotAuthenticated(detail='请先登录')
try:
if Site.objects.filter(owner=request.user).count() > 1000:
raise OperateError('用户自定义网址数量已达上限')
ser = SiteSerializer(data=dict(name=request.data['name'],
url=request.data['url'],
category=Site.PERSONAL,
owner=request.user.id))
if ser.is_valid():
ser.save()
return Response(data=ser.data)
raise OperateError(detail='参数错误,请检查。注意网址的格式是否正确。')
except KeyError:
raise OperateError(detail='参数错误,请检查')
except APIException as e:
raise e
except Exception as e:
print_err(e)
raise APIException(detail='服务器出错')
def get(self, request):
bid = request.GET.get('bucket_id', None)
try:
b = Buckets.objects.get(bucket_id=int(bid))
self.queryset = self.model.objects.select_related(
'user').select_related('bucket').filter(bucket=b).values(
'user__first_name', 'user__username', 'bucket__name',
'permission', 'acl_bid')
except Buckets.DoesNotExist:
raise ParseError('not found this bucket')
except self.model.DoesNotExist:
raise ParseError('not found resource')
except TypeError:
raise ParseError('arg acl_bid is not a number')
if b.user != request.user:
raise NotAuthenticated('user and bucket__user not match')
return Response({
'code': 0,
'msg': 'success',
'data': list(self.queryset)
})
def limits(self, request):
if request.user and request.user.is_authenticated():
# Use email model manager
emails = Email.objects.emails_by_user_today(request.user)
print emails
# Setup emails
sendgrid = 0
outlook = 0
gmail = 0
smtp = 0
# Loop through emails
for email in emails:
if email.method == 'sendgrid':
sendgrid += 1
elif email.method == 'outlook':
outlook += 1
elif email.method == 'gmail':
gmail += 1
elif email.method == 'smtp':
smtp += 1
data = {
'sendgrid': sendgrid,
'sendgridLimits': 2500,
'outlook': outlook,
'outlookLimits': 500,
'gmail': gmail,
'gmailLimits': 500,
'smtp': smtp,
'smtpLimits': 2000
}
return Response(data, {})
raise NotAuthenticated()
def has_object_permission(self, request, view, organization):
if request.user and request.user.is_authenticated() and request.auth:
request.access = access.from_request(
request,
organization,
scopes=request.auth.get_scopes(),
)
elif request.auth:
return request.auth.organization_id == organization.id
else:
request.access = access.from_request(request, organization)
if auth.is_user_signed_request(request):
# if the user comes from a signed request
# we let them pass if sso is enabled
logger.info(
'access.signed-sso-passthrough',
extra={
'organization_id': organization.id,
'user_id': request.user.id,
}
)
elif request.user.is_authenticated() and self.needs_sso(request, organization):
# session auth needs to confirm various permissions
logger.info(
'access.must-sso',
extra={
'organization_id': organization.id,
'user_id': request.user.id,
}
)
raise NotAuthenticated(detail='Must login via SSO')
allowed_scopes = set(self.scope_map.get(request.method, []))
return any(request.access.has_scope(s) for s in allowed_scopes)
def _get_token_info(self, request):
""" Decode token """
# Options check token
options = {"verify_signature": True, "verify_aud": False, "exp": True}
# JWT not found
if 'HTTP_AUTHORIZATION' not in request.META:
raise NotAuthenticated("HTTP_AUTHORIZATION not found in the request")
jwt = request.META.get('HTTP_AUTHORIZATION')
try:
token_info = self._keycloak.decode_token(jwt, key=self._client_public_key, options=options)
except ExpiredSignatureError:
options["verify_exp"] = False
token_info = self._keycloak.decode_token(jwt, key=self._client_public_key, options=options)
if "offline_access" in token_info['realm_access']['roles']:
return token_info
else:
raise ExpiredSignatureError("Login expired")
return token_info
def user_delete_endpoint(request):
"""
删除指定的用户,该超作只允许超级管理员执行
:param request:
:return:
"""
# if not request.user.is_superuser:
# raise NotAuthenticated(detail='permission denied!')
fields = (('*username', str, verify_username), ('*user_id', int, None))
data = validate_post_data(request.body, fields)
try:
u = User.objects.get(pk=data['user_id'])
except User.DoesNotExist:
raise NotFound(detail='not found this user')
if not request.user.is_superuser and u != request.user:
raise NotAuthenticated(detail='permission denied')
if u.username != data['username']:
raise ParseError(detail='username and user_id not match')
if u.profile.phone_verify:
region = BucketRegion.objects.all()
# 递归删除所有区域集群上的用户
for i in region:
rgw = rgw_client(i.reg_id)
try:
rgw.get_user(uid=u.keys.ceph_uid, stats=True)
except NoSuchUser:
continue
else:
rgw.remove_user(uid=u.keys.ceph_uid, purge_data=True)
u.delete()
return Response({'code': 0, 'msg': 'success'})
def post(self, request, *args, **kwargs):
# Create OrderItems
if not request.user.is_authenticated:
raise NotAuthenticated()
# get Item Using slug
slug = request.data.get('slug', None)
if slug is None:
return Response({"message": "Invalid request"}, status=HTTP_400_BAD_REQUEST)
item = get_object_or_404(Item, slug=slug)
# verify number of variations
variations = request.data.get('variations', [])
minimum_variation_count = Variation.objects.filter(item=item).count()
if len(variations) < minimum_variation_count:
return Response({"message": "Please specify the required variation types"}, status=HTTP_400_BAD_REQUEST)
try:
add_to_cart(item=item, variations=variations, user=request.user)
except Exception as e:
raise APIException(e)
else:
return Response(status=HTTP_200_OK)
def authenticate(self, request):
token = self.get_jwt_value(request)
if token is None:
raise NotAuthenticated()
return self.authenticate_credentials(token)
def get_key(key, user):
try:
return key.objects.get(owner=user)
except Exception, e:
raise NotAuthenticated()
def post(self, request, *args, **kwargs):
if not IsAuthenticated().has_permission(request, self):
raise NotAuthenticated()
return super(TreeView, self).post(request, *args, **kwargs)
This validation uses a User PAT OR Django's regular User auth.
"""
if auth_header := request.headers.get("Authorization"):
username, _, token = auth_header.partition(":")
user = User.objects.filter(username=username).first()
if user is None:
raise NotAuthenticated("Invalid user")
if not user.has_valid_pat(token):
raise PermissionDenied
return
if request.user.is_anonymous:
raise NotAuthenticated("Invalid user or token")
if not has_permission(
request.user, "release_file_view", project=workspace.project):
raise NotAuthenticated(
f"Invalid user or token for workspace {workspace.name}")
def validate_snapshot_access(request, snapshot):
"""
Validate this request can access this snapshot.
This validation uses Django's regular User auth.
"""
if snapshot.published_at:
return
def retrieve(self, request, pk=None):
if request.user and request.user.is_authenticated():
email = self.get_email_by_pk(request, pk)
serializer = EmailSerializer(email)
return Response(serializer.data, {})
raise NotAuthenticated()
def get_email_by_pk(self, request, pk):
if self.request.user and self.request.user.is_authenticated():
queryset = Email.objects.filter(created_by=request.user)
email = get_object_or_404(queryset, pk=pk)
return email
raise NotAuthenticated()
def get(self, request):
if request.user.is_authenticated:
return Response(UserSerializer(request.user).data)
raise NotAuthenticated('로그인을 먼저 해주세요')
def create(self, request, *args, **kwargs):
if not request.user.is_authenticated():
raise NotAuthenticated()
resource_create_request_validator = serializers.ResourceCreateRequestValidator(
data=request.data)
if not resource_create_request_validator.is_valid():
raise ValidationError(
detail=resource_create_request_validator.errors)
validated_request_data = resource_create_request_validator.validated_data
resource_type = validated_request_data['resource_type']
res_title = validated_request_data.get('title', 'Untitled resource')
keywords = validated_request_data.get('keywords', None)
abstract = validated_request_data.get('abstract', None)
metadata = validated_request_data.get('metadata', None)
extra_metadata = validated_request_data.get('extra_metadata', None)
num_files = len(request.FILES)
# TODO: (Couch) reconsider whether multiple file upload should be
# supported when multipart bug fixed.
if num_files > 0:
if num_files > 1:
raise ValidationError(
detail={
'file':
'Multiple file upload is not allowed on '
'resource creation. Add additional files '
'after the resource is created.'
})
# Place files into format expected by hydroshare.utils.resource_pre_create_actions and
# hydroshare.create_resource, i.e. a tuple of
# django.core.files.uploadedfile.TemporaryUploadedFile objects.
files = [
request.FILES['file'],
]
else:
files = []
if metadata is not None:
metadata = json.loads(metadata)
_validate_metadata(metadata)
if extra_metadata is not None:
extra_metadata = json.loads(extra_metadata)
# TODO: validate extra metadata here
try:
_, res_title, metadata, _ = hydroshare.utils.resource_pre_create_actions(
resource_type=resource_type,
resource_title=res_title,
page_redirect_url_key=None,
files=files,
metadata=metadata,
**kwargs)
except Exception as ex:
error_msg = {
'resource': "Resource creation failed. %s" % ex.message
}
raise ValidationError(detail=error_msg)
try:
resource = hydroshare.create_resource(
resource_type=resource_type,
owner=request.user,
title=res_title,
edit_users=validated_request_data.get('edit_users', None),
view_users=validated_request_data.get('view_users', None),
edit_groups=validated_request_data.get('edit_groups', None),
view_groups=validated_request_data.get('view_groups', None),
keywords=keywords,
metadata=metadata,
extra_metadata=extra_metadata,
files=files)
if abstract:
resource.metadata.create_element('description',
abstract=abstract)
except Exception as ex:
error_msg = {
'resource': "Resource creation failed. %s" % ex.message
}
raise ValidationError(detail=error_msg)
post_creation_error_msg = ''
try:
hydroshare.utils.resource_post_create_actions(request=request,
resource=resource,
user=request.user,
metadata=metadata,
**kwargs)
except (hydroshare.utils.ResourceFileValidationException,
Exception) as ex:
post_creation_error_msg = ex.message
response_data = {
'resource_type': resource_type,
'resource_id': resource.short_id,
'message': post_creation_error_msg
}
return Response(data=response_data, status=status.HTTP_201_CREATED)
def drop_session(cls, refresh_token):
try:
RefreshToken(refresh_token).blacklist()
except TokenError:
raise NotAuthenticated(**INVALID_REFRESH_TOKEN)
def get_by_id(self, pk, user):
todo = super().get_queryset().get(pk=pk)
if todo.owner == user:
return todo
else:
raise NotAuthenticated()
def get(self, request):
if request.user.is_authenticated():
logout(request)
return Response(status=status.HTTP_200_OK)
else:
raise NotAuthenticated('Please login.')