Пример #1
0
 def connect(self):
     if not openid_login_allowed() and "facebook" not in allowed_login_types():
         ret_abort(_("Connection not allowed, single sign-on has been " "disabled on this installation"), code=403)
     require.user.edit(c.user)
     if not c.user:
         h.flash(_("No OpenID was entered."), "warning")
         redirect("/login")
     return render("/openid/connect.html")
Пример #2
0
    def request_auth(self):
        if 'shibboleth' not in allowed_login_types():
            ret_abort(_("Shibboleth authentication not enabled"), code=403)

        came_from = request.GET.get('came_from', '/')

        came_from_qs = urlencode({'came_from': came_from})
        shib_qs = urlencode(
            {'target': '/shibboleth/post_auth?%s' % came_from_qs})

        redirect('/Shibboleth.sso/Login?%s' % shib_qs)
Пример #3
0
    def request_auth(self):
        if 'shibboleth' not in allowed_login_types():
            ret_abort(_("Shibboleth authentication not enabled"), code=403)

        came_from = request.GET.get('came_from', '/')

        came_from_qs = urlencode({'came_from': came_from})
        shib_qs = urlencode(
            {'target': '/shibboleth/post_auth?%s' % came_from_qs})

        redirect('/Shibboleth.sso/Login?%s' % shib_qs)
Пример #4
0
 def connect(self):
     if (not openid_login_allowed()
             and 'facebook' not in allowed_login_types()):
         ret_abort(_("Connection not allowed, single sign-on has been "
                     "disabled on this installation"),
                   code=403)
     require.user.edit(c.user)
     if not c.user:
         h.flash(_("No OpenID was entered."), 'warning')
         redirect("/login")
     return render("/openid/connect.html")
Пример #5
0
    def post_auth(self):
        """
        This controller is called after successful Shibboleth authentication.
        It checks whether the authenticated user already exists. If yes, the
        corresponding Adhocracy user is logged in. If no, an intermediate step
        querying the user for additional information is performed and a new
        Adhocracy user is registered.

        In any case the Shibboleth headers are only used once for logging in
        and immediatly removed afterwards. The reason for this design decision
        is that Single-Sign-Off isn't recommended by Shibboleth as it is either
        very complicated or even impossible.

        NOTE: There isn't one clear way on how to deal with user deletion in
        environments with external user management. We now implemented the
        following:
        If a user logs in into a deleted account, this account is undeleted
        on the fly.
        """
        if 'shibboleth' not in allowed_login_types():
            ret_abort(_("Shibboleth authentication not enabled"), code=403)

        persistent_id = self._get_persistent_id()
        if persistent_id is None:
            ret_abort(_("This URL shouldn't be called directly"), code=403)

        user = User.find_by_shibboleth(persistent_id, include_deleted=True)

        if user is not None:
            if user.is_deleted():
                user.undelete()
                meta.Session.commit()
                h.flash(
                    _("User %s has been undeleted") % user.user_name,
                    'success')
            return self._login(user, h.user.post_login_url(user))
        else:
            return self._register(persistent_id)
Пример #6
0
    def post_auth(self):
        """
        This controller is called after successful Shibboleth authentication.
        It checks whether the authenticated user already exists. If yes, the
        corresponding Adhocracy user is logged in. If no, an intermediate step
        querying the user for additional information is performed and a new
        Adhocracy user is registered.

        In any case the Shibboleth headers are only used once for logging in
        and immediatly removed afterwards. The reason for this design decision
        is that Single-Sign-Off isn't recommended by Shibboleth as it is either
        very complicated or even impossible.

        NOTE: There isn't one clear way on how to deal with user deletion in
        environments with external user management. We now implemented the
        following:
        If a user logs in into a deleted account, this account is undeleted
        on the fly.
        """
        if 'shibboleth' not in allowed_login_types():
            ret_abort(_("Shibboleth authentication not enabled"), code=403)

        persistent_id = self._get_persistent_id()
        if persistent_id is None:
            ret_abort(_("This URL shouldn't be called directly"), code=403)

        user = User.find_by_shibboleth(persistent_id, include_deleted=True)

        if user is not None:
            if user.is_deleted():
                user.undelete()
                meta.Session.commit()
                h.flash(_("User %s has been undeleted") % user.user_name,
                        'success')
            return self._login(user, h.user.post_login_url(user))
        else:
            return self._register(persistent_id)
Пример #7
0
    def logged_in(self):
        """
        Recieves authentication messages from the velruse service.
        It will log in users or connect their adhocracy account
        to an existing velruse account.
        It also creates adhocracy accounts if it thinks the user has none.
        We expect the ssi service to provide a *verified* email address.
        If none is provided, this function will crash.
        """

        redirect_url = session.get('came_from', h.base_url('/login'))

        token = request.params['token']
        payload = {'format': 'json', 'token': token}
        rsp = get(h.velruse_url('/auth_info'),
                  params=payload,
                  timeout=1,
                  verify=config.get_bool('velruse.verify_ssl'))
        if rsp.status_code >= 400:
            return self._failure(_('Internal server error:'
                                 'velruse service not available.'),
                                 redirect_url=redirect_url)

        auth_info = loads(rsp.content)
        log.debug('received auth_info from velruse:\n' +
                  '<pre>' + dumps(auth_info, indent=4) + '</pre>')

        if 'error' in auth_info:
            error = auth_info['error']
            if error == 'user_denied':
                return self._failure(_('Login failed: ') +
                                     _('You have to give Adhocracy permission '
                                       'to connect to your Facebook account.'),
                                     auth_info,
                                     redirect_url=redirect_url)
            else:
                return self._failure(_('Login failed: ') + auth_info['error'],
                                     auth_info, redirect_url=redirect_url)

        provider_name = auth_info['provider_name']

        if provider_name not in allowed_login_types():
            self._failure(_("Logging in with %s "
                          "is not allowed on this installation.")
                          % provider_name.capitalize(),
                          auth_info, redirect_url=redirect_url)
        else:
            try:
                profile = auth_info['profile']
                email = profile['verifiedEmail']  # FIXME: this is not always available.  we should catch that earlier above.
                display_name = profile['displayName']
                preferred_name = profile['preferredUsername'].replace('.', '_')
                user_name = unused_user_name(preferred_name)
                accounts = profile['accounts']
            except KeyError:
                log.error('could not parse velruse response:\n' +
                          '<pre>' + dumps(auth_info, indent=4) + '</pre>')
                self._failure(_("Error"))

            if c.user is not None:
                adhocracy_user = c.user
                velruse_user = Velruse.by_user_and_domain_first(
                    adhocracy_user,
                    accounts[0]['domain'])

                if velruse_user is not None:
                    self._failure(_("This %(provider)s account"
                                    " is already connected.")
                                  % {'provider': provider_name.capitalize()},
                                  redirect_url=redirect_url)
            else:
                velruse_user = Velruse.find_any(accounts)

                if velruse_user is not None:
                    adhocracy_user = velruse_user.user
                else:
                    adhocracy_user = None

            if velruse_user is not None:
                domain = velruse_user.domain
                domain_user = velruse_user.domain_user
            else:
                domain = accounts[0]['domain']
                domain_user = accounts[0]['userid']  # FIXME: this is not always available.  we should catch that earlier above.

            if not domain or not domain_user:
                log.error('domain and/or domain_user not found:\n' +
                          '<pre>\n' +
                          str(domain, domain_user) + '\n' +
                          dumps(auth_info, indent=4) + '\n' +
                          '</pre>')
                self._failure(_("Error"), redirect_url=redirect_url)

            try:
                # login right away
                if adhocracy_user is not None and velruse_user is not None:
                    update_email_trust(adhocracy_user, email)
                    self._login(adhocracy_user, redirect_url=redirect_url)

                # create new user in both Velruse and User and login
                elif adhocracy_user is None and velruse_user is None:
                    new_user = self._create(user_name,
                                            email,
                                            domain,
                                            domain_user,
                                            email_verified=True,
                                            display_name=display_name,
                                            redirect_url=redirect_url)

                    adhocracy_user, velruse_user = new_user
                    self._login(adhocracy_user, redirect_url=redirect_url)

                # create new user in Velruse for a logged in user
                elif adhocracy_user is not None and velruse_user is None:
                    self._connect(adhocracy_user, domain, domain_user,
                                  provider_name,
                                  email, email_verified=True,
                                  redirect_url=redirect_url)

                # error case
                else:
                    raise DatabaseInconsistent('velruse user is not associated'
                                               ' with any adhocracy user')

            # if users are deleted and we try to create them again
            # we get an IntegrityError
            except IntegrityError:
                self._failure(_("Your %(provider)s account is locked.")
                              % {'provider': provider_name.capitalize()})
Пример #8
0
def setup_entities(config, initial_setup):
    #model.meta.Session.begin()
    model.meta.Session.commit()

    # administrate installation wide
    admins = mk_group("Administrator", model.Group.CODE_ADMIN)
    organization = mk_group("Organization", model.Group.CODE_ORGANIZATION)
    # administrate instance
    supervisor = mk_group("Supervisor", model.Group.CODE_SUPERVISOR)
    moderator = mk_group("Moderator", model.Group.CODE_MODERATOR)
    voter = mk_group("Voter", model.Group.CODE_VOTER)
    observer = mk_group("Observer", model.Group.CODE_OBSERVER)
    advisor = mk_group("Advisor", model.Group.CODE_ADVISOR)
    default = mk_group("Default", model.Group.CODE_DEFAULT)
    anonymous = mk_group("Anonymous", model.Group.CODE_ANONYMOUS)
    addressee = mk_group("Addressee", model.Group.CODE_ADDRESSEE)

    model.meta.Session.commit()

    # To simplify initial configuration, we allow to define permission
    # includes, e.g. permissions granted to observers are automatically granted
    # to advisors and organizations as well. This is resolved recursively.
    # Note that this applies only to the initial setup.

    def included_groups(groups):
        all_groups = set(groups)
        includes = set()
        for group in groups:
            includes = includes.union(perm_includes.get(group, []))
        for include in includes:
            all_groups = all_groups.union(included_groups(includes))
        return list(all_groups)

    perm_includes = {
        anonymous: [observer],
        observer: [advisor, organization],
        advisor: [voter],
        voter: [moderator, addressee],
        moderator: [supervisor],
        supervisor: [admins],
    }

    default_permission_groups = {
        u'abuse.report': [anonymous],
        u'badge.index': [anonymous],
        u'comment.create': [advisor],
        u'comment.delete': [moderator],
        u'comment.edit': [advisor],
        u'comment.show': [anonymous],
        u'comment.view': [anonymous],
        u'delegation.create': [voter],
        u'delegation.delete': [voter],
        u'delegation.show': [anonymous],
        u'delegation.view': [anonymous],
        u'event.index_all': [anonymous],
        u'global.admin': [admins],
        u'global.member': [admins],
        u'global.message': [admins],
        u'global.organization': [organization],
        u'global.staticpage': [admins],
        u'instance.admin': [supervisor],
        u'instance.create': [admins],
        u'instance.delete': [admins],
        u'instance.index': [anonymous],
        u'instance.join': [default],
        u'instance.leave': [default],
        u'instance.news': [anonymous],
        u'instance.show': [anonymous],
        u'instance.message': [admins],
        u'milestone.create': [supervisor],
        u'milestone.delete': [supervisor],
        u'milestone.edit': [supervisor],
        u'milestone.show': [anonymous],
        u'page.create': [advisor],
        u'page.delete': [moderator],
        u'page.delete_history': [moderator],
        u'page.edit': [advisor],
        u'page.edit_head': [moderator],
        u'page.show': [anonymous],
        u'page.view': [anonymous],
        u'poll.create': [moderator],
        u'poll.delete': [moderator],
        u'poll.show': [anonymous],
        u'proposal.create': [advisor],
        u'proposal.delete': [moderator],
        u'proposal.edit': [advisor],
        u'proposal.freeze': [supervisor],
        u'proposal.show': [anonymous],
        u'proposal.view': [anonymous],
        u'static.show': [anonymous],
        u'tag.create': [advisor],
        u'tag.delete': [advisor],
        u'tag.show': [anonymous],
        u'tag.view': [anonymous],
        u'user.edit': [default],
        u'user.index_all': [anonymous],
        u'user.manage': [admins],
        u'user.message': [advisor],
        u'user.show': [anonymous],
        u'user.view': [anonymous],
        u'vote.cast': [voter],
        u'vote.prohibit': [organization],
        u'watch.create': [observer, default],
        u'watch.delete': [observer],
        u'watch.show': [anonymous],
    }

    autoupdate = asbool(config.get('adhocracy.autoassign_permissions', 'true'))
    assign_perms = initial_setup or autoupdate

    for perm_name, groups in default_permission_groups.items():
        new_perm = mk_perm(perm_name)
        if assign_perms and new_perm is not None:
            assigned_groups = included_groups(groups)
            log.debug("Assigning to groups: %s" % assigned_groups)
            new_perm.groups = assigned_groups

    model.meta.Session.commit()

    admin = model.User.find(u"admin")
    if not admin:
        email = u'admin@%s' % get_domain_part(config.get('adhocracy.domain'))
        admin = model.User.create(ADMIN,
                                  email,
                                  password=ADMIN_PASSWORD,
                                  global_admin=True)
        admin.activation_code = None

    model.meta.Session.commit()

    if config.get('adhocracy.instance'):
        model.Instance.create(config.get('adhocracy.instance'), u"Adhocracy",
                              admin)
    else:
        if not model.Instance.find(u"test"):
            log.debug(u'Creating test instance')
            model.Instance.create(u"test", u"Test Instance", admin)

        if config_get_bool('adhocracy.use_feedback_instance', config=config):
            feedback_key = config.get('adhocracy.feedback_instance_key',
                                      u'feedback')
            feedback_label = config.get('adhocracy.feedback_instance_label',
                                        u'Feedback')
            feedback_available = model.Instance.find(feedback_key)
            if feedback_key and feedback_label and not feedback_available:
                log.debug('Creating feedback instance: %s' % feedback_label)
                fb = model.Instance.create(feedback_key, feedback_label, admin)
                fb.use_norms = False
                fb.allow_adopt = False
                fb.allow_delegate = False
                fb.hide_global_categories = True
                fb.require_valid_email = False

    if 'shibboleth' in allowed_login_types(config):
        from adhocracy.lib.auth.shibboleth import get_userbadge_mapping
        for mapping in get_userbadge_mapping(config):
            title = mapping[0]
            if model.UserBadge.find(title) is None:
                model.UserBadge.create(mapping[0], u'#000000', True, u'')

    model.meta.Session.commit()
Пример #9
0
    def logged_in(self):
        """
        Recieves authentication messages from the velruse service.
        It will log in users or connect their adhocracy account
        to an existing velruse account.
        It also creates adhocracy accounts if it thinks the user has none.
        We expect the ssi service to provide a *verified* email address.
        If none is provided, this function will crash.
        """

        redirect_url = session.get('came_from', h.base_url('/login'))

        token = request.params['token']
        payload = {'format': 'json', 'token': token}
        rsp = get(h.velruse_url('/auth_info'),
                  params=payload,
                  timeout=1,
                  verify=config.get_bool('velruse.verify_ssl'))
        if rsp.status_code >= 400:
            return self._failure(_('Internal server error:'
                                   'velruse service not available.'),
                                 redirect_url=redirect_url)

        auth_info = loads(rsp.content)
        log.debug('received auth_info from velruse:\n' + '<pre>' +
                  dumps(auth_info, indent=4) + '</pre>')

        if 'error' in auth_info:
            error = auth_info['error']
            if error == 'user_denied':
                return self._failure(_('Login failed: ') +
                                     _('You have to give Adhocracy permission '
                                       'to connect to your Facebook account.'),
                                     auth_info,
                                     redirect_url=redirect_url)
            else:
                return self._failure(_('Login failed: ') + auth_info['error'],
                                     auth_info,
                                     redirect_url=redirect_url)

        provider_name = auth_info['provider_name']

        if provider_name not in allowed_login_types():
            self._failure(_("Logging in with %s "
                            "is not allowed on this installation.") %
                          provider_name.capitalize(),
                          auth_info,
                          redirect_url=redirect_url)
        else:
            try:
                profile = auth_info['profile']
                email = profile[
                    'verifiedEmail']  # FIXME: this is not always available.  we should catch that earlier above.
                display_name = profile['displayName']
                preferred_name = profile['preferredUsername'].replace('.', '_')
                user_name = unused_user_name(preferred_name)
                accounts = profile['accounts']
            except KeyError:
                log.error('could not parse velruse response:\n' + '<pre>' +
                          dumps(auth_info, indent=4) + '</pre>')
                self._failure(_("Error"))

            if c.user is not None:
                adhocracy_user = c.user
                velruse_user = Velruse.by_user_and_domain_first(
                    adhocracy_user, accounts[0]['domain'])

                if velruse_user is not None:
                    self._failure(_("This %(provider)s account"
                                    " is already connected.") %
                                  {'provider': provider_name.capitalize()},
                                  redirect_url=redirect_url)
            else:
                velruse_user = Velruse.find_any(accounts)

                if velruse_user is not None:
                    adhocracy_user = velruse_user.user
                else:
                    adhocracy_user = None

            if velruse_user is not None:
                domain = velruse_user.domain
                domain_user = velruse_user.domain_user
            else:
                domain = accounts[0]['domain']
                domain_user = accounts[0][
                    'userid']  # FIXME: this is not always available.  we should catch that earlier above.

            if not domain or not domain_user:
                log.error('domain and/or domain_user not found:\n' +
                          '<pre>\n' + str(domain, domain_user) + '\n' +
                          dumps(auth_info, indent=4) + '\n' + '</pre>')
                self._failure(_("Error"), redirect_url=redirect_url)

            try:
                # login right away
                if adhocracy_user is not None and velruse_user is not None:
                    update_email_trust(adhocracy_user, email)
                    self._login(adhocracy_user, redirect_url=redirect_url)

                # create new user in both Velruse and User and login
                elif adhocracy_user is None and velruse_user is None:
                    new_user = self._create(user_name,
                                            email,
                                            domain,
                                            domain_user,
                                            email_verified=True,
                                            display_name=display_name,
                                            redirect_url=redirect_url)

                    adhocracy_user, velruse_user = new_user
                    self._login(adhocracy_user, redirect_url=redirect_url)

                # create new user in Velruse for a logged in user
                elif adhocracy_user is not None and velruse_user is None:
                    self._connect(adhocracy_user,
                                  domain,
                                  domain_user,
                                  provider_name,
                                  email,
                                  email_verified=True,
                                  redirect_url=redirect_url)

                # error case
                else:
                    raise DatabaseInconsistent('velruse user is not associated'
                                               ' with any adhocracy user')

            # if users are deleted and we try to create them again
            # we get an IntegrityError
            except IntegrityError:
                self._failure(
                    _("Your %(provider)s account is locked.") %
                    {'provider': provider_name.capitalize()})
Пример #10
0
def setup_entities(config, initial_setup):
    # model.meta.Session.begin()
    model.meta.Session.commit()

    # administrate installation wide
    admins = mk_group("Administrator", model.Group.CODE_ADMIN)
    organization = mk_group("Organization", model.Group.CODE_ORGANIZATION)
    # administrate instance
    supervisor = mk_group("Supervisor", model.Group.CODE_SUPERVISOR)
    moderator = mk_group("Moderator", model.Group.CODE_MODERATOR)
    voter = mk_group("Voter", model.Group.CODE_VOTER)
    observer = mk_group("Observer", model.Group.CODE_OBSERVER)
    advisor = mk_group("Advisor", model.Group.CODE_ADVISOR)
    default = mk_group("Default", model.Group.CODE_DEFAULT)
    anonymous = mk_group("Anonymous", model.Group.CODE_ANONYMOUS)
    addressee = mk_group("Addressee", model.Group.CODE_ADDRESSEE)

    model.meta.Session.commit()

    # To simplify initial configuration, we allow to define permission
    # includes, e.g. permissions granted to observers are automatically granted
    # to advisors and organizations as well. This is resolved recursively.
    # Note that this applies only to the initial setup.

    def included_groups(groups):
        all_groups = set(groups)
        includes = set()
        for group in groups:
            includes = includes.union(perm_includes.get(group, []))
        for include in includes:
            all_groups = all_groups.union(included_groups(includes))
        return list(all_groups)

    perm_includes = {
        anonymous: [observer],
        observer: [advisor, organization],
        advisor: [voter],
        voter: [moderator, addressee],
        moderator: [supervisor],
        supervisor: [admins],
    }

    default_permission_groups = {
        u'abuse.report': [anonymous],
        u'badge.index': [anonymous],
        u'badge.edit_global': [admins],
        u'badge.manage_global': [admins],
        u'badge.edit_instance': [moderator],
        u'badge.manage_instance': [moderator],
        u'comment.create': [advisor],
        u'comment.delete': [moderator],
        u'comment.edit': [advisor],
        u'comment.show': [anonymous],
        u'comment.view': [anonymous],
        u'delegation.create': [voter],
        u'delegation.delete': [voter],
        u'delegation.show': [anonymous],
        u'delegation.view': [anonymous],
        u'event.index_all': [anonymous],
        u'global.admin': [admins],
        u'global.member': [admins],
        u'global.message': [admins],
        u'global.organization': [organization],
        u'global.staticpage': [admins],
        u'instance.admin': [supervisor],
        u'instance.manage': [moderator],
        u'instance.create': [admins],
        u'instance.delete': [admins],
        u'instance.index': [anonymous],
        u'instance.join': [default],
        u'instance.leave': [default],
        u'instance.news': [anonymous],
        u'instance.show': [anonymous],
        u'instance.message': [admins],
        u'milestone.create': [supervisor],
        u'milestone.delete': [supervisor],
        u'milestone.edit': [supervisor],
        u'milestone.show': [anonymous],
        u'page.create': [advisor],
        u'page.delete': [moderator],
        u'page.delete_history': [moderator],
        u'page.edit': [advisor],
        u'page.edit_head': [moderator],
        u'page.show': [anonymous],
        u'page.view': [anonymous],
        u'poll.create': [moderator],
        u'poll.delete': [moderator],
        u'poll.show': [anonymous],
        u'proposal.create': [advisor],
        u'proposal.delete': [moderator],
        u'proposal.edit': [advisor],
        u'proposal.freeze': [supervisor],
        u'proposal.show': [anonymous],
        u'proposal.view': [anonymous],
        u'proposal.message': [moderator],
        u'static.show': [anonymous],
        u'static.show_private': [admins],
        u'tag.create': [advisor],
        u'tag.delete': [advisor],
        u'tag.show': [anonymous],
        u'tag.view': [anonymous],
        u'user.edit': [default],
        u'user.index_all': [admins],
        u'user.manage': [admins],
        u'user.message': [advisor],
        u'user.show': [anonymous],
        u'user.view': [anonymous],
        u'user.badge': [moderator],
        u'vote.cast': [voter],
        u'vote.prohibit': [organization],
        u'watch.create': [observer, default],
        u'watch.delete': [observer],
        u'watch.instance': [moderator],
        u'watch.show': [anonymous],
    }

    autoupdate = asbool(config.get('adhocracy.autoassign_permissions', 'true'))
    assign_perms = initial_setup or autoupdate

    for perm_name, groups in default_permission_groups.items():
        new_perm = mk_perm(perm_name)
        if assign_perms and new_perm is not None:
            assigned_groups = included_groups(groups)
            log.debug("Assigning to groups: %s" % assigned_groups)
            new_perm.groups = assigned_groups

    model.meta.Session.commit()

    admin = model.User.find(u"admin")
    if not admin:
        email = u'admin@%s' % get_domain_part(config.get('adhocracy.domain'))
        admin = model.User.create(ADMIN, email,
                                  password=ADMIN_PASSWORD,
                                  global_admin=True)
        admin.activation_code = None

    model.meta.Session.commit()

    if config.get('adhocracy.instance'):
        model.Instance.create(config.get('adhocracy.instance'),
                              u"Adhocracy", admin)
    else:
        if config_get_bool('adhocracy.use_test_instance', config=config)\
                and not model.Instance.find(u"test"):
            log.debug(u'Creating test instance')
            model.Instance.create(u"test", u"Test Instance", admin)

        if config_get_bool('adhocracy.use_feedback_instance', config=config):
            feedback_key = config.get('adhocracy.feedback_instance_key',
                                      u'feedback')
            feedback_label = config.get('adhocracy.feedback_instance_label',
                                        u'Feedback')
            feedback_available = model.Instance.find(feedback_key)
            if feedback_key and feedback_label and not feedback_available:
                log.debug('Creating feedback instance: %s' % feedback_label)
                fb = model.Instance.create(feedback_key, feedback_label, admin)
                fb.use_norms = False
                fb.allow_adopt = False
                fb.allow_delegate = False
                fb.hide_global_categories = True
                fb.require_valid_email = False

    if 'shibboleth' in allowed_login_types(config):
        mappings = config_get_json("adhocracy.shibboleth.userbadge_mapping",
                                   config=config)
        for mapping in mappings:
            title = mapping["title"]
            if model.UserBadge.find(title) is None:
                model.UserBadge.create(mapping["title"], u'#000000', True, u'')

    model.meta.Session.commit()
Пример #11
0
def openid_login_allowed():
    return 'openid' in allowed_login_types()
Пример #12
0
    def logged_in(self):
        """
        Recieves authentication messages from the velruse service.
        It will log in users or connect their adhocracy account
        to an existing velruse account.
        It also creates adhocracy accounts if it thinks the user has none.
        We expect the ssi service to provide a *verified* email address.
        If none is provided, this function will crash.
        """

        token = request.params['token']
        payload = {'format': 'json', 'token': token}
        rsp = get(h.velruse_url('/auth_info'),
                  params=payload,
                  timeout=1)
        if rsp.status_code >= 400:
            return self._failure(_('Internal server error:'
                                 'velruse service not available.'))

        auth_info = loads(rsp.content)
        log.debug('received auth_info from velruse:\n' +
                  '<pre>' + dumps(auth_info, indent=4) + '</pre>')

        if 'error' in auth_info:
            error = auth_info['error']
            if error == 'user_denied':
                return self._failure(_('Login failed: ') +
                                     _('You have to give Adhocracy permission '
                                       'to connect to your Facebook account.'),
                                     auth_info)
            else:
                return self._failure(_('Login failed: ') + auth_info['error'],
                                     auth_info)

        provider_name = auth_info['provider_name']

        if provider_name not in allowed_login_types():
            self._failure(_("Logging in with %s "
                          "is not allowed on this installation.")
                          % provider_name.capitalize(),
                          auth_info)
        else:
            profile = auth_info['profile']
            email = profile['verifiedEmail']
            display_name = profile['displayName']
            preferred_name = profile['preferredUsername'].replace('.', '_')
            user_name = unused_user_name(preferred_name)

            accounts = profile['accounts']

            if c.user:
                adhocracy_user = c.user
                velruse_user = Velruse.by_user_and_domain_first(
                    adhocracy_user,
                    accounts[0]['domain'])
            else:
                velruse_user = Velruse.find_any(accounts)

                adhocracy_user = velruse_user.user if velruse_user else None

            if velruse_user:
                domain = velruse_user.domain
                domain_user = velruse_user.domain_user
            else:
                domain = accounts[0]['domain']
                domain_user = accounts[0]['userid']

            try:
                # login right away
                if adhocracy_user and velruse_user:
                    update_email_trust(adhocracy_user, email)
                    self._login(adhocracy_user)

                # create new user in both Velruse and User and login
                elif not adhocracy_user and not velruse_user:
                        new_user = self._create(user_name,
                                                email,
                                                domain,
                                                domain_user,
                                                email_verified=True,
                                                display_name=display_name)

                        adhocracy_user, velruse_user = new_user
                        self._login(adhocracy_user)

                # create new user in Velruse for a logged in user
                elif adhocracy_user and not velruse_user:
                    self._connect(adhocracy_user, domain, domain_user,
                                  provider_name,
                                  email, email_verified=True)

                # error case
                elif not adhocracy_user and velruse_user:
                    raise DatabaseInconsistent('velruse user is not associated'
                                               ' with any adhocracy user')
                else:
                    raise Exception

            # if users are deleted and we try to create them again
            # we get an IntegrityError
            except IntegrityError:
                self._failure(_("Error"))
Пример #13
0
def openid_login_allowed():
    return "openid" in allowed_login_types()
Пример #14
0
def openid_login_allowed():
    return 'openid' in allowed_login_types()