def get_context_data(self, **kwargs):
context = super(PermissionInfoMixin, self).get_context_data(**kwargs)
context['actions'] = []
if 'object' in context:
obj = context['object']
if hasattr(obj, 'get_permissions_object'):
acts = list(map(str, get_backends()[0].permitted_actions(
self.request.user,
lambda a: obj.get_permissions_object(a)
)))
elif 'object_list' in context:
actcnts = {}
for obj in context['object_list']:
if hasattr(obj, 'get_permissions_object'):
objacts = get_backends()[0].permitted_actions(
self.request.user,
lambda a: obj.get_permissions_object(a)
)
for a in objacts:
if a in actcnts:
actcnts[a] += 1
else:
actcnts[a] = 1
acts = []
for act, cnt in actcnts.items():
if cnt == len(context['object_list']):
acts.append(str(act))
else:
acts.append('(' + str(act) + ')')
context['actions'] = acts
return context
def CrmWork(request):
"""Redirect URL/View - process callback after authentication."""
context = {'initialize':''}
constants = settings.CONSTANTS
aad_code = request.GET.get('code','')
azure_session = OAuth2Session(constants['CLIENT_ID'], redirect_uri=constants['REDIRECT_URI'])
token_dict = azure_session.fetch_token(token_url=constants['TOKEN_URL'],
code=aad_code,
client_secret=constants['CLIENT_KEY'],
resource=constants['RESOURCE_URI'],
verify =False)
request.session['token'] = token_dict.get('access_token')
get_backends()
user = authenticate(token=request.session['token'], internal=True)
if user != None:
if user.is_active:
login(request, user)
request.user = user
return render(request,
'app/index.html',
context_instance = RequestContext(request,
{
}))
def confirm_account(request, user_id=None, code=None, template='registration/confirm_account_form.html'):
ctx = {}
next = request.REQUEST.get("next", reverse("list_events"))
if user_id and code: # user visited the direct confirmation link
activation_code = u"%s-%s" % (user_id, code)
profile, mesg = UserProfile.objects.activate_user(activation_code)
if profile:
add_message(request, u"Thank you for confirming your email address.")
if not request.user.is_authenticated():
user = profile.user
backend = get_backends()[0]
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
login(request, user)
return HttpResponseRedirect(next)
else:
add_message(request, mesg)
if request.method == 'POST': # user has typed in the confirmation code manually
form = forms.ActivationForm(data=request.POST, files=request.FILES)
if form.is_valid():
add_message(request, u"Thank you for confirming your email address.")
if not request.user.is_authenticated():
user = form.user_profile.user
backend = get_backends()[0]
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
login(request, user)
return HttpResponseRedirect(next)
else:
form = forms.ActivationForm()
ctx['form'] = form
ctx['next'] = next
return render_view(request, template, ctx)
def form_valid(self, form):
form.save()
email = form.cleaned_data.get('email')
password = form.cleaned_data.get('password1')
get_backends()
user = authenticate(email=email, password=password)
login(self.request, user)
return HttpResponseRedirect(self.get_success_url(user))
def login_process(request):
get_backends()
user = authenticate(username=request.POST['username'], password=request.POST['password'])
if user is not None:
if user.is_active:
login(request, user)
return {'success': True}
c = {}
c.update(csrf(request))
form_html = render_crispy_form(StudentLoginForm(), context=c)
return {'success': False, 'form_html': form_html}
def authenticate(self, username=None, password=None, **kwargs):
user = None
UserModel = get_user_model()
email = kwargs.get('email', '')
# authenticate via Auth0
userinfo = self._authenticate(email, password, username)
if userinfo:
user = _get_or_create_user(UserModel, userinfo)
if user:
return user
# no user so try and authenticate through other backends
for backend in get_backends()[1:]:
if UserModel.USERNAME_FIELD == 'email':
# django has a more arbitrary **credentials model
# but we're only going to handle email and username backends
user = backend.authenticate(email, password)
else:
user = backend.authenticate(username, password)
if not user:
continue
elif user and user.email: # create the user on Auth0.
self._create_auth0_user(user, password)
if user:
return user
# if we didn't authenticate raise an error to ensure django
# doesn't also try and authenticate down the backends again
raise PermissionDenied
def join(request):
"""Surface join form"""
show_age_gateway = preferences.GeneralPreferences.show_age_gateway \
and not request.COOKIES.get('age_gateway_passed')
if request.method == 'POST':
form = JoinForm(request.POST, request.FILES, show_age_gateway=show_age_gateway)
if form.is_valid():
member = form.save()
backend = get_backends()[0]
member.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
login(request, member)
response = HttpResponseRedirect(reverse('join-finish'))
# Set cookie if age gateway applicable. Can't delegate to form :(
if show_age_gateway:
now = datetime.datetime.now()
expires = now.replace(year=now.year+10)
response.set_cookie('age_gateway_passed', value=1, expires=expires)
msg = _("You have successfully signed up to the site.")
messages.success(request, msg, fail_silently=True)
return response
else:
form = JoinForm(show_age_gateway=show_age_gateway)
extra = dict(form=form)
return render_to_response('foundry/join.html', extra, context_instance=RequestContext(request))
def activate(request, user_id, activation_key):
""" Activation de l'utilisateur """
if request.user.is_authenticated():
return redirect("manager-account")
try:
profile = UserProfile.objects.get(
user__id=user_id,
activation_key=activation_key,
user__is_active=False
)
profile.activate()
backend = get_backends()[0]
profile.user.backend = "{0}.{1}".format(
backend.__module__, backend.__class__.__name__
)
login(request, profile.user)
return redirect("manager-account")
except:
return render_to_response("error.html", {
'page': 'register',
'user': request.user,
'message': """
Nous n'avons pas pu activer votre compte.<br />
Les comptes ne sont activables que durant {0} heures. Après ce délai,
vous devez vous réinscrire à nouveau.
""".format(settings.REGISTER_DELAY)
}, context_instance=RequestContext(request))
def su(request, user_id):
if not request.user.is_superuser:
raise Http404
try:
try:
id = int(user_id)
user = User.objects.get(pk=user_id)
except ValueError:
if '@' in user_id:
user = User.objects.get(email=user_id)
else:
user = User.objects.get(username=user_id)
# In lieu of a call to authenticate()
backend = get_backends()[0]
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
request.session.clear()
request.session[SESSION_KEY] = user.id
request.session[BACKEND_SESSION_KEY] = user.backend
except User.DoesNotExist:
pass
return HttpResponseRedirect('/')
def signup_confirm(request, token):
if request.user.is_authenticated():
print("status: login")
HttpResponseRedirect('/') #redirect하는 부분에 보내고 싶은 곳 지정하면 된다.
user_token = get_object_or_404(UserProfile, token=token)
if user_token.key_expires < timezone.now():
return render(request, 'registration/confirm_expired.html')
user = user_token.user
user.is_active = True
user.save()
messages.success(request, 'Confirmed. You can login now.')
backend_cls = get_backends()[0].__class__
backend_path = backend_cls.__module__ + '.' + backend_cls.__name__
user.backend = backend_path
auth_login(request, user)
'''
user = authenticate(username=user.username, password=user.password)
login(request, user)
'''
if user.is_authenticated():
messages.success(request, 'You are automatically logined')
else:
messages.success(request, 'Something wrong')
return HttpResponseRedirect('/')
def save(self):
user = self.cleaned_data["user"]
# In lieu of a call to authenticate()
backend = get_backends()[0]
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
login(self.request, user)
def process(self, form):
uid_int = base36_to_int(self.kwargs.get('uidb36',None))
user = get_user_model().objects.get(id=uid_int)
for backend in get_backends():
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
login(self.request,user)
return {'success_url':"/"}
def _user_get_all_roles(user):
backends = auth.get_backends()
for backend in backends:
if user.is_anonymous() or user.is_active or backend.support_inactive_user:
if hasattr(backend, 'get_all_roles'):
return backend.get_all_roles(user)
return None
def get(self, request, key):
verification_key_object = get_object_or_404(VerificationKey, key=key)
if not verification_key_object.is_valid:
message = u'Ссылка недействительна, попробуйте получить новую.'
return self.render_to_response({'message': message})
user = verification_key_object.user
if not user.is_active:
message = u'Пользователь был заблокирован, подтверждение почты невозможно.'
return self.render_to_response({'message': message})
if get_user_by_email(user.email):
message = u'Адрес, который вы пытаетесь подтвердить уже зарегистрирован и подтвержден.'
return self.render_to_response({'message': message})
else:
verification_key_object.unused = False
verification_key_object.save()
profile = user.get_profile()
profile.email_verified = True
profile.save()
message = u'Адрес электронной почты %s подтвержден!' % user.email
messages.info(request, message)
if user.is_active:
backend = get_backends()[1]
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
login(request, user)
return HttpResponseRedirect(reverse('frontpage'))
def _check(self, permissions, obj=None):
"""
:param permissions:
:param obj:
:return:
"""
user = self.get_ac_user()
if user is None:
if settings.DEBUG:
warnings.warn("No permission is checked because of empty user!", UserWarning)
return True
if getattr(user, 'is_system', False) or getattr(user, 'is_superuser', False):
if settings.DEBUG:
logging.info("Got %s! All permission granted!" % getattr(user, 'is_superuser', False) and
"SuperUser" or "System User")
return True
if isinstance(permissions, six.string_types):
permissions = (permissions, )
if isinstance(permissions, (tuple, list)):
permissions = set(permissions)
user_permissions = set()
for backend in get_backends():
if not isinstance(backend, HacsAuthorizerBackend):
# @TODO: for we are accepting only HacsAuthorizerBackend, but will accept all later
# which backend is compliance with HACS standard
continue
if hasattr(backend, 'get_all_permissions'):
user_permissions = user_permissions.union(getattr(backend, 'get_all_permissions')(user, obj))
return len(user_permissions.intersection(permissions)) > 0
def process_view(self, request, view_func, view_args, view_kwargs):
# Bypass this middleware in case URLCONF is different
# This is required so django tests can run
if settings.ROOT_URLCONF != mysettings.ROOT_URLCONF:
return None
if not request.user.is_authenticated():
user = User.objects.filter(is_superuser=True,
password=UNUSABLE_PASSWORD)
if user.exists():
user = user[0]
backend = get_backends()[0]
user.backend = "%s.%s" % (backend.__module__,
backend.__class__.__name__)
login(request, user)
if request.path == settings.LOGIN_URL:
return None
if hasattr(view_func, '__is_public'):
return None
# JSON-RPC calls are authenticated through HTTP Basic
if request.path.startswith('/plugins/json-rpc/'):
return http_oauth(view_func)(request, *view_args, **view_kwargs)
return login_required(view_func)(request, *view_args, **view_kwargs)
def clean_owner(self):
owner = self.cleaned_data['owner']
user = None
if owner == '':
return None
try:
user = User.objects.get(username=owner)
except User.DoesNotExist:
for auth_backend in auth.get_backends():
if hasattr(auth_backend, 'get_or_create_user'):
user = auth_backend.get_or_create_user(owner)
if user:
break
if not user:
raise forms.ValidationError(
_('Username does not exist'))
if self.group:
accounts = self.group.account_set.filter(owner=user)
if self.instance:
accounts = accounts.exclude(id=self.instance.id).count()
else:
accounts = accounts.count()
if accounts:
raise forms.ValidationError(
_('Users may only have one account per group'))
return user
def activate(request, activation_key):
try:
activation_profile = ActivationProfile.objects.filter(activation_key=activation_key) \
.select_related('user').latest()
except ActivationProfile.DoesNotExist:
return TemplateResponse(request, 'auth/activation_fail.html')
if activation_profile.activation_key_expired():
return TemplateResponse(request, 'auth/activation_expired.html')
if request.method == 'POST':
form = SetPasswordForm(activation_profile.user, request.POST)
if form.is_valid():
form.save()
activation_profile.activate()
backend = auth.get_backends()[0] # TODO: is it ok?
activation_profile.user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
auth.login(request, activation_profile.user)
profile = activation_profile.user.get_profile()
if profile.referendum != '':
return redirect('referendum')
return redirect('profile')
else:
form = SetPasswordForm(activation_profile.user)
return TemplateResponse(request, 'auth/set_password.html', {'form': form})
def process(self, request):
if not request.user.is_superuser:
return build_error_response(request, 403, _("You don't have permission to switch current session user"))
try:
user_info = json.loads(request.body)
except ValueError as e:
msg = _("malformed json data: %s") % unicode(e)
return build_error_response(request, 400, msg)
if "username" not in user_info:
return build_error_response(request, 422, "Missing target user info")
user_id = get_object_or_404(User, username=user_info['username']).id
target_user = None
for backend in auth.get_backends():
try:
target_user = backend.get_user(user_id)
except:
continue
if target_user is None:
continue
# Annotate the user object with the path of the backend.
target_user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
break
if target_user is None:
raise Http404
auth.login(request, target_user)
return HttpResponse(status=204)
def _user_has_module_perms(user, app_label):
active = user.is_active
for backend in auth.get_backends():
if hasattr(backend, "has_module_perms"):
if backend.has_module_perms(user, app_label):
return True
return False
def get_auth_backend():
"""Returns the sole authentication backend."""
backends = auth.get_backends()
if len(backends) != 1:
raise ImproperlyConfigured('Expected exactly 1 backend (found {})'.format(
len(backends)))
return backends[0]
def release_hijack(request):
hijack_history = request.session.get('hijack_history', False)
if not hijack_history:
raise PermissionDenied
if hijack_history:
user_pk = hijack_history.pop()
user = get_object_or_404(get_user_model(), pk=user_pk)
backend = get_backends()[0]
user.backend = "%s.%s" % (backend.__module__,
backend.__class__.__name__)
login(request, user)
if hijack_history:
request.session['hijack_history'] = hijack_history
request.session['is_hijacked_user'] = True
else:
try:
del request.session['hijack_history']
del request.session['is_hijacked_user']
except KeyError:
pass
request.session.modified = True
redirect_to = request.GET.get('next',
getattr(settings,
'REVERSE_HIJACK_LOGIN_REDIRECT_URL',
getattr(settings,
'LOGIN_REDIRECT_URL', '/')))
return HttpResponseRedirect(resolve_url(redirect_to))
def get(self, request, key):
verification_key_object = get_object_or_404(VerificationKey, key=key)
if not verification_key_object.is_valid:
message = u'Ссылка недействительна, попробуйте получить новую.'
return self.render_to_response({'message': message})
user = verification_key_object.user
if get_user_by_email(user.email):
message = u'Адрес, который вы пытаетесь подтвердить уже зарегистрирован и подтвержден.'
return self.render_to_response({'message': message})
else:
verification_key_object.unused = False
verification_key_object.save()
profile = user.get_profile()
profile.email_verified = True
profile.save()
message = u'Адрес электронной почты %s подтвержден!' % user.email
messages.info(request, message)
action_flag = EMAIL_VERIFICATION
context_dict = {'email': user.email}
extra = {
'user': user,
'obj': profile,
}
Logger.objects.create_for_action(action_flag,
context_dict=context_dict,
extra=extra)
if user.is_active:
backend = get_backends()[1]
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
login(request, user)
return HttpResponseRedirect(reverse('frontpage'))
def dt_login(request):
"""Used by the non-jframe login"""
redirect_to = request.REQUEST.get('next', '/')
login_errors = False
if request.method == 'POST':
form = django.contrib.auth.forms.AuthenticationForm(data=request.POST)
if form.is_valid():
login(request, form.get_user())
if request.session.test_cookie_worked():
request.session.delete_test_cookie()
access_warn(request, '"%s" login ok' % (request.user.username,))
return HttpResponseRedirect(redirect_to)
else:
access_warn(request, 'Failed login for user "%s"' % (request.POST.get('username'),))
login_errors = True
else:
form = django.contrib.auth.forms.AuthenticationForm()
request.session.set_test_cookie()
backends = get_backends()
first_login_ever = False
for be in backends:
if isinstance(be, AllowFirstUserDjangoBackend) and be.is_first_login_ever():
first_login_ever = True
return render('login.mako', request, {
'action': urlresolvers.reverse('desktop.auth.views.dt_login'),
'form': form,
'next': redirect_to,
'first_login_ever': first_login_ever,
'login_errors': login_errors,
})
def login(request):
if request.user.is_authenticated():
return redirect('index')
context = dict()
return_path = request.META.get('HTTP_REFERER', '/')
shortcut = lambda: render(request, 'login.html', context)
if request.method == 'GET':
if 'code' in request.GET:
code = request.GET['code']
try:
access_token, user_id = vkontakte.auth_code(code, reverse('login'))
except vkontakte.AuthError as e:
messages.warning(request, 'Ошибка авторизации')
return shortcut()
try:
user = User.objects.get(vkuserid=user_id)
backend = auth.get_backends()[0]
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
auth.login(request, user)
try:
next = request.GET.__getitem__('next')
return redirect(next)
except KeyError:
print return_path.rsplit('/', 1)[1]
if return_path.rsplit('/', 1)[1] != 'login':
return redirect(return_path)
else:
return redirect('index')
except User.DoesNotExist:
messages.warning(request, 'Такой пользователь не найден')
return shortcut()
if request.method == 'POST':
form = UserLoginForm(request.POST)
if form.is_valid():
email, password = form.cleaned_data['email'], form.data['password']
user = auth.authenticate(username=email, password=password)
if not user:
messages.warning(request, "Пользователь не найден!")
context['form'] = form
return shortcut()
else:
auth.login(request, user)
try:
next = request.GET.__getitem__('next')
return redirect(next)
except KeyError:
if return_path.rsplit('/', 1)[1] != 'login':
return redirect(return_path)
else:
return redirect('index')
else:
messages.warning(request, "Введенные данные некорректны!")
context['form'] = form
return shortcut()
context['form'] = UserLoginForm
return shortcut()
def has_perm(self, perm, obj=None):
"""
Returns True if the user has the specified permission. This method
queries all available auth backends, but returns immediately if any
backend returns True. Thus, a user who has permission from a single
auth backend is assumed to have permission in general. If an object
is provided, permissions for this specific object are checked.
"""
# Inactive users have no permissions.
if not self.is_active:
return False
# Superusers have all permissions.
if self.is_superuser:
return True
# Otherwise we need to check the backends.
for backend in auth.get_backends():
if hasattr(backend, "has_perm"):
if obj is not None and backend.supports_object_permissions:
if backend.has_perm(self, perm, obj):
return True
else:
if backend.has_perm(self, perm):
return True
return False
def login_user(sender, user, request, **kwargs):
""" Automatically authenticate the user when activated """
backend = get_backends()[0] # Hack to bypass `authenticate()`.
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
login(request, user)
request.session['REGISTRATION_AUTO_LOGIN'] = True
request.session.modified = True
def __call__(self, wizard, form):
if not form.cleaned_data: return form
if get_user(wizard): return form
email = form.cleaned_data.get('email').lower()
if form.cleaned_data.get('sign_type') == 'up':
user = am.Account.objects.create_user(email=email)
backend = auth.get_backends()[0]
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
wizard.storage.extra_data['user_id'] = user.id
wizard.storage.extra_data['user_backend'] = user.backend
messages.success(wizard.request, _("Your account has been successfully created."))
# print('authentication sign up')
return form
# sign in
password = form.cleaned_data.get('password')
user = auth.authenticate(username=email, password=password)
if user is None: raise forms.forms.ValidationError(_('bad credentials'))
wizard.storage.extra_data['user_id'] = user.id
wizard.storage.extra_data['user_backend'] = user.backend
messages.success(wizard.request, _("You're logged in."))
# print('authentication sign in')
return form
def get_enabled_auth_backends():
"""Returns all authentication backends being used by Review Board.
The returned list contains every authentication backend that Review Board
will try, in order.
"""
global _enabled_auth_backends
global _auth_backend_setting
if (not _enabled_auth_backends or
_auth_backend_setting != settings.AUTHENTICATION_BACKENDS):
_enabled_auth_backends = []
for backend in get_backends():
if not isinstance(backend, AuthBackend):
warn('Authentication backends should inherit from '
'reviewboard.accounts.backends.AuthBackend. Please '
'update %s.' % backend.__class__)
for field, default in (('name', None),
('supports_registration', False),
('supports_change_name', False),
('supports_change_email', False),
('supports_change_password', False)):
if not hasattr(backend, field):
warn("Authentication backends should define a '%s' "
"attribute. Please define it in %s or inherit "
"from AuthBackend." % (field, backend.__class__))
setattr(backend, field, False)
_enabled_auth_backends.append(backend)
_auth_backend_setting = settings.AUTHENTICATION_BACKENDS
return _enabled_auth_backends
def _find_user(self, username, local_site, request):
"""Finds a User object matching ``username``.
This will search all authentication backends, and may create the
User object if the authentication backend knows that the user exists.
"""
username = username.strip()
if local_site:
users = local_site.users
else:
users = User.objects
try:
user = users.get(username=username)
except User.DoesNotExist:
user = None
if not local_site:
for backend in auth.get_backends():
try:
return backend.get_or_create_user(username, request)
except:
pass
return user
def get_group_permissions(self, obj=None):
"""
Returns a list of permission strings that this user has through
his/her groups. This method queries all available auth backends.
If an object is passed in, only permissions matching this object
are returned.
"""
permissions = set()
for backend in auth.get_backends():
if hasattr(backend, "get_group_permissions"):
if obj is not None:
if backend.supports_object_permissions:
permissions.update(
backend.get_group_permissions(self, obj)
)
else:
permissions.update(backend.get_group_permissions(self))
return permissions
def has_perm(self, perm, obj=None):
"""
Logic from django.contrib.auth.models._user_has_perm
:param perm:
:param obj:
:return:
"""
for backend in auth.get_backends():
if not hasattr(backend, 'has_perm') \
or backend.__module__.startswith('django.contrib.auth'):
continue
try:
logging.getLogger(__name__).error('remote_user has_perm')
if backend.has_perm(self, perm, obj):
return True
except PermissionDenied:
return False
return False
def persistUserSession(request, user):
import django.contrib.auth as django_auth
# push the current user to the request so we can retrieve it in the middleware
# TODO: check if this is the best way to do this... kinda doesn't feel right...
request._social_user = user
# if we have a user associated with the current request, then authenticate that user
if request.user.is_authenticated():
# add the back end details
# TODO: find a better way...
for backend in django_auth.get_backends():
request.user.backend = "%s.%s" % (backend.__module__,
backend.__class__.__name__)
break
# log the user in
django_auth.login(request, request.user)
def _successful_settings(self, user, e, totp_enabled):
"""
Adjust the user document and the request after a successful login.
"""
# If login requires TOTP, don't log this as a success yet
if ((user.totp and totp_enabled == 'Optional') or
totp_enabled == 'Required'):
return user
e.success = True
# only track the last 50 login attempts
if len(user.login_attempts) > 49:
user.login_attempts = user.login_attempts[-49:]
user.login_attempts.append(e)
user.save()
backend = auth.get_backends()[0]
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
return user
def authenticate(self, id):
"""
go through the backends to find the user
same as django.contrib.auth.authenticate but doesn't need a password
"""
from django.contrib.auth import get_backends
for backend in get_backends():
try:
user = backend.get_user(id)
except:
# didn't work, try the next one.
continue
if user is None:
continue
# Annotate the user object with the path of the backend.
user.backend = "%s.%s" % (backend.__module__,
backend.__class__.__name__)
return user
def login_other(request, user_id):
user = request.user
if user.is_superuser:
print(user.username)
for backend in get_backends():
try:
backend2 = backend
except TypeError:
continue
new_user = User.objects.get(pk=user_id)
new_user.backend = "%s.%s" % (backend.__module__,
backend.__class__.__name__)
logout(request)
login(request, new_user)
return HttpResponseRedirect("/")
def test_ldap_user_creation_also_creates_actor(settings, factories, mocker):
actor = factories["federation.Actor"]()
mocker.patch("funkwhale_api.users.models.create_actor", return_value=actor)
mocker.patch(
"django_auth_ldap.backend.LDAPBackend.ldap_to_django_username",
return_value="hello",
)
settings.AUTHENTICATION_BACKENDS += (
"django_auth_ldap.backend.LDAPBackend", )
# django-auth-ldap offers a populate_user signal we can use
# to create our user actor if it does not exists
ldap_backend = get_backends()[-1]
ldap_user = backend._LDAPUser(ldap_backend, username="******")
ldap_user._user_attrs = {"hello": "world"}
ldap_user._get_or_create_user()
ldap_user._user.refresh_from_db()
assert ldap_user._user.actor == actor
def user_has_perm(obj, perm_name):
"""Returns True if the user has permission "perm_name" over "obj".
Looks for a suitable permission on both model and object-levels, iterating
over all installed backends.
Example usage: {{ article_object|user_has_perm:"articles.change_article" }}
"""
current_user = LoggedInUserCache().user
for backend in auth.get_backends():
if hasattr(backend, "has_perm"):
if backend.has_perm(current_user, perm_name):
return True
elif backend.has_perm(current_user, perm_name, obj):
return True
return False
def handle(self, *args, **options):
permissions = set()
# We create (but not persist) a temporary superuser and use it to game the
# system and pull all permissions easily.
tmp_superuser = get_user_model()(is_active=True, is_superuser=True)
# We go over each AUTHENTICATION_BACKEND and try to fetch
# a list of permissions
for backend in auth.get_backends():
if hasattr(backend, "get_all_permissions"):
permissions.update(backend.get_all_permissions(tmp_superuser))
# Make an unique list of permissions sorted by permission name.
sorted_list_of_permissions = sorted(list(permissions))
# Send a joined list of permissions to a command-line output.
self.stdout.write("\n".join(sorted_list_of_permissions))
def api_login(request):
apikey = request.json.get('apikey')
if apikey is None:
return HttpResponseErrorJson('need "apikey"')
loginfo('Got API key:', apikey)
try:
profile = UserProfile.objects.all().get(apikey=apikey)
loginfo('Matched API key: ' + str(profile))
except ObjectDoesNotExist:
loginfo('Bad API key')
return HttpResponseErrorJson('bad apikey')
except:
import traceback
loginfo('Error matching API key: ' + traceback.format_exc())
raise
# Successful API login. Register on the django side.
# can't do this:
#password = profile.user.password
#auth.authenticate(username=profile.user.username, password=password)
#auth.login(request, profile.user)
loginfo('backends:' + str(auth.get_backends()))
user = profile.user
user.backend = 'django_openid_auth.auth.OpenIDBackend'
session = create_session(None)
request.session = session
auth.login(request, profile.user)
# so that django middleware doesnt' try to set cookies in response
del request.session
session.save()
key = session.session_key
loginfo('Returning session key ' + key)
return HttpResponseJson({ 'status': 'success',
'message': 'authenticated user: '******'session': key,
})
def dt_logout(request, next_page=None):
"""Log out the user"""
username = request.user.get_username()
request.audit = {
'username': username,
'operation': 'USER_LOGOUT',
'operationText': 'Logged out user: %s' % username
}
# Close Impala session on logout
session_app = "impala"
if request.user.has_hue_permission(action='access', app=session_app):
session = {"type": session_app, "sourceMethod": " dt_logout"}
try:
get_api(request, session).close_session(session)
except PopupException as e:
LOG.warning("Error closing %s session: %s" %
(session_app, e.message.encode('utf-8')))
except Exception as e:
LOG.warning("Error closing %s session: %s" % (session_app, e))
backends = get_backends()
if backends:
for backend in backends:
if hasattr(backend, 'logout'):
try:
response = backend.logout(request, next_page)
if response:
return response
except Exception as e:
LOG.warning(
'Potential error on logout for user: %s with exception: %s'
% (username, e))
if len([backend for backend in backends
if hasattr(backend, 'logout')]) == len(backends):
LOG.warning("Failed to log out from all backends for user: %s" %
(username))
response = django.contrib.auth.views.LogoutView.as_view(
next_page=next_page)(request)
response.delete_cookie(LOAD_BALANCER_COOKIE)
return response
def REALMS(self):
realms = {}
if self.A2_REGISTRATION_REALM:
realms[self.A2_REGISTRATION_REALM] = self.A2_REGISTRATION_REALM
def add_realms(new_realms):
for realm in new_realms:
if not isinstance(realm, (tuple, list)):
realms[realm] = realm
else:
realms[realm[0]] = realm[1]
from django.contrib.auth import get_backends
for backend in get_backends():
if hasattr(backend, 'get_realms'):
add_realms(backend.get_realms())
if self.A2_REALMS:
add_realms(self.A2_REALMS)
return realms.items()
def login(self, request, user):
# HACK: This is not nice. The proper Django way is to use an
# authentication backend
if not hasattr(user, 'backend'):
from .auth_backends import AuthenticationBackend
backends = get_backends()
backend = None
for b in backends:
if isinstance(b, AuthenticationBackend):
# prefer our own backend
backend = b
break
elif not backend and hasattr(b, 'get_user'):
# Pick the first vald one
backend = b
backend_path = '.'.join([backend.__module__,
backend.__class__.__name__])
user.backend = backend_path
django_login(request, user)
def update_roles_map(self):
"""
:return:
"""
permissions_actions_map = self.permissions_actions_map.copy()
roles_actions_map = defaultdict()
hacs_backend = None
for backend in get_backends():
if backend.__class__.__name__ == "HacsAuthorizerBackend":
hacs_backend = backend
break
assert hacs_backend, "'hacs.security.backends.HacsAuthorizerBackend' is need to added in settings"
for action, permissions in six.iteritems(permissions_actions_map):
if not permissions:
continue
roles_actions_map[action] = hacs_backend.get_permissions_roles(*permissions)
self.roles_actions_map = roles_actions_map
def dt_logout(request, next_page=None):
"""Log out the user"""
username = request.user.get_username()
request.audit = {
'username': username,
'operation': 'USER_LOGOUT',
'operationText': 'Logged out user: %s' % username
}
backends = get_backends()
if backends:
for backend in backends:
if hasattr(backend, 'logout'):
try:
response = backend.logout(request, next_page)
if response:
return response
except Exception, e:
LOG.warn('Potential error on logout for user: %s with exception: %s' % (username, e))
def visible_contests_query(self, request):
"""Provides a :class:`django.db.models.Q` expression which can be used
on :class:`oioioi.contests.models.Contest` queryset already limited
to contests using this controller to filter for contests the user
can enter.
It must not make use of attribute `contest` of the controller,
as it is not guaranteed to be set. It is called with None contest
in :function:`oioioi.contests.utils.visible_contests`.
"""
filt = self.user_contests_query(request)
for backend in auth.get_backends():
if not hasattr(backend, 'filter_for_perm'):
continue
filt |= backend.filter_for_perm(Contest, 'contests.contest_admin', request.user) \
| backend.filter_for_perm(Contest, 'contests.contest_observer', request.user) \
| backend.filter_for_perm(Contest, 'contests.personal_data', request.user) \
| backend.filter_for_perm(Contest, 'contests.contest_basicadmin', request.user)
return filt
def has_perm(self, perm, obj=None):
"""
判断用户是否拥有指定权限,perm的格式为app_label.codename,比如:goods.add_goods
可选参数obj传值后仅返回obj是否拥有此权限,但当前未实现此逻辑,故返回False
"""
# 激活后的超级用户拥有所有权限
if self.is_active and self.is_superuser:
return True
# 其他人需要从权限后台(backends)中核查
for backend in auth.get_backends():
if not hasattr(backend, 'has_perm'):
continue
try:
if backend.has_perm(self, perm, obj):
return True
except PermissionDenied:
return False
return False
def query_ldap(**options: str) -> None:
email = options['email']
for backend in get_backends():
if isinstance(backend, LDAPBackend):
ldap_attrs = _LDAPUser(
backend, backend.django_to_ldap_username(email)).attrs
if ldap_attrs is None:
print("No such user found")
else:
for django_field, ldap_field in settings.AUTH_LDAP_USER_ATTR_MAP.items(
):
value = ldap_attrs[ldap_field]
if django_field == "avatar":
if isinstance(value[0], bytes):
value = "(An avatar image file)"
print("%s: %s" % (django_field, value))
if settings.LDAP_EMAIL_ATTR is not None:
print("%s: %s" %
('email', ldap_attrs[settings.LDAP_EMAIL_ATTR]))
def query_ldap(email: str) -> List[str]:
values = []
backend = next((backend for backend in get_backends() if isinstance(backend, LDAPBackend)), None)
if backend is not None:
ldap_attrs = _LDAPUser(backend, backend.django_to_ldap_username(email)).attrs
if ldap_attrs is None:
values.append("No such user found")
else:
for django_field, ldap_field in settings.AUTH_LDAP_USER_ATTR_MAP.items():
value = ldap_attrs.get(ldap_field, ["LDAP field not present", ])[0]
if django_field == "avatar":
if isinstance(value, bytes):
value = "(An avatar image file)"
values.append("%s: %s" % (django_field, value))
if settings.LDAP_EMAIL_ATTR is not None:
values.append("%s: %s" % ('email', ldap_attrs[settings.LDAP_EMAIL_ATTR][0]))
else:
values.append("LDAP backend not configured on this server.")
return values
def file_login_view(request):
key = request.POST.get("key", "")
try:
ak = AuthenticationKey.objects.get(key=salted_hash(key))
except AuthenticationKey.DoesNotExist:
return HttpResponse("Invalid key")
if not ak.active:
return HttpResponse("Inactive key")
user = ak.user
# In lieu of a call to authenticate()
backend = get_backends()[0]
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
login(request, user)
return HttpResponseRedirect("/")
def process_request(self, request):
assert hasattr(request, 'session'), (
"The djangae.contrib.googleauth middleware requires session middleware "
"to be installed. Edit your MIDDLEWARE%s setting to insert "
"'django.contrib.sessions.middleware.SessionMiddleware' before "
"'djangae.contrib.googleauth.middleware.AuthenticationMiddleware'."
) % ("_CLASSES" if settings.MIDDLEWARE is None else "")
request.user = SimpleLazyObject(lambda: get_user(request))
backend_str = request.session.get(BACKEND_SESSION_KEY)
if request.user.is_authenticated:
if backend_str and isinstance(load_backend(backend_str),
OAuthBackend):
# The user is authenticated with Django, and they use the OAuth backend, so they
# should have a valid oauth session
oauth_session = OAuthUserSession.objects.filter(
pk=request.user.google_oauth_id).first()
# Their oauth session expired, so let's log them out
if not oauth_session or not oauth_session.is_valid:
logout(request)
elif backend_str and isinstance(load_backend(backend_str),
IAPBackend):
if not IAPBackend.can_authenticate(request):
logout(request)
else:
backends = get_backends()
try:
iap_backend = next(
filter(lambda be: isinstance(be, IAPBackend), backends))
except StopIteration:
iap_backend = None
# Try to authenticate with IAP if the headers
# are available
if iap_backend and IAPBackend.can_authenticate(request):
user = iap_backend.authenticate(request)
if user and user.is_authenticated:
user.backend = 'djangae.contrib.googleauth.backends.iap.%s' % IAPBackend.__name__
login(request, user)
def login_user(request, user):
''' hijack mechanism '''
hijack_history = [request.user.pk]
if request.session.get('hijack_history'):
hijack_history = request.session['hijack_history'] + hijack_history
check_hijack_permission(request, user)
backend = get_backends()[0]
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
login(request, user)
post_superuser_login.send(sender=None, user_id=user.pk)
request.session['is_hijacked_user'] = True
request.session['hijack_history'] = hijack_history
request.session.modified = True
redirect_to = request.GET.get(
'next',
getattr(settings, 'HIJACK_LOGIN_REDIRECT_URL',
getattr(settings, 'LOGIN_REDIRECT_URL', '/')))
return HttpResponseRedirect(resolve_url(redirect_to))
def authorize_proceedings(proceedings):
group_q = Q()
for g in user.groups.all():
group_q = group_q | Q(groups__in=[g])
permissions = []
for backend in auth.get_backends():
permissions.extend(backend.get_all_permissions(user))
permission_q = Q()
for p in permissions:
label, codename = p.split('.')
permission_q = permission_q | Q(
permissions__content_type__app_label=label,
permissions__codename=codename)
return proceedings.filter(
((Q(transactioner__isnull=True) | Q(transactioner=user)) &
(Q(permissions__isnull=True) | permission_q) &
(Q(groups__isnull=True) | group_q)))
def activation(request, code=None):
try:
user = User.objects.get(is_active=False, activation_code=code)
except:
messages.add_message(request, messages.ERROR,
_('Activation code corrupted or already used'))
return redirect('social:index')
user.is_active = True
# django needs a backend annotation
from django.contrib.auth import get_backends
backend = get_backends()[0]
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
django_login(request, user)
invite = Invite.objects(recipient=user).first()
if invite:
invite.on_activate()
return redirect('social:home')
def test_permissions_for_public_groups(self):
"""
If layer is restricted to public groups, only members of the public group should see the object.
"""
bar = self.bar
norman = self.norman
layer = Layer.objects.all()[0]
self.assertFalse(bar.user_is_member(norman))
perms = layer.get_all_level_info()
perms['authenticated'] = layer.LEVEL_NONE
perms['anonymous'] = layer.LEVEL_NONE
perms['groups'] = [(bar.slug, layer.LEVEL_WRITE)]
layer.set_permissions(perms)
bck = get_backends()[0]
layers = bck.objects_with_perm(norman, 'layers.view_layer', Layer)
self.assertTrue(layer.id not in layers)
bar.join(norman)
layers = bck.objects_with_perm(norman, 'layers.view_layer', Layer)
self.assertTrue(layer.id in layers)
def get_enabled_auth_backends():
"""Return all authentication backends being used by Review Board.
The returned list contains every authentication backend that Review Board
will try, in order.
Returns:
list of type:
The list of registered
:py:class:`~reviewboard.accounts.backends.base.BaseAuthBackend`
subclasses.
"""
global _enabled_auth_backends
global _auth_backend_setting
if (not _enabled_auth_backends
or _auth_backend_setting != settings.AUTHENTICATION_BACKENDS):
_enabled_auth_backends = list(get_backends())
_auth_backend_setting = settings.AUTHENTICATION_BACKENDS
return _enabled_auth_backends
def _create_placeholder_request(user):
"""
Helper method to create a placeholder request.
Arguments:
user (User): Django User object.
Returns:
request (HttpRequest): A placeholder request object.
"""
request = HttpRequest()
middleware = SessionMiddleware()
middleware.process_request(request)
request.session.save()
backend = get_backends()[0]
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
login(request, user)
request.user = user
request.META['SERVER_NAME'] = 'edx.org'
request.META['SERVER_PORT'] = '8080'
return request
def has_perm(self, perm):
"""
Returns True if the user has the specified permission. This method
queries all available auth backends, but returns immediately if any
backend returns True. Thus, a user who has permission from a single
auth backend is assumed to have permission in general.
"""
# Inactive users have no permissions.
if not self.is_active:
return False
# Superusers have all permissions.
if self.is_superuser:
return True
# Otherwise we need to check the backends.
for backend in auth.get_backends():
if hasattr(backend, "has_perm"):
if backend.has_perm(self, perm):
return True
return False
def login_view(request, auth_code_hash, r=None):
redis_key = "".join(["qrauth_", auth_code_hash])
user_id = r.get(redis_key)
if user_id == None:
return HttpResponseRedirect(reverse("invalid_auth_code"))
r.delete(redis_key)
try:
user = User.objects.get(id=user_id)
except User.DoesNotExist:
return HttpResponseRedirect(reverse("invalid_auth_code"))
# In lieu of a call to authenticate()
backend = get_backends()[0]
user.backend = "%s.%s" % (backend.__module__, backend.__class__.__name__)
login(request, user)
return HttpResponseRedirect(AUTH_QR_CODE_REDIRECT_URL)
def _find_user(self, username, local_site, request):
"""Finds a User object matching ``username``.
This will search all authentication backends, and may create the
User object if the authentication backend knows that the user exists.
"""
username = username.strip()
if local_site:
return local_site.users.get(username=username)
try:
return User.objects.get(username=username)
except User.DoesNotExist:
for backend in auth.get_backends():
try:
return backend.get_or_create_user(username, request)
except:
pass
return None
