class ElectionAuthBackend(object): """ Authenticate against django.contrib.auth.backends.ModelBackend AND ipauth.backend.RangeBackend Users must pass both sets of authentication to use the system """ supports_anonymous_user = False ipauth_backend = None model_backend = None def __init__(self): self.ipauth_backend = RangeBackend() self.model_backend = ModelBackend() def authenticate(self, username=None, password=None, ip=None): """ Authenticate against multiple backends AND'd together TODO: Election admin """ model_user = self.model_backend.authenticate(username=username, password=password) ip_user = self.ipauth_backend.authenticate(ip=ip) #print 'model_user', repr(model_user) #print 'model_user groups', repr(model_user.groups.all()) #print 'ip_user', repr(ip_user) admin_group = Group.objects.filter(name='ADMIN').all() if admin_group.count() > 0: admin_group = admin_group[0] else: admin_group = None if not model_user: return None if model_user.is_superuser or model_user.is_staff: # Super admin return model_user if model_user.groups.count() > 0 and admin_group in model_user.groups.all(): # Election admin return model_user #if ip_user is None: #print 'Your IP=%s is not in the IPAuth' % (ip, ) #return None return model_user def get_group_permissions(self, user_obj): """ Returns a set of permission strings that this user has through his/her groups. """ return self.model_backend.get_group_permissions(user_obj) def get_all_permissions(self, user_obj): return self.model_backend.get_all_permissions(user_obj) def has_perm(self, user_obj, perm): return self.model_backend.has_perm(user_obj, perm) def has_module_perms(self, user_obj, app_label): return self.model_backend.has_module_perms(user_obj, app_label) def get_user(self, user_id): return self.model_backend.get_user(user_id)
def has_perm(self, user_obj, perm, obj=None): if obj is None: # fallback to Django default permission backend return ModelBackend.has_perm(self, user_obj, perm) else: # in case the user is the owner, he/she has always permissions, # otherwise we need to check if hasattr(obj, 'owner') and user_obj == obj.owner: return True else: return perm in self.get_all_permissions(user_obj, obj=obj)
def has_permission(user, permission_codename, obj=None, canedit = False): from djpcms.models import Page, BlockContent, ObjectPermission if not obj: back = ModelBackend() if permission_codename[-4:] == 'view': return True if not user.is_active: return False if user.is_superuser: return True return back.has_perm(user, permission_codename) else: anony = user.is_anonymous() opts = obj._meta viewperm = get_view_permission(obj) == permission_codename changeperm = opts.app_label + '.' + opts.get_change_permission() == permission_codename # Do Page and BlockContent first if isinstance(obj,Page): if anony and obj.requires_login: return False if changeperm and obj.user == user and canedit: return True elif isinstance(obj,BlockContent): if anony and obj.requires_login: return False if changeperm and obj.page.user == user and canedit: return True if viewperm and not anony and obj.for_not_authenticated: return False if user.is_superuser: return True perms = ObjectPermission.objects.for_object(obj, permission_codename) if perms: for perm in perms: if perm.has_perm(user): return True return False # Fall back to permission without object return has_permission(user, permission_codename)
def has_perm(self, user_obj, perm, obj=None): """ It is assumed that perm will be one of the Django default perm codes like 'delete_comment' or 'change_comment'. The default users, however, will not have the default privileges for the delete and change verbs. Instead, they will have '_own' versions of the verbs: 'change_comment_own', 'delete_comment_own' The first step is to call has_perm w/o the object to use standard permission checking (do this on purpose). If the user has the permission, return True. """ # print "ModelBackendPlus.has_perm()" allowed = ModelBackend.has_perm(self, user_obj, perm) if allowed: return True # The majority of users will fail this check because only non-default # auth_groups will have any of the default permissions for the create # and delete verbs # # If an obj is not None, however, we have the chance to check the # business rule for the "_own" extension of the perm verb, namely, that # the object was created by the user. # # The idea is that in a conventional RBAC scheme, we would always have # a task, i.e., "read" as the lowest child and it would have a parent # "read_own" that would need a business rule of "the session user # created this model" # # All of the "_own" permissions verbs would be put into the default # auth_group if obj is not None: # print "ModelBackendPlus.has_perm() obj is not None" # Make sure obj has a user property. If it does not, return # False. Again, we will call ModelBackend.has_perm without the # object parameter so that we bypass the built-in object workflow, # which is incomplete if hasattr(obj, "user"): #print "ModelBackendPlus.has_perm() obj has user property" # DEBUG #a = ModelBackend.has_perm(self, user_obj, perm + '_own') #b = obj.user == user_obj # #print "ModelBackendPlus.has_perm() _own:" + \ # "true" if a else "false" #print "ModelBackendPlus.has_perm() obj.user = user: "******"true" if b else "false" return (ModelBackend.has_perm(self, user_obj, perm + '_own') and obj.user == user_obj) else: return False else: return False