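def is_unprivileged_query(self, request, identifier):
    """
    Return True if a non-superuser requests information about another user.

    Args:
        request (Request): the request being handled; ``request.user`` is
            compared against ``identifier`` to decide whether this is a
            self-lookup.
        identifier: a user identifier exposing ``kind`` and ``value``, of the
            shape returned by ``self.identifier(kind, value)``; ``kind`` must
            be one of ``self.identifier_kinds``.

    Returns:
        bool: False when the caller asks about their own record, or is a
        superuser, or presents a valid API key; True when a caller without
        elevated permissions asks about someone else.

    Raises:
        ValueError: if ``identifier.kind`` is not an allowed kind. This is
            already checked before we get here, so a failure surfaces as a
            500 rather than a client error.
    """
    if identifier.kind not in self.identifier_kinds:
        raise ValueError(u"Identifier kind {} not in {}".format(identifier.kind, self.identifier_kinds))

    # AnonymousUser does not have an email attribute, so read it with a
    # fallback that never compares equal to the provided value. The fallback
    # must be applied to request.user, not to the identifier: a plain
    # request.user.email would raise AttributeError for anonymous requests.
    own_email = getattr(request.user, 'email', object())
    is_self_request = (
        identifier == self.identifier('username', request.user.username)
        or (identifier.kind == 'email' and getattr(identifier, 'value', object()) == own_email)
    )
    if is_self_request:
        # We can always ask for our own provider.
        return False

    # We are querying permissions for a user other than the current user;
    # only a superuser or a valid API key is allowed to do that.
    if request.user.is_superuser or ApiKeyHeaderPermission().has_permission(request, self):
        return False
    return True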
def has_api_key_permissions(self, request):
    """
    Return whether *request* was made by a server presenting a valid API key.

    Args:
        request (Request): the request being made into the view.

    Returns:
        bool: True if ApiKeyHeaderPermission accepts the request, False otherwise.
    """
    api_key_check = ApiKeyHeaderPermission()
    return api_key_check.has_permission(request, self)
def is_unprivileged_query(self, request, username):
    """
    Return True if a non-superuser requests information about another user.

    Args:
        request (Request): the request being handled.
        username (str): the value naming the requested record; it is compared
            against both the username and the email of ``request.user``.

    Returns:
        bool: True only when *username* names someone other than the
        requesting user and the requester is neither a superuser nor a client
        holding a valid API key.
    """
    # AnonymousUser does not have an email attribute; substitute a sentinel
    # that can never compare equal to the supplied username.
    own_names = {request.user.username, getattr(request.user, 'email', object())}
    if username in own_names:
        # Anyone may query their own record.
        return False
    # Another user's record: only elevated callers may look.
    elevated = request.user.is_superuser or ApiKeyHeaderPermission().has_permission(request, self)
    return not elevated
def get_queryset(self):
    """
    Return the UserSocialAuth rows for the requested provider, narrowed by query params.

    ``provider_id`` is read from the URL kwargs. The caller must be a superuser,
    hold a valid API key, or pass the provider-specific
    ThirdPartyAuthProviderApiPermission check (OAuth2 client credentials, per the
    original comment); otherwise PermissionDenied is raised *before* the provider
    is looked up, so unauthorised callers cannot learn which provider ids exist.
    An unknown provider raises Http404.

    The ``username`` and ``remote_id`` query parameters may each be repeated
    and/or comma-separated; the collected sets are OR-ed into a single filter.
    As a side effect ``self.provider`` is set to the resolved provider.
    """
    provider_id = self.kwargs.get('provider_id')

    # Permission checking. Both API_KEY access and OAuth2 client credential
    # access are allowed here.
    allowed = (
        self.request.user.is_superuser
        or ApiKeyHeaderPermission().has_permission(self.request, self)
        or ThirdPartyAuthProviderApiPermission(provider_id).has_permission(self.request, self)
    )
    if not allowed:
        raise exceptions.PermissionDenied()

    # Provider existence checking.
    self.provider = Registry.get(provider_id)
    if not self.provider:
        raise Http404

    rows = UserSocialAuth.objects.select_related('user').filter(provider=self.provider.backend_name)

    # With a multi-IdP backend only the rows for the current IdP are wanted:
    # when the provider prefixes uids with a slug, restrict on that prefix.
    slugged_uid = self.provider.get_social_auth_uid('uid')
    if slugged_uid != 'uid':
        # Drop the trailing 'uid' placeholder to keep just the slug prefix.
        rows = rows.filter(uid__startswith=slugged_uid[:-3])

    def split_values(param):
        # A param may be repeated and each value may be comma-separated;
        # flatten everything into one set of strings.
        raw = self.request.query_params.getlist(param, None)
        if not raw:
            return set()
        joined = ','.join(raw)
        return set(joined.split(',')) if joined else set()

    query = Q()
    usernames = split_values('username')
    if usernames:
        query = query | Q(user__username__in=usernames)
    remote_ids = split_values('remote_id')
    if remote_ids:
        query = query | Q(uid__in=[
            self.provider.get_social_auth_uid(remote_id) for remote_id in remote_ids
        ])
    return rows.filter(query)
def is_unprivileged_query(self, request, identifier):
    """
    Return True if a non-superuser requests information about another user.

    The requested record is taken from ``self.kwargs['username']`` (which, per
    the custom change below, may hold a username or an email); ``identifier``
    is only validated for its kind here.

    Args:
        request (Request): the request being handled.
        identifier: a user identifier exposing ``kind``; ``kind`` must be one
            of ``self.identifier_kinds``.

    Returns:
        bool: True only when the requested record belongs to someone other
        than ``request.user`` and the requester is neither a superuser nor a
        client holding a valid API key.

    Raises:
        ValueError: if ``identifier.kind`` is not an allowed kind. This is
            already checked before we get here, so a failure surfaces as a
            500 rather than a client error.
    """
    if identifier.kind not in self.identifier_kinds:
        raise ValueError("Identifier kind {} not in {}".format(identifier.kind, self.identifier_kinds))

    # Custom change to support username and email from superuser.
    # AnonymousUser does not have an email attribute; the sentinel never
    # compares equal to the requested value.
    requested = self.kwargs[u'username']
    own_names = {request.user.username, getattr(request.user, 'email', object())}
    if requested in own_names:
        # Anyone may query their own record.
        return False
    has_elevated_access = request.user.is_superuser or ApiKeyHeaderPermission().has_permission(request, self)
    return not has_elevated_access
def get(self, request, username):
    """
    List the third-party auth providers linked to *username*'s account.

    Args:
        request (Request): the HTTP GET request.
        username (str): the user whose linked providers are requested.

    Returns:
        Response: ``{"active": [...]}`` where each entry carries
        ``provider_id``, ``name`` and ``remote_id`` for a provider the user
        has an account with. 403 Forbidden when a caller without elevated
        permissions asks about another user; 404 when the user does not exist.
    """
    if request.user.username != username:
        # Another user's record: only superusers or API-key clients may look.
        # Reject before validating 'username' so that callers cannot probe the
        # existence of other accounts through a 403/404 difference.
        elevated = request.user.is_superuser or ApiKeyHeaderPermission().has_permission(request, self)
        if not elevated:
            return Response(status=status.HTTP_403_FORBIDDEN)

    try:
        user = User.objects.get(username=username)
    except User.DoesNotExist:
        return Response(status=status.HTTP_404_NOT_FOUND)

    linked = []
    for assoc in pipeline.get_provider_user_states(user):
        if not assoc.has_account:
            continue
        linked.append({
            "provider_id": assoc.provider.provider_id,
            "name": assoc.provider.name,
            "remote_id": assoc.remote_id,
        })
    # In the future this can be trivially modified to return the
    # inactive/disconnected providers as well.
    return Response({
        "active": linked
    })
def has_permission(self, request, view):
    """
    Grant access when the request carries a valid API key or passes Django model permissions.

    Args:
        request (Request): the request being checked.
        view: the view the request is routed to.

    Returns:
        The result of the API-key check when it is truthy, otherwise the
        result of DjangoModelPermissions for the same request and view.
    """
    api_key_ok = ApiKeyHeaderPermission().has_permission(request, view)
    # The model-permission check only runs when the API key check fails.
    return api_key_ok or DjangoModelPermissions().has_permission(request, view)