Ticket #689: 689_full-3.diff
| File 689_full-3.diff, 13.7 KB (added by , 17 years ago) |
|---|
-
django/contrib/auth/backends.py
diff -r 581e90af582f django/contrib/auth/backends.py
a b from django.db import connection 1 1 from django.db import connection 2 2 from django.contrib.auth.models import User 3 3 4 try: 5 set 6 except NameError: 4 try: 5 set 6 except NameError: 7 7 from sets import Set as set # Python 2.3 fallback 8 8 9 9 class ModelBackend: 10 10 """ 11 11 Authenticate against django.contrib.auth.models.User … … class ModelBackend: 50 50 cursor.execute(sql, [user_obj.id]) 51 51 user_obj._group_perm_cache = set(["%s.%s" % (row[0], row[1]) for row in cursor.fetchall()]) 52 52 return user_obj._group_perm_cache 53 53 54 54 def get_all_permissions(self, user_obj): 55 55 if not hasattr(user_obj, '_perm_cache'): 56 56 user_obj._perm_cache = set([u"%s.%s" % (p.content_type.app_label, p.codename) for p in user_obj.user_permissions.select_related()]) … … class ModelBackend: 68 68 return User.objects.get(pk=user_id) 69 69 except User.DoesNotExist: 70 70 return None 71 72 class RemoteUserAuthBackend: 73 74 def __init__(self): 75 if self.__class__ == RemoteUserAuthBackend: 76 raise TypeError, "You must create your own class derived\ 77 from Remote UserAuthBackend in order to use it." 78 79 def authenticate(self, username, password=None): 80 """ 81 Authenticate user - RemoteUserAuth middleware passes REMOTE_USER 82 as username. 83 """ 84 if password is not None: 85 return None 86 user = None 87 if username: 88 username = self.parse_user(username) 89 try: 90 user = User.objects.get(username=username) 91 except User.DoesNotExist: 92 user = self.unknown_user(username) 93 user = self.configure_user(user) 94 return user 95 96 def parse_user(self, username): 97 """ Parse the provided username. 98 Override this method if you need to do special things with the 99 username, like stripping @realm or cleaning something like 100 cn=x,dc=sas,etc. 101 """ 102 return username 103 104 def get_user(self, user_id): 105 try: 106 return User.objects.get(pk=user_id) 107 except User.DoesNotExist: 108 return None 109 110 def unknown_user(self, username): 111 # Auto-create user 112 user = User.objects.create_user(username, '') 113 user.is_staff = False 114 user.save() 115 return user 116 117 def configure_user(self, user): 118 """ Configure a user after login. 119 i.e: to read group membership from LDAP and so on. 120 """ 121 return user 122 -
django/contrib/auth/middleware.py
diff -r 581e90af582f django/contrib/auth/middleware.py
a b class AuthenticationMiddleware(object): 10 10 assert hasattr(request, 'session'), "The Django authentication middleware requires session middleware to be installed. Edit your MIDDLEWARE_CLASSES setting to insert 'django.contrib.sessions.middleware.SessionMiddleware'." 11 11 request.__class__.user = LazyUser() 12 12 return None 13 14 class RemoteUserAuthMiddleware(object): 15 def process_request(self, request): 16 from django.contrib.auth import authenticate, login 17 # AuthenticationMiddleware is required to create request.user 18 error = """The Django RemoteUserAuth middleware requires authentication middleware to be installed. Edit your MIDDLEWARE_CLASSES 19 setting to insert 'django.contrib.auth.middleware.AuthenticationMiddleware' *before* the RemoteUserMiddleware class.""" 20 assert hasattr(request, 'user'), error 21 if request.user.is_anonymous(): 22 user = None 23 try: 24 user = authenticate(username=request.META['REMOTE_USER']) 25 except KeyError: 26 pass # No remote user available 27 if user is not None: 28 request.user = user # set request.user to the authenticated user 29 login(request, user) # auto-login the user to Django 30 return None -
django/contrib/auth/tests.py
diff -r 581e90af582f django/contrib/auth/tests.py
a b 1 import os 2 import unittest 3 from django.contrib.auth.models import User 4 from django.contrib.auth.backends import RemoteUserAuthBackend 5 from django.test.client import Client 6 from django.conf import settings 7 8 class SimpleDerivedBackend(RemoteUserAuthBackend): 9 pass 10 11 class HttpAuthTest(unittest.TestCase): 12 def setUp(self): 13 self.extra_headers = {'REMOTE_USER': 'iamnotanuser'} 14 self.curr_middleware = settings.MIDDLEWARE_CLASSES 15 self.curr_auth = settings.AUTHENTICATION_BACKENDS 16 17 settings.MIDDLEWARE_CLASSES +=\ 18 ('django.contrib.auth.middleware.RemoteUserAuthMiddleware', ) 19 settings.AUTHENTICATION_BACKENDS =\ 20 ('django.contrib.auth.tests.SimpleDerivedBackend',) 21 22 def testBackendMustBeDerived(self): 23 """ 24 HttpAuthTest.testBackendMustBeDerived: RemoteUserAuthBackend cannot be 25 used without being inherited by another class. 26 """ 27 # RemoteUserAuthBackend cannot be instantiated! 28 self.assertRaises(TypeError, RemoteUserAuthBackend) 29 30 # Check that it won't work on a request. 31 settings.AUTHENTICATION_BACKENDS =\ 32 ('django.contrib.auth.backends.RemoteUserAuthBackend',) 33 c = Client() 34 self.assertRaises(TypeError, c.get ,'/', {}, **self.extra_headers) 35 36 def testRemoteUserIsRespected(self): 37 c = Client() 38 extra_headers = {'REMOTE_USER': 'iamnotanuser'} 39 res = c.get('/', {}, **self.extra_headers) 40 41 u = User.objects.get(username='iamnotanuser') 42 # wow, the user was created! this works. 43 44 def tearDown(self): 45 # Restore settings to avoid breaking other tests. 46 settings.MIDDLEWARE_CLASSES = self.curr_middleware 47 settings.AUTHENTICATION_BACKENDS = self.curr_auth 48 1 49 """ 2 50 >>> from models import User, AnonymousUser 3 51 >>> u = User.objects.create_user('testuser', 'test@example.com', 'testpw') … … False 23 71 [] 24 72 >>> a.user_permissions.all() 25 73 [] 26 """ 27 No newline at end of file 74 """ -
new file docs/auth_remote_user.txt
diff -r 581e90af582f docs/auth_remote_user.txt
- + 1 ====================================================== 2 Authenticating against REMOTE_USER from the Web Server 3 ====================================================== 4 5 Typically on intranet sites users are already authenticated (i.e. in a Windows 6 domain) by the web server (i.e. using IIS Integrated Authentication). 7 8 When the web server takes care of authentication it sets the ``REMOTE_USER`` HTTP 9 header for use in the underlying application (i.e. Django). Then it's up to 10 this application take care of the authorization. 11 12 Django brings all you need to make use of the ``REMOTE_USER`` header bringing you 13 one step furder to single sign-on on enterprise infrastucure! 14 15 We assume that you have already configured your web server to authenticate 16 users, maybe with mod_auth_sspi in Apache, Integrated Authentication in IIS 17 and so on. 18 19 Configuring Django 20 ================== 21 22 First of all, you must add the ``RemoteUserAuthMiddleware`` just **after** 23 (never before) ``AuthenticationMiddleware``. 24 25 After this, you'll have to create you authentication backend that will take 26 care of checking that ``REMOTE_USER`` is valid. But don't be scared, 27 ``RemoteUserAuthBackend`` is here to help you. 28 29 ``RemoteUserAuthBackend`` provides a "template" of what you need, you could 30 create a backend that simply inherits it and you are done. It will simply 31 assume that ``REMOTE_USER`` is always correct and create ``User``objects for 32 it. 33 34 If you want more control, in you inherited authentication backend you can 35 override a few methods: 36 37 * ``parse_user``: Should cleanup ``REMOTE_USER`` (i.e. strip @realm from 38 it). It takes the ``username`` as argument, and must return the cleaned 39 ``username``. 40 * ``unkown_user``: Should create and return a ``User`` object, will be 41 called when a ``User`` object does not exist for ``REMOTE_USER``. Takes 42 ``username`` as it's only argument. 43 * ``configure_user``: Will be called after ``unkown_user`` so you can 44 configure the recently created ``User`` object (in case you did not want 45 to override ``unkown_user``. Takes the ``User`` instance as an argument. 46 Should also return the ``User`` instance that represents the User. 47 48 49 Examples: 50 51 settings.py:: 52 53 MIDDLEWARE_CLASSES = ( 54 'django.contrib.auth.middleware.AuthenticationMiddleware', 55 'django.contrib.auth.middleware.RemoteUserAuthMiddleware', 56 ... 57 ) 58 59 AUTHENTICATION_BACKENDS = ( 60 'myproject.backends.MyDerivedBackend', 61 ) 62 63 myproject/backends.py:: 64 65 from django.contrib.auth.backends import RemoteUserAuthBackend 66 67 class MyDerivedBackend(RemoteUserAuthBackend): 68 # We don't really do anything, we are fine with the default 69 # behaviour. 70 pass -
docs/authentication.txt
diff -r 581e90af582f docs/authentication.txt
a b This example shows how you might use bot 380 380 # Return an 'invalid login' error message. 381 381 382 382 .. admonition:: Calling ``authenticate()`` first 383 383 384 384 When you're manually logging a user in, you *must* call 385 385 ``authenticate()`` before you call ``login()``; ``authenticate()`` 386 386 sets an attribute on the ``User`` noting which authentication 387 387 backend successfully authenticated that user (see the `backends 388 388 documentation`_ for details), and this information is needed later 389 389 during the login process. 390 390 391 391 .. _backends documentation: #other-authentication-sources 392 392 393 393 Manually checking a user's password … … introduced in Python 2.4:: 460 460 461 461 In the Django development version, ``login_required`` also takes an optional 462 462 ``redirect_field_name`` parameter. Example:: 463 463 464 464 from django.contrib.auth.decorators import login_required 465 465 466 466 def my_view(request): … … In the Django development version, ``log 468 468 my_view = login_required(redirect_field_name='redirect_to')(my_view) 469 469 470 470 Again, an equivalent example of the more compact decorator syntax introduced in Python 2.4:: 471 471 472 472 from django.contrib.auth.decorators import login_required 473 473 474 474 @login_required(redirect_field_name='redirect_to') … … Again, an equivalent example of the more 479 479 480 480 * If the user isn't logged in, redirect to ``settings.LOGIN_URL`` 481 481 (``/accounts/login/`` by default), passing the current absolute URL 482 in the query string as ``next`` or the value of ``redirect_field_name``. 482 in the query string as ``next`` or the value of ``redirect_field_name``. 483 483 For example: 484 484 ``/accounts/login/?next=/polls/3/``. 485 485 * If the user is logged in, execute the view normally. The view code is … … database-based scheme, or you can use th 1019 1019 database-based scheme, or you can use the default system in tandem with other 1020 1020 systems. 1021 1021 1022 .. admonition:: Handling authentication at the web server 1023 1024 There's a very specific situation/scenario in which you want to handle 1025 authentication at the web server's level (i.e. standard HTTP AUTH) and want 1026 Django to honour this authentication. This is covered in a separate page: 1027 `Authenticating against REMOTE_USER from the Web Server`_ 1028 1029 .. _Authenticating against REMOTE_USER from the Web Server: ../auth_remote_user/ 1030 1022 1031 Specifying authentication backends 1023 1032 ---------------------------------- 1024 1033 … … Handling authorization in custom backend 1119 1128 Handling authorization in custom backends 1120 1129 ----------------------------------------- 1121 1130 1122 Custom auth backends can provide their own permissions. 1131 Custom auth backends can provide their own permissions. 1123 1132 1124 1133 The user model will delegate permission lookup functions 1125 1134 (``get_group_permissions()``, ``get_all_permissions()``, ``has_perm()``, and … … one backend grants. 1132 1141 1133 1142 The simple backend above could implement permissions for the magic admin fairly 1134 1143 simply:: 1135 1144 1136 1145 class SettingsBackend: 1137 1146 1138 1147 # ... 1139 1148 1140 1149 def has_perm(self, user_obj, perm): … … simply:: 1142 1151 return True 1143 1152 else: 1144 1153 return False 1145 1154 1146 1155 This gives full permissions to the user granted access in the above example. Notice 1147 1156 that the backend auth functions all take the user object as an argument, and 1148 1157 they also accept the same arguments given to the associated ``User`` functions. -
docs/request_response.txt
diff -r 581e90af582f docs/request_response.txt
a b All attributes except ``session`` should 109 109 * ``QUERY_STRING`` -- The query string, as a single (unparsed) string. 110 110 * ``REMOTE_ADDR`` -- The IP address of the client. 111 111 * ``REMOTE_HOST`` -- The hostname of the client. 112 * ``REMOTE_USER`` -- The user authenticated by the web server, if any. 112 113 * ``REQUEST_METHOD`` -- A string such as ``"GET"`` or ``"POST"``. 113 114 * ``SERVER_NAME`` -- The hostname of the server. 114 115 * ``SERVER_PORT`` -- The port of the server.