Newer
Older
return redirect(request.GET["referer"])
user_form = UserForm(
instance=request.user,
is_inst_id_locked=is_inst_id_locked(request.user),
)
request.user.refresh_from_db()
user_form = UserForm(
instance=request.user,
is_inst_id_locked=is_inst_id_locked(request.user),
)
return render(request, "user-profile-form.html", {
"form": user_form,
"form_description": _("User Profile"),
"is_requesting_inst_id": is_requesting_inst_id(),
"enable_profile_form_js": (
not is_inst_id_locked(request.user)
and getattr(settings, "RELATE_SHOW_INST_ID_FORM", True))
# {{{ SAML auth backend
# This ticks the 'verified' boxes once we've receive attribute assertions
# through SAML2.
class Saml2Backend(Saml2BackendBase):
def _set_attribute(self, obj, attr, value):
mod = super(Saml2Backend, self)._set_attribute(obj, attr, value)
if attr == "institutional_id":
if not obj.institutional_id_verified:
obj.institutional_id_verified = True
mod = True
if attr in ["first_name", "last_name"]:
if not obj.name_verified:
obj.name_verified = True
mod = True
if attr == "email":
from course.constants import user_status
if obj.status != user_status.active:
obj.status = user_status.active
mod = True
return mod
# }}}
Dong Zhuang
committed
def sign_out_confirmation(request, redirect_field_name=REDIRECT_FIELD_NAME):
if not request.user.is_authenticated:
messages.add_message(request, messages.ERROR,
_("You've already signed out."))
return redirect("relate-home")
Dong Zhuang
committed
redirect_to = request.POST.get(redirect_field_name,
request.GET.get(redirect_field_name, ''))
next_uri = ""
if redirect_to:
next_uri = "?%s=%s" % (redirect_field_name, redirect_to)
return render(request, "sign-out-confirmation.html",
{"next_uri": next_uri})
Dong Zhuang
committed
def sign_out(request, redirect_field_name=REDIRECT_FIELD_NAME):
if not request.user.is_authenticated:
messages.add_message(request, messages.ERROR,
_("You've already signed out."))
return redirect("relate-home")
Dong Zhuang
committed
redirect_to = request.POST.get(redirect_field_name,
request.GET.get(redirect_field_name, ''))
if settings.RELATE_SIGN_IN_BY_SAML2_ENABLED:
from djangosaml2.views import _get_subject_id, logout as saml2_logout
if _get_subject_id(request.session) is not None:
response = saml2_logout(request)
auth_logout(request)
Dong Zhuang
committed
elif redirect_to:
return redirect(redirect_to)
class APIError(Exception):
pass
def find_matching_token(
course_identifier=None, token_id=None, token_hash_str=None,
now_datetime=None):
# type: (Text, int, Text, datetime.datetime) -> Optional[AuthenticationToken]
token = AuthenticationToken.objects.get(
id=token_id,
participation__course__identifier=course_identifier)
except AuthenticationToken.DoesNotExist:
return None
from django.contrib.auth.hashers import check_password
if not check_password(token_hash_str, token.token_hash):
return None
if token.revocation_time is not None:
return None
if token.valid_until is not None and now_datetime > token.valid_until:
return None
return token
class APIBearerTokenBackend(object):
Andreas Klöckner
committed
def authenticate(self, request, course_identifier=None, token_id=None,
token_hash_str=None, now_datetime=None):
token = find_matching_token(course_identifier, token_id, token_hash_str,
now_datetime)
if token is None:
return None
token.last_use_time = now_datetime
token.save()
return token.user
def get_user(self, user_id):
try:
return get_user_model().objects.get(pk=user_id)
except get_user_model().DoesNotExist:
return None
AUTH_HEADER_RE = re.compile("^Token ([0-9]+)_([a-z0-9]+)$")
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
class APIContext(object):
def __init__(self, request, token):
self.request = request
self.token = token
self.participation = token.participation
self.course = self.participation.course
restrict_to_role = token.restrict_to_participation_role
if restrict_to_role is not None:
role_restriction_ok = False
if restrict_to_role in token.participation.roles.all():
role_restriction_ok = True
if not role_restriction_ok and self.participation.has_permission(
pperm.impersonate_role, restrict_to_role.identifier):
role_restriction_ok = True
if not role_restriction_ok:
raise PermissionDenied(
"API token specifies invalid role restriction")
self.restrict_to_role = restrict_to_role
def has_permission(self, perm, argument=None):
if self.restrict_to_role is None:
return self.participation.has_permission(perm, argument)
else:
return self.restrict_to_role.has_permission(perm, argument)
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
def auth_course_with_token(
request, # type: http.HttpRequest
course_identifier, # type: Text
token_id, # type: int
token_hash_str, # type: Text
now_datetime # type: datetime.datetime
):
# type: (...) -> Tuple[User, AuthenticationToken]
# FIXME: Redundant db roundtrip
token = find_matching_token(course_identifier=course_identifier,
token_id=token_id, token_hash_str=token_hash_str,
now_datetime=now_datetime)
if token is None:
raise PermissionDenied("invalid authentication token")
from django.contrib.auth import authenticate, login
user = authenticate(course_identifier=course_identifier,
token_id=token_id, token_hash_str=token_hash_str,
now_datetime=now_datetime)
assert user is not None
login(request, user)
return user, token
def with_course_api_auth(f):
def wrapper(request, course_identifier, *args, **kwargs):
from django.utils.timezone import now
now_datetime = now()
try:
auth_header = request.META.get("HTTP_AUTHORIZATION", None)
if auth_header is None:
raise PermissionDenied("No Authorization header provided")
match = AUTH_HEADER_RE.match(auth_header)
if match is None:
raise PermissionDenied("ill-formed Authorization header")
auth_data = dict(
course_identifier=course_identifier,
token_id=int(match.group(1)),
token_hash_str=match.group(2),
now_datetime=now_datetime)
user, token = auth_course_with_token(request, **auth_data)
response = f(
APIContext(request, token),
course_identifier, *args, **kwargs)
except PermissionDenied as e:
return http.HttpResponseForbidden(
"403 Forbidden: " + str(e))
except APIError as e:
return http.HttpResponseBadRequest(
"400 Bad Request: " + str(e))
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
return response
from functools import update_wrapper
update_wrapper(wrapper, f)
return wrapper
# }}}
# {{{ manage API auth tokens
class AuthenticationTokenForm(StyledModelForm):
class Meta:
model = AuthenticationToken
fields = (
"restrict_to_participation_role",
"description",
"valid_until",
)
widgets = {
"valid_until": DateTimePicker(options={"format": "YYYY-MM-DD"})
}
def __init__(self, participation, *args, **kwargs):
# type: (Participation, *Any, **Any) -> None
super(AuthenticationTokenForm, self).__init__(*args, **kwargs)
self.participation = participation
allowable_role_ids = (
set(role.id for role in participation.roles.all())
| set(
prole.id
for prole in ParticipationRole.objects.filter(
course=participation.course)
if participation.has_permission(
pperm.impersonate_role, prole.identifier))
)
self.fields["restrict_to_participation_role"].queryset = (
ParticipationRole.objects.filter(
id__in=list(allowable_role_ids)
))
self.helper.add_input(Submit("create", _("Create")))
@course_view
def manage_authentication_tokens(pctx):
# type: (http.HttpRequest) -> http.HttpResponse
request = pctx.request
if not request.user.is_authenticated:
raise PermissionDenied()
from course.views import get_now_or_fake_time
now_datetime = get_now_or_fake_time(request)
form = AuthenticationTokenForm(pctx.participation, request.POST)
revoke_prefix = "revoke_"
revoke_post_args = [key for key in request.POST if key.startswith("revoke_")]
if revoke_post_args:
token_id = int(revoke_post_args[0][len(revoke_prefix):])
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
auth_token = get_object_or_404(AuthenticationToken,
id=token_id,
user=request.user)
auth_token.revocation_time = now_datetime
auth_token.save()
form = AuthenticationTokenForm(pctx.participation)
elif "create" in request.POST:
if form.is_valid():
token = make_sign_in_key(request.user)
from django.contrib.auth.hashers import make_password
auth_token = AuthenticationToken(
user=pctx.request.user,
participation=pctx.participation,
restrict_to_participation_role=form.cleaned_data[
"restrict_to_participation_role"],
description=form.cleaned_data["description"],
valid_until=form.cleaned_data["valid_until"],
token_hash=make_password(token))
auth_token.save()
user_token = "%d_%s" % (auth_token.id, token)
messages.add_message(request, messages.SUCCESS,
_("A new authentication token has been created: %s. "
"Please save this token, as you will not be able "
"to retrieve it later.")
% user_token)
else:
messages.add_message(request, messages.ERROR,
_("Could not find which button was pressed."))
form = AuthenticationTokenForm(pctx.participation)
from django.db.models import Q
from datetime import timedelta
tokens = AuthenticationToken.objects.filter(
user=request.user,
participation__course=pctx.course,
).filter(
Q(revocation_time=None)
| Q(revocation_time__gt=now_datetime - timedelta(weeks=1)))
return render_course_page(pctx, "course/manage-auth-tokens.html", {
"form": form,
"new_token_message": "",
"tokens": tokens,
})
# }}}