Moved Apache auth handler to django/contrib/auth/handlers/modpython.py
git-svn-id: http://code.djangoproject.com/svn/django/trunk@1500 bcc190cf-cafb-0310-a4f2-bffc1f526a37
parent
5066fe528c
commit
3cb20c45c7
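--- a/django/contrib/auth/handlers/modpython.py
+++ b/django/contrib/auth/handlers/modpython.py
@@ -0,0 +1,44 @@
+from mod_python import apache
+import os
+
+def authenhandler(req, **kwargs):
+"""
+Authentication handler that checks against Django's auth database.
+"""
+
+# mod_python fakes the environ, and thus doesn't process SetEnv. This fixes
+# that so that the following import works
+os.environ.update(req.subprocess_env)
+
+from django.models.auth import users
+
+# check for PythonOptions
+_str_to_bool = lambda s: s.lower() in '1', 'true', 'on', 'yes'
+
+options = req.get_options()
+permission_name = options.get('DjangoPermissionName', None)
+staff_only = _str_to_bool(options.get('DjangoRequireStaffStatus', "on"))
+superuser_only = _str_to_bool(options.get('DjangoRequireSuperuserStatus', "off"))
+
+# check that the username is valid
+kwargs = {'username__exact': req.user, 'is_active__exact': True}
+if staff_only:
+kwargs['is_staff__exact'] = True
+if superuser_only:
+kwargs['is_superuser__exact'] = True
+try:
+user = users.get_object(**kwargs)
+except users.UserDoesNotExist:
+return apache.HTTP_UNAUTHORIZED
+
+# check the password and any permission given
+if user.check_password(req.get_basic_auth_pw()):
+if permission_name:
+if user.has_perm(permission_name):
+return apache.OK
+else:
+return apache.HTTP_UNAUTHORIZED
+else:
+return apache.OK
+else:
+return apache.HTTP_UNAUTHORIZED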
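Review bot: The `_str_to_bool` assignment in the new module does not build the function it appears to: with no parentheses around the accepted values, `lambda` binds tighter than the commas, so the name is bound to a four-element tuple whose first item is the lambda. The two calls that parse `DjangoRequireStaffStatus` and `DjangoRequireSuperuserStatus` would therefore raise `TypeError` before any credential is checked, and the handler errors out instead of returning an access decision; the line should read `_str_to_bool = lambda s: s.lower() in ('1', 'true', 'on', 'yes')`. Separately, `req.user` is read before `req.get_basic_auth_pw()` is called, and mod_python documents that the password call must come first for `req.user` to be populated, so it is worth confirming the lookup never runs with an empty username. The local `kwargs` dict also shadows the `**kwargs` parameter; a distinct name such as `lookup` would make the filter construction easier to audit.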
@ -163,46 +163,3 @@ def populate_apache_request(http_response, mod_python_req):
|
||||||
def handler(req):
|
def handler(req):
|
||||||
# mod_python hooks into this function.
|
# mod_python hooks into this function.
|
||||||
return ModPythonHandler()(req)
|
return ModPythonHandler()(req)
|
||||||
|
|
||||||
def authenhandler(req, **kwargs):
|
|
||||||
"""
|
|
||||||
Authentication handler that checks against Django's auth database.
|
|
||||||
"""
|
|
||||||
from mod_python import apache
|
|
||||||
|
|
||||||
# mod_python fakes the environ, and thus doesn't process SetEnv. This fixes
|
|
||||||
# that so that the following import works
|
|
||||||
os.environ.update(req.subprocess_env)
|
|
||||||
from django.models.auth import users
|
|
||||||
|
|
||||||
# check for PythonOptions
|
|
||||||
_str_to_bool = lambda s: s.lower() in '1', 'true', 'on', 'yes'
|
|
||||||
|
|
||||||
options = req.get_options()
|
|
||||||
permission_name = options.get('DjangoPermissionName', None)
|
|
||||||
staff_only = _str_to_bool(options.get('DjangoRequireStaffStatus', "on"))
|
|
||||||
superuser_only = _str_to_bool(options.get('DjangoRequireSuperuserStatus', "off"))
|
|
||||||
|
|
||||||
# check that the username is valid
|
|
||||||
kwargs = {'username__exact': req.user, 'is_active__exact': True}
|
|
||||||
if staff_only:
|
|
||||||
kwargs['is_staff__exact'] = True
|
|
||||||
if superuser_only:
|
|
||||||
kwargs['is_superuser__exact'] = True
|
|
||||||
try:
|
|
||||||
user = users.get_object(**kwargs)
|
|
||||||
except users.UserDoesNotExist:
|
|
||||||
return apache.HTTP_UNAUTHORIZED
|
|
||||||
|
|
||||||
# check the password and any permission given
|
|
||||||
if user.check_password(req.get_basic_auth_pw()):
|
|
||||||
if permission_name:
|
|
||||||
if user.has_perm(permission_name):
|
|
||||||
return apache.OK
|
|
||||||
else:
|
|
||||||
return apache.HTTP_UNAUTHORIZED
|
|
||||||
else:
|
|
||||||
return apache.OK
|
|
||||||
else:
|
|
||||||
return apache.HTTP_UNAUTHORIZED
|
|
||||||
|
|
|
@ -7,12 +7,12 @@ dealing with Apache, you can configuring Apache to authenticate against Django's
|
||||||
`authentication system`_ directly. For example, you could:
|
`authentication system`_ directly. For example, you could:
|
||||||
|
|
||||||
* Serve media files directly from Apache only to authenticated users.
|
* Serve media files directly from Apache only to authenticated users.
|
||||||
|
|
||||||
* Authenticate access to a Subversion_ repository against Django users with
|
* Authenticate access to a Subversion_ repository against Django users with
|
||||||
a certain permission.
|
a certain permission.
|
||||||
|
|
||||||
* Allow certain users to connect to a WebDAV share created with mod_dav_.
|
* Allow certain users to connect to a WebDAV share created with mod_dav_.
|
||||||
|
|
||||||
Configuring Apache
|
Configuring Apache
|
||||||
==================
|
==================
|
||||||
|
|
||||||
|
@ -24,9 +24,9 @@ with the standard ``Auth*`` and ``Require`` directives::
|
||||||
AuthType basic
|
AuthType basic
|
||||||
AuthName "example.com"
|
AuthName "example.com"
|
||||||
Require valid-user
|
Require valid-user
|
||||||
|
|
||||||
SetEnv DJANGO_SETTINGS_MODULE mysite.settings
|
SetEnv DJANGO_SETTINGS_MODULE mysite.settings
|
||||||
PythonAuthenHandler django.core.handlers.modpython
|
PythonAuthenHandler django.contrib.auth.handlers.modpython
|
||||||
</Location>
|
</Location>
|
||||||
|
|
||||||
By default, the authentication handler will limit access to the ``/example/``
|
By default, the authentication handler will limit access to the ``/example/``
|
||||||
|
@ -37,26 +37,26 @@ location to users marked as staff members. You can use a set of
|
||||||
``PythonOption`` Explanation
|
``PythonOption`` Explanation
|
||||||
================================ =========================================
|
================================ =========================================
|
||||||
``DjangoRequireStaffStatus`` If set to ``on`` only "staff" users (i.e.
|
``DjangoRequireStaffStatus`` If set to ``on`` only "staff" users (i.e.
|
||||||
those with the ``is_staff`` flag set)
|
those with the ``is_staff`` flag set)
|
||||||
will be allowed.
|
will be allowed.
|
||||||
|
|
||||||
Defaults to ``on``.
|
Defaults to ``on``.
|
||||||
|
|
||||||
``DjangoRequireSuperuserStatus`` If set to ``on`` only superusers (i.e.
|
``DjangoRequireSuperuserStatus`` If set to ``on`` only superusers (i.e.
|
||||||
those with the ``is_superuser`` flag set)
|
those with the ``is_superuser`` flag set)
|
||||||
will be allowed.
|
will be allowed.
|
||||||
|
|
||||||
Defaults to ``off``.
|
Defaults to ``off``.
|
||||||
|
|
||||||
``DjangoPermissionName`` The name of a permission to require for
|
``DjangoPermissionName`` The name of a permission to require for
|
||||||
access. See `custom permissions`_ for
|
access. See `custom permissions`_ for
|
||||||
more information.
|
more information.
|
||||||
|
|
||||||
By default no specific permission will be
|
By default no specific permission will be
|
||||||
required.
|
required.
|
||||||
================================ =========================================
|
================================ =========================================
|
||||||
|
|
||||||
.. _authentication system: http://www.djangoproject.com/documentation/authentication/
|
.. _authentication system: http://www.djangoproject.com/documentation/authentication/
|
||||||
.. _Subversion: http://subversion.tigris.org/
|
.. _Subversion: http://subversion.tigris.org/
|
||||||
.. _mod_dav: http://httpd.apache.org/docs/2.0/mod/mod_dav.html
|
.. _mod_dav: http://httpd.apache.org/docs/2.0/mod/mod_dav.html
|
||||||
.. _custom permissions: http://www.djangoproject.com/documentation/authentication/#custom-permissions
|
.. _custom permissions: http://www.djangoproject.com/documentation/authentication/#custom-permissions
|
||||||
|
|