Fixed #14249 -- Added support for inactive users to the auth backend system. Thanks, Harro van der Klauw.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@15010 bcc190cf-cafb-0310-a4f2-bffc1f526a37
This commit is contained in:
parent
5830477e46
commit
745c255a19
|
@ -30,6 +30,11 @@ def load_backend(path):
|
||||||
warn("Authentication backends without a `supports_anonymous_user` attribute are deprecated. Please define it in %s." % cls,
|
warn("Authentication backends without a `supports_anonymous_user` attribute are deprecated. Please define it in %s." % cls,
|
||||||
DeprecationWarning)
|
DeprecationWarning)
|
||||||
cls.supports_anonymous_user = False
|
cls.supports_anonymous_user = False
|
||||||
|
|
||||||
|
if not hasattr(cls, 'supports_inactive_user'):
|
||||||
|
warn("Authentication backends without a `supports_inactive_user` attribute are deprecated. Please define it in %s." % cls,
|
||||||
|
DeprecationWarning)
|
||||||
|
cls.supports_inactive_user = False
|
||||||
return cls()
|
return cls()
|
||||||
|
|
||||||
def get_backends():
|
def get_backends():
|
||||||
|
|
|
@ -8,6 +8,7 @@ class ModelBackend(object):
|
||||||
"""
|
"""
|
||||||
supports_object_permissions = False
|
supports_object_permissions = False
|
||||||
supports_anonymous_user = True
|
supports_anonymous_user = True
|
||||||
|
supports_inactive_user = True
|
||||||
|
|
||||||
# TODO: Model, login attribute name and password attribute name should be
|
# TODO: Model, login attribute name and password attribute name should be
|
||||||
# configurable.
|
# configurable.
|
||||||
|
@ -42,12 +43,16 @@ class ModelBackend(object):
|
||||||
return user_obj._perm_cache
|
return user_obj._perm_cache
|
||||||
|
|
||||||
def has_perm(self, user_obj, perm):
|
def has_perm(self, user_obj, perm):
|
||||||
|
if not user_obj.is_active:
|
||||||
|
return False
|
||||||
return perm in self.get_all_permissions(user_obj)
|
return perm in self.get_all_permissions(user_obj)
|
||||||
|
|
||||||
def has_module_perms(self, user_obj, app_label):
|
def has_module_perms(self, user_obj, app_label):
|
||||||
"""
|
"""
|
||||||
Returns True if user_obj has any permissions in the given app_label.
|
Returns True if user_obj has any permissions in the given app_label.
|
||||||
"""
|
"""
|
||||||
|
if not user_obj.is_active:
|
||||||
|
return False
|
||||||
for perm in self.get_all_permissions(user_obj):
|
for perm in self.get_all_permissions(user_obj):
|
||||||
if perm[:perm.index('.')] == app_label:
|
if perm[:perm.index('.')] == app_label:
|
||||||
return True
|
return True
|
||||||
|
|
|
@ -170,8 +170,10 @@ def _user_get_all_permissions(user, obj):
|
||||||
|
|
||||||
def _user_has_perm(user, perm, obj):
|
def _user_has_perm(user, perm, obj):
|
||||||
anon = user.is_anonymous()
|
anon = user.is_anonymous()
|
||||||
|
active = user.is_active
|
||||||
for backend in auth.get_backends():
|
for backend in auth.get_backends():
|
||||||
if not anon or backend.supports_anonymous_user:
|
if (not active and not anon and backend.supports_inactive_user) or \
|
||||||
|
(not anon or backend.supports_anonymous_user):
|
||||||
if hasattr(backend, "has_perm"):
|
if hasattr(backend, "has_perm"):
|
||||||
if obj is not None:
|
if obj is not None:
|
||||||
if (backend.supports_object_permissions and
|
if (backend.supports_object_permissions and
|
||||||
|
@ -185,8 +187,10 @@ def _user_has_perm(user, perm, obj):
|
||||||
|
|
||||||
def _user_has_module_perms(user, app_label):
|
def _user_has_module_perms(user, app_label):
|
||||||
anon = user.is_anonymous()
|
anon = user.is_anonymous()
|
||||||
|
active = user.is_active
|
||||||
for backend in auth.get_backends():
|
for backend in auth.get_backends():
|
||||||
if not anon or backend.supports_anonymous_user:
|
if (not active and not anon and backend.supports_inactive_user) or \
|
||||||
|
(not anon or backend.supports_anonymous_user):
|
||||||
if hasattr(backend, "has_module_perms"):
|
if hasattr(backend, "has_module_perms"):
|
||||||
if backend.has_module_perms(user, app_label):
|
if backend.has_module_perms(user, app_label):
|
||||||
return True
|
return True
|
||||||
|
@ -310,12 +314,9 @@ class User(models.Model):
|
||||||
auth backend is assumed to have permission in general. If an object
|
auth backend is assumed to have permission in general. If an object
|
||||||
is provided, permissions for this specific object are checked.
|
is provided, permissions for this specific object are checked.
|
||||||
"""
|
"""
|
||||||
# Inactive users have no permissions.
|
|
||||||
if not self.is_active:
|
|
||||||
return False
|
|
||||||
|
|
||||||
# Superusers have all permissions.
|
# Active superusers have all permissions.
|
||||||
if self.is_superuser:
|
if self.is_active and self.is_superuser:
|
||||||
return True
|
return True
|
||||||
|
|
||||||
# Otherwise we need to check the backends.
|
# Otherwise we need to check the backends.
|
||||||
|
@ -337,10 +338,8 @@ class User(models.Model):
|
||||||
Returns True if the user has any permissions in the given app
|
Returns True if the user has any permissions in the given app
|
||||||
label. Uses pretty much the same logic as has_perm, above.
|
label. Uses pretty much the same logic as has_perm, above.
|
||||||
"""
|
"""
|
||||||
if not self.is_active:
|
# Active superusers have all permissions.
|
||||||
return False
|
if self.is_active and self.is_superuser:
|
||||||
|
|
||||||
if self.is_superuser:
|
|
||||||
return True
|
return True
|
||||||
|
|
||||||
return _user_has_module_perms(self, app_label)
|
return _user_has_module_perms(self, app_label)
|
||||||
|
|
|
@ -1,14 +1,18 @@
|
||||||
from django.contrib.auth.tests.auth_backends import BackendTest, RowlevelBackendTest, AnonymousUserBackendTest, NoAnonymousUserBackendTest, NoBackendsTest
|
from django.contrib.auth.tests.auth_backends import (BackendTest,
|
||||||
|
RowlevelBackendTest, AnonymousUserBackendTest, NoAnonymousUserBackendTest,
|
||||||
|
NoBackendsTest, InActiveUserBackendTest, NoInActiveUserBackendTest)
|
||||||
from django.contrib.auth.tests.basic import BasicTestCase
|
from django.contrib.auth.tests.basic import BasicTestCase
|
||||||
from django.contrib.auth.tests.decorators import LoginRequiredTestCase
|
from django.contrib.auth.tests.decorators import LoginRequiredTestCase
|
||||||
from django.contrib.auth.tests.forms import UserCreationFormTest, AuthenticationFormTest, SetPasswordFormTest, PasswordChangeFormTest, UserChangeFormTest, PasswordResetFormTest
|
from django.contrib.auth.tests.forms import (UserCreationFormTest,
|
||||||
from django.contrib.auth.tests.remote_user \
|
AuthenticationFormTest, SetPasswordFormTest, PasswordChangeFormTest,
|
||||||
import RemoteUserTest, RemoteUserNoCreateTest, RemoteUserCustomTest
|
UserChangeFormTest, PasswordResetFormTest)
|
||||||
|
from django.contrib.auth.tests.remote_user import (RemoteUserTest,
|
||||||
|
RemoteUserNoCreateTest, RemoteUserCustomTest)
|
||||||
from django.contrib.auth.tests.models import ProfileTestCase
|
from django.contrib.auth.tests.models import ProfileTestCase
|
||||||
from django.contrib.auth.tests.signals import SignalTestCase
|
from django.contrib.auth.tests.signals import SignalTestCase
|
||||||
from django.contrib.auth.tests.tokens import TokenGeneratorTest
|
from django.contrib.auth.tests.tokens import TokenGeneratorTest
|
||||||
from django.contrib.auth.tests.views import PasswordResetTest, \
|
from django.contrib.auth.tests.views import (PasswordResetTest,
|
||||||
ChangePasswordTest, LoginTest, LogoutTest, LoginURLSettings
|
ChangePasswordTest, LoginTest, LogoutTest, LoginURLSettings)
|
||||||
from django.contrib.auth.tests.permissions import TestAuthPermissions
|
from django.contrib.auth.tests.permissions import TestAuthPermissions
|
||||||
|
|
||||||
# The password for the fixture data users is 'password'
|
# The password for the fixture data users is 'password'
|
||||||
|
|
|
@ -102,9 +102,12 @@ class TestObj(object):
|
||||||
|
|
||||||
class SimpleRowlevelBackend(object):
|
class SimpleRowlevelBackend(object):
|
||||||
supports_object_permissions = True
|
supports_object_permissions = True
|
||||||
|
supports_inactive_user = False
|
||||||
|
|
||||||
|
# This class also supports tests for anonymous user permissions, and
|
||||||
|
# inactive user permissions via subclasses which just set the
|
||||||
|
# 'supports_anonymous_user' or 'supports_inactive_user' attribute.
|
||||||
|
|
||||||
# This class also supports tests for anonymous user permissions,
|
|
||||||
# via subclasses which just set the 'supports_anonymous_user' attribute.
|
|
||||||
|
|
||||||
def has_perm(self, user, perm, obj=None):
|
def has_perm(self, user, perm, obj=None):
|
||||||
if not obj:
|
if not obj:
|
||||||
|
@ -116,9 +119,13 @@ class SimpleRowlevelBackend(object):
|
||||||
elif user.is_anonymous() and perm == 'anon':
|
elif user.is_anonymous() and perm == 'anon':
|
||||||
# not reached due to supports_anonymous_user = False
|
# not reached due to supports_anonymous_user = False
|
||||||
return True
|
return True
|
||||||
|
elif not user.is_active and perm == 'inactive':
|
||||||
|
return True
|
||||||
return False
|
return False
|
||||||
|
|
||||||
def has_module_perms(self, user, app_label):
|
def has_module_perms(self, user, app_label):
|
||||||
|
if not user.is_anonymous() and not user.is_active:
|
||||||
|
return False
|
||||||
return app_label == "app1"
|
return app_label == "app1"
|
||||||
|
|
||||||
def get_all_permissions(self, user, obj=None):
|
def get_all_permissions(self, user, obj=None):
|
||||||
|
@ -192,11 +199,13 @@ class RowlevelBackendTest(TestCase):
|
||||||
class AnonymousUserBackend(SimpleRowlevelBackend):
|
class AnonymousUserBackend(SimpleRowlevelBackend):
|
||||||
|
|
||||||
supports_anonymous_user = True
|
supports_anonymous_user = True
|
||||||
|
supports_inactive_user = False
|
||||||
|
|
||||||
|
|
||||||
class NoAnonymousUserBackend(SimpleRowlevelBackend):
|
class NoAnonymousUserBackend(SimpleRowlevelBackend):
|
||||||
|
|
||||||
supports_anonymous_user = False
|
supports_anonymous_user = False
|
||||||
|
supports_inactive_user = False
|
||||||
|
|
||||||
|
|
||||||
class AnonymousUserBackendTest(TestCase):
|
class AnonymousUserBackendTest(TestCase):
|
||||||
|
@ -258,6 +267,7 @@ class NoAnonymousUserBackendTest(TestCase):
|
||||||
def test_get_all_permissions(self):
|
def test_get_all_permissions(self):
|
||||||
self.assertEqual(self.user1.get_all_permissions(TestObj()), set())
|
self.assertEqual(self.user1.get_all_permissions(TestObj()), set())
|
||||||
|
|
||||||
|
|
||||||
class NoBackendsTest(TestCase):
|
class NoBackendsTest(TestCase):
|
||||||
"""
|
"""
|
||||||
Tests that an appropriate error is raised if no auth backends are provided.
|
Tests that an appropriate error is raised if no auth backends are provided.
|
||||||
|
@ -272,3 +282,67 @@ class NoBackendsTest(TestCase):
|
||||||
|
|
||||||
def test_raises_exception(self):
|
def test_raises_exception(self):
|
||||||
self.assertRaises(ImproperlyConfigured, self.user.has_perm, ('perm', TestObj(),))
|
self.assertRaises(ImproperlyConfigured, self.user.has_perm, ('perm', TestObj(),))
|
||||||
|
|
||||||
|
|
||||||
|
class InActiveUserBackend(SimpleRowlevelBackend):
|
||||||
|
|
||||||
|
supports_anonymous_user = False
|
||||||
|
supports_inactive_user = True
|
||||||
|
|
||||||
|
|
||||||
|
class NoInActiveUserBackend(SimpleRowlevelBackend):
|
||||||
|
|
||||||
|
supports_anonymous_user = False
|
||||||
|
supports_inactive_user = False
|
||||||
|
|
||||||
|
|
||||||
|
class InActiveUserBackendTest(TestCase):
|
||||||
|
"""
|
||||||
|
Tests for a inactive user delegating to backend if it has 'supports_inactive_user' = True
|
||||||
|
"""
|
||||||
|
|
||||||
|
backend = 'django.contrib.auth.tests.auth_backends.InActiveUserBackend'
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
self.curr_auth = settings.AUTHENTICATION_BACKENDS
|
||||||
|
settings.AUTHENTICATION_BACKENDS = (self.backend,)
|
||||||
|
self.user1 = User.objects.create_user('test', 'test@example.com', 'test')
|
||||||
|
self.user1.is_active = False
|
||||||
|
self.user1.save()
|
||||||
|
|
||||||
|
def tearDown(self):
|
||||||
|
settings.AUTHENTICATION_BACKENDS = self.curr_auth
|
||||||
|
|
||||||
|
def test_has_perm(self):
|
||||||
|
self.assertEqual(self.user1.has_perm('perm', TestObj()), False)
|
||||||
|
self.assertEqual(self.user1.has_perm('inactive', TestObj()), True)
|
||||||
|
|
||||||
|
def test_has_module_perms(self):
|
||||||
|
self.assertEqual(self.user1.has_module_perms("app1"), False)
|
||||||
|
self.assertEqual(self.user1.has_module_perms("app2"), False)
|
||||||
|
|
||||||
|
|
||||||
|
class NoInActiveUserBackendTest(TestCase):
|
||||||
|
"""
|
||||||
|
Tests that an inactive user does not delegate to backend if it has 'supports_inactive_user' = False
|
||||||
|
"""
|
||||||
|
backend = 'django.contrib.auth.tests.auth_backends.NoInActiveUserBackend'
|
||||||
|
|
||||||
|
def setUp(self):
|
||||||
|
self.curr_auth = settings.AUTHENTICATION_BACKENDS
|
||||||
|
settings.AUTHENTICATION_BACKENDS = tuple(self.curr_auth) + (self.backend,)
|
||||||
|
self.user1 = User.objects.create_user('test', 'test@example.com', 'test')
|
||||||
|
self.user1.is_active = False
|
||||||
|
self.user1.save()
|
||||||
|
|
||||||
|
def tearDown(self):
|
||||||
|
settings.AUTHENTICATION_BACKENDS = self.curr_auth
|
||||||
|
|
||||||
|
def test_has_perm(self):
|
||||||
|
self.assertEqual(self.user1.has_perm('perm', TestObj()), False)
|
||||||
|
self.assertEqual(self.user1.has_perm('inactive', TestObj()), True)
|
||||||
|
|
||||||
|
def test_has_module_perms(self):
|
||||||
|
self.assertEqual(self.user1.has_module_perms("app1"), False)
|
||||||
|
self.assertEqual(self.user1.has_module_perms("app2"), False)
|
||||||
|
|
||||||
|
|
|
@ -98,6 +98,9 @@ their deprecation, as per the :ref:`Django deprecation policy
|
||||||
* The ``no`` language code has been deprecated in favor of the ``nb``
|
* The ``no`` language code has been deprecated in favor of the ``nb``
|
||||||
language code.
|
language code.
|
||||||
|
|
||||||
|
* Authentication backends need to define the boolean attribute
|
||||||
|
``supports_inactive_user``.
|
||||||
|
|
||||||
* 1.5
|
* 1.5
|
||||||
* The ``mod_python`` request handler has been deprecated since the 1.3
|
* The ``mod_python`` request handler has been deprecated since the 1.3
|
||||||
release. The ``mod_wsgi`` handler should be used instead.
|
release. The ``mod_wsgi`` handler should be used instead.
|
||||||
|
@ -139,6 +142,11 @@ their deprecation, as per the :ref:`Django deprecation policy
|
||||||
* The :djadmin:`reset` and :djadmin:`sqlreset` management commands
|
* The :djadmin:`reset` and :djadmin:`sqlreset` management commands
|
||||||
are deprecated.
|
are deprecated.
|
||||||
|
|
||||||
|
* Authentication backends need to support a inactive user
|
||||||
|
being passed to all methods dealing with permissions.
|
||||||
|
The ``supports_inactive_user`` variable is not checked any
|
||||||
|
longer and can be removed.
|
||||||
|
|
||||||
* 2.0
|
* 2.0
|
||||||
* ``django.views.defaults.shortcut()``. This function has been moved
|
* ``django.views.defaults.shortcut()``. This function has been moved
|
||||||
to ``django.contrib.contenttypes.views.shortcut()`` as part of the
|
to ``django.contrib.contenttypes.views.shortcut()`` as part of the
|
||||||
|
|
|
@ -55,6 +55,14 @@ displayed by most translation tools.
|
||||||
|
|
||||||
For more information, see :ref:`translator-comments`.
|
For more information, see :ref:`translator-comments`.
|
||||||
|
|
||||||
|
Permissions for inactive users
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
If you provide a custom auth backend with ``supports_inactive_user`` set to
|
||||||
|
``True``, an inactive user model will check the backend for permissions.
|
||||||
|
This is useful for further centralizing the permission handling. See the
|
||||||
|
:ref:`authentication docs <topics-auth>` for more details.
|
||||||
|
|
||||||
Backwards-incompatible changes in 1.3 alpha 2
|
Backwards-incompatible changes in 1.3 alpha 2
|
||||||
=============================================
|
=============================================
|
||||||
|
|
||||||
|
|
|
@ -177,6 +177,14 @@ caching in Django<topics/cache>`.
|
||||||
|
|
||||||
.. _pylibmc: http://sendapatch.se/projects/pylibmc/
|
.. _pylibmc: http://sendapatch.se/projects/pylibmc/
|
||||||
|
|
||||||
|
Permissions for inactive users
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
If you provide a custom auth backend with ``supports_inactive_user`` set to
|
||||||
|
``True``, an inactive user model will check the backend for permissions.
|
||||||
|
This is useful for further centralizing the permission handling. See the
|
||||||
|
:ref:`authentication docs <topics-auth>` for more details.
|
||||||
|
|
||||||
Everything else
|
Everything else
|
||||||
~~~~~~~~~~~~~~~
|
~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
|
|
@ -1645,6 +1645,31 @@ loudly. Additionally ``supports_anonymous_user`` will be set to ``False``.
|
||||||
Django 1.4 will assume that every backend supports anonymous users being
|
Django 1.4 will assume that every backend supports anonymous users being
|
||||||
passed to the authorization methods.
|
passed to the authorization methods.
|
||||||
|
|
||||||
|
Authorization for inactive users
|
||||||
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||||
|
|
||||||
|
.. versionadded:: 1.3
|
||||||
|
|
||||||
|
An inactive user is a one that is authenticated but has its attribute
|
||||||
|
``is_active`` set to ``False``. However this does not mean they are not
|
||||||
|
authrozied to do anything. For example they are allowed to activate their
|
||||||
|
account.
|
||||||
|
|
||||||
|
The support for anonymous users in the permission system allows for
|
||||||
|
anonymous users to have permissions to do something while inactive
|
||||||
|
authenticated users do not.
|
||||||
|
|
||||||
|
To enable this on your own backend, you must set the class attribute
|
||||||
|
``supports_inactive_user`` to ``True``.
|
||||||
|
|
||||||
|
A nonexisting ``supports_inactive_user`` attribute will raise a
|
||||||
|
``PendingDeprecationWarning`` if used in Django 1.3. In Django 1.4, this
|
||||||
|
warning will be updated to a ``DeprecationWarning`` which will be displayed
|
||||||
|
loudly. Additionally ``supports_inactive_user`` will be set to ``False``.
|
||||||
|
Django 1.5 will assume that every backend supports inactive users being
|
||||||
|
passed to the authorization methods.
|
||||||
|
|
||||||
|
|
||||||
Handling object permissions
|
Handling object permissions
|
||||||
---------------------------
|
---------------------------
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue