Move auth-related from 'kfet' app to 'kfet.auth'.

kfet/auth/__init__.py

@@ -0,0 +1 @@
+default_app_config = 'kfet.auth.apps.KFetAuthConfig'

kfet/auth/apps.py

@@ -0,0 +1,8 @@
+from django.apps import AppConfig
+from django.utils.translation import ugettext_lazy as _
+
+
+class KFetAuthConfig(AppConfig):
+    name = 'kfet.auth'
+    label = 'kfetauth'
+    verbose_name = _("K-Fêt - Authentification et Autorisation")

kfet/auth/backends.py

@@ -0,0 +1,54 @@
+# -*- coding: utf-8 -*-
+
+import hashlib
+
+from django.contrib.auth.models import User, Permission
+from gestioncof.models import CofProfile
+from kfet.models import Account, GenericTeamToken
+
+
+class KFetBackend(object):
+    def authenticate(self, request):
+        password = request.POST.get('KFETPASSWORD', '')
+        password = request.META.get('HTTP_KFETPASSWORD', password)
+        if not password:
+            return None
+
+        try:
+            password_sha256 = (
+                hashlib.sha256(password.encode('utf-8'))
+                .hexdigest()
+            )
+            account = Account.objects.get(password=password_sha256)
+            return account.cofprofile.user
+        except Account.DoesNotExist:
+            return None
+
+
+class GenericTeamBackend(object):
+    def authenticate(self, username=None, token=None):
+        valid_token = GenericTeamToken.objects.get(token=token)
+        if username == 'kfet_genericteam' and valid_token:
+            # Création du user s'il n'existe pas déjà
+            user, _ = User.objects.get_or_create(username='kfet_genericteam')
+            profile, _ = CofProfile.objects.get_or_create(user=user)
+            account, _ = Account.objects.get_or_create(
+                    cofprofile=profile,
+                    trigramme='GNR')
+
+            # Ajoute la permission kfet.is_team à ce user
+            perm_is_team = Permission.objects.get(codename='is_team')
+            user.user_permissions.add(perm_is_team)
+
+            return user
+        return None
+
+    def get_user(self, user_id):
+        try:
+            return (
+                User.objects
+                .select_related('profile__account_kfet')
+                .get(pk=user_id)
+            )
+        except User.DoesNotExist:
+            return None

kfet/auth/context_processors.py

@@ -0,0 +1,10 @@
+from django.contrib.auth.context_processors import PermWrapper
+
+
+def auth(request):
+    if hasattr(request, 'real_user'):
+        return {
+            'user': request.real_user,
+            'perms': PermWrapper(request.real_user),
+        }
+    return {}

kfet/auth/fields.py

@@ -0,0 +1,20 @@
+from django import forms
+from django.contrib.auth.models import Permission
+from django.contrib.contenttypes.models import ContentType
+from django.forms import widgets
+
+
+class KFetPermissionsField(forms.ModelMultipleChoiceField):
+
+    def __init__(self, *args, **kwargs):
+        queryset = Permission.objects.filter(
+            content_type__in=ContentType.objects.filter(app_label="kfet"),
+        )
+        super().__init__(
+            queryset=queryset,
+            widget=widgets.CheckboxSelectMultiple,
+            *args, **kwargs
+        )
+
+    def label_from_instance(self, obj):
+        return obj.name

kfet/auth/forms.py

@@ -0,0 +1,44 @@
+from django import forms
+from django.contrib.auth.models import Group, User
+
+from .fields import KFetPermissionsField
+
+
+class GroupForm(forms.ModelForm):
+    permissions = KFetPermissionsField()
+
+    def clean_name(self):
+        name = self.cleaned_data['name']
+        return 'K-Fêt %s' % name
+
+    def clean_permissions(self):
+        kfet_perms = self.cleaned_data['permissions']
+        # TODO: With Django >=1.11, the QuerySet method 'difference' can be
+        # used.
+        # other_groups = self.instance.permissions.difference(
+        #     self.fields['permissions'].queryset
+        # )
+        other_perms = self.instance.permissions.exclude(
+            pk__in=[p.pk for p in self.fields['permissions'].queryset],
+        )
+        return list(kfet_perms) + list(other_perms)
+
+    class Meta:
+        model = Group
+        fields = ['name', 'permissions']
+
+
+class UserGroupForm(forms.ModelForm):
+    groups = forms.ModelMultipleChoiceField(
+            Group.objects.filter(name__icontains='K-Fêt'),
+            label='Statut équipe',
+            required=False)
+
+    def clean_groups(self):
+        kfet_groups = self.cleaned_data.get('groups')
+        other_groups = self.instance.groups.exclude(name__icontains='K-Fêt')
+        return list(kfet_groups) + list(other_groups)
+
+    class Meta:
+        model = User
+        fields = ['groups']

kfet/auth/middleware.py

@@ -0,0 +1,29 @@
+# -*- coding: utf-8 -*-
+
+from django.contrib.auth.models import User
+
+from .backends import KFetBackend
+
+
+class KFetAuthenticationMiddleware(object):
+    """Authenticate another user for this request if KFetBackend succeeds.
+
+    By the way, if a user is authenticated, we refresh its from db to add
+    values from CofProfile and Account of this user.
+
+    """
+    def process_request(self, request):
+        if request.user.is_authenticated():
+            # avoid multiple db accesses in views and templates
+            user_pk = request.user.pk
+            request.user = (
+                User.objects
+                .select_related('profile__account_kfet')
+                .get(pk=user_pk)
+            )
+
+        kfet_backend = KFetBackend()
+        temp_request_user = kfet_backend.authenticate(request)
+        if temp_request_user:
+            request.real_user = request.user
+            request.user = temp_request_user

kfet/auth/migrations/0001_initial.py

@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+from __future__ import unicode_literals
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('auth', '0006_require_contenttypes_0002'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='GenericTeamToken',
+            fields=[
+                ('id', models.AutoField(verbose_name='ID', auto_created=True, serialize=False, primary_key=True)),
+                ('token', models.CharField(unique=True, max_length=50)),
+            ],
+        ),
+    ]

kfet/auth/models.py

@@ -0,0 +1,5 @@
+from django.db import models
+
+
+class GenericTeamToken(models.Model):
+    token = models.CharField(max_length=50, unique=True)

kfet/auth/templates/kfet/login_genericteam.html

@@ -0,0 +1,7 @@
+{% extends 'kfet/base.html' %}
+
+{% block extra_head %}
+<script type="text/javascript">
+    close();
+</script>
+{% endblock %}

kfet/auth/tests.py

@@ -0,0 +1,56 @@
+# -*- coding: utf-8 -*-
+
+from django.test import TestCase
+from django.contrib.auth.models import User, Group
+
+from kfet.forms import UserGroupForm
+
+
+class UserGroupFormTests(TestCase):
+    """Test suite for UserGroupForm."""
+
+    def setUp(self):
+        # create user
+        self.user = User.objects.create(username="foo", password="foo")
+
+        # create some K-Fêt groups
+        prefix_name = "K-Fêt "
+        names = ["Group 1", "Group 2", "Group 3"]
+        self.kfet_groups = [
+            Group.objects.create(name=prefix_name+name)
+            for name in names
+        ]
+
+        # create a non-K-Fêt group
+        self.other_group = Group.objects.create(name="Other group")
+
+    def test_choices(self):
+        """Only K-Fêt groups are selectable."""
+        form = UserGroupForm(instance=self.user)
+        groups_field = form.fields['groups']
+        self.assertQuerysetEqual(
+            groups_field.queryset,
+            [repr(g) for g in self.kfet_groups],
+            ordered=False,
+        )
+
+    def test_keep_others(self):
+        """User stays in its non-K-Fêt groups."""
+        user = self.user
+
+        # add user to a non-K-Fêt group
+        user.groups.add(self.other_group)
+
+        # add user to some K-Fêt groups through UserGroupForm
+        data = {
+            'groups': [group.pk for group in self.kfet_groups],
+        }
+        form = UserGroupForm(data, instance=user)
+
+        form.is_valid()
+        form.save()
+        self.assertQuerysetEqual(
+            user.groups.all(),
+            [repr(g) for g in [self.other_group] + self.kfet_groups],
+            ordered=False,
+        )

kfet/auth/views.py

@@ -0,0 +1,69 @@
+from django.contrib import messages
+from django.contrib.messages.views import SuccessMessageMixin
+from django.contrib.auth import authenticate, login
+from django.contrib.auth.decorators import permission_required
+from django.contrib.auth.models import Group, User
+from django.core.urlresolvers import reverse_lazy
+from django.db.models import Prefetch
+from django.shortcuts import render
+from django.utils.crypto import get_random_string
+from django.views.generic.edit import CreateView, UpdateView
+
+from django_cas_ng.views import logout as cas_logout_view
+
+from kfet.decorators import teamkfet_required
+
+from .forms import GroupForm
+from .models import GenericTeamToken
+
+
+@teamkfet_required
+def login_genericteam(request):
+    # Check si besoin de déconnecter l'utilisateur de CAS
+    cas_logout = None
+    if request.user.profile.login_clipper:
+        # Récupèration de la vue de déconnexion de CAS
+        # Ici, car request sera modifié après
+        next_page = request.META.get('HTTP_REFERER', None)
+        cas_logout = cas_logout_view(request, next_page=next_page)
+
+    # Authentification du compte générique
+    token = GenericTeamToken.objects.create(token=get_random_string(50))
+    user = authenticate(username="kfet_genericteam", token=token.token)
+    login(request, user)
+
+    messages.success(request, "Connecté en utilisateur partagé")
+
+    return cas_logout or render(request, "kfet/login_genericteam.html")
+
+
+@permission_required('kfet.manage_perms')
+def account_group(request):
+    user_pre = Prefetch(
+        'user_set',
+        queryset=User.objects.select_related('profile__account_kfet'),
+    )
+    groups = (
+        Group.objects
+        .filter(name__icontains='K-Fêt')
+        .prefetch_related('permissions', user_pre)
+    )
+    return render(request, 'kfet/account_group.html', {
+        'groups': groups,
+    })
+
+
+class AccountGroupCreate(SuccessMessageMixin, CreateView):
+    model = Group
+    template_name = 'kfet/account_group_form.html'
+    form_class = GroupForm
+    success_message = 'Nouveau groupe : %(name)s'
+    success_url = reverse_lazy('kfet.account.group')
+
+
+class AccountGroupUpdate(SuccessMessageMixin, UpdateView):
+    queryset = Group.objects.filter(name__icontains='K-Fêt')
+    template_name = 'kfet/account_group_form.html'
+    form_class = GroupForm
+    success_message = 'Groupe modifié : %(name)s'
+    success_url = reverse_lazy('kfet.account.group')