DGNum/www-bocal
6
0
Fork 0
Code Issues 3 Pull requests Projects Releases Packages Wiki Activity Actions
www-bocal/bocal_auth/rhosts.py
Théophile Bastian eed3653d22 Use rhosts file to grant permissions to users. 
Whenever a user logs in through CAS, their username is looked up in the
.rhosts file provided through settings. If it is found, the user is
granted staff status and BOcal group (cf fixture).

The rights are re-evaluated at each login and at each access to
/admin/login.

Close #2.
2017-10-14 19:36:13 +02:00

99 lines
2.3 KiB
Python
Raw Blame History

''' Reads a .rhosts file '''
from django.conf import settings
from django.contrib.auth.models import Group
from .models import CasUser
def hasUser(user, allowed_domains=[]):
''' Check that `user` appears in the rhosts file.
If `allowed_domains` is not empty, also checks that the user belongs to one
of the specified domains. '''
def clearLine(line):
line = line.strip()
hashPos = line.find('#')
if hashPos >= 0:
line = line[:hashPos]
return line
with open(settings.RHOSTS_PATH, 'r') as handle:
for line in handle:
line = clearLine(line)
if not line:
continue
spl = line.split()
if len(spl) != 2:
continue # Not a login line
domain, login = spl
if login != user: # Not the ones we're looking for
continue
if domain[:2] != '+@': # Not a valid domain
continue
domain = domain[2:]
if allowed_domains != [] and domain not in allowed_domains:
continue
return True
return False
def default_allowed(user):
return hasUser(user, allowed_domains=['eleves'])
class NoBOcalException(Exception):
def __str__():
return "The BOcal group was not created"
def bocalGroup():
qs = Group.objects.filter(name='BOcal')
if qs.count() != 1:
raise NoBOcalException
return qs[0]
def stripCasPrivileges(user):
user.groups.remove(bocalGroup())
user.is_staff = False
user.save()
def grantBOcalPrivileges(user):
user.is_staff = True
user.groups.add(bocalGroup())
user.save()
def requireCasUser(fct):
def wrap(user, *args, **kwargs):
qs = CasUser.objects.filter(user=user)
if not qs.count() > 0:
return
return fct(user, *args, **kwargs)
return wrap
@requireCasUser
def evalRhostsPrivileges(user):
if default_allowed(user.username):
grantBOcalPrivileges(user)
else:
stripCasPrivileges(user)
@requireCasUser
def logout(user):
stripCasPrivileges()
def forceReevalRhosts(fct):
def wrap(req, *args, **kwargs):
evalRhostsPrivileges(req.user)
return fct(req, *args, **kwargs)
return wrap
Reference in a new issue View git blame Copy permalink