author | Michał Górny <mgorny@gentoo.org> | 2013-08-14 21:09:36 +0200 |
---|---|---|
committer | Michał Górny <mgorny@gentoo.org> | 2013-08-17 21:12:18 +0200 |
commit | cb94ee9e6bc920d95a2176d02ce5eb509147fd14 (patch) | |
tree | e54ce115f96f8432e8cad62fc01095525eaf23d1 /okupy/common | |
parent | Reuse @require_POST decorator from django. (diff) | |
Add @strong_auth_required decorator.
And support re-login with @strong_auth_required.
Diffstat (limited to 'okupy/common')
-rw-r--r-- | okupy/common/decorators.py | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/okupy/common/decorators.py b/okupy/common/decorators.py
new file mode 100644
index 0000000..f6065e9
--- /dev/null
+++ b/okupy/common/decorators.py
@@ -0,0 +1,53 @@
+# vim:fileencoding=utf8:et:ts=4:sts=4:sw=4:ft=python
+
+from django.conf import settings
+from django.contrib.auth import REDIRECT_FIELD_NAME
+from django.contrib.auth.views import redirect_to_login
+from django.shortcuts import resolve_url
+from django.utils.decorators import available_attrs
+from django.utils.encoding import force_str
+
+from functools import wraps
+try:
+ from urllib.parse import urlparse
+except ImportError: # Python 2
+ from urlparse import urlparse
+
+
+def strong_auth_required(function=None,
+ redirect_field_name=REDIRECT_FIELD_NAME,
+ login_url=None):
+ """
+ Decorator that enforces strong authentication (user bind)
+ in function scope.
+
+ It checks whether user has secondary password set. If he has one,
+ it sets up LDAP database connection to use it. Otherwise, it
+ redirects to login with stronger authentication request.
+ """
+ # most of the code ripped off django.contrib.auth
+ def decorator(view_func):
+ @wraps(view_func, assigned=available_attrs(view_func))
+ def _wrapped_view(request, *args, **kwargs):
+ if 'secondary_password' in request.session:
+ return view_func(request, *args, **kwargs)
+ request.session['strong_auth_requested'] = True
+
+ # -- ripoff starts here --
+ path = request.build_absolute_uri()
+ # urlparse chokes on lazy objects in Python 3, force to str
+ resolved_login_url = force_str(
+ resolve_url(login_url or settings.LOGIN_URL))
+ # If the login url is the same scheme and net location then just
+ # use the path as the "next" url.
+ login_scheme, login_netloc = urlparse(resolved_login_url)[:2]
+ current_scheme, current_netloc = urlparse(path)[:2]
+ if ((not login_scheme or login_scheme == current_scheme) and
+ (not login_netloc or login_netloc == current_netloc)):
+ path = request.get_full_path()
+ return redirect_to_login(
+ path, resolved_login_url, redirect_field_name)
+ return _wrapped_view
+ if function:
+ return decorator(function)
+ return decorator |
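Review bot: The gate in `_wrapped_view` is `if 'secondary_password' in request.session`, which accepts the mere presence of the key: an empty or stale value passes, and nothing in the wrapper confirms that the request's user is still logged in. Testing the value and the user together would be tighter, e.g. `if request.user.is_authenticated() and request.session.get('secondary_password'):`. The docstring also says the decorator "sets up LDAP database connection" with the secondary password, but no such step is visible in this file, so either the docstring should say that the wrapped view performs the bind or the setup belongs here. Since the check implies a password-derived secret is kept in the session, a comment stating how long it may live and where it is cleared would help; that handling is presumably in the login view, outside this diff.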