check if user has finance perm

2023-10-25 10:43:17 +00:00
parent 5a1222187a
commit 4a6be8f75e
3 changed files with 116 additions and 15 deletions


@@ -4,6 +4,8 @@ from ldap3 import HASHED_SALTED_SHA, MODIFY_REPLACE, Connection, Server
from ldap3.core.exceptions import LDAPBindError from ldap3.core.exceptions import LDAPBindError
from ldap3.utils.hashed import hashed from ldap3.utils.hashed import hashed
from members.models import Member
logger = logging.getLogger(__name__) logger = logging.getLogger(__name__)
host = "ldap://juri.fet.htu.tuwien.ac.at" host = "ldap://juri.fet.htu.tuwien.ac.at"
port = 389 port = 389
@@ -17,18 +19,110 @@ def authentication(username, password):
server = Server(host, port=port) server = Server(host, port=port)
userdn = f"uid={username},ou=user,dc=fet,dc=htu,dc=tuwien,dc=ac,dc=at" userdn = f"uid={username},ou=user,dc=fet,dc=htu,dc=tuwien,dc=ac,dc=at"
finance_perm = None
firstname = ""
surname = ""
mail = ""
try: try:
c = Connection(server, user=userdn, password=password, auto_bind=True) c = Connection(server, user=userdn, password=password, auto_bind=True)
if c.extend.standard.who_am_i():
return username if not c.extend.standard.who_am_i():
logger.info(f"Username '{username}' is not in the list.")
return None
# get member infos from ldap
c.search(
search_base=userdn,
search_filter=f"(uid={username})",
search_scope="SUBTREE",
attributes=["givenName", "sn", "mail"],
)
firstname = c.response[0]["attributes"]["givenName"][0]
surname = c.response[0]["attributes"]["sn"][0]
mail = c.response[0]["attributes"]["mail"][0]
# check if member has finance permission
c.search(
search_base="CN=finance,OU=Groups,dc=fet,dc=htu,dc=tuwien,dc=ac,dc=at",
search_filter="(objectClass=posixGroup)",
search_scope="SUBTREE",
attributes=["memberUid"],
)
if username in c.response[0]["attributes"]["memberUid"]:
finance_perm = True
except LDAPBindError as e: except LDAPBindError as e:
logger.info(f"LDAP Bind error. Error: {e}") logger.info(f"LDAP Bind error from username '{username}'. Error: {e}")
except Exception as e: return None
logger.info(f"Auth exception. Error: {e}")
logger.info(f"This username has been typed: '{username}'") except Exception as e:
return None logger.info(f"Auth exception from username '{username}'. Error: {e}")
return None
# get member or if not then create a new member
try:
member = Member.objects.get(mailaccount=mail)
except Member.DoesNotExist:
member = Member()
member.firstname = firstname
member.surname = surname
member.username = username
member.mailaccount = mail
logger.info(f"Member '{username}' created.")
member.save()
# set username if not exists
if not member.username:
member.username = username
logger.info(f"User '{username}' saved.")
member.save()
logger.info(f"User '{username}' logged in.")
return username
def get_finance_perm(username, password):
# no empty passwords
if password is None or password.strip() == "":
return None
server = Server(host, port=port)
userdn = f"uid={username},ou=user,dc=fet,dc=htu,dc=tuwien,dc=ac,dc=at"
finance_perm = None
try:
c = Connection(server, user=userdn, password=password, auto_bind=True)
if not c.extend.standard.who_am_i():
logger.info(f"Username '{username}' is not in the list.")
return None
# check if member has finance permission
c.search(
search_base="CN=finance,OU=Groups,dc=fet,dc=htu,dc=tuwien,dc=ac,dc=at",
search_filter="(objectClass=posixGroup)",
search_scope="SUBTREE",
attributes=["memberUid"],
)
if username in c.response[0]["attributes"]["memberUid"]:
logger.info(f"User '{username}' has finance permission.")
finance_perm = True
except LDAPBindError as e:
logger.info(f"LDAP Bind error from username '{username}'. Error: {e}")
return None
except Exception as e:
logger.info(f"Auth exception from username '{username}'. Error: {e}")
return None
return finance_perm
def change_password(username, old_password, new_password): def change_password(username, old_password, new_password):
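Review bot: `username` is interpolated unescaped into both the bind DN (`userdn`) and the new search filter `search_filter=f"(uid={username})"` in `authentication`, so a value containing `,`, `=`, `*`, `(` or `)` changes the DN or filter the server evaluates instead of failing cleanly; escape it with `ldap3.utils.conv.escape_filter_chars` for the filter, e.g. `search_filter=f"(uid={escape_filter_chars(username)})"`, and with `ldap3.utils.dn.escape_rdn` when building `userdn` (the bind happening first limits what the filter can reach, but the DN is built before any bind). Separately, `finance_perm` in `authentication` is assigned on the finance branch but never returned, so that block is dead and the login form has to bind a second time through `get_finance_perm` — either return the value or drop the duplicated search. In both functions `c.response[0]["attributes"]["memberUid"]` raises KeyError/IndexError for a group with no members, which the broad `except Exception` turns into a failed login rather than a denied permission, and the exception handlers log at `info` where `logger.warning`/`logger.exception` would surface the failure. Neither function unbinds `c`; ldap3's `Connection` is a context manager, so `with Connection(server, user=userdn, password=password, auto_bind=True) as c:` releases the socket on every path. The head of `authentication` (the empty-password guard) lies above the hunk.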


@@ -1,8 +1,12 @@
import logging
from django.contrib.auth.forms import AuthenticationForm, PasswordChangeForm from django.contrib.auth.forms import AuthenticationForm, PasswordChangeForm
from django.contrib.auth.models import User from django.contrib.auth.models import Group, User
from django.core.exceptions import ValidationError from django.core.exceptions import ValidationError
from .authentications import authentication, change_password from .authentications import authentication, change_password, get_finance_perm
logger = logging.getLogger(__name__)
class LoginForm(AuthenticationForm): class LoginForm(AuthenticationForm):
@@ -25,6 +29,15 @@ class LoginForm(AuthenticationForm):
finally: finally:
self.confirm_login_allowed(self.user_cache) self.confirm_login_allowed(self.user_cache)
# add user to all groups
for elem in Group.objects.all():
elem.user_set.add(self.user_cache)
# delete finance group if no permission
if not get_finance_perm(username, password):
finance_group = Group.objects.get(name="finance")
finance_group.user_set.remove(self.user_cache)
return self.cleaned_data return self.cleaned_data
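Review bot: `Group.objects.get(name="finance")` on the removal branch is unguarded, so if the finance group is absent every non-finance login raises `Group.DoesNotExist` (a 500) instead of simply not granting the permission, and the loop above adds the user to every group including finance before the LDAP check runs, so the membership is granted and then revoked on each login rather than never granted. Folding the check into the loop avoids both the transient grant and the unguarded lookup; a `None` from `get_finance_perm` also covers bind/connection failures, so a transient LDAP outage silently strips finance access — that is the right fail-closed default but deserves a `logger.warning`. `clean()` starts above the hunk; `username` and `password` are presumably bound there from `cleaned_data` — verify they are the raw form values and not already cleared.
```python
# … unchanged: authentication and confirm_login_allowed …
has_finance = bool(get_finance_perm(username, password))
if not has_finance:
    logger.warning("User '%s' logged in without finance permission (or LDAP lookup failed).", username)
for group in Group.objects.all():
    if group.name == "finance" and not has_finance:
        group.user_set.remove(self.user_cache)
    else:
        group.user_set.add(self.user_cache)
return self.cleaned_data
```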


@@ -12,10 +12,4 @@ class FETHeaderMiddleware(RemoteUserMiddleware):
super().process_request(request) super().process_request(request)
if request.user.is_authenticated: if request.user.is_authenticated:
from django.contrib.auth.models import Group
groups = Group.objects.all()
[request.user.groups.add(group.pk) for group in groups]
# request.user.is_superuser = True
request.user.is_staff = True request.user.is_staff = True