Ticket #3583: apache_auth.patch

django/contrib/auth/handlers/modpython.py

@@ -1 +1 @@
-from mod_python import apache
-import os
+from django.core import signals
+from django.dispatch import dispatcher
+from django.core.handlers.base import BaseHandler
+from django.core.handlers.modpython import ModPythonRequest
+from django.contrib.auth import authenticate
-
+_str_to_bool = lambda s: s.lower() in ('1', 'true', 'on', 'yes')
+
+class ModPythonAuthOptions:
+    def __init__(self, req):
+        options = req.get_options()
+        self.permission_name = options.get('DjangoPermissionName', None)
+        self.staff_only = _str_to_bool(options.get('DjangoRequireStaffStatus', "on"))
+        self.superuser_only = _str_to_bool(options.get('DjangoRequireSuperuserStatus', "off"))
+        self.settings_module = options.get('DJANGO_SETTINGS_MODULE', None)
+
+def setup_environment(req, options):
+    """
+    mod_python fakes the environ, and thus doesn't process SetEnv. This ensures
+    any future imports relying on settings will work.
+    """
+    os.environ.update(req.subprocess_env)
+    if options.settings_module:
+        os.environ['DJANGO_SETTINGS_MODULE'] = options.settings_module
+
+def validate_user(user, options):
+    if not user:
+        return False
+    # Don't require an is_authenticated property, but if it's there then check it
+    if hasattr(user, 'is_authenticated') and not user.is_authenticated():
+        return False
+    # Don't require an is_active property, but if it's there then check it
+    if hasattr(user, 'is_active') and not user.is_active:
+        return False
+    if options.staff_only and not getattr(user, 'is_staff', None):
+        return False
+    if options.superuser_only and not getattr(user, 'is_superuser', None):
+        return False
+    # If a permission is required then user must have a has_perm function to validate
+    if options.permission_name and (not hasattr(user, 'has_perm') or not user.has_perm(self.permission_name)):
+        return False
+    return True
+
-def authenhandler(req, **kwargs):
-    """
-
+
+
-    """
+    options = ModPythonAuthOptions(req)
+    setup_environment(req, options)
-
-
-
-
+
+
+
+
-
-# check for PythonOption
-_str_to_bool = lambda s: s.lower() in ('1', 'true', 'on', 'yes'
+    # Get the user from any of the installed backend
+    user = authenticate(username=req.user, password=password
-
-options = req.get_options()
-permission_name = options.get('DjangoPermissionName', None)
-staff_only = _str_to_bool(options.get('DjangoRequireStaffStatus', "on"))
-superuser_only = _str_to_bool(options.get('DjangoRequireSuperuserStatus', "off"))
-settings_module = options.get('DJANGO_SETTINGS_MODULE', None)
-if settings_module
-os.environ['DJANGO_SETTINGS_MODULE'] = settings_module
+    # Validate the user
+    if validate_user(user, options):
+        return apache.OK
+    else:
+        return apache.HTTP_UNAUTHORIZED
+finally
+dispatcher.send(signal=signals.request_finished)
-
-
-
-
+
+
+
+
+
+
+
-
-
-
-
-
-
-
+
+
+
+
+
-    try:
-try:
-
-except User.DoesNotExist:
-    return apache.HTTP_UNAUTHORIZED
-
-# check the password and any permission given
-if user.check_password(req.get_basic_auth_pw()):
-if permission_name:
-if user.has_perm(permission_name):
-
-        else:
-            return apache.HTTP_UNAUTHORIZED
-    else
-    
+request = ModPythonRequest(req)
+
+# Apply request middleware
+for middleware_method in base_handler._request_middleware:
+        response = middleware_method(request)
+    if response:
+        # If we get a response, we should probably stop processing any
+    # remaining request middleware.
+break
+
+# Validate the user
+user = getattr(request, 'user', None)
+if validate_user(user, options)
+
-        else:
-UNAUTHORIZED
+FORBIDDEN
-    finally:
-b.connection.close(
+ispatcher.send(signal=signals.request_finished

docs/apache_auth.txt

@@ -17 +17 @@
-==================
-
-To check against Django's authorization database from a Apache configuration
-'ll need to
+ can either
-with the standard ``Auth*`` and ``Require`` directives::
-
-    <Location /example/>
@@ -29 +29 @@
-        PythonAuthenHandler django.contrib.auth.handlers.modpython
-    </Location>
-
+... or use mod_python's ``PythonAccessHandler`` directive::
+
+    <Location /example/>
+        SetEnv DJANGO_SETTINGS_MODULE mysite.settings
+        PythonAccessHandler django.contrib.auth.handlers.modpython
+    </Location>
+
+The difference between these two methods is that ``PythonAuthenHandler`` uses
+basic HTTP authentication where as ``PythonAccessHandler`` uses the built-in
+``contrib.auth`` authentication (which uses a session cookie).
+
+``PythonAuthenHandler`` will prompt the user to enter their user name and
+password (usually via a basic authentication dialog box), while
+``PythonAccessHandler`` will simply raise an Apache "Forbidden" error if the
+user is not logged in or does not have the correct authorization.
+
-By default, the authentication handler will limit access to the ``/example/``
-location to users marked as staff members.  You can use a set of
-``PythonOption`` directives to modify this behavior: