Changeset 518

Timestamp:

08/16/05 17:54:05 (3 years ago)

Author:

adrian

Message:

Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create.

Files:

• django/trunk/django/bin/daily_cleanup.py (modified) (1 diff)
• django/trunk/django/conf/global_settings.py (modified) (3 diffs)
• django/trunk/django/contrib/comments/views/comments.py (modified) (2 diffs)
• django/trunk/django/core/handlers/modpython.py (modified) (2 diffs)
• django/trunk/django/core/handlers/wsgi.py (modified) (2 diffs)
• django/trunk/django/middleware/admin.py (modified) (5 diffs)
• django/trunk/django/middleware/sessions.py (added)
• django/trunk/django/models/auth.py (modified) (2 diffs)
• django/trunk/django/models/core.py (modified) (1 diff)
• django/trunk/django/parts/auth/anonymoususers.py (modified) (2 diffs)
• django/trunk/django/parts/auth/formfields.py (modified) (2 diffs)
• django/trunk/django/views/auth/login.py (modified) (3 diffs)
• django/trunk/docs/faq.txt (modified) (2 diffs)

django/trunk/django/bin/daily_cleanup.py

@@ -8 +8 @@
-    # Clean up old database records
-    cursor = db.cursor()
-auth_sessions WHERE start_time < NOW() - INTERVAL '2 weeks'
+core_sessions WHERE expire_date < NOW()
-    cursor.execute("DELETE FROM registration_challenges WHERE request_date < NOW() - INTERVAL '1 week'")
-    db.commit()

django/trunk/django/conf/global_settings.py

@@ -48 +48 @@
-# Host for sending e-mail.
-EMAIL_HOST = 'localhost'
-
-# Name of the session cookie. This can be whatever you want.
-AUTH_SESSION_COOKIE = 'rizzo'
-
-# List of locations of the template source files, in search order.
@@ -114 +111 @@
-)
-
+############
+# SESSIONS #
+############
+
+SESSION_COOKIE_NAME = 'hotclub'           # Cookie name. This can be whatever you want.
+SESSION_COOKIE_AGE = 60 * 60 * 24 * 7 * 2 # Age of cookie, in seconds (default: 2 weeks).
+SESSION_COOKIE_DOMAIN = None              # A string like ".lawrence.com", or None for standard domain cookie.
+
-#########
-# CACHE #
@@ -121 +126 @@
-# possible values.
-CACHE_BACKEND = 'simple://'
-
-# Set to a string like ".lawrence.com", or None for a standard domain cookie.
-REGISTRATION_COOKIE_DOMAIN = None
-
-####################

django/trunk/django/contrib/comments/views/comments.py

@@ -3 +3 @@
-from django.core.exceptions import Http404, ObjectDoesNotExist
-from django.core.extensions import DjangoContext as Context
-session
+user
-from django.models.comments import comments, freecomments
-from django.models.core import contenttypes
@@ -216 +216 @@
-    # so they don't have to enter a username/password again.
-    if manipulator.get_user() and new_data.has_key('password') and manipulator.get_user().check_password(new_data['password']):
-sessions.start_web_session(manipulator.get_user_id(), request, response
+request.session[users.SESSION_KEY] = manipulator.get_user_id(
-    if errors or request.POST.has_key('preview'):
-        class CommentFormWrapper(formfields.FormWrapper):

django/trunk/django/core/handlers/modpython.py

@@ -96 +96 @@
-            return self._raw_post_data
-
-    def _load_session_and_user(self):
-        from django.models.auth import sessions
-        from django.conf.settings import AUTH_SESSION_COOKIE
-        session_cookie = self.COOKIES.get(AUTH_SESSION_COOKIE, '')
-        try:
-            self._session = sessions.get_session_from_cookie(session_cookie)
-            self._user = self._session.get_user()
-        except sessions.SessionDoesNotExist:
-            from django.parts.auth import anonymoususers
-            self._session = None
-            self._user = anonymoususers.AnonymousUser()
-
-    def _get_session(self):
-        if not hasattr(self, '_session'):
-            self._load_session_and_user()
-        return self._session
-
-    def _set_session(self, session):
-        self._session = session
-
-    def _get_user(self):
-        if not hasattr(self, '_user'):
-
+
+
+
+
+
+
+
+
+
-        return self._user
-
@@ -131 +119 @@
-    REQUEST = property(_get_request)
-    raw_post_data = property(_get_raw_post_data)
-    session = property(_get_session, _set_session)
-    user = property(_get_user, _set_user)
-

django/trunk/django/core/handlers/wsgi.py

@@ -77 +77 @@
-            return self._raw_post_data
-
-    def _load_session_and_user(self):
-        from django.models.auth import sessions
-        from django.conf.settings import AUTH_SESSION_COOKIE
-        session_cookie = self.COOKIES.get(AUTH_SESSION_COOKIE, '')
-        try:
-            self._session = sessions.get_session_from_cookie(session_cookie)
-            self._user = self._session.get_user()
-        except sessions.SessionDoesNotExist:
-            from django.parts.auth import anonymoususers
-            self._session = None
-            self._user = anonymoususers.AnonymousUser()
-
-    def _get_session(self):
-        if not hasattr(self, '_session'):
-            self._load_session_and_user()
-        return self._session
-
-    def _set_session(self, session):
-        self._session = session
-
-    def _get_user(self):
-        if not hasattr(self, '_user'):
-
+
+
+
+
+
+
+
+
+
-        return self._user
-
@@ -111 +99 @@
-    REQUEST = property(_get_request)
-    raw_post_data = property(_get_raw_post_data)
-    session = property(_get_session, _set_session)
-    user = property(_get_user, _set_user)
-

django/trunk/django/middleware/admin.py

@@ -2 +2 @@
-from django.core import template_loader
-from django.core.extensions import DjangoContext as Context
-sessions, 
+
-from django.views.registration import passwords
-from django.views.auth.login import logout
@@ -30 +30 @@
-        # conf, which is a little uglier than this. Same goes for the logout
-        # view.
+
-        if view_func in (passwords.password_reset, passwords.password_reset_done, logout):
-            return
+
+        assert hasattr(request, 'session'), "The admin requires session middleware to be installed. Edit your MIDDLEWARE_CLASSES setting to insert 'django.middleware.sessions.SessionMiddleware' before %r." % self.__class__.__name__
-
-        # Check for a logged in, valid user
@@ -37 +40 @@
-            return
-
-
+d
-        if not request.POST.has_key('this_is_the_login_form'):
-            if request.POST:
@@ -65 +68 @@
-        else:
-            if self.authenticate_user(user, request.POST.get('password', '')):
+                request.session[users.SESSION_KEY] = user.id
-                if request.POST.has_key('post_data'):
-                    post_data = decode_post_data(request.POST['post_data'])
@@ -71 +75 @@
-                        request.POST = post_data
-                        request.user = user
-                        request.session = sessions.create_session(user.id)
-                        return
-                    else:
-
-
-
+
-            else:
-                return self.display_login_form(request, ERROR_MESSAGE)

django/trunk/django/models/auth.py

@@ -45 +45 @@
-        meta.ManyToManyField(Permission, name='user_permissions', blank=True, filter_interface=meta.HORIZONTAL),
-    )
+    module_constants = {
+        'SESSION_KEY': '_auth_user_id',
+    }
-    ordering = ('username',)
-    exceptions = ('SiteProfileNotAvailable',)
@@ -173 +176 @@
-        return ''.join([choice(allowed_chars) for i in range(length)])
-
-class Session(meta.Model):
-    fields = (
-        meta.ForeignKey(User),
-        meta.CharField('session_md5', maxlength=32),
-        meta.DateTimeField('start_time', auto_now=True),
-    )
-    module_constants = {
-        'TEST_COOKIE_NAME': 'testcookie',
-        'TEST_COOKIE_VALUE': 'worked',
-    }
-
-    def __repr__(self):
-        return "session started at %s" % self.start_time
-
-    def get_cookie(self):
-        "Returns a tuple of the cookie name and value for this session."
-        from django.conf.settings import AUTH_SESSION_COOKIE, SECRET_KEY
-        import md5
-        return AUTH_SESSION_COOKIE, self.session_md5 + md5.new(self.session_md5 + SECRET_KEY + 'auth').hexdigest()
-
-    def _module_create_session(user_id):
-        "Registers a session and returns the session_md5."
-        from django.conf.settings import SECRET_KEY
-        import md5, random, sys
-        # The random module is seeded when this Apache child is created.
-        # Use person_id and SECRET_KEY as added salt.
-        session_md5 = md5.new(str(random.randint(user_id, sys.maxint - 1)) + SECRET_KEY).hexdigest()
-        s = Session(None, user_id, session_md5, None)
-        s.save()
-        return s
-
-    def _module_get_session_from_cookie(session_cookie_string):
-        from django.conf.settings import SECRET_KEY
-        import md5
-        if not session_cookie_string:
-            raise SessionDoesNotExist
-        session_md5, tamper_check = session_cookie_string[:32], session_cookie_string[32:]
-        if md5.new(session_md5 + SECRET_KEY + 'auth').hexdigest() != tamper_check:
-            raise SessionDoesNotExist
-        return get_object(session_md5__exact=session_md5, select_related=True)
-
-    def _module_destroy_all_sessions(user_id):
-        "Destroys all sessions for a user, logging out all computers."
-        for session in get_list(user_id__exact=user_id):
-            session.delete()
-
-    def _module_start_web_session(user_id, request, response):
-        "Sets the necessary cookie in the given HttpResponse object, also updates last login time for user."
-        from django.models.auth import users
-        from django.conf.settings import REGISTRATION_COOKIE_DOMAIN
-        user = users.get_object(pk=user_id)
-        user.last_login = datetime.datetime.now()
-        user.save()
-        session = create_session(user_id)
-        key, value = session.get_cookie()
-        cookie_domain = REGISTRATION_COOKIE_DOMAIN or None
-        response.set_cookie(key, value, domain=cookie_domain)
-
-class Message(meta.Model):
-    fields = (

django/trunk/django/models/core.py

@@ -104 +104 @@
-    def get_absolute_url(self):
-        return self.url
+
+import base64, md5, random, sys
+import cPickle as pickle
+
+class Session(meta.Model):
+    fields = (
+        meta.CharField('session_key', maxlength=40, primary_key=True),
+        meta.TextField('session_data'),
+        meta.DateTimeField('expire_date'),
+    )
+    module_constants = {
+        'base64': base64,
+        'md5': md5,
+        'pickle': pickle,
+        'random': random,
+        'sys': sys,
+    }
+
+    def get_decoded(self):
+        from django.conf.settings import SECRET_KEY
+        encoded_data = base64.decodestring(self.session_data)
+        pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
+        if md5.new(pickled + SECRET_KEY).hexdigest() != tamper_check:
+            from django.core.exceptions import SuspiciousOperation
+            raise SuspiciousOperation, "User tampered with session cookie."
+        return pickle.loads(pickled)
+
+    def _module_encode(session_dict):
+        "Returns the given session dictionary pickled and encoded as a string."
+        from django.conf.settings import SECRET_KEY
+        pickled = pickle.dumps(session_dict)
+        pickled_md5 = md5.new(pickled + SECRET_KEY).hexdigest()
+        return base64.encodestring(pickled + pickled_md5)
+
+    def _module_get_new_session_key():
+        "Returns session key that isn't being used."
+        from django.conf.settings import SECRET_KEY
+        # The random module is seeded when this Apache child is created.
+        # Use person_id and SECRET_KEY as added salt.
+        while 1:
+            session_key = md5.new(str(random.randint(0, sys.maxint - 1)) + SECRET_KEY).hexdigest()
+            try:
+                get_object(session_key__exact=session_key)
+            except SessionDoesNotExist:
+                break
+        return session_key
+
+    def _module_save(session_key, session_dict, expire_date):
+        s = Session(session_key, encode(session_dict), expire_date)
+        if session_dict:
+            s.save()
+        else:
+            s.delete() # Clear sessions with no data.
+        return s

django/trunk/django/parts/auth/anonymoususers.py

@@ -1 @@
-"""
-Anonymous users
-"""
-
-class AnonymousUser:
-
-    def __init__(self):
-        pass
@@ -41 +36 @@
-        return []
-
-    def add_session(self, session_md5, start_time):
-        "Creates Session for this User, saves it, and returns the new object"
-        raise NotImplementedError
-
-    def is_anonymous(self):
-        return True

django/trunk/django/parts/auth/formfields.py

@@ -1 @@
-sessions, 
+
-from django.core import formfields, validators
-
@@ -24 +24 @@
-
-    def hasCookiesEnabled(self, field_data, all_data):
-(not self.request.COOKIES.has_key(sessions.TEST_COOKIE_NAME) or self.request.COOKIES[sessions.TEST_COOKIE_NAME] != sessions.TEST_COOKIE_VALUE
+not self.request.test_cookie_worked(
-            raise validators.ValidationError, "Your Web browser doesn't appear to have cookies enabled. Cookies are required for logging in."
-

django/trunk/django/views/auth/login.py

@@ -2 +2 @@
-from django.core import formfields, template_loader
-from django.core.extensions import DjangoContext as Context
-session
+user
-from django.models.core import sites
-from django.utils.httpwrappers import HttpResponse, HttpResponseRedirect
@@ -18 +18 @@
-            if not redirect_to or '://' in redirect_to or ' ' in redirect_to:
-                redirect_to = '/accounts/profile/'
-
-
-
+
+
-    else:
-        errors = {}
-    response = HttpResponse()
-
-
+
-    t = template_loader.get_template('registration/login')
-    c = Context(request, {
@@ -35 +33 @@
-    return response
-
-
+, next_page=None
-    "Logs out the user and displays 'You are logged out' message."
-
-
-
-
-
-
-
-
+
+
+
-        t = template_loader.get_template('registration/logged_out')
-        c = Context(request)
-        return HttpResponse(t.render(c))
+    else:
+        # Do a redirect to this page until the session has been cleared.
+        return HttpResponseRedirect(next_page or request.path)
-
-def logout_then_login(request):
-    "Logs out the user if he is logged in. Then redirects to the log-in page."
-
-
-
-
-
-
+
-
-def redirect_to_login(next):

django/trunk/docs/faq.txt

@@ -311 +311 @@
-things:
-
-REGISTRAT
+SESS
-      to match your domain. For example, if you're going to
-      "http://www.mysite.com/admin/" in your browser, in
-REGISTRAT
+SESS
-      'www.mysite.com'``.
-
@@ -321 +321 @@
-      or another domain that doesn't have a dot in it, try going to
-      "localhost.localdomain" or "127.0.0.1". And set
-REGISTRAT
+SESS
-
-I can't log in. When I enter a valid username and password, it brings up the login page again, with a "Please enter a correct username and password" error.