annotate MoinMoin/auth/__init__.py @ 6078:35473fe0967d

line wrap at 120 chars instead of 80
author 'Karl O. Pinc' <kop@meme.com>
date Tue, 16 Sep 2014 08:40:47 -0500
parents 3f7f4cef7c2a
children
rev   line source
0
77665d8e2254 tag of nonpublic@localhost--archive/moin--enterprise--1.5--base-0
Thomas Waldmann <tw-public@gmx.de>
parents:
diff changeset
1 # -*- coding: iso-8859-1 -*-
77665d8e2254 tag of nonpublic@localhost--archive/moin--enterprise--1.5--base-0
Thomas Waldmann <tw-public@gmx.de>
parents:
diff changeset
2 """
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
3 MoinMoin - modular authentication handling
295
91d47ebee530 make posted UserPreferences form values easily available for auth methods
Thomas Waldmann <tw@waldmann-edv.de>
parents: 268
diff changeset
4
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
5 Each authentication method is an object instance containing
2302
1f449e482bcc allow auth methods to set the login hint below the input fields
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2299
diff changeset
6 four methods:
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
7 * login(request, user_obj, **kw)
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
8 * logout(request, user_obj, **kw)
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
9 * request(request, user_obj, **kw)
2302
1f449e482bcc allow auth methods to set the login hint below the input fields
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2299
diff changeset
10 * login_hint(request)
2286
01f05e74aa9c Big PEP8 and whitespace cleanup
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 2040
diff changeset
11
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
12 The kw arguments that are passed in are currently:
2030
00f52826b5df allow unattended login (for xmlrpc)
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2025
diff changeset
13 attended: boolean indicating whether a user (attended=True) or
00f52826b5df allow unattended login (for xmlrpc)
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2025
diff changeset
14 a machine is requesting login, multistage auth is not
00f52826b5df allow unattended login (for xmlrpc)
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2025
diff changeset
15 currently possible for machine logins [login only]
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
16 username: the value of the 'username' form field (or None)
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
17 [login only]
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
18 password: the value of the 'password' form field (or None)
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
19 [login only]
2040
68e302934c77 add cookie back to auth keyword arguments
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2030
diff changeset
20 cookie: a Cookie.SimpleCookie instance containing the cookie
68e302934c77 add cookie back to auth keyword arguments
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2030
diff changeset
21 that the browser sent
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
22 multistage: boolean indicating multistage login continuation
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
23 [may not be present, login only]
2299
39d11cf4af6c OpenID relying party (client) support
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2286
diff changeset
24 openid_identifier: the OpenID identifier we got from the form
39d11cf4af6c OpenID relying party (client) support
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2286
diff changeset
25 (or None) [login only]
268
130bd0403e21 auth methods now return tuple (user_obj, continue_flag)
Thomas Waldmann <tw@waldmann-edv.de>
parents: 265
diff changeset
26
2302
1f449e482bcc allow auth methods to set the login hint below the input fields
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2299
diff changeset
27 login_hint() should return a HTML text that is displayed to the user right
1f449e482bcc allow auth methods to set the login hint below the input fields
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2299
diff changeset
28 below the login form, it should tell the user what to do in case of a
1f449e482bcc allow auth methods to set the login hint below the input fields
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2299
diff changeset
29 forgotten password and how to create an account (if applicable.)
1f449e482bcc allow auth methods to set the login hint below the input fields
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2299
diff changeset
30
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
31 More may be added.
769
66945b567d0e added TODO, PEP8 and other cosmetic fixes
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 768
diff changeset
32
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
33 The request method is called for each request except login/logout.
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
34
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
35 The 'request' and 'logout' methods must return a tuple (user_obj, continue)
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
36 where 'user_obj' can be
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
37 * None, to throw away any previous user_obj from previous auth methods
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
38 * the passed in user_obj for no changes
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
39 * a newly created MoinMoin.user.User instance
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
40 and 'continue' is a boolean to indicate whether the next authentication
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
41 method should be tried.
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
42
2025
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
43 The 'login' method must return an instance of MoinMoin.auth.LoginReturn
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
44 which contains the members
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
45 * user_obj
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
46 * continue_flag
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
47 * multistage
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
48 * message
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
49 * redirect_to
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
50
2025
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
51 There are some helpful subclasses derived from this class for the most
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
52 common cases, namely ContinueLogin(), CancelLogin(), MultistageFormLogin()
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
53 and MultistageRedirectLogin().
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
54
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
55 The user_obj and continue_flag members have the same semantics as for the
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
56 request and logout methods.
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
57
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
58 The messages that are returned by the various auth methods will be
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
59 displayed to the user, since they will all be displayed usually auth
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
60 methods will use the message feature only along with returning False for
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
61 the continue flag.
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
62
3644
5a760b6b6a97 add a note about auth vs. username not entered and similar
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 3481
diff changeset
63 Note, however, that when no username is entered or the username is not
5a760b6b6a97 add a note about auth vs. username not entered and similar
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 3481
diff changeset
64 found in the database, it may be appropriate to return with a message
5a760b6b6a97 add a note about auth vs. username not entered and similar
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 3481
diff changeset
65 and the continue flag set to true (ContinueLogin) because a subsequent auth
5a760b6b6a97 add a note about auth vs. username not entered and similar
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 3481
diff changeset
66 plugin might work even without the username, say the openid plugin for
5a760b6b6a97 add a note about auth vs. username not entered and similar
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 3481
diff changeset
67 example.
5a760b6b6a97 add a note about auth vs. username not entered and similar
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 3481
diff changeset
68
2025
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
69 The multistage member must evaluate to false or be callable. If it is
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
70 callable, this indicates that the authentication method requires a second
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
71 login stage. In that case, the multistage item will be called with the
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
72 request as the only parameter. It should return an instance of
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
73 MoinMoin.widget.html.FORM and the generic code will append some required
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
74 hidden fields to it. It is also permissible to return some valid HTML,
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
75 but that feature has very limited use since it breaks the authentication
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
76 method chain.
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
77
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
78 Note that because multistage login does not depend on anonymous session
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
79 support, it is possible that users jump directly into the second stage
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
80 by giving the appropriate parameters to the login action. Hence, auth
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
81 methods should take care to recheck everything and not assume the user
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
82 has gone through all previous stages.
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
83
2025
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
84 If the multistage login requires querying an external site that involves
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
85 a redirect, the redirect_to member may be set instead of the multistage
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
86 member. If this is set it must be a URL that the user should be redirected to.
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
87 Since the user must be able to come back to the authentication, any
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
88 "%return" in the URL is replaced with the url-encoded form of the URL
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
89 to the next authentication stage, any "%return_form" is replaced with
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
90 the url-plus-encoded form (spaces encoded as +) of the same URL.
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
91
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
92 After the user has submitted the required form or has been redirected back
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
93 from the external site, execution of the auth login methods resumes with
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
94 the auth item that requested the multistage login and its login method is
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
95 called with the 'multistage' keyword parameter set to True.
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
96
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
97 Each authentication method instance must also contain the members
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
98 * login_inputs: a list of required inputs, currently supported are
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
99 - 'username': username entry field
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
100 - 'password': password entry field
2299
39d11cf4af6c OpenID relying party (client) support
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2286
diff changeset
101 - 'openid_identifier': OpenID entry field
3139
0c0fd7c894a3 allow auth methods that don't need input at all to skip input form
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 3137
diff changeset
102 - 'special_no_input': manual login is required
0c0fd7c894a3 allow auth methods that don't need input at all to skip input form
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 3137
diff changeset
103 but no form fields need to be filled in
0c0fd7c894a3 allow auth methods that don't need input at all to skip input form
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 3137
diff changeset
104 (for example openid with forced provider)
0c0fd7c894a3 allow auth methods that don't need input at all to skip input form
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 3137
diff changeset
105 in this case the theme may provide a short-
0c0fd7c894a3 allow auth methods that don't need input at all to skip input form
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 3137
diff changeset
106 cut omitting the login form
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
107 * logout_possible: boolean indicating whether this auth method
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
108 supports logging out
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
109 * name: name of the auth method, must be the same as given as the
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
110 user object's auth_method keyword parameter.
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
111
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
112 To simplify creating new authentication methods you can inherit from
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
113 MoinMoin.auth.BaseAuth that does nothing for all three methods, but
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
114 allows you to override only some methods.
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
115
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
116 cfg.auth is a list of authentication object instances whose methods
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
117 are called in the order they are listed. The session method is called
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
118 for every request, when logging in or out these are called before the
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
119 session method.
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
120
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
121 When creating a new MoinMoin.user.User object, you can give a keyword
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
122 argument "auth_attribs" to User.__init__ containing a list of user
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
123 attributes that are determined and fixed by this auth method and may
3333
928a45b60bb3 remove remaining mentions of "UserPreferences", add to CHANGES
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 3234
diff changeset
124 not be changed by the user in their preferences.
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
125 You also have to give the keyword argument "auth_method" containing the
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
diff changeset
126 name of the authentication method.
1932
8916520c8314 session handling. anonymous sessions are not enabled by default because they
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1931
diff changeset
127
1950
bbfc3144a567 auth/session: misc cleanup, added some docstrings
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 1939
diff changeset
128 @copyright: 2005-2006 Bastian Blank, Florian Festi,
775
0e3327b36bc5 move cookie hash code to own function, add random string generator, src cosmetics
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 774
diff changeset
129 MoinMoin:AlexanderSchremmer, Nick Phillips,
1950
bbfc3144a567 auth/session: misc cleanup, added some docstrings
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 1939
diff changeset
130 MoinMoin:FrankieChow, MoinMoin:NirSoffer,
4537
f8bf8de778f2 move auth.http.HTTPAuth to auth.GivenAuth, see details below
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4530
diff changeset
131 2005-2009 MoinMoin:ThomasWaldmann,
1950
bbfc3144a567 auth/session: misc cleanup, added some docstrings
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 1939
diff changeset
132 2007 MoinMoin:JohannesBerg
1932
8916520c8314 session handling. anonymous sessions are not enabled by default because they
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1931
diff changeset
133
0
77665d8e2254 tag of nonpublic@localhost--archive/moin--enterprise--1.5--base-0
Thomas Waldmann <tw-public@gmx.de>
parents:
diff changeset
134 @license: GNU GPL, see COPYING for details.
77665d8e2254 tag of nonpublic@localhost--archive/moin--enterprise--1.5--base-0
Thomas Waldmann <tw-public@gmx.de>
parents:
diff changeset
135 """
77665d8e2254 tag of nonpublic@localhost--archive/moin--enterprise--1.5--base-0
Thomas Waldmann <tw-public@gmx.de>
parents:
diff changeset
136
3125
40c4670c3410 refactored auth package to use own logger
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 3123
diff changeset
137 from MoinMoin import log
40c4670c3410 refactored auth package to use own logger
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 3123
diff changeset
138 logging = log.getLogger(__name__)
40c4670c3410 refactored auth package to use own logger
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 3123
diff changeset
139
5381
105451cabedb fix auth methods that use redirects (like openid)
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 5365
diff changeset
140 from werkzeug import redirect, abort, url_quote, url_quote_plus
105451cabedb fix auth methods that use redirects (like openid)
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 5365
diff changeset
141
2025
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
142 from MoinMoin import user, wikiutil
6048
ee7209311a0e surge protection for authentication (currently just for "moin" auth), updated docs/CHANGES
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 6047
diff changeset
143 from MoinMoin.web.utils import check_surge_protect
6045
f029e42ecdec add logging for login to detect potential abuse
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 5381
diff changeset
144 from MoinMoin.util.abuse import log_attempt
2025
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
145
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
146
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
147 def get_multistage_continuation_url(request, auth_name, extra_fields={}):
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
148     """get_continuation_url - return a multistage continuation URL
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
149
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
150     This function returns a URL that when loaded continues a multistage
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
151     authentication at the auth method requesting it (parameter auth_name.)
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
152     Additional fields are added to the URL from the extra_fields dict.
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
153
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
154     @param request: the Moin request
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
155     @param auth_name: name of the auth method requesting the continuation
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
156     @param extra_fields: extra GET fields to add to the URL
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
157     """
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
158     # logically, this belongs to request, but semantically it should
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
159     # live in auth so people do auth.get_multistage_continuation_url()
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
160     fields = {'action': 'login',
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
161               'login': '1',
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
162               'stage': auth_name}
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
diff changeset
163     fields.update(extra_fields)
3137
ee546a8aaa8f apparently it is possible that request.page is None, fix auth
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 3135
diff changeset
164     if request.page:
4885
97d38e725287 Force janrain_nonce at end of URL when asking for username input during the OpenID multiform sequence
Rowan Kerr <rowan@stasis.org>
parents: 4688
diff changeset
165         logging.debug("request.page.url: " + request.page.url(request, querystr=fields))
3234
a739558ca3dc Page.url() default changed to relative=False
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 3139
diff changeset
166         return request.page.url(request, querystr=fields)
3137
ee546a8aaa8f apparently it is possible that request.page is None, fix auth
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 3135
167     else:
4885
97d38e725287 Force janrain_nonce at end of URL when asking for username input during the OpenID multiform sequence
Rowan Kerr <rowan@stasis.org>
parents: 4688
168         logging.debug("request.abs_href: " + request.abs_href(**fields))
4334
7add275cf4de Fixed: deprecated (and missing) getBaseURL() method
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 4312
169         return request.abs_href(**fields)
2025
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
170
171 class LoginReturn(object):
172     """ LoginReturn - base class for auth method login() return value"""
173     def __init__(self, user_obj, continue_flag, message=None, multistage=None,
174                  redirect_to=None):
175         self.user_obj = user_obj
176         self.continue_flag = continue_flag
177         self.message = message
178         self.multistage = multistage
179         self.redirect_to = redirect_to
180
181 class ContinueLogin(LoginReturn):
182     """ ContinueLogin - helper for auth method login that just continues """
183     def __init__(self, user_obj, message=None):
184         LoginReturn.__init__(self, user_obj, True, message=message)
185
186 class CancelLogin(LoginReturn):
187     """ CancelLogin - cancel login showing a message """
188     def __init__(self, message):
189         LoginReturn.__init__(self, None, False, message=message)
190
191 class MultistageFormLogin(LoginReturn):
192     """ MultistageFormLogin - require user to fill in another form """
193     def __init__(self, multistage):
194         LoginReturn.__init__(self, None, False, multistage=multistage)
195
196 class MultistageRedirectLogin(LoginReturn):
197     """ MultistageRedirectLogin - redirect user to another site before continuing login """
198     def __init__(self, url):
199         LoginReturn.__init__(self, None, False, redirect_to=url)
200
1932
8916520c8314 session handling. anonymous sessions are not enabled by default because they
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1931
201
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
202 class BaseAuth:
203     name = None
204     login_inputs = []
205     logout_possible = False
206     def __init__(self):
207         pass
208     def login(self, request, user_obj, **kw):
2025
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
209         return ContinueLogin(user_obj)
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
210     def request(self, request, user_obj, **kw):
211         return user_obj, True
212     def logout(self, request, user_obj, **kw):
213         if self.name and user_obj and user_obj.auth_method == self.name:
3481
9a3deab96cb7 improve auth/session logging, add auth/session debug logging config
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 3333
214             logging.debug("%s: logout - invalidating user %r" % (self.name, user_obj.name))
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
215             user_obj.valid = False
216         return user_obj, True
2302
1f449e482bcc allow auth methods to set the login hint below the input fields
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2299
217     def login_hint(self, request):
218         return None
1932
8916520c8314 session handling. anonymous sessions are not enabled by default because they
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1931
219
3656
6060395dcdf1 rename MoinLogin to MoinAuth for better consistency with other auth classes
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 3644
220 class MoinAuth(BaseAuth):
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
221     """ handle login from moin login form """
3481
9a3deab96cb7 improve auth/session logging, add auth/session debug logging config
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 3333
222     def __init__(self):
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
223         BaseAuth.__init__(self)
456
12b6367214e3 feed current user_obj to auth methods, continue auth list in most cases, moved cookie code to auth module
Thomas Waldmann <tw@waldmann-edv.de>
parents: 450
224
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
225     login_inputs = ['username', 'password']
3656
6060395dcdf1 rename MoinLogin to MoinAuth for better consistency with other auth classes
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 3644
226     name = 'moin'
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
227     logout_possible = True
1950
bbfc3144a567 auth/session: misc cleanup, added some docstrings
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 1939
228
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
229     def login(self, request, user_obj, **kw):
230         username = kw.get('username')
231         password = kw.get('password')
1932
8916520c8314 session handling. anonymous sessions are not enabled by default because they
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1931
232
2018
dbf06dea00aa MoinLogin auth: continue if a previous auth was successful
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2009
233         # simply continue if something else already logged in successfully
234         if user_obj and user_obj.valid:
2025
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
235             return ContinueLogin(user_obj)
2018
dbf06dea00aa MoinLogin auth: continue if a previous auth was successful
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2009
236
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
237         if not username and not password:
2025
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
238             return ContinueLogin(user_obj)
768
a463b24b01e3 move auth.py changes to new location auth/__init__.py
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 752
239
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
240         _ = request.getText
948
28ea5b3802b1 whitespace-only cleanup
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 776
241
3481
9a3deab96cb7 improve auth/session logging, add auth/session debug logging config
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 3333
242         logging.debug("%s: performing login action" % self.name)
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
243
244         if username and not password:
2025
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
245             return ContinueLogin(user_obj, _('Missing password. Please enter user name and password.'))
6049
a9567770da68 moin auth: give error msg when user name is missing
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 6048
246         if not username and password:
247             return ContinueLogin(user_obj, _('Missing user name. Please enter user name and password.'))
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
248
6048
ee7209311a0e surge protection for authentication (currently just for "moin" auth), updated docs/CHANGES
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 6047
249         check_surge_protect(request, action='auth-ip')
250         check_surge_protect(request, action='auth-name', username=username)
251
2009
1b14cc05a54a refactor authentication and split out session handling
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 1998
252         u = user.User(request, name=username, password=password, auth_method=self.name)
298
6c74345f4d55 cleaned up and moved moin's cookie stuff to auth.moin_cookie
Thomas Waldmann <tw@waldmann-edv.de>
parents: 295
253         if u.valid:
3481
9a3deab96cb7 improve auth/session logging, add auth/session debug logging config
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 3333
254             logging.debug("%s: successfully authenticated user %r (valid)" % (self.name, u.name))
6075
3f7f4cef7c2a make log_attempt output easily parsed
'Karl O. Pinc' <kop@meme.com>
parents: 6049
255             log_attempt("auth/login (moin)", True, request, username)
2025
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
256             return ContinueLogin(u)
774
ca827a12c524 replaced moin_cookie by moin_login, MOIN_ID by MOIN_SESSION cookie
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 770
257         else:
3481
9a3deab96cb7 improve auth/session logging, add auth/session debug logging config
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 3333
258             logging.debug("%s: could not authenticate user %r (not valid)" % (self.name, username))
6075
3f7f4cef7c2a make log_attempt output easily parsed
'Karl O. Pinc' <kop@meme.com>
parents: 6049
259             log_attempt("auth/login (moin)", False, request, username)
2025
d919b7b7b3e9 auth framework: login() methods return an object now
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2018
260             return ContinueLogin(user_obj, _("Invalid username or password."))
2302
1f449e482bcc allow auth methods to set the login hint below the input fields
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2299
261
262     def login_hint(self, request):
263         _ = request.getText
4889
6279b8badd5f Removed no-value return statements from openid extensions. Prepared default auth login_prompt to have configurable registration url.
Rowan Kerr <rowan@stasis.org>
parents: 4885
264         #if request.cfg.openidrp_registration_url:
265         #    userprefslink = request.cfg.openidrp_registration_url
266         #else:
2302
1f449e482bcc allow auth methods to set the login hint below the input fields
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2299
267         userprefslink = request.page.url(request, querystr={'action': 'newaccount'})
268         sendmypasswordlink = request.page.url(request, querystr={'action': 'recoverpass'})
4889
6279b8badd5f Removed no-value return statements from openid extensions. Prepared default auth login_prompt to have configurable registration url.
Rowan Kerr <rowan@stasis.org>
parents: 4885
269
270         msg = ''
271         #if request.cfg.openidrp_allow_registration:
272         msg = _('If you do not have an account, <a href="%(userprefslink)s">you can create one now</a>. ') % {
273               'userprefslink': userprefslink}
274         msg += _('<a href="%(sendmypasswordlink)s">Forgot your password?</a>') % {
2302
1f449e482bcc allow auth methods to set the login hint below the input fields
Johannes Berg <johannes AT sipsolutions DOT net>
parents: 2299
275                'sendmypasswordlink': sendmypasswordlink}
4889
6279b8badd5f Removed no-value return statements from openid extensions. Prepared default auth login_prompt to have configurable registration url.
Rowan Kerr <rowan@stasis.org>
parents: 4885
276         return msg
277
278         #return _('If you do not have an account, <a href="%(userprefslink)s">you can create one now</a>. '
279         #         '<a href="%(sendmypasswordlink)s">Forgot your password?</a>') % {
280         #         'userprefslink': userprefslink,
281         #         'sendmypasswordlink': sendmypasswordlink}
3125
40c4670c3410 refactored auth package to use own logger
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 3123
282
4537
f8bf8de778f2 move auth.http.HTTPAuth to auth.GivenAuth, see details below
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4530
283
284 class GivenAuth(BaseAuth):
285     """ reuse a given authentication, e.g. http basic auth (or any other auth)
286         done by the web server, that sets REMOTE_USER environment variable.
287         This is the default behaviour.
288         You can also specify to read another environment variable (env_var).
289         Alternatively you can directly give a fixed user name (user_name)
290         that will be considered as authenticated.
291     """
292     name = 'given' # was 'http' in 1.8.x and before
293
4538
d0afc869ab36 add some decoding/transformations to GivenAuth (similar to what we had hardcoded in 1.8)
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4537
294     def __init__(self,
295                  env_var=None, # environment variable we want to read (default: REMOTE_USER)
296                  user_name=None, # can be used to just give a specific user name to log in
297                  autocreate=False, # create/update the user profile for the auth. user
298                  strip_maildomain=False, # joe@example.org -> joe
299                  strip_windomain=False, # DOMAIN\joe -> joe
300                  titlecase=False, # joe doe -> Joe Doe
301                  remove_blanks=False, # Joe Doe -> JoeDoe
302                  coding=None, # for decoding REMOTE_USER correctly (default: auto)
303                  ):
4537
f8bf8de778f2 move auth.http.HTTPAuth to auth.GivenAuth, see details below
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4530
304         self.env_var = env_var
305         self.user_name = user_name
306         self.autocreate = autocreate
4538
d0afc869ab36 add some decoding/transformations to GivenAuth (similar to what we had hardcoded in 1.8)
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4537
307         self.strip_maildomain = strip_maildomain
308         self.strip_windomain = strip_windomain
309         self.titlecase = titlecase
310         self.remove_blanks = remove_blanks
311         self.coding = coding
4537
f8bf8de778f2 move auth.http.HTTPAuth to auth.GivenAuth, see details below
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4530
312         BaseAuth.__init__(self)
313
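Added example, not part of MoinMoin's source: the name transformations described in the GivenAuth constructor comments can map distinct upstream identities to one wiki name, and this Python 3 code audits a list of REMOTE_USER values for such merges before an option is enabled. Only the mail-domain split is taken from the listing; the other three transformation steps, `TransformConfig`, `find_collisions`, `risky_options` and the sample identities are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Option names mirror the GivenAuth constructor arguments in the listing.
OPTIONS = ("strip_maildomain", "strip_windomain", "titlecase", "remove_blanks")


@dataclass(frozen=True)
class TransformConfig:
    strip_maildomain: bool = False   # joe@example.org -> joe
    strip_windomain: bool = False    # DOMAIN\joe -> joe
    titlecase: bool = False          # joe doe -> Joe Doe
    remove_blanks: bool = False      # Joe Doe -> JoeDoe


def transform_username(name, cfg):
    """Apply the enabled transformations in the order the constructor lists them.

    The mail-domain split is the one shown in the listing. The other three
    steps are assumptions written from the constructor's inline comments.
    """
    if cfg.strip_maildomain:
        name = name.split("@")[0]
    if cfg.strip_windomain:
        name = name.split("\\")[-1]      # assumed implementation
    if cfg.titlecase:
        name = name.title()              # assumed implementation
    if cfg.remove_blanks:
        name = "".join(name.split())     # assumed implementation
    return name


def find_collisions(upstream_names, cfg):
    """Return {wiki_name: sorted upstream identities} for every wiki name
    that more than one distinct upstream identity maps to."""
    groups = defaultdict(set)
    for raw in upstream_names:
        groups[transform_username(raw, cfg)].add(raw)
    return {wiki: sorted(raws) for wiki, raws in groups.items() if len(raws) > 1}


def risky_options(upstream_names):
    """Enable each option on its own and report the ones that merge identities."""
    report = {}
    for opt in OPTIONS:
        hits = find_collisions(upstream_names, TransformConfig(**{opt: True}))
        if hits:
            report[opt] = hits
    return report


# Constructed sample of values a web server might place in REMOTE_USER.
SAMPLE_REMOTE_USERS = [
    "joe@example.org",
    "joe@partner.example",
    "CORP\\joe",
    "LAB\\ann",
    "joe doe",
    "Joe Doe",
]

if __name__ == "__main__":
    for option, merged in risky_options(SAMPLE_REMOTE_USERS).items():
        for wiki_name, identities in merged.items():
            print("%s: %r <- %r" % (option, wiki_name, identities))
```

Run it against an export of the identities the front-end authenticator can emit; an empty report for the options you plan to enable means no two of those identities share a wiki name.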
4538
d0afc869ab36 add some decoding/transformations to GivenAuth (similar to what we had hardcoded in 1.8)
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4537
diff changeset
314 def decode_username(self, name):
d0afc869ab36 add some decoding/transformations to GivenAuth (similar to what we had hardcoded in 1.8)
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4537
diff changeset
315 """ decode the name we got from the environment var to unicode """
d0afc869ab36 add some decoding/transformations to GivenAuth (similar to what we had hardcoded in 1.8)
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4537
diff changeset
316 if isinstance(name, str):
d0afc869ab36 add some decoding/transformations to GivenAuth (similar to what we had hardcoded in 1.8)
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4537
diff changeset
317 if self.coding:
d0afc869ab36 add some decoding/transformations to GivenAuth (similar to what we had hardcoded in 1.8)
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4537
diff changeset
318 name = name.decode(self.coding)
d0afc869ab36 add some decoding/transformations to GivenAuth (similar to what we had hardcoded in 1.8)
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4537
diff changeset
319             else:
320                 # XXX we have no idea about REMOTE_USER encoding, please help if
321                 # you know how to do that cleanly
322                 name = wikiutil.decodeUnknownInput(name)
323         return name
324
325     def transform_username(self, name):
326         """ transform the name we got (unicode in, unicode out)
327
328             Note: if you need something more special, you could create your own
329                   auth class, inherit from this class and override this function.
330         """
331         assert isinstance(name, unicode)
332         if self.strip_maildomain:
333             # split off mail domain, e.g. "user@example.org" -> "user"
334             name = name.split(u'@')[0]
335
336         if self.strip_windomain:
337             # split off Windows domain, e.g. "DOMAIN\user" -> "user"
338             name = name.split(u'\\')[-1]
339
340         if self.titlecase:
341             # this "normalizes" the login name, e.g. meier, Meier, MEIER -> Meier
342             name = name.title()
343
344         if self.remove_blanks:
345             # remove blanks e.g. "Joe Doe" -> "JoeDoe"
346             name = u''.join(name.split())
347
348         return name
349
4537
f8bf8de778f2 move auth.http.HTTPAuth to auth.GivenAuth, see details below
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4530
diff changeset
350     def request(self, request, user_obj, **kw):
351         u = None
352         _ = request.getText
353         # always revalidate auth
354         if user_obj and user_obj.auth_method == self.name:
355             user_obj = None
356         # something else authenticated before us
357         if user_obj:
358             logging.debug("already authenticated, doing nothing")
359             return user_obj, True
360
361         if self.user_name is not None:
362             auth_username = self.user_name
363         elif self.env_var is None:
364             auth_username = request.remote_user
365         else:
366             auth_username = request.environ.get(self.env_var)
367
368         logging.debug("auth_username = %r" % auth_username)
369         if auth_username:
4538
d0afc869ab36 add some decoding/transformations to GivenAuth (similar to what we had hardcoded in 1.8)
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4537
diff changeset
370             auth_username = self.decode_username(auth_username)
371             auth_username = self.transform_username(auth_username)
372             logging.debug("auth_username (after decode/transform) = %r" % auth_username)
4537
f8bf8de778f2 move auth.http.HTTPAuth to auth.GivenAuth, see details below
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4530
diff changeset
373             u = user.User(request, auth_username=auth_username,
374                           auth_method=self.name, auth_attribs=('name', 'password'))
375
4914
4ee70cfce201 merged moin/1.8
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4889
diff changeset
376         logging.debug("u: %r" % u)
4537
f8bf8de778f2 move auth.http.HTTPAuth to auth.GivenAuth, see details below
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4530
diff changeset
377         if u and self.autocreate:
4914
4ee70cfce201 merged moin/1.8
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4889
diff changeset
378             logging.debug("autocreating user")
4537
f8bf8de778f2 move auth.http.HTTPAuth to auth.GivenAuth, see details below
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4530
diff changeset
379             u.create_or_update()
380         if u and u.valid:
4914
4ee70cfce201 merged moin/1.8
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4889
diff changeset
381             logging.debug("returning valid user %r" % u)
6075
3f7f4cef7c2a make log_attempt output easily parsed
'Karl O. Pinc' <kop@meme.com>
parents: 6049
diff changeset
382             log_attempt("auth/request (given)", True, request, auth_username)
4537
f8bf8de778f2 move auth.http.HTTPAuth to auth.GivenAuth, see details below
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4530
diff changeset
383             return u, True # True to get other methods called, too
384         else:
4914
4ee70cfce201 merged moin/1.8
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4889
diff changeset
385             logging.debug("returning %r" % user_obj)
6045
f029e42ecdec add logging for login to detect potential abuse
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 5381
diff changeset
386             if u and not u.valid:
6075
3f7f4cef7c2a make log_attempt output easily parsed
'Karl O. Pinc' <kop@meme.com>
parents: 6049
diff changeset
387                 log_attempt("auth/request (given)", False, request, auth_username)
4537
f8bf8de778f2 move auth.http.HTTPAuth to auth.GivenAuth, see details below
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4530
diff changeset
388             return user_obj, True
389
390
4193
1e954e802ed2 Start to make auth work again with the new session layer
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 3481
diff changeset
391 def handle_login(request, userobj=None, username=None, password=None,
392                  attended=True, openid_identifier=None, stage=None):
4312
9831c40c5bd9 Code review: added doc strings, added missing abort check
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 4309
diff changeset
393     """
394     Process a 'login' request by going through the configured authentication
395     methods in turn. The passable keyword arguments are explained in more
396     detail at the top of this file.
397     """
4193
1e954e802ed2 Start to make auth work again with the new session layer
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 3481
diff changeset
398     params = {
399         'username': username,
400         'password': password,
401         'attended': attended,
402         'openid_identifier': openid_identifier,
403         'multistage': (stage and True) or None
404     }
405     for authmethod in request.cfg.auth:
406         if stage and authmethod.name != stage:
407             continue
408         ret = authmethod.login(request, userobj, **params)
409
410         userobj = ret.user_obj
411         cont = ret.continue_flag
412         if stage:
413             stage = None
414             del params['multistage']
415
416         if ret.multistage:
417             request._login_multistage = ret.multistage
418             request._login_multistage_name = authmethod.name
419             return userobj
420
421         if ret.redirect_to:
5365
dcc0d7a5fcf4 openid login: fixed it, did not work (traceback)
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4914
diff changeset
422             nextstage = get_multistage_continuation_url(request, authmethod.name)
4193
1e954e802ed2 Start to make auth work again with the new session layer
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 3481
diff changeset
423             url = ret.redirect_to
5381
105451cabedb fix auth methods that use redirects (like openid)
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 5365
diff changeset
424             url = url.replace('%return_form', url_quote_plus(nextstage))
425             url = url.replace('%return', url_quote(nextstage))
4193
1e954e802ed2 Start to make auth work again with the new session layer
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 3481
diff changeset
426             abort(redirect(url))
427         msg = ret.message
428         if msg and not msg in request._login_messages:
429             request._login_messages.append(msg)
430
4312
9831c40c5bd9 Code review: added doc strings, added missing abort check
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 4309
diff changeset
431         if not cont:
432             break
433
4193
1e954e802ed2 Start to make auth work again with the new session layer
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 3481
diff changeset
434     return userobj
435
436 def handle_logout(request, userobj):
4312
9831c40c5bd9 Code review: added doc strings, added missing abort check
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 4309
diff changeset
437     """ Logout the passed user from every configured authentication method. """
4688
3e4e67bcbedd fix exception when trying to logout while not being logged in
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4638
diff changeset
438     if userobj is None:
439         # not logged in
440         return userobj
441
4530
0ac99fdbe65d fixed suid functionality, compute cfg.auth_methods only once
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4334
diff changeset
442     if userobj.auth_method == 'setuid':
443         # we have no authmethod object for setuid
444         userobj = request._setuid_real_user
445         del request._setuid_real_user
446         return userobj
447
4193
1e954e802ed2 Start to make auth work again with the new session layer
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 3481
diff changeset
448     for authmethod in request.cfg.auth:
449         userobj, cont = authmethod.logout(request, userobj, cookie=request.cookies)
450         if not cont:
451             break
452     return userobj
453
454 def handle_request(request, userobj):
4312
9831c40c5bd9 Code review: added doc strings, added missing abort check
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 4309
diff changeset
455     """ Handle the per-request callbacks of the configured authentication methods. """
4193
1e954e802ed2 Start to make auth work again with the new session layer
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 3481
diff changeset
456     for authmethod in request.cfg.auth:
457         userobj, cont = authmethod.request(request, userobj, cookie=request.cookies)
458         if not cont:
459             break
460     return userobj
4194
9c80451df643 Setup user from stored session
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 4193
diff changeset
461
4309
7d97ce960ec2 Code review: relocate check_setuid into MoinMoin.auth with appropriate name
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 4210
diff changeset
462 def setup_setuid(request, userobj):
463     """ Check for setuid conditions in the session and set up a user
464     object accordingly. Returns a tuple of the new user objects.
465
466     @param request: a moin request object
467     @param userobj: a moin user object
468     @rtype: tuple
469     @return: (new_user, user) or (user, None)
470     """
471     old_user = None
4638
7bc4d1571f8f suid: simplify and fix, bigger selection box
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4538
diff changeset
472     if 'setuid' in request.session and userobj and userobj.isSuperUser():
4309
7d97ce960ec2 Code review: relocate check_setuid into MoinMoin.auth with appropriate name
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 4210
diff changeset
473         old_user = userobj
474         uid = request.session['setuid']
475         userobj = user.User(request, uid, auth_method='setuid')
476         userobj.valid = True
6078
35473fe0967d line wrap at 120 chars instead of 80
'Karl O. Pinc' <kop@meme.com>
parents: 6075
diff changeset
477         log_attempt("auth/login (setuid from %r)" % old_user.name, True, request, userobj.name)
4530
0ac99fdbe65d fixed suid functionality, compute cfg.auth_methods only once
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4334
diff changeset
478     logging.debug("setup_suid returns %r, %r" % (userobj, old_user))
4309
7d97ce960ec2 Code review: relocate check_setuid into MoinMoin.auth with appropriate name
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 4210
diff changeset
479     return (userobj, old_user)
480
4194
9c80451df643 Setup user from stored session
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 4193
diff changeset
481 def setup_from_session(request, session):
482     userobj = None
483     if 'user.id' in session:
484         auth_userid = session['user.id']
485         auth_method = session['user.auth_method']
486         auth_attrs = session['user.auth_attribs']
4530
0ac99fdbe65d fixed suid functionality, compute cfg.auth_methods only once
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4334
diff changeset
487         logging.debug("got from session: %r %r" % (auth_userid, auth_method))
488         logging.debug("current auth methods: %r" % request.cfg.auth_methods)
489         if auth_method and auth_method in request.cfg.auth_methods:
4194
9c80451df643 Setup user from stored session
Florian Krupicka <florian.krupicka@googlemail.com>
parents: 4193
diff changeset
490             userobj = user.User(request, id=auth_userid,
491                                 auth_method=auth_method,
492                                 auth_attribs=auth_attrs)
493     logging.debug("session started for user %r", userobj)
494     return userobj
4530
0ac99fdbe65d fixed suid functionality, compute cfg.auth_methods only once
Thomas Waldmann <tw AT waldmann-edv DOT de>
parents: 4334
diff changeset
495
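An added audit sketch, not part of MoinMoin: a Python 3 port of the four steps in GivenAuth.transform_username (lines 325-348 above), used to check which distinct upstream identities would end up as the same wiki account name under a given flag combination. The helper find_collisions and the sample identities are constructed for this illustration.

```python
from collections import defaultdict


def transform_username(name, strip_maildomain=False, strip_windomain=False,
                       titlecase=False, remove_blanks=False):
    """Python 3 port of the steps in GivenAuth.transform_username, in the same order."""
    if strip_maildomain:
        name = name.split('@')[0]       # "user@example.org" -> "user"
    if strip_windomain:
        name = name.split('\\')[-1]     # "DOMAIN\user" -> "user"
    if titlecase:
        name = name.title()             # meier, Meier, MEIER -> Meier
    if remove_blanks:
        name = ''.join(name.split())    # "Joe Doe" -> "JoeDoe"
    return name


def find_collisions(identities, **flags):
    """Hypothetical helper: map each upstream identity through the transform
    and return only the wiki names reached by more than one distinct identity."""
    groups = defaultdict(set)
    for ident in identities:
        groups[transform_username(ident, **flags)].add(ident)
    return {wiki: sorted(srcs) for wiki, srcs in groups.items() if len(srcs) > 1}


# Constructed sample of identities a front-end server might place in REMOTE_USER.
SAMPLE_IDENTITIES = [
    "jmeier@example.org",
    "jmeier@partner.example.net",
    "CORP\\jmeier",
    "LAB\\jmeier",
    "Joe Doe",
    "JoeDoe",
    "o'brien",
    "alice",
]


if __name__ == "__main__":
    flag_sets = [
        {},
        {"strip_maildomain": True},
        {"remove_blanks": True},
        {"strip_maildomain": True, "strip_windomain": True,
         "titlecase": True, "remove_blanks": True},
    ]
    for flags in flag_sets:
        enabled = ", ".join(sorted(flags)) or "no transformations"
        print("%s:" % enabled)
        collisions = find_collisions(SAMPLE_IDENTITIES, **flags)
        if not collisions:
            print("  no collisions")
        for wiki_name, sources in collisions.items():
            print("  %r <- %r" % (wiki_name, sources))
```

Run it over the identities your front-end server can actually assert before enabling strip_maildomain or strip_windomain: any non-empty result means several upstream principals would share one wiki account. str.title() also capitalizes after an apostrophe and lowercases interior capitals, so the resulting names may differ from what the comment on line 341 suggests.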