counsyl / baya
Hierarchical LDAP groups for authorization in django
License: MIT License
(Copied from internal github, original issue by rxia)

I'm not sure if this was intentional, but if you set BAYA_ALLOW_ALL = True, then views decorated with @requires() will allow unauthenticated users to log in. Do you think it's reasonable to change this so that it still forces you to be logged in as someone, but not do any actual checking on the groups?

I know that the use of BAYA_ALLOW_ALL = True is discouraged, but I was making changes in an app I'm not familiar with, and I didn't want to figure out the exact permission required. One of the pages I visited was raising an exception because it assumed that request.user was a valid, authenticated user, which is normally safe to assume because of the @requires() decorator. However, because I had BAYA_ALLOW_ALL = True, the decorator actually let an unauthenticated user through.

I think the only thing required to make this change is to move this block of code over to this line. Alternatively, we could also redefine _has_permission() to mean "is logged in and has permission" and short-circuit before the group check if the user is not logged in. I'd be more than happy to submit a PR if you agree with this change.
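The ordering problem rxia describes, as an added Python example that is not baya's code: a hypothetical requires() decorator factory in two variants, one where the allow-all switch short-circuits ahead of the login check (so AnonymousUser reaches the view) and one where authentication is checked first and only the group check is skipped. User, AnonymousUser, Request, PermissionDenied and profile_view are constructed stand-ins for the Django objects, and allow_all is passed as a parameter instead of being read from BAYA_ALLOW_ALL in settings.

```python
"""Added example (not baya's code): an "allow all" switch should skip the
group check, not the authentication check.

Everything here is a hypothetical stand-in: the User/Request classes mimic
just enough of Django for the decorator to run, and `allow_all` is a
parameter rather than the BAYA_ALLOW_ALL setting.
"""
from dataclasses import dataclass, field
from functools import wraps


@dataclass
class User:
    """Constructed stand-in for an authenticated django.contrib.auth user."""
    username: str
    groups: set = field(default_factory=set)
    is_authenticated: bool = True


@dataclass
class AnonymousUser(User):
    """Constructed stand-in for django.contrib.auth.models.AnonymousUser."""
    username: str = ""
    is_authenticated: bool = False


@dataclass
class Request:
    """Constructed stand-in for django.http.HttpRequest."""
    user: User


class PermissionDenied(Exception):
    """Raised when a request fails the decorator's check."""


def requires_permissive(group, allow_all=False):
    """The ordering the issue complains about: allow_all is tested before the
    login check, so it bypasses authentication as well as the group check."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if allow_all:                       # short-circuits everything
                return view(request, *args, **kwargs)
            if not request.user.is_authenticated:
                raise PermissionDenied("login required")
            if group not in request.user.groups:
                raise PermissionDenied("missing group %s" % group)
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


def requires_strict(group, allow_all=False):
    """The proposed ordering: authentication is always required; allow_all
    only disables the group check."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            if not request.user.is_authenticated:   # checked unconditionally
                raise PermissionDenied("login required")
            if not allow_all and group not in request.user.groups:
                raise PermissionDenied("missing group %s" % group)
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


def profile_view(request):
    """A view that, like the page in the issue, trusts request.user."""
    return "hello %s" % request.user.username.upper()


def outcome(decorator_factory, user, allow_all):
    """Run profile_view under the given decorator and report what happened."""
    view = decorator_factory("admins", allow_all=allow_all)(profile_view)
    try:
        return view(Request(user))
    except PermissionDenied as exc:
        return "denied: %s" % exc


if __name__ == "__main__":
    anon = AnonymousUser()
    bob = User("bob", groups={"devs"})
    for name, factory in (("permissive", requires_permissive),
                          ("strict", requires_strict)):
        print(name, "anon + allow_all ->", outcome(factory, anon, True))
        print(name, "bob  + allow_all ->", outcome(factory, bob, True))
        print(name, "bob  + checking  ->", outcome(factory, bob, False))
```

With the permissive ordering, the anonymous request is handed to the view; with the strict ordering it is rejected with "login required" while bob, who lacks the "admins" group, still gets through when allow_all is set and is denied when it is not.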
(Copied from internal github, original ticket by rxia)

As described in [internal ticket], we can update baya to automatically redirect to admin:login, which is now defined in Django 1.7.
The normal django pattern of admin.site.urls for admin urls doesn't work with baya. I'm pretty sure this is a problem with autodiscovery.

Docs fix: You need to do from myapp import admin as my_admin; my_admin.site.urls at the bottom of your admin.py file. This should be documented, but it's better to fix the core issue.

Long fix: make autodiscovery work properly
(Copied from internal github)

Setting it here allows admin 403 pages to show/inspect the required groups, but I haven't figured out how to make it happen. The request object isn't available in the has_module_perms method, which is a big bummer.
There are some rough edges with integration of baya with django-admin:

- BayaInlineMixin does not work correctly. AFAICT, a user who does not have UPDATE permissions also does not have READ permissions. This can be remedied by overriding get_readonly_fields to return all fields if the user lacks update permissions, and has_change_permission to allow users with update or read permissions.
- get_readonly_fields.
- BayaModelAdmin.get_readonly_fields and BayaModelAdmin.get_fieldsets.

(copied from internal github, original issue opened by alejandro)
baya.utils.has_permission fails with the following error messages when the view function (param fn) is wrapped like so: requires(DynamicRolesNode(DjangoRequestGroupFormatter('%s', 'name')))

Traceback (most recent call last):
  File "/Users/alejandro/Projects/baya/baya/tests/test_group_formatter.py", line 16, in test_has_permission_url_param
    perm = has_permission(view_func, AnonymousUser(), 'any')
  File "/Users/alejandro/Projects/baya/baya/utils.py", line 60, in has_permission
    if check_perm(user):
  File "/Users/alejandro/Projects/baya/baya/permissions.py", line 106, in user_has_any_permission
    return (self.user_has_get_permission(user) or
  File "/Users/alejandro/Projects/baya/baya/permissions.py", line 93, in user_has_get_permission
    return self._has_permission(user, self.get_requires)
  File "/Users/alejandro/Projects/baya/baya/permissions.py", line 87, in _has_permission
    return user_in_group(user, membership_node, request=request)
  File "/Users/alejandro/Projects/baya/baya/utils.py", line 26, in user_in_group
    return PermissionChecker(user_groups).visit(group, **kwargs)
  File "/Users/alejandro/Projects/baya/baya/visitors.py", line 27, in visit
    return self._visit_roles_node(node, **kwargs)
  File "/Users/alejandro/Projects/baya/baya/visitors.py", line 182, in _visit_roles_node
    return roles_node.get_roles_set(**kwargs) <= self._roles_set
  File "/Users/alejandro/Projects/baya/baya/membership.py", line 142, in get_roles_set
    result = _callable(**kwargs)
  File "/Users/alejandro/Projects/baya/baya/dynamic_roles.py", line 63, in __call__
    url_kwargs = request.resolver_match.kwargs
AttributeError: 'NoneType' object has no attribute 'resolver_match'

To recreate this, checkout branch has_permission_breaks_drgf and run make test.

I discovered this when I was more thoroughly testing the new templatetag can_user_perform_action.

DynamicRolesNode stores callables that return sets of groups; they are called at runtime when permission checking occurs. When that callable is a DjangoRequestGroupFormatter, problems occur because there is no request object to grab kwargs from for formatting the groups to return.

Probably make the DjangoRequestGroupFormatter not dependent on the request object to do the url parsing for it. There's got to be another way to pull out the kwargs and params of a url without doing it through a request.

I'll be trying to figure out how to solve this in the has_permission_breaks_drgf branch if the above solution sounds right.

Scratch that. I'm not sure how to fix this...