I've inherited a Django project that used v0.12.1 of django-tastypie to create an API, I have updated it to use v0.14.4, and am trying to get the new site to work the same as the previous.
The API Resources use DjangoAuthorization and while I can mostly* read list and details of them OK, if I try to read an api/<model>/schema/ URL I get a "401 Unauthorized" error. I should be able to view the schema whether I'm logged in or not, which was the case on the previous site.
I've noticed that the DjangoAuthorization.read_detail() view is called when I try to view a schema, and that the object_list property of the passed-in bundle is None. I'm not sure if this is the cause or, if so, how to get around it.
How can I continue to use DjangoAuthorization, allow anyone to view an endpoint's schema, and not change any other permissions?
* There seem to be several other issues/differences with just viewing objects' data through the API, but those are probably questions for another time.
Related
I'm using django and trying to integrate it with quickbooks online through python-quickbooks package and already did so and it works fine, but the problem is I don't want to store the tokens in the request session because I'm trying to access them outside the views, to be exact I'm trying to send an invoice each time an invoice(invoice model from django) object was made I want to send one to quickbooks and I'm doing this through django signals but I can't access the session from the signals so where is the best place to store them on the server side?
thanks in advance.
You can create new Django model just for your integration and query it when you need to get tokens. Especially it can be useful if you plan to have multiple integrations, you can add relation from object (which is related to signal) to "integration object".
I'm trying to set up SAML authentication for HUE deployed with AWS EMR, using Azure SSO as the IdP. I can actually get the handshake to work and the users are logging in to HUE, matching network login details to the usernames that are prepopulated in the HUE backend database. We create the users in HUE first and part of that setup includes setting some users with "is_superuser" to TRUE. The only attribute I explicitly look for to get from the IdP to HUE is the username/network-credential
The behaviour I'm trying to understand is that the first person to log into the HUE UI is getting authenticated via SAML and logging in, with the admin/superuser privileges intact. But anyone after that logging in who is set up as an admin is losing the flag to indicate an admin, i.e. logged in as a normal user. If I manually go in afterward and set the users to have admin access in HUE database and have the users log in again, the access will be granted to the admin permissions and the problem seems to disappear but I don't understand why every login after the first is removing these permissions?
I tried setting Django up in Debug mode to see if I can get any insights, but the only things I can find that could potentially explain this are:
I found this line in the output of the runcpserver.log after the first login and not after any other ones, and when digging into the class there are definitely references to "is_superuser" in there.
backend INFO Augmenting users with class: <class 'desktop.auth.backend.DefaultUserAugmentor'>
However, I can't tell if this is SUPPOSED to be only called once. If it's supposed to be called every time, I've no idea how to force that from the from configuration available to me.
The other thing I found in the logs that leads me towards suspicion is the following two lines I found, after the login attempts of every user EXCEPT the first:
mdstore ERROR Unsupported binding: urn:oasis:names:tc:SAML:2.0:bindings:SOAP (https://sts.windows.net/xxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxxxx/)
mdstore ERROR Unsupported binding: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST (https://sts.windows.net/xxxxxxx-xxxx-xxxx-xxxxx-xxxxxxxxxxxx/)
But I would have expected this to result in the user not getting access at all if there were issues with the bindings rather than allowing the user to login but altering the attributes of said user.
Would appreciate any thoughts or insights into this, as it's not an area I know particularly well
Finally found the issue after going through the code, and the issue I was hitting was here:
https://github.com/cloudera/hue/blob/master/desktop/libs/libsaml/src/libsaml/backend.py#L91
# If the user already exists, we shouldn't change its superuser
# privileges. However, if there's a naming conflict with a non-external
# user, we should do the safe thing and turn off superuser privs.
existing_profile = get_profile(user)
if existing_profile.creation_method == UserProfile.CreationMethod.EXTERNAL.name:
is_super = user.is_superuser
The if statement checks to see if the way the user was created matches an external source (i.e. LDAP) to ensure that there aren't duplicated entries in the Django database. Since all my users were prepopulated in the database, the first variable was set to "HUE" and the second one was set to "EXTERNAL" consistently, so the if statement was always false.
This meant the user, even though I had set it as a superuser, wasn't inheriting this attribute when being created, UNLESS it was the first user as I was seeing because of this line of code:
https://github.com/cloudera/hue/blob/master/desktop/libs/libsaml/src/libsaml/backend.py#L80
if not UserProfile.objects.filter(creation_method=UserProfile.CreationMethod.EXTERNAL.name).exists():
# If there are no LDAP users already in the system, the first one will
# become a superuser
is_super = True
which was always executing because again, I wasn't using LDAP or anything, I was prepopulating the database in Django directly.
So the fix for me will be removing the if statement in the first code block. I hope this saves someone the two weeks it took me to find :)
I'd like to get the details for an individual post by the logged in user - specifically, the number of likes it's collected.
Using the Javascript API, I've got a working app ID and can login a user and get their basic info. To get info about a specific object, I think it should be:
FB.api('/1234567890_2345678901', function(response) { ...
Where the first part of the number is the user ID and the second part after the underscore is the ID of the post.
However it always returns the same error for every post ID I try:
Unsupported get request. Object with ID ... does not exist, cannot be loaded due to missing permissions, or does not support this operation.
I cannot find anything in the docs about getting details for an object. I'm not sure what additional permissions would be needed. The app control panel has no features for adding individual permissions or finding out what they would be.
You are not supposed to get any data of users who did not authorize your App. If that ID belongs to a post on another users wall, you can´t get access to it. That´s what the error message tells you - you are missing the permission to access it.
Try with an ID that belongs to a post of the currently logged in users wall and it will work. You need the user_posts permission, of course. For example: http://www.devils-heaven.com/facebook-javascript-sdk-login/
hello guys hopefully you guys are willing to work with a newbie I'm working in django and handling a google map (in jscript) which upon displaying a marker I have set a link that is clickable that opens a django url passing data regarding the location of that marker. If that data does not exist in the database I have created a definition in my view that does a check and populates the database with that data if it does not exist. Now the issue here is that what ever you type in for the url parameters ends up becoming populated in the database since there is nothing to validate it against regardless of whether you click in the google map or not. Now what I was looking to do was limit this database addition strictly to when a user clicks on a google map link, what would you guys recommend?
ajax, sessions etc... ? and how to go about it an example per se?
It would be good to have more info.
As a general rule, the http GET method shouldn't be used to change data. In this case, use a POST request, probably through AJAX.
I used read_stream, publish_stream and manage_pages as the permissions for the facebook graph api so that i can access and manipulate a user's feed. I tried using the type parameter to filter the feed and return posts that have messages i.e. by adding 'type=message' to the url but this does not seem to work.
I have tried using the sample in facebook developers' page and it work there. I then compared the two urls (one from the facebook developers' page and the other from my web app) but the only difference was they had different access_tokens. Thus, i concluded that the problem might be the permissions so i am wondering what permission will allow me to perform this operation.
When you said 'Sample in Facebook Developers' page were you referring to the Graph API Explorer?
If so, the explorer automatically requests metadata on queries by silently adding a '?metadata=1' to the query.
If you need the metadata, you should add this too, bearing in mind that there's a namespace collision between the properties of some objects and the metadata (i.e some objects have a field named 'type' which is suppressed if you force the metadata to be returned - you get the 'type' field from the metadata instead)