I have Django project that has two apps App1 and App2)
each app has only 1 view.
. My project connected to openldap using django-auth-ldap.
I have two groups(Group1, Group2).
I Added decorators before my views in app1 and app2 (#login_required) and the result as expected that all users from group1 and group2 will be able to login to both apps.
I want to be able to just allow group1 to access app1 only and group2 access app2 only.
I tried many codes but no one work with me.
Here is my code:
app1.views.py
from django.shortcuts import render
from django.template import loader
from django.http import HttpResponse
from django.contrib.auth.decorators import login_required
from django.contrib.auth import views as auth_views
#login_required(login_url='/accounts/login/')
def index(request):
#getting our template
template = loader.get_template('main/index.html')
#rendering the template in HttpResponse
return HttpResponse(template.render())
Here is my ldap settings from settings.py:
#Generated by 'django-admin startproject' using Django 1.11.
import os
import django
AUTHENTICATION_BACKENDS = ('django_auth_ldap.backend.LDAPBackend',)
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
AUTH_LDAP_SERVER_URI = "ldap://mydomain.com"
AUTH_LDAP_BIND_DN = "cn=admin,dc=mydomain,dc=com"
AUTH_LDAP_BIND_PASSWORD = "mypass"
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=ou_org_unit,dc=mydomain,dc=com",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=ou_org_unit,cn=group1,cn=group2,dc=mydomain,dc=com",
ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)"
)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "mail"
}
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
First I would map a property to the user object that specifies which group the user is in:
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "mail",
"ldap_group": "cn" # not 100% sure if this is what's required, just guessing
}
Then make a decorator with user_passes_test:
from django.contrib.auth.decorators import user_passes_test
def ldap_group_required(group_name):
"""
Checks if a user is in the specified LDAP group.
"""
return user_passes_test(
lambda u: hasattr(u, 'ldap_group') and u.ldap_group == group_name,
login_url='/accounts/login/'
)
Use it on a view like so:
#ldap_group_required('group1')
def index(request):
#getting our template
template = loader.get_template('main/index.html')
#rendering the template in HttpResponse
return HttpResponse(template.render())
If you check out the source code, this is effectively how login_required works.
I would personally recommend a slightly different approach to this, using Django's built-in permissions.
What you can do is create custom permissions, for example, can_access_app1 and can_access_app2. Then, since django-auth-ldap will automatically copy all of your groups into the Django database for you, you can then assign those permissions to the appropriate groups.
Now that your groups and their respective permissions are set up, you would then decorate your views appropriately. For example:
# app1/views.py
from django.contrib.auth.decorators import permission_required
from django.http import HttpResponse
from django.shortcuts import render
from django.template import loader
#permission_required('app1.can_access_app1')
def index(request):
#getting our template
template = loader.get_template('main/index.html')
#rendering the template in HttpResponse
return HttpResponse(template.render())
This approach would be well-documented, not introduce any special trickery having to manipulate your user objects, and would also have the added advantage that you can assign these permissions to individuals as well if you want to give special access. In addition, any superuser account will automatically have both permissions for no extra effort!
Related
There are many similar questions to mine on Stack Overflow, but none which solve my problem.
I have a class-based view which accepts files, and once a valid file is found, I would like the website to redirect the user to a template inside a different app, passing in some parameters.
I've seen others put an extra path in 'urlpatterns' and get the view from there. But doing this only makes a GET signal on my command prompt, but not actually changing the web url.
views.py
from django.shortcuts import render, redirect # used to render templates
from django.http import JsonResponse
from django.views import View
from .forms import UploadForm
from .models import FileUpload
class UploadView(View):
def get(self, request):
files_list = FileUpload.objects.all()
return render(self.request, 'upload/upload.html', {'csv_files': files_list})
def post(self, request):
form = UploadForm(self.request.POST, self.request.FILES)
if form.is_valid():
csv_file = form.save()
data = {'is_valid': True,
'name': csv_file.file.name,
'url': csv_file.file.url,
'date': csv_file.uploaded_at}
# REDIRECT USER TO VIEW PASSING 'data' IN CONTEXT
return redirect('graph:chart', file_url=csv_file.file.url)
else:
data = {'is_valid': False}
return JsonResponse(data)
urls.py
from django.urls import path
from . import views
app_name = "upload"
urlpatterns = [
path('', views.UploadView.as_view(), name='drag_and_drop'),
]
urls.py (of other app)
from django.urls import path
from . import views
app_name = "graph"
urlpatterns = [
path('', views.page, name='chart'),
]
You can specify an app name and use exactly the redirect shortcut as you started:
https://docs.djangoproject.com/en/2.1/topics/http/urls/#naming-url-patterns
in the other app urls.py define app_name = 'other_app', and then use redirect('other_app:url_name', parameter1=p1, parameter2 = p2)
you can name easily your parameters either using path (Django >=2.0) or url (re_path for Django >=2.0), for instance:
from django.urls import path
from . import views
urlpatterns = [
path('articles/<int:year>/<int:month>/<slug:slug>/', views.article_detail),
re_path(r'^articles/(?P<year>[0-9]{4})/$', views.year_archive),
]
I am adding settings.py, root url and views.py. After login user is redirected to respective dashboard. In this situation, if user is pressing back button or changing url to accounts/login, then also it should remain on the dashboard page only. I am using django-registration-redux
settings.py
REGISTRATION_OPEN = True
ACCOUNT_ACTIVATION_DAYS = 7
REGISTRATION_AUTO_LOGIN = False
REGISTRATION_FORM = 'signin.forms.MyRegForm'
LOGIN_REDIRECT_URL = '/signin/user_sign/'
views.py
def user_sign(request):
obj = UserSelection.objects.get(user=request.user)
if obj.user_type == 'candidate':
return redirect('candidate:cand_dash')
else:
return redirect('employer:employer_dash')
urls.py
from django.conf.urls import url, include
from django.contrib import admin
from django.conf import settings
from signin.regbackend import MyRegistrationView
from django.contrib.auth import views as auth_views
urlpatterns = [
url(r'^$', auth_views.LoginView.as_view(template_name='registration/login.html'), name='home'),
url(r'^accounts/register/$', MyRegistrationView.as_view(), name='registration_register'),
url(r'^accounts/', include('registration.backends.default.urls')),
url(r'^candidate/', include('candidate.urls')),
url(r'^employer/', include('employer.urls')),
url(r'^signin/', include('signin.urls')),
]
You could use a Boolean variable authenticated.
Then you should need to set it as False before the user Authentication.
def registration(request):
authenticated = False
...
Then after the user's authentication just change the var as authenticated = True
Finally every time you need to know if user is authenticated just use if user.authenticated
Also, if you need to use authenticated a lot take a look at custom decorators (https://docs.djangoproject.com/en/2.0/topics/http/decorators/) maybe they could help you.
My Django ( Django 1.11) project is using django-auth-ldap 1.2 as authentication backed.
I have no problem to authenticate any user agents LDAP database using:
#login_required(login_url='/accounts/login/')
and in this case, any user from any group can login to the site.
I want to allow only user from 'group1' to be able to access the website.
I used the code listed below
from django.shortcuts import render
from django.template import loader
from django.http import HttpResponse
from django.contrib.auth.decorators import login_required
from django.contrib.auth import views as auth_views
#user_passes_test(
lambda u: hasattr(u, 'ldap_user') and 'group1' in u.ldap_user.group_names,
login_url='/accounts/login/')
def index(request):
template = loader.get_template('main/index.html')
return HttpResponse(template.render())
This is code is not working and user will never pass the test.
According to the model documents django-auth-ldap Document I can use ldap_user.group_names to get group names of a user.
Here is my ldap settings from settings.py:
import os
import django
AUTHENTICATION_BACKENDS = ('django_auth_ldap.backend.LDAPBackend',)
import ldap
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
AUTH_LDAP_SERVER_URI = "ldap://mydomain.com"
AUTH_LDAP_BIND_DN = "cn=admin,dc=mydomain,dc=com"
AUTH_LDAP_BIND_PASSWORD = "mypass"
AUTH_LDAP_USER_SEARCH = LDAPSearch("ou=ou_org_unit,dc=mydomain,dc=com",
ldap.SCOPE_SUBTREE, "(uid=%(user)s)")
AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=ou_org_unit,cn=group1,cn=group2,dc=mydomain,dc=com",
ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)"
)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": "givenName",
"last_name": "sn",
"email": "mail"
}
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
My question is:
Why I am not able to authenticate any user with this code?
You should be using the AUTH_LDAP_REQUIRE_GROUP setting if you want to restrict logins to a single group.
You will also likely want to use AUTH_LDAP_MIRROR_GROUPS in order to have all of your LDAP groups automatically loaded into your Django database.
As a bonus, you can include multiple groups in the AUTH_LDAP_REQUIRE_GROUP setting, by using the LDAPGroupQuery class. For example (taken from the documentation):
from django_auth_ldap.config import LDAPGroupQuery
AUTH_LDAP_REQUIRE_GROUP = (
(
LDAPGroupQuery("cn=enabled,ou=groups,dc=example,dc=com") |
LDAPGroupQuery("cn=also_enabled,ou=groups,dc=example,dc=com")
) &
~LDAPGroupQuery("cn=disabled,ou=groups,dc=example,dc=com")
)
I created a view for my model, with the corresponding urls and template files. Then, in the admin panel, I have created a Rich text page, specifying the same URL (ingredients) defined in urlpatterns. Mezzanine ignores the view, displays the template but does not pass the context.
How can I solve it?
These are the codes:
models.py
from django.db import models
from mezzanine.pages.models import Page
from django.utils.translation import ugettext_lazy as _
class Ingredient(Page):
name = models.CharField(max_length=60)
information = models.TextField(null=True, blank=True, verbose_name=_("Description"))
views.py
from django.template.response import TemplateResponse
from .models import Ingredient
def ingredients(request):
ingredients = Ingredient.objects.all().order_by('name')
templates = ["pages/ingredients.html"]
return TemplateResponse(request, templates, {'ingredients':ingredients})
urls.py
from django.conf.urls import url
from .views import ingredients
urlpatterns = [
url("^$", ingredients, name="ingredients"),
]
TemplateResponse does not expect the request in its arguments. See the docs.
return TemplateResponse(templates, {'ingredients':ingredients})
However I expect you meant to use the standard render function there:
return render(request, "pages/ingredients.html", {'ingredients':ingredients})
Ok, the solution has been define my app urls before any other definition in my project urls.py file.
project_name/project_name/urls.py
# Add the urlpatterns for any custom Django applications here.
# You can also change the ``home`` view to add your own functionality
# to the project's homepage.
urlpatterns = [
url(r'^ingredients/', include("apps.ingredients.urls")),
]
urlpatterns += i18n_patterns(
# Change the admin prefix here to use an alternate URL for the
# admin interface, which would be marginally more secure.
url("^admin/", include(admin.site.urls)),
)
Django-Registration has several form classes in the forms.py file. One is "class RegistrationFormTermsOfService(RegistrationForm) ..
What do I change in the rest of Django Registration code to enable this form in my registration flow instead of RegistrationForm?
Updating the accepted answer to conform with Django 1.5 and the latest version of django-registration:
in urls.py:
from registration.forms import RegistrationFormTermsOfService
from registration.backends.default.views import RegistrationView
urlpatterns = patterns('',
url(r'^accounts/register/$', RegistrationView.as_view(form_class=RegistrationFormTermsOfService), name='registration_register'),
# your other URLconf stuff follows ...
)
then update the registration_form.html template and add a tos field, e.g.:
<p>
<label for="id_tos">I accept the terms of service</label>
{% if form.tos.errors %}
<p class="errors">{{ form.tos.errors.as_text }}</p>
{% endif %}
{{ form.tos }}
</p>
You can simply go into your urls.py and override the form class by doing something like:
from registration.forms import RegistrationFormTermsOfService
(r'^accounts/register/$', 'registration.views.register', {'form_class' : RegistrationFormTermsOfService}),
Here is a practical example using a custom form and backend which sets username == email address, and only prompts the user for an email address at registration. In, for e.g. my_registration.py:
from django.conf import settings
from django.contrib.sites.models import RequestSite
from django.contrib.sites.models import Site
from registration import signals
from registration.forms import RegistrationForm
from registration.models import RegistrationProfile
from registration.backends.default import DefaultBackend
class EmailRegistrationForm(RegistrationForm):
def __init__(self, *args, **kwargs):
super(EmailRegistrationForm,self).__init__(*args, **kwargs)
del self.fields['username']
def clean(self):
cleaned_data = super(EmailRegistrationForm,self).clean()
if 'email' in self.cleaned_data:
cleaned_data['username'] = self.cleaned_data['username'] = self.cleaned_data['email']
return cleaned_data
class EmailBackend(DefaultBackend):
def get_form_class(self, request):
return EmailRegistrationForm
In my_registration_urls.py:
from django.conf.urls.defaults import *
from django.views.generic.simple import direct_to_template
from registration.views import activate
from registration.views import register
urlpatterns = patterns('',
url(r'^activate/complete/$',
direct_to_template,
{ 'template': 'registration/activation_complete.html' },
name='registration_activation_complete'),
# Activation keys get matched by \w+ instead of the more specific
# [a-fA-F0-9]{40} because a bad activation key should still get to the view;
# that way it can return a sensible "invalid key" message instead of a
# confusing 404.
url(r'^activate/(?P<activation_key>\w+)/$',
activate,
{ 'backend': 'my_registration.EmailBackend' },
name='registration_activate'),
url(r'^register/$',
register,
{ 'backend': 'my_registration.EmailBackend' },
name='registration_register'),
url(r'^register/complete/$',
direct_to_template,
{ 'template': 'registration/registration_complete.html' },
name='registration_complete'),
url(r'^register/closed/$',
direct_to_template,
{ 'template': 'registration/registration_closed.html' },
name='registration_disallowed'),
(r'', include('registration.auth_urls')),
)
Then in your core urls.py, ensure you include:
url(r'^accounts/', include('my_registration_urls')),
You'll need to write a new registration form somewhere in your project. You can inherit off of the existing authentication form if you're just expanding new fields. You'll then want to write a new backend to process the form. Finally you'll need to write your own url and auth_urls and redefine the urls to switch the backend and authentication form in the views by changing the variables that get passed to the view.
It's helpful to break open the source to see how things are working. I base my structure off of the original django-registration code to keep things consistent.
As to django 1.11 and django-registration 2.2 there are some updated imports... so if you get "No module named 'registration'" this could be the problem...
Replace:
from registration.backends.hmac.views import RegistrationView
by from django_registration.backends.activation.views import RegistrationView
from registration.forms import RegistrationForm
by from django_registration.forms import RegistrationForm
include('django_registration.backends.hmac.urls') in urls
by include('django_registration.backends.activation.urls')
Just to name a few... ;)
Src: https://django-registration.readthedocs.io/en/3.0/custom-user.html