I'm trying to create a kind of quick response form where a user does not need to login but is identified with his uuid (in the url). Moreover i need to restrict his permissions for this session so that he only could to a few things.
User gets url with UUID and ID of event (Where he can response)
User clicks on link and response page opens
User is identified via uuid
With the id of the event the event response form is generated
User can chose options and submit the form
Normally there are multiple other options (e.g. in the menue) available but these should only be accessible if user identifies with his username and password.
Of course i could write a special view but is there a more elegant way where i could reuse my existing view for the response?
First you'll want to use the UUID to trigger the login.
How you approach this will depend on whether you mind using a specific login url/view or you want people to arrive directly at the intended url/view (just with the UUID parameter). If you use a specific view you'll check the UUID, (presumably mark it as used/expired), then login the user. Alternatively for the UUID to checked and have users login via any url/view, you'll want a to use a custom middleware that's placed ahead of AuthenticationMiddleware in your middleware settings. In each case, once you have the logged in the user, you'll want to store in session some sort of flag to indicate they've auth'd via a temporary login UUID.
Now that you've authenticated and logged in the user via the UUID, it's time to serve them the view. At this point in your View you'll check for presence of the flag in the user session to determine their permissions.
You could go further and create another middleware class to encapsulate the session lookups and add a property, say "is_auth_temporary", to the request.User object that is a sibling to the is_anonymous and is_authenticated property.
Related
i try to build a REST API with Flask-JSONAPI and Flask Security.
I use Auth Token for authentication and #login_required to secure my API Endpints. (Authentication)
But now I want to ensure that only the owner of objects (Creator) can (C)RUD the data. Right now every user can see every object that is created. (Autorisation)
I want to use Resource Manager here but did't find a proper example for Flask Security in Resource Managers.
For Example the user (person) can only see the computer objects associated with the same user id.
Do I have to use the Auth Token for that?
Is there a simple way to get the id of the user logged in, doing the request?
from flask_security import current user
That represents a user instance of the currently logged in user. This user can be anonymous in cases where no user is logged in, but if a user is logged in then the object will represent an object of the User class.
I'm using python-social-auth to allow users to login via SAML; everything's working correctly, except for the fact that if a logged-in user opens the SAML login page and logs in again as a different user, they'll get an association with both of the SAML users, rather than switch login.
I understand the purpose behind this (since it's what you can normally do to associate the user with different auth services) but in this case I need to enforce a single association (ie. if you're logged in with a given SAML IdP, you cannot add another association for the same user with the same provider).
Is there any python-social-auth solution for this, or should I cobble together something (for instance, preventing logged-in users from accessing the login page)?
There's no standard way to do it in python-social-auth, there are a few alternatives:
Override the login page and if there's a user authenticated, then log them out first, or show an error, whatever fits your projects.
Add a pipeline function and set it in the top that will act if user is not None, you can raise an error, logout the user, etc.
Override the backend and extend the auth_allowed method in it return False if there's a valid user instance at self.strategy.request.user. This will halt the auth flow and AuthForbidden will be raised.
I'm making a mobile app that allows a registered user to
make a list of favourite email addresses.
I pretend to make the authentication process through openId,
so the user can login to the system using its gmail account.
The registered users of the system can insert many email
addresses to a database.
Then I have many controller methods.
One of them is getUsersByName(admin_email), which receives the email
of a registered user and returns a list of email adress inserted
by that user.
Now, the problem is that I don't want everyone can access
to getUsersByName(admin_email) and retrieve the response
related to every registered user.
What options do I have so only the user that inserted the email
addresses can access to the list related to it.
For instance, if a registered user calls getUsersByName(admin_email),
the server responses with the right list, but if someone not
registered makes an http request to getUsersByName(admin_email), the
server responses with a JSON error object.
My backend is in django and I want to make the client in Android.
I hope I have been clear enough.
Thanks in advance!
The easiest way to achieve what you're looking for is this and I'm going to assume Django 1.6 and that you're using a functional view and not a Class based View.
#login_required
def getUsersByName(request):
user_email = request.user.email
all_users_emails = UserEmail.objects.filter(added_by=user_email)
return render_to_response(...)
What this does is that this view is now protected by the decorator #login_required from being accessed if you're not logged in, i.e. you have to be registered and logged in, in order to view your added emails.
It will also redirect to your login view if an unregistered users tries to gain access to the view.
Furthermore by doing it like this, your users will never be able to send in others email addresses in order to gain access to them.
For Class based views you can take two approaches, both explained here
I'm trying to limit access to a Django view for a unique user, but shouldn't require the user to register. The use case is a link would be sent to a customer to view a page with private information that only he/she can see, but doesn't require them to register with the site. I'm thinking using some type of token might be the way to go but I'm not sure. What is the best way to solve this?
Here is typically how such a use case is implemented:
A new entry is created in a model with a unique (and long) random token and a foreign key to the user information
A URL endpoint consisting of the random token in the path or part of query parameters is sent via email.
The view for that URL looks up the entry in the model and retrieves the corresponding user information.
Optionally, the entry is deleted so that the URL cannot be reused in case the email falls into wrong hands.
In this Django code I inherited there is a check for request.user.is_authenticated().
How do I set this authenticated attribute for a user, in particular when I am doing a registration through AJAX JSON?
To log a user in, you should django.contrib.auth.login - see the docs here: https://docs.djangoproject.com/en/1.5/topics/auth/default/#auth-web-requests
Note, though, that you should authenticate the user (i.e. check their credentials) before you do so, with django.contrib.auth.authenticate - same docs as above.
This is regardless of whether you're using AJAX or not - this code has to be in a view somewhere that gets called in order for the user to get logged in. Whether that view is called via AJAX or not is irrelevant.
The only user this will return false for is AnonymousUser; all other users have it return true via their superclass. Therefore all you need to do is authenticate the user normally.