I've been working on a Django app that authenticates against an LDAP server. I've created permissions and groups in the admin interface. In development mode I have both back-ends active:
AUTHENTICATION_BACKENDS = (
    'django_auth_ldap.backend.LDAPBackend',
    'django.contrib.auth.backends.ModelBackend',
)
Django tries authenticating across all of its authentication back-ends. Regardless of where it succeeds, it uses the ModelBackend authorization (permissions and groups) granted to the users.
But when disabling 'django.contrib.auth.backends.ModelBackend', Django does not use the standard authorization methods. In the production environment I want users to authenticate against LDAP only.
My question:
Is there an option to disable ModelBackend authentication but still use ModelBackend authorization?
EDIT
First note in the docs of django-auth-ldap:
Note: LDAPBackend does not inherit from ModelBackend. It is possible to use LDAPBackend exclusively by configuring it to draw group membership from the LDAP server. However, if you would like to assign permissions to individual users or add users to groups within Django, you'll need to have both backends installed:
But I'm still puzzled. There is no technical reason for this. When both backends are activated, and authenticating against LDAP, Django is still able to use the Django permissions.
This was asked quite a while ago, so I hope you found an answer... but to help anyone else who may stumble across this:
"The permissions given to the user will be the superset of all permissions returned by all backends. That is, Django grants a permission to a user that any one backend grants."
https://docs.djangoproject.com/en/1.11/topics/auth/customizing/#handling-authorization-in-custom-backends
This means that it is falling through and checking the permissions methods of all of the backends: even though you were authenticated using the LDAPBackend, Django is pulling permissions from LDAPBackend + ModelBackend and grouping them all together.
If you REALLY REALLY want to be SURE that ModelBackend.authenticate() is never called, you could always just make your own class MyAuth(ModelBackend) inheriting from ModelBackend and override authenticate in that to just always return None. Then you would include this in your settings.py file.
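As an added illustration of the two points in this answer (permissions are the union over all backends; an authorization-only ModelBackend subclass keeps the permissions while refusing to authenticate), here is a small model of the dispatch, not code from the question, the answer or Django itself. The authenticate() and has_perm() functions re-implement in simplified form what django.contrib.auth.authenticate() and User.has_perm() do, so the three backend combinations can be run offline; FakeUser, the stand-in ModelBackend, FakeLDAPBackend and the two data stores are constructed for this example. In a real project only the AuthorizationOnlyModelBackend class is needed, subclassing django.contrib.auth.backends.ModelBackend.

```python
# Added example: a plain-Python model of how Django walks AUTHENTICATION_BACKENDS
# for login and for permission checks. Everything below except the shape of
# AuthorizationOnlyModelBackend is a constructed stand-in, not Django code.


class FakeUser:
    """Minimal stand-in for the Django User object."""

    def __init__(self, username, password, perms=()):
        self.username = username
        self._password = password            # only the stand-in ModelBackend checks this
        self.user_permissions = set(perms)   # stands in for user + group permissions kept in Django
        self.backend = None                  # Django records which backend authenticated the user


# Constructed auth_user table: alice exists in Django and has one permission.
USERS = {"alice": FakeUser("alice", "db-secret", perms={"news.view_article"})}

# Constructed directory: alice's LDAP password differs from her Django one.
LDAP_DIRECTORY = {"alice": "ldap-secret"}


class ModelBackend:
    """Stand-in for django.contrib.auth.backends.ModelBackend: checks the local
    password and answers permission queries from the local store (the real one
    additionally requires user_obj.is_active)."""

    def authenticate(self, request, username=None, password=None, **kwargs):
        user = USERS.get(username)
        if user is not None and password == user._password:
            return user
        return None

    def has_perm(self, user_obj, perm, obj=None):
        return perm in user_obj.user_permissions


class FakeLDAPBackend:
    """Stand-in for django_auth_ldap.backend.LDAPBackend: binds against the
    directory; without group settings it grants no permission of its own."""

    def authenticate(self, request, username=None, password=None, **kwargs):
        if username in LDAP_DIRECTORY and LDAP_DIRECTORY[username] == password:
            return USERS.get(username)  # the real backend creates/updates this row on login
        return None

    def has_perm(self, user_obj, perm, obj=None):
        return False  # nothing granted unless group permissions are drawn from LDAP


class AuthorizationOnlyModelBackend(ModelBackend):
    """The answer's suggestion: inherit ModelBackend's permission lookups but
    make authenticate() fail unconditionally, so a Django password is never
    accepted. In a project the base class is django.contrib.auth.backends.ModelBackend."""

    def authenticate(self, request, username=None, password=None, **kwargs):
        return None


def authenticate(backends, username, password):
    """Simplified django.contrib.auth.authenticate(): the first backend that
    returns a user wins, and that backend is recorded on the user."""
    for backend in backends:
        user = backend.authenticate(None, username=username, password=password)
        if user is not None:
            user.backend = type(backend).__name__
            return user
    return None


def has_perm(backends, user, perm):
    """Simplified User.has_perm(): the union over every backend that implements
    has_perm(), regardless of which backend authenticated the user."""
    return any(b.has_perm(user, perm) for b in backends if hasattr(b, "has_perm"))


def login_and_check(backends, username, password, perm):
    """Return (name of the backend that authenticated, or None; whether perm is granted)."""
    user = authenticate(backends, username, password)
    if user is None:
        return None, False
    return user.backend, has_perm(backends, user, perm)


DEV = [FakeLDAPBackend(), ModelBackend()]                           # the question's development setting
LDAP_ONLY = [FakeLDAPBackend()]                                    # production as first attempted
PRODUCTION = [FakeLDAPBackend(), AuthorizationOnlyModelBackend()]  # the answer's suggestion

if __name__ == "__main__":
    for name, backends in (("DEV", DEV), ("LDAP_ONLY", LDAP_ONLY), ("PRODUCTION", PRODUCTION)):
        for password in ("ldap-secret", "db-secret"):
            print(name, password, login_and_check(backends, "alice", password, "news.view_article"))
```

Running it shows the three situations from the thread: with both backends the LDAP login gets the Django permission, but so does a login with the Django-side password, which is the exposure the asker wants to close; with LDAPBackend alone the login works but the permission is gone; with the authorization-only subclass in second place the Django password is refused and the permission survives. In settings.py the corresponding production value would list 'django_auth_ldap.backend.LDAPBackend' first and the dotted path of your subclass second (its module name is yours to choose). Setting an unusable password on LDAP-managed users (which django-auth-ldap already does for users it creates) is a complementary measure, not a replacement: it does not stop a password that was later set through the admin.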
Related
I'm using rest_framework_simplejwt.authentication.JWTAuthentication in Django to create tokens for our users.
But some users have limited user permissions (in the admin panel). For example they are only allowed to get articles and nothing else. But the token that simplejwt creates allows the user to get all other data as well.
Is there a way to adjust it? I think simplejwt overwrites the Django permissions.
The token is used just for Authentication purposes, not for Authorisation purposes. You need to use permissions for assigning permissions to different users. Read about django permissions here. If you need to customize permissions, you can extend DjangoModelPermissions class.
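To make the authentication/authorization split in this answer concrete, here is an added example (not code from the question, the answer, or Django REST framework) showing what DjangoModelPermissions actually enforces per HTTP method and how to tighten it so that GET also requires the model's view permission. The perms_map table is the documented default of rest_framework.permissions.DjangoModelPermissions; the has_permission() body re-implements its lookup so the block runs without Django or DRF installed, and FakeUser, FakeRequest and FakeView are constructed stand-ins for what DRF would pass in (DRF reads app_label and model_name from the view's queryset model, not from view attributes). In a project you would subclass DjangoModelPermissions and override only perms_map.

```python
# Added example: what DRF's DjangoModelPermissions requires per method, re-implemented
# in plain Python with constructed stand-ins so it runs offline.

# Documented default map of rest_framework.permissions.DjangoModelPermissions:
# safe methods need NO model permission, which is why an authenticated user
# holding only "view" rights (or none at all) can still GET everything.
# Check the perms_map of the DRF release you run; it has changed between versions.
DEFAULT_PERMS_MAP = {
    "GET": [],
    "OPTIONS": [],
    "HEAD": [],
    "POST": ["%(app_label)s.add_%(model_name)s"],
    "PUT": ["%(app_label)s.change_%(model_name)s"],
    "PATCH": ["%(app_label)s.change_%(model_name)s"],
    "DELETE": ["%(app_label)s.delete_%(model_name)s"],
}


class ModelPermissionsCheck:
    """Stand-in for DjangoModelPermissions.has_permission(): same decision
    logic, no DRF import. Authentication (the JWT) only establishes who
    request.user is; this class decides what that user may do."""

    perms_map = DEFAULT_PERMS_MAP
    authenticated_users_only = True

    def get_required_permissions(self, method, app_label, model_name):
        if method not in self.perms_map:
            return None  # DRF raises MethodNotAllowed here
        return [p % {"app_label": app_label, "model_name": model_name} for p in self.perms_map[method]]

    def has_permission(self, request, view):
        user = request.user
        if not user or (not user.is_authenticated and self.authenticated_users_only):
            return False
        required = self.get_required_permissions(request.method, view.app_label, view.model_name)
        if required is None:
            return False
        return user.has_perms(required)


class StrictModelPermissionsCheck(ModelPermissionsCheck):
    """Same check, but reading needs the model's view permission too. This is
    the override a project would put on a DjangoModelPermissions subclass."""

    perms_map = {
        **DEFAULT_PERMS_MAP,
        "GET": ["%(app_label)s.view_%(model_name)s"],
        "HEAD": ["%(app_label)s.view_%(model_name)s"],
        "OPTIONS": ["%(app_label)s.view_%(model_name)s"],
    }


class FakeUser:
    """Constructed stand-in for request.user as DRF sees it after JWT authentication."""

    def __init__(self, perms, is_authenticated=True):
        self.perms = set(perms)
        self.is_authenticated = is_authenticated

    def has_perms(self, perm_list):
        return all(p in self.perms for p in perm_list)


class FakeRequest:
    def __init__(self, method, user):
        self.method = method
        self.user = user


class FakeView:
    """Constructed stand-in; DRF derives these from view.queryset.model._meta."""
    app_label = "news"
    model_name = "article"


def allowed(check, method, perms, authenticated=True):
    """Run one permission class against a constructed request; returns True/False."""
    return check.has_permission(FakeRequest(method, FakeUser(perms, authenticated)), FakeView())


if __name__ == "__main__":
    for cls in (ModelPermissionsCheck, StrictModelPermissionsCheck):
        for method in ("GET", "POST", "DELETE"):
            print(cls.__name__, method, allowed(cls(), method, ["news.view_article"]))
```

The asker's symptom (a token holder with only the view permission can still read everything) is what the default map produces once a permission class is installed at all; with no permission_classes set, DRF's default is AllowAny and the token grants everything. Put the strict class in REST_FRAMEWORK['DEFAULT_PERMISSION_CLASSES'] or on the view's permission_classes; the token configuration in simplejwt does not need to change.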
I am relatively new to Django. I am using a remote auth backend, but I am wondering if there is a way that I can restrict users that do not have permissions, gotten from REMOTE_USER. Is it similar to the way you do it with a Django Auth system?
Right now everyone who is logged in on my auth backend can access my site.
I want to grant certain users permissions before they login, and deny all other users. Is there a way in which I can do this?
Django's standard user model has is_staff and is_superuser attributes that can easily be toggled.
If you use your remote auth backend for authentication and are still using the django User model you can easily re-use some of this built-in functionality, such as the staff_member_required decorator:
from django.contrib.admin.views.decorators import staff_member_required

# Only users with is_active and is_staff set get through; everyone else
# is redirected to the admin login page.
@staff_member_required
def staff_view(request):
    ...
I want to use LDAP AUTH for django.
For the moment I also have a Django Model Backend where all my users and their groups are.
In my code, a user passes a test in order to access the application. This operation checks if the group to allow is in the user information.
But now I want to stop using Model Authentication and use only LDAP AUTH...
How can I manage to use the same function to allow access, with LDAP groups, without creating a user in the Model?
I don't know much about LDAP in general, but you can follow this tutorial on how to login to LDAP using Python : http://blog.emfeld.com/2013/03/ldap-login-authentication-using-python.html
Once you understand the basics, you can implement login in Django.
Hint : You will have to update the code of the login view. After getting the username and the password from the form, it will now search in LDAP instead of models
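For the question above (an access test based on group membership, with LDAP as the only authentication source), the route the django-auth-ldap note quoted higher up on this page calls "draw group membership from the LDAP server" is a settings change rather than a new login view. The settings.py fragment below is an added example, not code from the question or the answer: the server URI, base DNs, bind account, group names and the LDAP_BIND_PASSWORD environment variable are assumptions for the example, and the setting names are django-auth-ldap's.

```python
# settings.py fragment (added example, not from the post above): LDAP-only login
# with group membership read from the directory and enforced at login.
import os

import ldap
from django_auth_ldap.config import GroupOfNamesType, LDAPSearch

AUTHENTICATION_BACKENDS = (
    "django_auth_ldap.backend.LDAPBackend",  # LDAP only: no ModelBackend, so no Django-password login
)

AUTH_LDAP_SERVER_URI = "ldap://ldap.example.com"        # assumed host
AUTH_LDAP_START_TLS = True                               # never send bind passwords in the clear
AUTH_LDAP_BIND_DN = "cn=django,ou=service,dc=example,dc=com"   # assumed service account
AUTH_LDAP_BIND_PASSWORD = os.environ["LDAP_BIND_PASSWORD"]     # assumed env var; never hard-code it

AUTH_LDAP_USER_SEARCH = LDAPSearch(
    "ou=people,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(uid=%(user)s)"
)
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(
    "ou=groups,dc=example,dc=com", ldap.SCOPE_SUBTREE, "(objectClass=groupOfNames)"
)
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType(name_attr="cn")

# The group test the question performs in a view, moved to login time:
# users outside this group are refused by LDAPBackend.authenticate()
# and never reach a view at all.
AUTH_LDAP_REQUIRE_GROUP = "cn=app-users,ou=groups,dc=example,dc=com"

# Flags on the Django user row follow directory groups, so nothing has to
# be toggled by hand in the admin.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
    "is_active": "cn=app-users,ou=groups,dc=example,dc=com",
    "is_staff": "cn=app-admins,ou=groups,dc=example,dc=com",
}

# Permissions of Django Groups whose names match LDAP group cn values are
# granted on each check without adding the user to those Groups in the
# admin; set MIRROR_GROUPS instead if you want real Group rows maintained.
AUTH_LDAP_FIND_GROUP_PERMS = True
AUTH_LDAP_MIRROR_GROUPS = False

# Re-read flags and attributes at every login so a removal in LDAP takes effect.
AUTH_LDAP_ALWAYS_UPDATE_USER = True
```

Two caveats for the asker's exact wording: django-auth-ldap still creates a row in the Django user table on first login (request.user has to be something), so "without creating a user in the Model" is not literally achievable, but nothing about that user needs to be managed in the admin; and the group check runs when the user authenticates, so a user removed from the LDAP group keeps an already-issued session until it expires or is cleared. If you want to keep the existing view-level test, request.user.ldap_user.group_names gives the LDAP group names of the logged-in user for that check.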
I'm using django-allauth for my Django web app. How can I ban certain users from logging in or restrict certain actions after they log in for a period of time?
Should I just deactivate their accounts outright? What are some good solutions?
Normally for Django authentication you would set the user object's is_active attribute to False and the user wouldn't be able to log in (into django admin for example). But since you're using allauth, simply setting the is_staff attribute would be enough to block them from entering django admin, for example.
Now, if you're implementing another type of frontend dashboard or need to set rules for how a user logs in, I'd say use AccessMixins if you're using CBVs or decorators if you're using FBVs, especially the UserPassesTest mixin and user_passes_test decorator. With them you can check if a user complies with a certain rule and then allow them to log in or not. Check the docs here.
I am using Django for a small one-person tool. I would like to add/adapt my models via the admin interface, but I don't want to log in every time.
How can I switch off the required authentication at /admin/?
I highly recommend against going down that road:
Is it possible? No; the admin relies on the django auth app being in your settings' INSTALLED_APPS; of course this is because the admin relies on permissions and permissions rely on the admin user being authenticated.
The admin is built to edit not simply "your" models but also the models enabling the admin itself, mainly the models exposed by the auth app itself.
What to do ... 2 options:
Quickly develop a simple solution requiring no authentication using Django's ModelForms - docs and another good link here.
If it's a "one-person tool" then simply keep your authentication details saved in the browser you use; i.e. let the browser remember your username and password, so you just have to hit the "login" button rather than re-enter your data.