On 9 April 2010 19:00, vishwajeet singh <[email protected]> wrote:
> Thanks for the quick response Graham I have gone through these links many
> times but still fail to understand how it will work for me.
> Let me give you some more details
> I am not doing either group authorization or host authorization, I have
> django app and users have different roles in that application, so once user
> is authenticated I want to look into db if the user is in particular role or
> not, if he is not a role give him authorization required or you don't have
> access to this resource. I want to use this authorization to handle access
> for webdav folders which are not directly part of django app.
> Hope that makes me more clear, thank you so much for your response.

Depends on how you are going to do this with Django, but a role is not
really any different to a group or even a Django user permission.

For example, the following might be able to be used (although I have
not tested it).

import os, sys
sys.path.append('/usr/local/django')
os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'

from django.contrib.auth.models import User
from django import db

def groups_for_user(environ, user):
    db.reset_queries()

    kwargs = {'username': user, 'is_active': True}

    try:
        try:
            user = User.objects.get(**kwargs)
        except User.DoesNotExist:
            return ['']

        return user.get_group_permissions()
    finally:
        db.connection.close()

In other words, just look up user and return permissions associated
with that user through the groups they are in.

I don't actually use Django but I presume this can be used to
designate the roles they have.

Then in Apache configuration you can have:

AuthType Basic
AuthName "Top Secret"
AuthBasicProvider dbm
AuthDBMUserFile /usr/local/wsgi/accounts.dbm
WSGIAuthGroupScript /usr/local/wsgi/scripts/auth.wsgi
Require valid-user

<Location /some/url>
Require group can_do_stuff
</Location>

<Location /some/other/url>
Require group can_do_other_stuff
</Location>

So don't get hung up on the 'group' name used as argument to 'Require'
directive. You can still return a list of permissions and match
against that.

From Apache 2.3 onwards, you will have to actually use 'wsgi-group'
instead of 'group'. Seems I haven't noted this in documentation and
that 'wsgi-group' already works for older Apache and should now be
used in preference to 'group'.

Also note if using check_password() to authenticate user against
Django previously, to avoid second database lookup, you could always
stash the permissions in thread local storage and have the
groups_for_user() look up that, validate is for same user and return
it.

You will need to use mod_wsgi 3.X to use thread local storage like that however.

BTW, if you get this working, post what you use. If I get a working
example from someone with a bit of a description of what you do on
Django admin side to populate permissions, could include it in
documentation as example.

Graham

> On Fri, Apr 9, 2010 at 2:22 PM, Graham Dumpleton
> <[email protected]> wrote:
>>
>> On 9 April 2010 18:25, Vishwajeet <[email protected]> wrote:
>> > Hi,
>> > I have script which is currently doing authentication and it's working
>> > fine.
>> > My question is how can I define an authorization script to check
>> > access ?
>> > I tried browsing through all directives but none of them seems to mention
>> > about authorization.
>>
>> See:
>>
>>
>>  http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIAuthUserScript
>>
>>  http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIAuthGroupScript
>>  http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms
>>
>> Graham
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "modwsgi" group.
>> To post to this group, send email to [email protected].
>> To unsubscribe from this group, send email to
>> [email protected].
>> For more options, visit this group at
>> http://groups.google.com/group/modwsgi?hl=en.
>>
>
>
>
> --
> Vishwajeet Singh
> +91-9657702154 | [email protected] | http://bootstraptoday.com
> Twitter: http://twitter.com/vishwajeets | LinkedIn:
> http://www.linkedin.com/in/singhvishwajeet
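
The thread-local stash suggested in the reply above, where check_password() saves the permissions and groups_for_user() reuses them only for the same user, as an added example that is not part of the original message or mod_wsgi's own code. The in-memory account table and the load_account() helper are constructed stand-ins for the Django query, and the plaintext comparison stands in for Django's password check.

```python
import hmac
import threading

# Constructed stand-in for the Django lookup (User.objects.get(...) plus
# get_group_permissions()); names, passwords and permissions are made up.
# A real deployment verifies Django's password hash, never plaintext.
_ACCOUNTS = {
    'alice': ('alice-pass', ['can_do_stuff']),
    'bob': ('bob-pass', ['can_do_stuff', 'can_do_other_stuff']),
}
lookups = []  # records each simulated database hit, for demonstration


def load_account(user):
    """Hypothetical helper: one simulated database round trip."""
    lookups.append(user)
    return _ACCOUNTS.get(user)


_stash = threading.local()


def check_password(environ, user, password):
    """mod_wsgi WSGIAuthUserScript hook: True, False, or None if unknown."""
    _stash.entry = None  # drop anything left by an earlier request
    account = load_account(user)
    if account is None:
        return None
    expected, permissions = account
    if not hmac.compare_digest(password.encode(), expected.encode()):
        return False
    _stash.entry = (user, list(permissions))  # only after success
    return True


def groups_for_user(environ, user):
    """mod_wsgi WSGIAuthGroupScript hook: names matched by 'Require'."""
    entry = getattr(_stash, 'entry', None)
    _stash.entry = None  # one-shot: never reuse across requests
    if entry is not None and entry[0] == user:
        return entry[1]
    # Miss, or stash belongs to another user: do a fresh lookup.
    account = load_account(user)
    return list(account[1]) if account else ['']
```

Clearing the stash on every call keeps a worker thread from handing one request's permissions to the next request it serves.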
