On Apr 9, 3:32 pm, Graham Dumpleton <[email protected]> wrote:
> On 9 April 2010 19:00, vishwajeet singh <[email protected]> wrote:
>
> > Thanks for the quick response Graham I have gone through these links many
> > times but still fail to understand how it will work for me.
> > Let me give you some more details
> > I am not doing either group authorization or host authorization, I have
> > django app and users have different roles in that application, so once user
> > is authenticated I want to look into db if the user is in particular role or
> > not, if he is not a role give him authorization required or you don't have
> > access to this resource. I want to use this authorization to handle access
> > for webdav folders which are not directly part of django app.
> > Hope that makes me more clear, thank you so much for your response.
>
> Depends on how you are going to do this with Django, but a role is not
> really any different to a group or even a Django user permission.
>
> For example, the following might be able to be used (although I have
> not tested it).
>
> import os, sys
> sys.path.append('/usr/local/django')
> os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'
>
> from django.contrib.auth.models import User
> from django import db
>
> def groups_for_user(environ, user):
>     db.reset_queries()
>
>     kwargs = {'username': user, 'is_active': True}
>
>     try:
>         try:
>             user = User.objects.get(**kwargs)
>         except User.DoesNotExist:
>             return ['']
>
>         return user.get_group_permissions()
>     finally:
>         db.connection.close()
>
> In other words, just look up user and return permissions associated
> with that user through the groups they are in.
>
> I don't actually use Django but I presume this can be used to
> designate the roles they have.
>
> Then in Apache configuration you can have:
>
> AuthType Basic
> AuthName "Top Secret"
> AuthBasicProvider dbm
> AuthDBMUserFile /usr/local/wsgi/accounts.dbm
> WSGIAuthGroupScript /usr/local/wsgi/scripts/auth.wsgi
> Require valid-user
>
> <Location /some/url>
> Require group can_do_stuff
> </Location>
>
> <Location /some/other/url>
> Require group can_do_other_stuff
> </Location>
>
> So don't get hung up on the 'group' name used as argument to 'Require'
> directive. You can still return a list of permissions and match
> against that.
>
> From Apache 2.3 onwards, you will have to actually use 'wsgi-group'
> instead of 'group'. Seems I haven't noted this in documentation and
> that 'wsgi-group' already works for older Apache and should now be
> used in preference to 'group'.
>
> Also note if using check_password() to authenticate user against
> Django previously, to avoid second database lookup, you could always
> stash the permissions in thread local storage and have the
> groups_for_user() look up that, validate is for same user and return
> it.
>
> You will need to use mod_wsgi 3.X to use thread local storage like that
> however.
>
> BTW, if you get this working, post what you use. If I get a working
> example from someone with a bit of a description of what you do on
> Django admin side to populate permissions, could include it in
> documentation as example.
>
Thanks for an elaborate reply that really helped me to move in the
right direction, I did the suggested changes and it seems to be
working, though I need to do some more testing before I have something
concrete :)

> Also note if using check_password() to authenticate user against
> Django previously, to avoid second database lookup, you could always
> stash the permissions in thread local storage and have the
> groups_for_user() look up that, validate is for same user and return
> it.

I am using check_password() but I don't know how to stash the
permissions in thread local storage, can you please let me know how to
do this?

One more thing is that if the required group is not matched it keeps
on prompting for authentication instead of saying authorization
required.

Once I am done with the implementation I will surely share the script.
Thanks a lot for your help, much appreciated.

> Graham
>
> > On Fri, Apr 9, 2010 at 2:22 PM, Graham Dumpleton
> > <[email protected]> wrote:
>
> >> On 9 April 2010 18:25, Vishwajeet <[email protected]> wrote:
> >> > Hi,
> >> > I have script which is currently doing authentication and it's working
> >> > fine.
> >> > My question is how can I define an authorization script to check
> >> > access ?
> >> > I tried browsing through all directives but none of seems to mention
> >> > about authorization.
>
> >> See:
>
> >> http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIAut...
>
> >> http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIAut...
> >> http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms
>
> >> Graham
>
> >> --
> >> You received this message because you are subscribed to the Google Groups
> >> "modwsgi" group.
> >> To post to this group, send email to [email protected].
> >> To unsubscribe from this group, send email to
> >> [email protected].
> >> For more options, visit this group at
> >> http://groups.google.com/group/modwsgi?hl=en.
>
> > --
> > Vishwajeet Singh
> > +91-9657702154 | [email protected] | http://bootstraptoday.com
> > Twitter: http://twitter.com/vishwajeets | LinkedIn:
> > http://www.linkedin.com/in/singhvishwajeet
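
Added example, not part of the original thread or of mod_wsgi's documentation: one way to stash permissions in thread-local storage between check_password() and groups_for_user(), as suggested in the thread. The in-memory USERS table, load_user() and lookup_count() are constructed stand-ins for the Django database lookup, and the code assumes both hooks run on the same thread for one request.

```python
import hashlib
import hmac
import threading

def _hash(password, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

# Constructed sample accounts standing in for the Django user table.
USERS = {
    "alice": {"hash": _hash("s3cret"), "perms": ["can_do_stuff"]},
    "bob": {"hash": _hash("hunter2"), "perms": ["can_do_other_stuff"]},
}
_lookups = 0  # counts simulated database round trips

def load_user(name):
    global _lookups
    _lookups += 1
    return USERS.get(name)

def lookup_count():
    return _lookups

_stash = threading.local()

def check_password(environ, user, password):
    _stash.entry = None  # never carry state over from an earlier request
    record = load_user(user)
    if record is None:
        return None  # mod_wsgi convention: user does not exist
    if not hmac.compare_digest(record["hash"], _hash(password)):
        return False
    # Stash only after successful authentication, bound to the username.
    _stash.entry = (user, list(record["perms"]))
    return True

def groups_for_user(environ, user):
    entry = getattr(_stash, "entry", None)
    _stash.entry = None  # single use, so stale permissions are never served
    if entry is not None and entry[0] == user:
        return entry[1]
    # Nothing stashed, or stashed for another user: do a fresh lookup.
    record = load_user(user)
    return list(record["perms"]) if record else [""]
```

Binding the stash to the username and clearing it on every read means a worker thread that later serves a different user, or a request where check_password() was not called, falls back to the database instead of returning another request's permissions.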
