On 9 April 2010 22:19, Vishwajeet <[email protected]> wrote:
>
> On Apr 9, 3:32 pm, Graham Dumpleton <[email protected]>
> wrote:
>> On 9 April 2010 19:00, vishwajeet singh <[email protected]> wrote:
>>
>> > Thanks for the quick response Graham I have gone through these links many
>> > times but still fail to understand how it will work for me.
>> > Let me give you some more details
>> > I am not doing either group authorization or host authorization, I have
>> > django app and users have different roles in that application, so once user
>> > is authenticated I want to look into db if the user is in particular role
>> > or not, if he is not a role give him authorization required or you don't have
>> > access to this resource. I want to use this authorization to handle access
>> > for webdav folders which are not directly part of django app.
>> > Hope that makes me more clear, thank you so much for your response.
>>
>> Depends on how you are going to do this with Django, but a role is not
>> really any different to a group or even a Django user permission.
>>
>> For example, the following might be able to be used (although I have
>> not tested it).
>>
>> import os, sys
>> sys.path.append('/usr/local/django')
>> os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'
>>
>> from django.contrib.auth.models import User
>> from django import db
>>
>> def groups_for_user(environ, user):
>>     db.reset_queries()
>>
>>     kwargs = {'username': user, 'is_active': True}
>>
>>     try:
>>         try:
>>             user = User.objects.get(**kwargs)
>>         except User.DoesNotExist:
>>             return ['']
>>
>>         return user.get_group_permissions()
>>     finally:
>>         db.connection.close()
>>
>> In other words, just look up user and return permissions associated
>> with that user through the groups they are in.
>>
>> I don't actually use Django but I presume this can be used to
>> designate the roles they have.
>>
>> Then in Apache configuration you can have:
>>
>> AuthType Basic
>> AuthName "Top Secret"
>> AuthBasicProvider dbm
>> AuthDBMUserFile /usr/local/wsgi/accounts.dbm
>> WSGIAuthGroupScript /usr/local/wsgi/scripts/auth.wsgi
>> Require valid-user
>>
>> <Location /some/url>
>> Require group can_do_stuff
>> </Location>
>>
>> <Location /some/other/url>
>> Require group can_do_other_stuff
>> </Location>
>>
>> So don't get hung up on the 'group' name used as argument to 'Require'
>> directive. You can still return a list of permissions and match
>> against that.
>>
>> From Apache 2.3 onwards, you will have to actually use 'wsgi-group'
>> instead of 'group'. Seems I haven't noted this in documentation and
>> that 'wsgi-group' already works for older Apache and should now be
>> used in preference to 'group'.
>>
>> Also note if using check_password() to authenticate user against
>> Django previously, to avoid second database lookup, you could always
>> stash the permissions in thread local storage and have the
>> groups_for_user() look up that, validate is for same user and return
>> it.
>>
>> You will need to use mod_wsgi 3.X to use thread local storage like that
>> however.
>>
>> BTW, if you get this working, post what you use. If I get a working
>> example from someone with a bit of a description of what you do on
>> Django admin side to populate permissions, could include it in
>> documentation as example.
>>
>
> Thanks for an elaborate reply that really helped me to move in the
> right direction, I did the suggested changes and it seems to be
> working.
> though I need to do some more testing before I have something
> concrete :)
>
>> Also note if using check_password() to authenticate user against
>> Django previously, to avoid second database lookup, you could always
>> stash the permissions in thread local storage and have the
>> groups_for_user() look up that, validate is for same user and return
>> it.
> I am using check_password() but I don't know how to stash the
> permissions in thread local storage, can you please let me know how to
> do this?

Will have to be tomorrow, no time tonight now and am logging off.

> One more thing is that if the required group is not matched it keeps
> on prompting for authentication instead of saying authorization
> required.

I would have thought it would actually return FORBIDDEN HTTP status response.

Graham

> Once I am done with the implementation I will surely share the script.
> Thanks a lot for your help, much appreciated.
>
>> Graham
>>
>> > On Fri, Apr 9, 2010 at 2:22 PM, Graham Dumpleton
>> > <[email protected]> wrote:
>> >> On 9 April 2010 18:25, Vishwajeet <[email protected]> wrote:
>> >> > Hi,
>> >> > I have script which is currently doing authentication and it's working
>> >> > fine.
>> >> > My question is how can I define an authorization script to check
>> >> > access?
>> >> > I tried browsing through all directives but none of them seems to mention
>> >> > about authorization.
>> >>
>> >> See:
>> >>
>> >> http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIAut...
>> >> http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIAut...
>> >> http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms
>> >>
>> >> Graham
>> >>
>> >> --
>> >> You received this message because you are subscribed to the Google Groups
>> >> "modwsgi" group.
>> >> To post to this group, send email to [email protected].
>> >> To unsubscribe from this group, send email to
>> >> [email protected].
>> >> For more options, visit this group at
>> >> http://groups.google.com/group/modwsgi?hl=en.
>>
>> > --
>> > Vishwajeet Singh
>> > +91-9657702154 | [email protected] | http://bootstraptoday.com
>> > Twitter: http://twitter.com/vishwajeets | LinkedIn:
>> > http://www.linkedin.com/in/singhvishwajeet
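
Added example, not part of the original thread and not mod_wsgi's or either poster's code: one way to do the thread-local stash described above, where check_password() caches the permissions and groups_for_user() reuses them only when they belong to the same user. The in-memory USERS table, the PBKDF2 hashing and the LOOKUPS counter are constructed stand-ins for the Django lookup, and it assumes, as the reply states, that mod_wsgi 3.X lets both callbacks share thread local storage for a request.

```python
import hashlib
import hmac
import threading

def _hash(pw):
    # Constructed hashing scheme for the stand-in store, not Django's.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), b"constructed-salt", 1000)

# Constructed stand-in for the Django user table (hypothetical data).
USERS = {
    "alice": {"hash": _hash("s3cret"), "active": True, "perms": {"can_do_stuff"}},
    "bob": {"hash": _hash("hunter2"), "active": False, "perms": {"can_do_other_stuff"}},
}
LOOKUPS = {"count": 0}  # number of simulated database hits

_stash = threading.local()  # one independent slot per worker thread

def _clear():
    _stash.user = None
    _stash.perms = None

def _load(user):
    LOOKUPS["count"] += 1
    rec = USERS.get(user)
    return rec if rec and rec["active"] else None

def check_password(environ, user, password):
    _clear()  # never carry a previous request's permissions forward
    rec = _load(user)
    if rec is None:
        return None  # unknown or inactive user
    if not hmac.compare_digest(rec["hash"], _hash(password)):
        return False
    _stash.user, _stash.perms = user, sorted(rec["perms"])
    return True

def groups_for_user(environ, user):
    cached_user = getattr(_stash, "user", None)
    perms = getattr(_stash, "perms", None)
    _clear()  # single use: the stash is consumed by this call
    if cached_user is not None and cached_user == user:
        return perms  # same user just authenticated on this thread
    rec = _load(user)  # no stash, or stash was for someone else
    return sorted(rec["perms"]) if rec else ['']
```

Clearing the stash on every call is what keeps a reused worker thread from handing one user's permissions to the next request.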
