On 9 April 2010 22:23, Graham Dumpleton <[email protected]> wrote:
> On 9 April 2010 22:19, Vishwajeet <[email protected]> wrote:
>>
>> On Apr 9, 3:32 pm, Graham Dumpleton <[email protected]>
>> wrote:
>>> On 9 April 2010 19:00, vishwajeet singh <[email protected]> wrote:
>>>
>>> > Thanks for the quick response Graham I have gone through these links many
>>> > times but still fail to understand how it will work for me.
>>> > Let me give you some more details
>>> > I am not doing either group authorization or host authorization, I have
>>> > django app and users have different roles in that application, so once
>>> > user
>>> > is authenticated I want to look into db if the user is in particular role
>>> > or
>>> > not, if he is not a role give him authorization required or you don't have
>>> > access to this resource. I want to use this authorization to handle access
>>> > for webdav folders which are not directly part of django app.
>>> > Hope that makes me more clear, thank you so much for your response.
>>>
>>> Depends on how you are going to do this with Django, but a role is not
>>> really any different to a group or even a Django user permission.
>>>
>>> For example, the following might be able to be used (although I have
>>> not tested it).
>>>
>>> import os, sys
>>> sys.path.append('/usr/local/django')
>>> os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'
>>>
>>> from django.contrib.auth.models import User
>>> from django import db
>>>
>>> def groups_for_user(environ, user):
>>>     db.reset_queries()
>>>
>>>     kwargs = {'username': user, 'is_active': True}
>>>
>>>     try:
>>>         try:
>>>             user = User.objects.get(**kwargs)
>>>         except User.DoesNotExist:
>>>             return ['']
>>>
>>>         return user.get_group_permissions()
>>>     finally:
>>>         db.connection.close()
>>>
>>> In other words, just look up user and return permissions associated
>>> with that user through the groups they are in.
>>>
>>> I don't actually use Django but I presume this can be used to
>>> designate the roles they have.
>>>
>>> Then in Apache configuration you can have:
>>>
>>> AuthType Basic
>>> AuthName "Top Secret"
>>> AuthBasicProvider dbm
>>> AuthDBMUserFile /usr/local/wsgi/accounts.dbm
>>> WSGIAuthGroupScript /usr/local/wsgi/scripts/auth.wsgi
>>> Require valid-user
>>>
>>> <Location /some/url>
>>> Require group can_do_stuff
>>> </Location>
>>>
>>> <Location /some/other/url>
>>> Require group can_do_other_stuff
>>> </Location>
>>>
>>> So don't get hung up on the 'group' name used as argument to 'Require'
>>> directive. You can still return a list of permissions and match
>>> against that.
>>>
>>> From Apache 2.3 onwards, you will have to actually use 'wsgi-group'
>>> instead of 'group'. Seems I haven't noted this in documentation and
>>> that 'wsgi-group' already works for older Apache and should now be
>>> used in preference to 'group'.
>>>
>>> Also note if using check_password() to authenticate user against
>>> Django previously, to avoid second database lookup, you could always
>>> stash the permissions in thread local storage and have the
>>> groups_for_user() look up that, validate is for same user and return
>>> it.
>>>
>>> You will need to use mod_wsgi 3.X to use thread local storage like that
>>> however.
>>>
>>> BTW, if you get this working, post what you use. If I get a working
>>> example from someone with a bit of a description of what you do on
>>> Django admin side to populate permissions, could include it in
>>> documentation as example.
>>>
>>
>> Thanks for an elaborate reply that really helped me to move in the
>> right direction, I did the suggested changes and it seems to be
>> working,
>> though I need to do some more testing before I have something
>> concrete :)
>>
>>> Also note if using check_password() to authenticate user against
>>> Django previously, to avoid second database lookup, you could always
>>> stash the permissions in thread local storage and have the
>>> groups_for_user() look up that, validate is for same user and return
>>> it.
>> I am using check_password() but I don't know how to stash the
>> permissions in thread local storage, can you please let me know how to
>> do this?
>
> Will have to be tomorrow, no time tonight now and am logging off.

Have couple of minutes left. Use something like:

import os, sys
sys.path.append('/usr/local/django')
os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'

from django.contrib.auth.models import User
from django import db

import threading

cache = threading.local()

def check_password(environ, username, password):
    cache.username = None
    cache.permissions = ['']

    db.reset_queries()

    kwargs = {'username': username, 'is_active': True}

    try:
        try:
            user = User.objects.get(**kwargs)
        except User.DoesNotExist:
            return None

        if user.check_password(password):
            cache.username = username
            cache.permissions = user.get_group_permissions()
            return True
        else:
            return False
    finally:
        db.connection.close()

def groups_for_user(environ, username):
    if not cache.username or cache.username != username:
        cache.username = None
        cache.permissions = ['']
        return ['']

    permissions = cache.permissions

    cache.username = None
    cache.permissions = ['']

    return permissions

Have to do this as only easy way of passing information between the
two Apache phases as no easy way of stashing information back in
Apache request object for passing across.

Note that WSGIAuthUserScript and WSGIAuthGroupScript must be
delegated to same application-group for this to work as thread locals
are specific to an interpreter.

Graham

>> One more thing is that if the required group is not matched it keeps
>> on prompting for authentication instead of saying authorization
>> required.
>
> I would have thought it would actually return FORBIDDEN HTTP status response.
>
> Graham
>
>> Once I am done with the implementation I will surely share the script.
>> Thanks a lot for your help, much appreciated.
>>
>>> Graham
>>>
>>>
>>>
>>> > On Fri, Apr 9, 2010 at 2:22 PM, Graham Dumpleton
>>> > <[email protected]> wrote:
>>>
>>> >> On 9 April 2010 18:25, Vishwajeet <[email protected]> wrote:
>>> >> > Hi,
>>> >> > I have a script which is currently doing authentication and it's working
>>> >> > fine.
>>> >> > My question is how can I define an authorization script to check
>>> >> > access?
>>> >> > I tried browsing through all directives but none of them seems to mention
>>> >> > about authorization.
>>>
>>> >> See:
>>>
>>> >> http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIAut...
>>>
>>> >> http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIAut...
>>> >> http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms
>>>
>>> >> Graham
>>>
>>> >> --
>>> >> You received this message because you are subscribed to the Google Groups
>>> >> "modwsgi" group.
>>> >> To post to this group, send email to [email protected].
>>> >> To unsubscribe from this group, send email to
>>> >> [email protected].
>>> >> For more options, visit this group at
>>> >> http://groups.google.com/group/modwsgi?hl=en.
>>>
>>> > --
>>> > Vishwajeet Singh
>>> > +91-9657702154 | [email protected] | http://bootstraptoday.com
>>> > Twitter: http://twitter.com/vishwajeets | LinkedIn:
>>> > http://www.linkedin.com/in/singhvishwajeet
>>>
>>
>
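
Added example (not part of the original thread, and not mod_wsgi or Django code): the thread-local hand-off between check_password() and groups_for_user() described above, runnable without Apache or Django. The USERS table, its passwords and the PBKDF2 hashing are constructed stand-ins for the Django user lookup, and groups_seen_from_other_thread() is a hypothetical helper showing that a stash made on one thread is not visible from another.

```python
import hashlib, hmac, os, threading

def _make_user(password, permissions):
    # Constructed stand-in for a Django User row: (salt, PBKDF2 hash, permissions).
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest, list(permissions)

# Constructed sample accounts; the permission names follow the thread's Require lines.
USERS = {
    "alice": _make_user("correct horse", ["can_do_stuff"]),
    "bob": _make_user("battery staple", ["can_do_other_stuff"]),
}

cache = threading.local()

def _clear():
    cache.username = None
    cache.permissions = ['']

def check_password(environ, username, password):
    _clear()  # a stash left by an earlier request on this thread must not survive
    record = USERS.get(username)
    if record is None:
        return None  # unknown user, as in the script above
    salt, digest, permissions = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(candidate, digest):
        return False
    cache.username, cache.permissions = username, permissions
    return True

def groups_for_user(environ, username):
    # getattr: a thread that never ran check_password has no attributes set at all.
    stashed_for = getattr(cache, "username", None)
    permissions = getattr(cache, "permissions", [''])
    _clear()  # single use: hand the stash over at most once
    if not stashed_for or stashed_for != username:
        return ['']  # fail closed on a missing or mismatched stash
    return permissions

def groups_seen_from_other_thread(username):
    # Hypothetical helper: run the lookup on a fresh thread, which has no stash.
    seen = []
    worker = threading.Thread(target=lambda: seen.append(groups_for_user({}, username)))
    worker.start()
    worker.join()
    return seen[0]
```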