On Apr 9, 6:00 pm, Graham Dumpleton <[email protected]> wrote:
> On 9 April 2010 22:23, Graham Dumpleton <[email protected]> wrote:
> > On 9 April 2010 22:19, Vishwajeet <[email protected]> wrote:
> >> On Apr 9, 3:32 pm, Graham Dumpleton <[email protected]> wrote:
> >>> On 9 April 2010 19:00, vishwajeet singh <[email protected]> wrote:
> >>> > Thanks for the quick response Graham. I have gone through these links many
> >>> > times but still fail to understand how it will work for me.
> >>> > Let me give you some more details.
> >>> > I am not doing either group authorization or host authorization. I have a
> >>> > django app and users have different roles in that application, so once a
> >>> > user is authenticated I want to look into the db to see if the user is in a
> >>> > particular role or not; if he is not in the role, give him "authorization
> >>> > required" or "you don't have access to this resource". I want to use this
> >>> > authorization to handle access for webdav folders which are not directly
> >>> > part of the django app.
> >>> > Hope that makes it clearer. Thank you so much for your response.
> >>>
> >>> Depends on how you are going to do this with Django, but a role is not
> >>> really any different to a group or even a Django user permission.
> >>>
> >>> For example, the following might be usable (although I have not tested it).
> >>>
> >>> import os, sys
> >>> sys.path.append('/usr/local/django')
> >>> os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'
> >>>
> >>> from django.contrib.auth.models import User
> >>> from django import db
> >>>
> >>> def groups_for_user(environ, username):
> >>>     # Clear the per-thread query log before touching the ORM.
> >>>     db.reset_queries()
> >>>
> >>>     kwargs = {'username': username, 'is_active': True}
> >>>
> >>>     try:
> >>>         try:
> >>>             user = User.objects.get(**kwargs)
> >>>         except User.DoesNotExist:
> >>>             # Unknown or inactive user: a list no 'Require' token can match.
> >>>             return ['']
> >>>
> >>>         # get_group_permissions() returns a set of 'app_label.codename'
> >>>         # strings; mod_wsgi wants a sequence, so hand back a list.
> >>>         return list(user.get_group_permissions())
> >>>     finally:
> >>>         # Do not leave a database connection open on the Apache thread.
> >>>         db.connection.close()
> >>>
> >>> In other words, just look up the user and return the permissions associated
> >>> with that user through the groups they are in.
> >>>
> >>> I don't actually use Django but I presume this can be used to
> >>> designate the roles they have.
> >>>
> >>> Then in the Apache configuration you can have:
> >>>
> >>> AuthType Basic
> >>> AuthName "Top Secret"
> >>> AuthBasicProvider dbm
> >>> AuthDBMUserFile /usr/local/wsgi/accounts.dbm
> >>> WSGIAuthGroupScript /usr/local/wsgi/scripts/auth.wsgi
> >>> Require valid-user
> >>>
> >>> <Location /some/url>
> >>> Require group can_do_stuff
> >>> </Location>
> >>>
> >>> <Location /some/other/url>
> >>> Require group can_do_other_stuff
> >>> </Location>
> >>>
> >>> So don't get hung up on the 'group' name used as argument to the 'Require'
> >>> directive. You can still return a list of permissions and match
> >>> against that.
> >>>
> >>> From Apache 2.3 onwards, you will have to actually use 'wsgi-group'
> >>> instead of 'group'. Seems I haven't noted this in the documentation, and
> >>> 'wsgi-group' already works for older Apache and should now be
> >>> used in preference to 'group'.
> >>>
> >>> Also note that if you are using check_password() to authenticate the user
> >>> against Django previously, to avoid a second database lookup you could
> >>> always stash the permissions in thread local storage and have
> >>> groups_for_user() look that up, validate it is for the same user and
> >>> return it.
> >>>
> >>> You will need to use mod_wsgi 3.X to use thread local storage like that
> >>> however.
> >>>
> >>> BTW, if you get this working, post what you use. If I get a working
> >>> example from someone with a bit of a description of what you do on the
> >>> Django admin side to populate permissions, I could include it in the
> >>> documentation as an example.
> >>
> >> Thanks for an elaborate reply; that really helped me to move in the
> >> right direction. I did the suggested changes and it seems to be
> >> working, though I need to do some more testing before I have something
> >> concrete :)
> >>
> >>> Also note that if you are using check_password() to authenticate the user
> >>> against Django previously, to avoid a second database lookup you could
> >>> always stash the permissions in thread local storage and have
> >>> groups_for_user() look that up, validate it is for the same user and
> >>> return it.
> >>
> >> I am using check_password() but I don't know how to stash the
> >> permissions in thread local storage. Can you please let me know how to
> >> do this?
> >
> > Will have to be tomorrow, no time tonight now and am logging off.
>
> Have a couple of minutes left. Use something like:
>
> import os, sys
> sys.path.append('/usr/local/django')
> os.environ['DJANGO_SETTINGS_MODULE'] = 'mysite.settings'
>
> from django.contrib.auth.models import User
> from django import db
>
> import threading
>
> # Per-thread stash shared by the two Apache phases; one request is
> # handled start to finish on one thread.
> cache = threading.local()
>
> def check_password(environ, username, password):
>
>     # Always start from an empty stash so nothing from an earlier
>     # request on this thread can leak into this one.
>     cache.username = None
>     cache.permissions = ['']
>
>     db.reset_queries()
>
>     kwargs = {'username': username, 'is_active': True}
>
>     try:
>         try:
>             user = User.objects.get(**kwargs)
>         except User.DoesNotExist:
>             # None tells mod_wsgi the user is unknown.
>             return None
>
>         if user.check_password(password):
>             cache.username = username
>             cache.permissions = list(user.get_group_permissions())
>             return True
>         else:
>             return False
>     finally:
>         db.connection.close()
>
> def groups_for_user(environ, username):
>     # Only hand back permissions stashed for this same user, and only
>     # once. getattr() guards a thread on which check_password() never ran.
>     if getattr(cache, 'username', None) != username:
>         cache.username = None
>         cache.permissions = ['']
>         return ['']
>
>     permissions = cache.permissions
>     cache.username = None
>     cache.permissions = ['']
>     return permissions
>
> Have to do this as it is the only easy way of passing information between the
> two Apache phases, as there is no easy way of stashing information back in the
> Apache request object for passing across.
>
> Note that WSGIAuthUserScript and WSGIAuthGroupScript must be
> delegated to the same application-group for this to work as thread locals
> are specific to an interpreter.

Thanks, I got it working.

> >> One more thing is that if the required group is not matched it keeps
> >> on prompting for authentication instead of saying authorization
> >> required.

But this problem is still bugging me; I am not able to understand why Apache
keeps on returning 401 instead of 403 if some other group is returned instead
of the desired one.

> > Graham
> >
> >> One more thing is that if the required group is not matched it keeps
> >> on prompting for authentication instead of saying authorization
> >> required.
> >
> > I would have thought it would actually return FORBIDDEN HTTP status
> > response.
> >
> > Graham
> >
> >> Once I am done with the implementation I will surely share the script.
> >> Thanks a lot for your help, much appreciated.
> >>
> >>> Graham
> >>>
> >>> > On Fri, Apr 9, 2010 at 2:22 PM, Graham Dumpleton <[email protected]> wrote:
> >>> >> On 9 April 2010 18:25, Vishwajeet <[email protected]> wrote:
> >>> >> > Hi,
> >>> >> > I have a script which is currently doing authentication and it's
> >>> >> > working fine.
> >>> >> > My question is how can I define an authorization script to check
> >>> >> > access?
> >>> >> > I tried browsing through all the directives but none of them seems to
> >>> >> > mention authorization.
> >>> >>
> >>> >> See:
> >>> >>
> >>> >> http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIAut...
> >>> >> http://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIAut...
> >>> >> http://code.google.com/p/modwsgi/wiki/AccessControlMechanisms
> >>> >>
> >>> >> Graham
> >>> >>
> >>> >> --
> >>> >> You received this message because you are subscribed to the Google
> >>> >> Groups "modwsgi" group.
> >>> >> To post to this group, send email to [email protected].
> >>> >> To unsubscribe from this group, send email to [email protected].
> >>> >> For more options, visit this group at http://groups.google.com/group/modwsgi?hl=en.
> >>>
> >>> > --
> >>> > Vishwajeet Singh
> >>> > +91-9657702154 | [email protected] | http://bootstraptoday.com
> >>> > Twitter: http://twitter.com/vishwajeets | LinkedIn: http://www.linkedin.com/in/singhvishwajeet
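An added, runnable stand-in for the two-phase stash Graham describes (example code, not from the thread and not Django's): the Django ORM is replaced by a constructed in-memory user table with PBKDF2 hashes standing in for User.check_password(), while the hook signatures are mod_wsgi's. The sample users, permission names and the authorize() driver are assumptions for illustration. Besides the happy path it shows the two ways the stash comes back as [''] (a lookup for a different user, and a lookup from a different thread, the reason both scripts must share one application group), and it maps the outcomes to the status codes Apache 2.4 sends with AuthzSendForbiddenOnFailure On; by default Apache re-prompts with 401 on an authorization failure, which is the behaviour reported in the thread.

```python
"""Stand-in for the mod_wsgi auth flow discussed above (added example, not
Graham's or Django's code). Django's User model is replaced by a constructed
in-memory table so it runs offline; the hook signatures are mod_wsgi's."""
import hashlib
import hmac
import threading

# Constructed sample data. PBKDF2 stands in for Django's password hashing;
# a fixed salt is fine for a demo, never for real accounts.
_SALT = b'constructed-demo-salt'
_ITERATIONS = 50_000


def _hash(password):
    return hashlib.pbkdf2_hmac('sha256', password.encode(), _SALT, _ITERATIONS)


# username -> record; permissions use Django's 'app_label.codename' form.
USERS = {
    'alice': {'hash': _hash('correct horse'), 'is_active': True,
              'permissions': ['webdav.can_do_stuff', 'webdav.can_do_other_stuff']},
    'bob':   {'hash': _hash('hunter2'), 'is_active': True,
              'permissions': ['webdav.can_do_other_stuff']},
    'carol': {'hash': _hash('letmein'), 'is_active': False,
              'permissions': ['webdav.can_do_stuff']},
}

# Per-thread stash carried from the authentication phase to the
# authorization phase; Apache runs both phases of one request on one thread.
cache = threading.local()


def _clear_stash():
    cache.username = None
    cache.permissions = ['']


def check_password(environ, username, password):
    """WSGIAuthUserScript hook: None = unknown user, False = bad password,
    True = authenticated (and permissions stashed for groups_for_user)."""
    _clear_stash()  # never inherit a stash left by an earlier request
    record = USERS.get(username)
    if record is None or not record['is_active']:
        return None
    if not hmac.compare_digest(_hash(password), record['hash']):
        return False
    cache.username = username
    cache.permissions = list(record['permissions'])
    return True


def groups_for_user(environ, username):
    """WSGIAuthGroupScript hook: return the stashed permissions exactly once,
    and only if they were stashed for this same user on this same thread."""
    if getattr(cache, 'username', None) != username:
        _clear_stash()
        return ['']  # a list no 'Require wsgi-group' token can match
    permissions = cache.permissions
    _clear_stash()
    return permissions


def authorize(required_group, username, password):
    """Drive the two hooks the way Apache would for
    'AuthBasicProvider wsgi' + 'Require wsgi-group <required_group>'.
    401: credentials rejected; 403: authenticated but permission missing
    (what Apache 2.4 sends with AuthzSendForbiddenOnFailure On; by default
    it re-prompts with 401, as reported in the thread); 200: allowed."""
    environ = {}  # mod_wsgi passes the request's WSGI environ here
    if not check_password(environ, username, password):
        return 401
    if required_group in groups_for_user(environ, username):
        return 200
    return 403


def cross_thread_lookup(username, password):
    """Authenticate on this thread, then read the stash from another thread:
    thread locals do not cross threads (or interpreters), which is why both
    scripts must be delegated to the same application group."""
    check_password({}, username, password)
    seen = []
    worker = threading.Thread(
        target=lambda: seen.append(groups_for_user({}, username)))
    worker.start()
    worker.join()
    _clear_stash()  # tidy up the stash the main thread still holds
    return seen[0]
```

In the real script Django's User.check_password() and get_group_permissions() take the place of the hash table, and Apache itself calls groups_for_user() on the thread that just ran check_password(); authorize() only makes that sequence explicit so the three outcomes can be seen side by side.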
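An added Apache configuration fragment (not from the thread) that puts Graham's note about application groups into practice: one script provides both hooks and both directives are delegated to the same application group, so the thread-local stash filled in check_password() is visible to groups_for_user(); Require uses the 'wsgi-group' provider with the 'app_label.codename' strings Django's get_group_permissions() returns; and, on Apache 2.4 only, AuthzSendForbiddenOnFailure On makes an authenticated user who lacks the permission receive 403 instead of being re-prompted with 401, which is Apache's default. The path, URL and permission name are placeholders.

```apache
# Added example, not from the thread. Path, URL and permission name are
# placeholders; auth.wsgi is assumed to define both check_password() and
# groups_for_user() as in Graham's script.
<Location /webdav>
    AuthType Basic
    AuthName "Top Secret"
    AuthBasicProvider wsgi

    # Same script and the same application group for both phases: the
    # threading.local() stash lives in one interpreter, so the group lookup
    # must run in the interpreter where check_password() ran.
    WSGIAuthUserScript  /usr/local/wsgi/scripts/auth.wsgi application-group=%{GLOBAL}
    WSGIAuthGroupScript /usr/local/wsgi/scripts/auth.wsgi application-group=%{GLOBAL}

    # Apache 2.4 only: answer an authenticated user who lacks the permission
    # with 403 instead of re-prompting with 401 (the default behaviour).
    AuthzSendForbiddenOnFailure On

    # Django's get_group_permissions() yields 'app_label.codename' strings,
    # so the Require token must be one of those, not a bare group name.
    Require wsgi-group webdav.can_do_stuff
</Location>
```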
