Persist Django user in session - python

I am using RemoteUserMiddleware to authenticate with VAS.
Right now I set it up so the REMOTE_USER variable gets set only for my SSO login URL (/accounts/login/sso/), because I must allow my users to log in via forms (for users not present in our SSO system). According to my debugging, the user gets authenticated correctly in VasMiddleware (which extends RemoteUserMiddleware to pre-process REMOTE_USER), but after the user gets redirected to the home page (/), authentication is lost.
How can I persist the information that the user has been logged in?

Django 1.9 will have a PersistentRemoteUserMiddleware, which will work when the authentication header is only present on the login page.
If you look at the patch, it shouldn't be too hard to do something similar in Django 1.8. I would try overriding process_request so that it doesn't call self._remove_invalid_user(request) to log out your user (that might end up duplicating a lot of code), or overriding _remove_invalid_user itself.
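Added example (not code from the question, the answer or Django itself): a Django 1.8 style subclass of RemoteUserMiddleware that keeps an existing session when the REMOTE_USER header is absent, which is what an SSO-only login URL needs, while still letting a header that names a different user end the stale session. In Django 1.8, process_request calls _remove_invalid_user both when the header is missing and when it disagrees with the session user, so overriding _remove_invalid_user alone would also disable the mismatch logout; the policy is therefore kept in a plain function, which can be exercised without Django installed. The class name and the assumption that VasMiddleware populates REMOTE_USER are illustrative.

```python
# Added example, not the project's own code. The decision logic lives in
# remote_user_action() so it can be unit-tested without Django; the
# middleware class only wires it into Django 1.8's RemoteUserMiddleware.
try:
    from django.contrib import auth
    from django.contrib.auth.middleware import RemoteUserMiddleware
except ImportError:  # lets the policy function run where Django is not installed
    auth, RemoteUserMiddleware = None, object

KEEP, LOGOUT, CONTINUE = "keep", "logout", "continue"


def remote_user_action(header_user, session_user):
    """Decide what the middleware should do for one request.

    header_user:  value of the REMOTE_USER header, or None when absent
    session_user: username already authenticated in the session, or None
    Returns KEEP (leave the session alone), LOGOUT (header identifies a
    different user than the session) or CONTINUE (defer to the stock
    RemoteUserMiddleware handling, which authenticates the header user).
    """
    if header_user is None:
        # Stock Django 1.8 would log out here; PersistentRemoteUserMiddleware
        # (Django 1.9) keeps the session instead, which is what we want when
        # the header is only injected on the SSO login URL.
        return KEEP if session_user is not None else CONTINUE
    if session_user is not None and session_user != header_user:
        # Never let a session outlive a header that names someone else.
        return LOGOUT
    return CONTINUE


class VasPersistentRemoteUserMiddleware(RemoteUserMiddleware):
    """Assumed name; drop-in replacement for the middleware in the question."""

    header = "REMOTE_USER"  # assumption: the key VasMiddleware populates

    def process_request(self, request):
        header_user = request.META.get(self.header)
        session_user = None
        if request.user.is_authenticated():  # a method in Django 1.8
            session_user = request.user.get_username()
        action = remote_user_action(header_user, session_user)
        if action == KEEP:
            return  # header absent on this request, keep the SSO session
        if action == LOGOUT:
            # End the session whichever backend created it (forms or SSO);
            # the stock code only logs out RemoteUserBackend sessions here.
            auth.logout(request)
        # CONTINUE (and the post-logout case): stock handling logs the
        # header user in and stores it in the session as usual.
        super(VasPersistentRemoteUserMiddleware, self).process_request(request)
```

List the class in MIDDLEWARE_CLASSES after AuthenticationMiddleware in place of VasMiddleware, or have VasMiddleware inherit from it; the stock behaviour of authenticating the header user on the SSO URL is unchanged, only the logout-on-missing-header is removed.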

Related

Differentiate request from admin portal and from basic API - Django/REST

I was wondering if it was possible to differentiate a request from the Django administration portal from a request from the API?
For example, using permissions, a user would not be able to delete an instance with a basic API call. But the same user through the admin portal would be able to delete the instance.
I tried to look at the parameters of the request object but didn't find anything that can be used.
In my ideal case: User A can delete objects through the admin dashboard but the same User A cannot delete objects when not using the admin dashboard.

Django social authentication with registration extra fields

I want to do a social authentication with Google and Facebook. For that I have used social-auth-app-django. When I log in using Google it directly creates an account in the Django user model and redirects to my URL. But I want to collect extra required details of the user, create the user after the details are entered and confirmed by the user, and not directly log in the new user and redirect to my authenticated page.
Any suggestion is always appreciated.
Thanks.
That's basically the purpose of the partial pipelines feature on python-social-auth (docs). The idea is to pause the authentication flow at any time and resume it later; it's commonly used to ask the user for more details, or to just send a validation email.
Check the example application here; in the settings it overrides the default pipeline with one that will ask the user for their email address.

User registration with Django allauth

I am working on a project in a team using Django. I am trying to implement User Registration part in Django. This is what I have done so far.
I have created a separate application within my project called signup.
In this application, I am providing a page to the anonymous user to sign up for my web application. The user is able to sign in successfully and I can see him as admin inside the Django Admin interface.
I am also using django-allauth. Now, I want that whenever the user signs up, the admin should accept/reject the users registration. How can I achieve that in allauth?
This is what I have done so far. I have created a separate application within my project called signup.
You don't need to do this, as Django Allauth already does it. As soon as you get it running, which takes some time, allauth will already have standard apps, with views + templates for users who want to signup, login, change password, recover password, etc.
You can make new users have to confirm an email before using your app by specifying this in settings.py
ACCOUNT_EMAIL_VERIFICATION = 'mandatory'
However, I do not see a reason why you would want to manually accept users with human input. If that is the case, I suggest removing all signup pages, and manually creating users from a shell window or admin panel on request.
If you want more detail on how to set it up, try example1 or further reading.

How flexible is Pyramid's auth system?

I am getting my feet wet working with the Pyramid framework (great framework), and I've come to the point of user authorization. I want to take advantage of the ACL to block users who are already logged in from visiting the registration page. Obviously, I could do this in other ways, but I was wondering if there was any way to do this using tools in Pyramid.
I know that by adding permissions to a view, users who do not meet the criteria are shown a forbidden view. In my case, I simply want to reroute users who are already members away from views that don't apply to them (registration, login, etc.).
I've tried __acl__ = [(Deny, Authenticated, 'guest')] to no avail, as it blocks the login page for all users.
Also, somewhat on another note, is there any way to dynamically change a route? I want the home page to be different for users who are logged in than it is for guests.
You'll want to investigate the principals that are being returned by your authentication policy to understand what's going on. It's easy to tell if you turn on pyramid.debug_authorization in your INI file. The authorization policy will compare the ACL found against the principals returned via pyramid.security.effective_principals(request). If these do not match up, it should be clear what is going on.
The way to implement a form-based login would be (assuming Pyramid 1.3a9+):
    from pyramid.httpexceptions import HTTPSeeOther
    from pyramid.security import authenticated_userid
    from pyramid.view import forbidden_view_config

    @forbidden_view_config()
    def forbidden_view(request):
        if authenticated_userid(request):
            # user is already logged in, they are really forbidden
            return request.context  # the forbidden 403 response
        # anonymous user: send them to the login page and remember where they came from
        url = request.route_url('login', _query={'came_from': request.path})
        return HTTPSeeOther(url)
That will add the came_from parameter to the URL as request.GET['came_from'] in your login view. Of course if that isn't there you can just redirect them to the home screen after logging in.
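Added example (not code from the question, the answer or Pyramid): a stand-alone re-creation of how Pyramid's ACLAuthorizationPolicy evaluates a single __acl__ (entries are checked in order, the first one whose principal is in the request's effective principals and covers the permission decides, and no match means denied), used to show why the lone Deny entry from the question blocks the login page for everyone and what a guest-only ACL looks like. The principal strings are the values of pyramid.security.Everyone and Authenticated; the ACLs, the 'guest' permission and the helper names are constructed for the example, and the lineage walk over parent contexts is left out.

```python
# Added example: a minimal model of Pyramid's ACL evaluation, not Pyramid code.
Allow, Deny = "Allow", "Deny"
Everyone, Authenticated = "system.Everyone", "system.Authenticated"  # Pyramid's values


def permits(acl, principals, permission):
    """Return True if the first ACE matching any principal grants permission.

    Mirrors ACLAuthorizationPolicy.permits for one context: entries are
    (action, principal, permission-or-permissions); an entry applies when its
    principal is among the effective principals and names the permission.
    """
    for action, principal, permissions in acl:
        if isinstance(permissions, str):
            permissions = (permissions,)
        if principal in principals and permission in permissions:
            return action == Allow
    return False  # nothing matched: Pyramid's default is to deny


def effective_principals(userid=None, groups=()):
    """Mimic pyramid.security.effective_principals for a simple auth policy."""
    principals = [Everyone]
    if userid is not None:
        principals += [Authenticated, userid] + list(groups)
    return principals


# The ACL from the question: only a Deny entry, so no principal is ever
# allowed and both anonymous and logged-in users get the forbidden view.
ACL_DENY_ONLY = [(Deny, Authenticated, "guest")]

# Deny logged-in users first, then allow everyone else. Order matters:
# putting the Allow first would let Everyone (which includes authenticated
# users) through before the Deny is reached.
ACL_GUEST_ONLY = [
    (Deny, Authenticated, "guest"),
    (Allow, Everyone, "guest"),
]


def can_view_login(acl, userid=None):
    """Would a view protected by permission='guest' be reachable under acl?"""
    return permits(acl, effective_principals(userid), "guest")


if __name__ == "__main__":
    for name, acl in (("deny only", ACL_DENY_ONLY), ("guest only", ACL_GUEST_ONLY)):
        print(name, "anonymous:", can_view_login(acl), "alice:", can_view_login(acl, "alice"))
```

With pyramid.debug_authorization = true in the INI file, the real policy logs the same comparison (ACL entry versus effective principals) for every protected view, which is the quickest way to confirm that the principals you expect are actually being returned.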

How to login to FB's Graph oAuth API NOT transparently?

From a very old blog post from FB:
As promised, we have changed the login procedure. This change should improve your users' experience and requires no modifications to existing applications. Now, if a user was already using Facebook, logging into an app happens transparently. Because of this, developers might want to provide a way for users to logout by posting the word "confirm" to http://www.facebook.com/logout.php. Alternatively, developers can provide a link to switch the user via the login page's "skipcookie" parameter (as described in the authentication guide).
What if I don't want this to happen, but rather want the user to be redirected to FB and confirm his identity even if logged in to FB? I looked everywhere for this skipcookie directive but found nothing about it; in fact I think it has been discontinued.
For the record I'm using django in my app.
Thanks in advance for any help.
That is very old, and like you said, doesn't really apply anymore, especially since everything moved from OAuth over to OAuth 2.
What if I don't want this to happen, but rather want the user to be redirected to FB and confirm his identity even if logged in to FB?
So here's what you do. If you want to force the user to re-login to facebook (confirming his identity and it's not some person who just walked up to an unlocked computer already logged into Facebook), call FB.logout() first, then call FB.login() to log the user in. Since you called logout() first, it will force the user to log into Facebook before authorizing your app.
If anybody is still curious as to how to implement this using Django, here's how I log the user out of Facebook server-side:
    from django.http import HttpResponseRedirect
    try:
        from urllib.parse import urlencode  # Python 3
    except ImportError:
        from urllib import urlencode  # Python 2

    def fb_logout_view(request, access_token):
        # access_token: the token obtained for this user when they logged in via FB
        next_url = 'http://your.app.url/return/from/fb/'
        args = {
            'next': next_url,
            'access_token': access_token,
        }
        redirect_to = "https://www.facebook.com/logout.php?" + urlencode(args)
        return HttpResponseRedirect(redirect_to)
With this you can log the user out using the server side script (be it python/Django or any other language/framework, just use your language's url fetching API).
With this code the user will be redirected to the FB logout URL and will then return to next_url.