Home Explore Help
Sign In
221V
/
Misago
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: da52d419b0
Branches Tags
Misago
/
misago
/
admin
/
auth.py

auth.py 2.1 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677 
  1. from hashlib import md5
    2. 

  2. from time import time
    3. 

  3. 

  4. from django.contrib import auth as dj_auth
    5. 

  5. from django.contrib import messages
    6. 

  6. from django.utils.translation import gettext as _
    7. 

  7. 

  8. from ..conf import settings
    9. 

  9. 

  10. TOKEN_KEY = "misago_admin_session_token"
    11. 

  11. UPDATED_KEY = "misago_admin_session_updated"
    12. 

  12. 

  13. # Admin session state controls
    14. 

  14. def is_admin_authorized(request):
    15. 

  15.     if request.user.is_anonymous:
    16. 

  16.         return False
    17. 

  17. 

  18.     if not request.user.is_staff:
    19. 

  19.         return False
    20. 

  20. 

  21.     admin_token = request.session.get(TOKEN_KEY)
    22. 

  22.     if not admin_token == make_user_admin_token(request.user):
    23. 

  23.         return False
    24. 

  24. 

  25.     updated = request.session.get(UPDATED_KEY, 0)
    26. 

  26.     if updated < time() - (settings.MISAGO_ADMIN_SESSION_EXPIRATION * 60):
    27. 

  27.         if updated:
    28. 

  28.             request.session.pop(UPDATED_KEY, None)
    29. 

  29.             messages.info(request, _("Your admin session has expired."))
    30. 

  30.         return False
    31. 

  31. 

  32.     return True
    33. 

  33. 

  34. 

  35. def authorize_admin(request):
    36. 

  36.     request.session[TOKEN_KEY] = make_user_admin_token(request.user)
    37. 

  37.     request.session[UPDATED_KEY] = int(time())
    38. 

  38. 

  39. 

  40. def update_admin_authorization(request):
    41. 

  41.     request.session[UPDATED_KEY] = int(time())
    42. 

  42. 

  43. 

  44. def remove_admin_authorization(request):
    45. 

  45.     request.session.pop(TOKEN_KEY, None)
    46. 

  46.     request.session.pop(UPDATED_KEY, None)
    47. 

  47. 

  48. 

  49. def make_user_admin_token(user):
    50. 

  50.     formula = (str(user.pk), user.email, user.password, settings.SECRET_KEY)
    51. 

  51.     return md5(":".join(formula).encode()).hexdigest()
    52. 

  52. 

  53. 

  54. # Login/logout exposed
    55. 

  55. login = dj_auth.login
    56. 

  56. logout = dj_auth.logout
    57. 

  57. 

  58. 

  59. # Register signal for logout to make sure eventual admin session is closed
    60. 

  60. def django_login_handler(sender, **kwargs):
    61. 

  61.     request, user = kwargs["request"], kwargs["user"]
    62. 

  62.     try:
    63. 

  63.         admin_namespace = request.admin_namespace
    64. 

  64.     except AttributeError:
    65. 

  65.         admin_namespace = False
    66. 

  66.     if admin_namespace and user.is_staff:
    67. 

  67.         authorize_admin(request)
    68. 

  68. 

  69. 

  70. dj_auth.signals.user_logged_in.connect(django_login_handler)
    71. 

  71. 

  72. 

  73. def django_logout_handler(sender, **kwargs):
    74. 

  74.     remove_admin_authorization(kwargs["request"])
    75. 

  75. 

  76. 

  77. dj_auth.signals.user_logged_out.connect(django_logout_handler)
    78.