author | Neil Williams <neil.williams@linaro.org> | 2016-04-01 13:32:11 +0100 |
---|---|---|
committer | Neil Williams <neil.williams@linaro.org> | 2016-04-04 19:08:25 +0100 |
commit | 55dbc8627af3e4ea22b5a4f1495a75f70002ad72 (patch) | |
tree | 49e0ef03ce85c8ba019e9d69b8184a33ad7a283a /lava_results_app/utils.py | |
parent | a15e3ef28726e34ed8a03d280bbf7db1b5a05b22 (diff) |
LAVA-195 Allow authentication with result export
Support putting the token and the username into the query string
of the result export REST URLs and document the usage and security
implications of doing so.
Change-Id: I47d83300a60cdb3251cec11509737e49f9810055
Diffstat (limited to 'lava_results_app/utils.py')
-rw-r--r-- | lava_results_app/utils.py | 27 |
1 files changed, 27 insertions, 0 deletions
diff --git a/lava_results_app/utils.py b/lava_results_app/utils.py
index e429d474b..a420150e4 100644
--- a/lava_results_app/utils.py
+++ b/lava_results_app/utils.py
@@ -3,6 +3,8 @@ import yaml
import logging
from django.utils.translation import ungettext_lazy
from django.conf import settings
+from django.http import Http404
+from linaro_django_xmlrpc.models import AuthToken
def help_max_length(max_length):
@@ -37,3 +39,28 @@ def description_data(job_id):
if not data:
return {}
return data
+
+
def anonymous_token(request, job):
+ querydict = request.GET
+ user = querydict.get('user', default=None)
+ token = querydict.get('token', default=None)
+ # safe to call with (None, None) - returns None
+ auth_user = AuthToken.get_user_for_secret(username=user, secret=token)
+ if not user and not job.is_public:
+ raise Http404("Job %d requires authentication to view." % job.id)
+ if not auth_user:
+ raise Http404("User '%s' is not able to view job %d" % (user, job.id))
+ return auth_user
+
+
def check_request_auth(request, job):
+ if not request.user and job.is_public:
+ return
+ if not request.user.is_authenticated():
+ # handle anonymous access
+ auth_user = anonymous_token(request, job)
+ if not auth_user or not job.can_view(auth_user):
+ raise Http404("User '%s' is not able to view job %d" % (request.user, job.id))
+ elif not job.can_view(request.user):
+ raise Http404("User '%s' is not able to view job %d" % (request.user.username, job.id)) |
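Review bot: Anonymous viewers of a public job still appear to be rejected by `check_request_auth`: with Django's AuthenticationMiddleware `request.user` is an `AnonymousUser`, which is truthy, so the `if not request.user and job.is_public: return` guard never fires, and a public job requested without `user`/`token` falls through to `anonymous_token`, where `auth_user` is `None` and the `if not auth_user` raise fires. If public jobs are meant to stay viewable without credentials, as that guard suggests, it should test authentication rather than truthiness, e.g. `if job.is_public and not request.user.is_authenticated():` followed by `return`. The 404 raised in the anonymous branch also formats `request.user` (the `AnonymousUser` object) rather than the `user` value taken from the query string, so the message never names the rejected identity; `anonymous_token` already raises with that query value, so the outer raise could simply reuse it or drop the name. Both new functions are complete within the hunk.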