Hello django-users! I'm making a "google docs"-like service for users to create and share documents with other users. I'd like to serve the documents directly from apache authenticating against the django session. I've read http://docs.djangoproject.com/en/dev/howto/apache-auth/ and the excellent patch at http://code.djangoproject.com/ticket/3583, but as far as I understand, the current implementation only allows authentication based on staff, superuser, or a single static permission, but as every document would need its own permission, this wouldn't work for a more complex auth system.
So my questions are:

1) Is there a way to do this currently in django? and if not,
2) I've rolled my own (attached below), a modification on the patch on #3583. It treats the authentication like a view that returns True or False.

So if the patch is installed, you would add:

*mysite/settings.py

    ROOT_AUTH_URLCONF = 'mysite.auth_urls'

*create mysite/auth_urls.py:

    from django.conf.urls.defaults import *
    from django.conf import settings

    urlpatterns = patterns('',
        (r'^media/authorized/mymodule/', include('mysite.mymodule.auth_urls')),
    )

*create mysite/mymodule/auth_urls.py:

    from django.conf.urls.defaults import *

    urlpatterns = patterns('mysite.mymodule.authers',
        (r'^documents/(?P<filename>[^/]+)$', 'document_auther'),
    )

*create mysite/mymodule/authers.py:

    from mysite.mymodule.models import Document

    def document_auther(request, filename=None, *args, **kwargs):
        # Here I can perform any logic like a normal view, with access to request.user
        return False  # placeholder so the function is valid Python; the real check is trimmed in the post

(trimmed a bit for simplicity, a full solution would probably use uuids on the filepath).

So, is this a good idea/would people be interested in this?

Thanks for reading,
Todd Gardner

The patch (applied on top of patch for #3583, might need better error handling, like catching the resolver404):

--- original/modpython.py 2009-05-26 19:35:18.000000000 -0400 +++ authurl/modpython.py 2009-05-26 23:58:16.000000000 -0400 @@ -16,6 +16,7 @@ self.permission_name = options.get('DjangoPermissionName', None) self.staff_only = _str_to_bool(options.get ('DjangoRequireStaffStatus', "on")) self.superuser_only = _str_to_bool(options.get ('DjangoRequireSuperuserStatus', "off")) + self.use_auth_urls = _str_to_bool(options.get ('DjangoUseAuthURLs', "off")) self.raise_forbidden = _str_to_bool(options.get ('DjangoRaiseForbidden', "off")) self.settings_module = options.get('DJANGO_SETTINGS_MODULE', None) 
@@ -49,6 +50,18 @@ return False return True +def check_auth_url(request): + from django.core import urlresolvers + + auth_urlconf = getattr(request, "auth_urlconf", settings.ROOT_AUTH_URLCONF) + + resolver = urlresolvers.RegexURLResolver(r'^/', auth_urlconf) + + callback, callback_args, callback_kwargs = resolver.resolve( + request.path_info) + + return callback(request, *callback_args, **callback_kwargs) + def redirect_to_login(req): path = quote(req.uri) if req.args: @@ -131,7 +144,8 @@ # a response which redirects to settings.LOGIN_URL redirect_to_login(req) - if validate_user(user, options): + if validate_user(user, options) and (not options.use_auth_urls + or check_auth_url (request)): return apache.OK # mod_python docs say that HTTP_FORBIDDEN should be raised if the user
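
Review bot: In the second hunk (`@@ -49,6 +50,18 @@`), `check_auth_url` calls `resolver.resolve(request.path_info)` with no exception handling, so a path that matches nothing in the auth URLconf raises out of the access handler instead of yielding a decision. Catch the resolver's not-found error there and return False so unmatched paths are denied. The function also returns the callback's value unchanged and the caller only tests its truthiness, so an authorizer that returns any truthy object would grant access; `return callback(request, *callback_args, **callback_kwargs) is True` makes the contract explicit. Finally, `settings.ROOT_AUTH_URLCONF` is evaluated eagerly as the `getattr` default, so it raises when the setting is missing even if `request.auth_urlconf` is set.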
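
Review bot: In the third hunk (`@@ -131,7 +144,8 @@`), the new condition calls `check_auth_url (request)`, but the only request object visible in this context is `req` (`redirect_to_login(req)`). `check_auth_url` reads `request.path_info` and hands the object to an authorizer that expects `request.user`, so please confirm that a Django request named `request` is in scope at this point and that it carries the `user` already checked by `validate_user(user, options)`. If it is not, this line fails with a NameError only when `DjangoUseAuthURLs` is on, which is easy to miss in testing.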
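
The idea described in the message, authorization as a view-like callable that returns True or False, sketched as an added example; it is not part of the original post or the patch and does not use Django. It is a plain-Python stand-in for the auth URLconf lookup that denies by default; the ACL table, the `drafts/` route, `broken_auther` and the bare `user` argument are assumptions made for illustration.

```python
import re

# Constructed sample data: which users may read which document (hypothetical ACL).
DOCUMENT_READERS = {
    "budget.odt": {"alice", "bob"},
    "notes.txt": {"alice"},
}

def document_auther(user, filename):
    """Per-document check: True only if `user` is listed for `filename`."""
    return user in DOCUMENT_READERS.get(filename, set())

def broken_auther(user, filename):
    """Hypothetical authorizer that returns a truthy non-boolean by mistake."""
    return "denied"

# Stand-in for the auth URLconf: (compiled pattern, authorizer) pairs.
# The documents pattern mirrors the one in the post; drafts/ is an assumption.
AUTH_URLS = [
    (re.compile(r"^/media/authorized/mymodule/documents/(?P<filename>[^/]+)$"),
     document_auther),
    (re.compile(r"^/media/authorized/mymodule/drafts/(?P<filename>[^/]+)$"),
     broken_auther),
]

def check_auth_url(user, path):
    """Return True only when a matching authorizer explicitly returns True."""
    if user is None:                  # anonymous request: never authorized
        return False
    for pattern, auther in AUTH_URLS:
        match = pattern.match(path)
        if match is None:
            continue
        try:
            result = auther(user, **match.groupdict())
        except Exception:
            return False              # an authorizer that fails denies access
        return result is True         # truthy non-booleans do not grant access
    return False                      # no pattern matched: deny by default
```
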