From ecdc3c6d32e42d3b141023879d5db346436e87d7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Josu=C3=A9=20Tille?= Date: Sun, 7 Jul 2024 22:35:35 +0200 Subject: [PATCH] Add support for group in django permissions --- conf/local.py.j2 | 16 ++++++++++++---- scripts/install | 1 + scripts/upgrade | 1 + sources/django_ldap_extension.py | 19 +++++++++++++++++++ 4 files changed, 33 insertions(+), 4 deletions(-) create mode 100644 sources/django_ldap_extension.py diff --git a/conf/local.py.j2 b/conf/local.py.j2 index 0654bae..745ad8c 100644 --- a/conf/local.py.j2 +++ b/conf/local.py.j2 @@ -2,6 +2,7 @@ from __future__ import unicode_literals import os from .settings_base import * +from .django_ldap_extension import * DEBUG = TEMPLATE_DEBUG = False @@ -43,9 +44,9 @@ EMAIL_HOST = '{{ domain }}' EMAIL_HOST_USER = '{{ app }}@{{ domain }}' EMAIL_HOST_PASSWORD = '{{ mail_pwd }}' -# Tous acces +# LDAP authentication and group management import ldap -from django_auth_ldap.config import LDAPSearch, MemberDNGroupType +from django_auth_ldap.config import LDAPSearch, LDAPSearchUnion, MemberDNGroupType, LDAPGroupType AUTHENTICATION_BACKENDS = ( 'django_auth_ldap.backend.LDAPBackend', 'django.contrib.auth.backends.ModelBackend', @@ -63,13 +64,20 @@ AUTH_LDAP_USER_FLAGS_BY_GROUP = { "is_staff": "cn={{ app }}.staff,ou=permission,dc=yunohost,dc=org", "is_superuser": "cn={{ app }}.superadmin,ou=permission,dc=yunohost,dc=org" } -AUTH_LDAP_GROUP_SEARCH = LDAPSearch("ou=permission,dc=yunohost,dc=org", ldap.SCOPE_SUBTREE) -AUTH_LDAP_GROUP_TYPE = MemberDNGroupType("inheritPermission", "permissionYnh") +AUTH_LDAP_GROUP_SEARCH = LDAPSearchUnion( + LDAPSearch("ou=permission,dc=yunohost,dc=org", ldap.SCOPE_SUBTREE, filterstr=u'(cn=coin.*)'), + LDAPSearch("ou=groups,dc=yunohost,dc=org", ldap.SCOPE_SUBTREE) +) +AUTH_LDAP_GROUP_TYPE = MemberDNGroupTypeUnion( + MemberDNGroupType("inheritPermission"), # permissionYnh + MemberDNGroupType("member")) # groupOfNamesYnh AUTH_LDAP_ALWAYS_UPDATE_USER = True AUTH_LDAP_AUTHORIZE_ALL_USERS = False AUTH_LDAP_FIND_GROUP_PERMS = True AUTH_LDAP_CACHE_GROUPS = True AUTH_LDAP_GROUP_CACHE_TIMEOUT = 1000 +# Link Yunohost group with django permission group +AUTH_LDAP_MIRROR_GROUPS_EXCEPT = ("{{ app }}.main", "{{ app }}.staff", "{{ app }}.superadmin") # import logging # logger = logging.getLogger('django_auth_ldap') # logger.addHandler(logging.StreamHandler()) diff --git a/scripts/install b/scripts/install index 89507fb..e9569fb 100644 --- a/scripts/install +++ b/scripts/install @@ -12,6 +12,7 @@ ynh_app_setting_set --app=$app --key=secret --value=$secret ynh_script_progression --message="Setting up source files..." ynh_setup_source --dest_dir="$install_dir" +cp ../sources/django_ldap_extension.py "$install_dir"/coin/ chmod 750 "$install_dir" chmod -R o-rwx "$install_dir" diff --git a/scripts/upgrade b/scripts/upgrade index d93dd70..08bed5a 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -24,6 +24,7 @@ then # Download, check integrity, uncompress and patch the source from app.src ynh_setup_source --dest_dir="$install_dir" --full_replace=1 --keep=coin/settings_local.py + cp ../sources/django_ldap_extension.py "$install_dir"/coin/ fi diff --git a/sources/django_ldap_extension.py b/sources/django_ldap_extension.py new file mode 100644 index 0000000..12384dd --- /dev/null +++ b/sources/django_ldap_extension.py @@ -0,0 +1,19 @@ +from django_auth_ldap.config import LDAPGroupType + +class MemberDNGroupTypeUnion(LDAPGroupType): + + def __init__(self, *types, name_attr='cn'): + self.types = types + super(MemberDNGroupTypeUnion, self).__init__(name_attr) + + def user_groups(self, ldap_user, group_search): + res = dict() + for t in self.types: + res.update(t.user_groups(ldap_user, group_search)) + return res.items() + + def is_member(self, ldap_user, group_dn): + for t in self.types: + if t.is_member(ldap_user, group_dn): + return True + return False