mirror of
https://gitlab.crans.org/bde/nk20
synced 2024-12-22 23:42:25 +00:00
Authenticate correctly users that connect with an authorization token
This commit is contained in:
parent
6a0dc4cb10
commit
72cc1638e6
@ -16,7 +16,7 @@ class StrongDjangoObjectPermissions(DjangoObjectPermissions):
|
||||
|
||||
# The queryset is filtered, and permissions are more powerful than a simple check than just "can view this model"
|
||||
perms_map = {
|
||||
'GET': [], # ['%(app_label)s.view_%(model_name)s'],
|
||||
'GET': ['%(app_label)s.view_%(model_name)s'],
|
||||
'OPTIONS': [],
|
||||
'HEAD': [],
|
||||
'POST': ['%(app_label)s.add_%(model_name)s'],
|
||||
|
@ -50,6 +50,20 @@ class SessionMiddleware(object):
|
||||
|
||||
def __call__(self, request):
|
||||
user = request.user
|
||||
|
||||
# If we authenticate through a token to connect to the API, then we query the good user
|
||||
if 'HTTP_AUTHORIZATION' in request.META and request.path.startswith("/api"):
|
||||
token = request.META.get('HTTP_AUTHORIZATION')
|
||||
if token.startswith("Token "):
|
||||
token = token[6:]
|
||||
from rest_framework.authtoken.models import Token
|
||||
if Token.objects.filter(key=token).exists():
|
||||
token_obj = Token.objects.get(key=token)
|
||||
user = token_obj.user
|
||||
session = request.session
|
||||
session["permission_mask"] = 42
|
||||
session.save()
|
||||
|
||||
if 'HTTP_X_REAL_IP' in request.META:
|
||||
ip = request.META.get('HTTP_X_REAL_IP')
|
||||
elif 'HTTP_X_FORWARDED_FOR' in request.META:
|
||||
|
Loading…
Reference in New Issue
Block a user