Added mod_python authentication handler and document on authenticating against Django's auth database from Apache

git-svn-id: http://code.djangoproject.com/svn/django/trunk@1495 bcc190cf-cafb-0310-a4f2-bffc1f526a37
commit ae76186a4f86c1e5a687f58bfa54166a0dde6a93 1 parent e1b107b
Jacob Kaplan-Moss authored November 29, 2005
43  django/core/handlers/modpython.py
@@ -163,3 +163,46 @@ def populate_apache_request(http_response, mod_python_req):
163 163
 def handler(req):
164 164
     # mod_python hooks into this function.
165 165
     return ModPythonHandler()(req)
  166
+
  167
+def authenhandler(req, **kwargs):
  168
+    """
  169
+    Authentication handler that checks against Django's auth database.
  170
+    """
  171
+    from mod_python import apache
  172
+    
  173
+    # mod_python fakes the environ, and thus doesn't process SetEnv.  This fixes 
  174
+    # that so that the following import works
  175
+    os.environ.update(req.subprocess_env)
  176
+    from django.models.auth import users
  177
+    
  178
+    # check for PythonOptions
  179
+    _str_to_bool = lambda s: s.lower() in '1', 'true', 'on', 'yes'
  180
+    
  181
+    options = req.get_options()
  182
+    permission_name = options.get('DjangoPermissionName', None)
  183
+    staff_only = _str_to_bool(options.get('DjangoRequireStaffStatus', "on"))
  184
+    superuser_only = _str_to_bool(options.get('DjangoRequireSuperuserStatus', "off"))
  185
+    
  186
+    # check that the username is valid
  187
+    kwargs = {'username__exact': req.user, 'is_active__exact': True}
  188
+    if staff_only:
  189
+        kwargs['is_staff__exact'] = True
  190
+    if superuser_only:
  191
+        kwargs['is_superuser__exact'] = True
  192
+    try:
  193
+        user = users.get_object(**kwargs)
  194
+    except users.UserDoesNotExist:
  195
+        return apache.HTTP_UNAUTHORIZED
  196
+        
  197
+    # check the password and any permission given
  198
+    if user.check_password(req.get_basic_auth_pw()):
  199
+        if permission_name:
  200
+            if user.has_perm(permission_name):
  201
+                return apache.OK
  202
+            else:
  203
+                return apache.HTTP_UNAUTHORIZED
  204
+        else:
  205
+            return apache.OK
  206
+    else:
  207
+        return apache.HTTP_UNAUTHORIZED
  208
+    
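
Review bot: the `_str_to_bool` assignment at new line 179 does not build the function it appears to. Without parentheses around the accepted values, Python parses `lambda s: s.lower() in '1', 'true', 'on', 'yes'` as a four-element tuple whose first item is the lambda, so the `_str_to_bool(...)` calls for `DjangoRequireStaffStatus` and `DjangoRequireSuperuserStatus` raise `TypeError` and the handler fails before it checks anything. Parenthesise the tuple: `lambda s: s.lower() in ('1', 'true', 'on', 'yes')`. Separately, `kwargs = {'username__exact': ...}` rebinds the `**kwargs` parameter of `authenhandler`, so a distinct name such as `lookup` would read better, and a user whose password is correct but who lacks `permission_name` gets `apache.HTTP_UNAUTHORIZED`, which makes clients prompt for credentials again; `apache.HTTP_FORBIDDEN` would describe that case.
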
62  docs/apache_auth.txt
... ...
@@ -0,0 +1,62 @@
  1
+=========================================================
  2
+Authenticating against Django's user database from Apache
  3
+=========================================================
  4
+
  5
+Since keeping multiple authentication databases in sync is a common problem when
  6
+dealing with Apache, you can configuring Apache to authenticate against Django's
  7
+`authentication system`_ directly.  For example, you could:
  8
+
  9
+    * Serve media files directly from Apache only to authenticated users.
  10
+    
  11
+    * Authenticate access to a Subversion_ repository against Django users with
  12
+      a certain permission.
  13
+      
  14
+    * Allow certain users to connect to a WebDAV share created with mod_dav_.
  15
+        
  16
+Configuring Apache
  17
+==================
  18
+
  19
+To check against Django's authorization database from a Apache configuration
  20
+file, you'll need to use mod_python's ``PythonAuthenHandler`` directive along
  21
+with the standard ``Auth*`` and ``Require`` directives::
  22
+
  23
+    <Location /example/>
  24
+        AuthType basic
  25
+        AuthName "example.com"
  26
+        Require valid-user
  27
+        
  28
+        SetEnv DJANGO_SETTINGS_MODULE mysite.settings
  29
+        PythonAuthenHandler django.core.handlers.modpython
  30
+    </Location>
  31
+
  32
+By default, the authentication handler will limit access to the ``/example/``
  33
+location to users marked as staff members.  You can use a set of
  34
+``PythonOption`` directives to modify this behavior::
  35
+
  36
+    ================================  =========================================
  37
+    ``PythonOption``                  Explanation
  38
+    ================================  =========================================
  39
+    ``DjangoRequireStaffStatus``      If set to ``on`` only "staff" users (i.e.
  40
+                                      those with the ``is_staff`` flag set) 
  41
+                                      will be allowed.
  42
+                                      
  43
+                                      Defaults to ``on``.
  44
+
  45
+    ``DjangoRequireSuperuserStatus``  If set to ``on`` only superusers (i.e.
  46
+                                      those with the ``is_superuser`` flag set)
  47
+                                      will be allowed.
  48
+                                      
  49
+                                      Defaults to ``off``.
  50
+    
  51
+    ``DjangoPermissionName``          The name of a permission to require for
  52
+                                      access.  See `custom permissions`_ for
  53
+                                      more information.
  54
+                                      
  55
+                                      By default no specific permission will be
  56
+                                      required.
  57
+    ================================  =========================================
  58
+    
  59
+.. _authentication system: http://www.djangoproject.com/documentation/authentication/
  60
+.. _Subversion: http://subversion.tigris.org/
  61
+.. _mod_dav: http://httpd.apache.org/docs/2.0/mod/mod_dav.html
  62
+.. _custom permissions: http://www.djangoproject.com/documentation/authentication/#custom-permissions
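
Review bot: the `<Location /example/>` example uses `AuthType basic`, but the document never says that Basic auth sends the Django username and password with every request in a trivially decodable form; add a sentence telling readers to serve the protected location over HTTPS only. Also, the ``PythonOption`` table is indented under a paragraph ending in `::`, so reST will render it as a literal block and the `custom permissions`_ reference inside it will not resolve; end that paragraph with a single colon and dedent the table. Typos to fix while here: "you can configuring Apache" and "from a Apache", and "authorization database" should read "authentication database" to match the title.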
