New 'groups_allowed' decorator for views

Can be used to restrict access to a view to only the groups whose names are passed as arguments to the decorator.

New 'groups_allowed' decorator for views
3c82ab98 · Tanner Prestegard · GraceDB · e309a6c0 · 3c82ab98 · 3c82ab98
Commit 3c82ab98 authored 6 years ago by Tanner Prestegard Committed by GraceDB 6 years ago
--- a/config/urls.py
+++ b/config/urls.py

 # Changed for Django 1.11 upgrade
-from django.conf.urls import url, include
 from django.conf import settings
+from django.conf.urls import url, include

 # Uncomment the next two lines to enable the admin:
 from django.contrib import admin
-admin.autodiscover()
+from django.contrib.auth.views import logout
 from django.views.generic import TemplateView

 # Import feeds
@@ -13,9 +13,13 @@ from events.feeds import EventFeed, feedview

 # After Django 1.10, have to import views directly, rather
 # than just using a string
+import events.reports
 import events.views
+from ligoauth.views import gracedb_login
 import search.views
-import events.reports
+
+# Django admin auto-discover
+admin.autodiscover()

 feeds = {
    'latest' : EventFeed
@@ -43,6 +47,8 @@ urlpatterns = [
    url(r'^reports/cbc_report/(?P<format>(json|flex))?$',
        events.reports.cbc_report, name="cbc_report"),
    url(r'^latest/$', search.views.latest, name="latest"),
+    url(r'^login/$', gracedb_login, name='login'),
+    url(r'^logout/$', logout, {'next_page': '/'}, name='logout'),
    #(r'^reports/(?P<path>.+)$', 'django.views.static.serve',
    #        {'document_root': settings.LATENCY_REPORT_DEST_DIR}),
    url(r'^search/$', search.views.search, name="mainsearch"),

--- a/gracedb/ligoauth/utils.py
+++ b/gracedb/ligoauth/utils.py
+from django.http import HttpResponseForbidden
+from django.utils.functional import wraps
+
+def groups_allowed(group_names):
+    """
+    Decorator to allow access to specified group(s).
+    Usage:
+        @groups_allowed(settings.LVC_GROUP)
+        @groups_allowed([settings.LVC_GROUP, settings.LVEM_OBSERVERS_GROUP])
+    """
+
+    if isinstance(group_names, str):
+        group_names = [group_names]
+    def decorator(view_func):
+        @wraps(view_func)
+        def wrapper(request, *args, **kwargs):
+            user_groups = [g.name for g in request.user.groups.all()]
+            if set(group_names).isdisjoint(user_groups):
+                # Use a template
+                return HttpResponseForbidden("You are not a member of {0}".format(group_names))
+            return view_func(request, *args, **kwargs)
+
+        return wrapper
+    return decorator
+
--- a/gracedb/ligoauth/views.py
+++ b/gracedb/ligoauth/views.py
+from django.http import HttpResponseRedirect
+from django.utils.http import urlquote
+from django.conf import settings
+
+def gracedb_login(request):
+    full_login_url = "{base}?target={path}".format(base=settings.LOGIN_URL,
+        path=urlquote(request.META.get('HTTP_REFERER', '/')))
+    return HttpResponseRedirect(full_login_url)