|
@@ -1,6 +1,12 @@
|
|
|
from django.contrib.auth.decorators import login_required
|
|
|
from django.shortcuts import get_object_or_404, redirect, render
|
|
|
from django.contrib import messages
|
|
|
+from django.core.exceptions import PermissionDenied
|
|
|
+from django.conf import settings
|
|
|
+from django.http import HttpResponse, HttpResponseBadRequest
|
|
|
+from django.views.decorators.http import require_POST
|
|
|
+from django.views.decorators.csrf import csrf_exempt
|
|
|
+from django.contrib.auth import authenticate, get_user_model
|
|
|
|
|
|
from .forms import UserForm, ProfileForm
|
|
|
|
|
@@ -19,3 +25,28 @@ def profile(request):
|
|
|
'user_form': user_form,
|
|
|
'profile_form': profile_form,
|
|
|
})
|
|
|
+
|
|
|
+
|
|
|
+@require_POST
|
|
|
+@csrf_exempt
|
|
|
+def auth_api(request, token):
|
|
|
+ # token could not be None due to url regex
|
|
|
+ if token != getattr(settings, 'AUTH_API_TOKEN', None):
|
|
|
+ raise PermissionDenied
|
|
|
+ username = request.POST.get('username')
|
|
|
+ if not username:
|
|
|
+ return HttpResponseBadRequest()
|
|
|
+ password = request.POST.get('password')
|
|
|
+ if password:
|
|
|
+ user = authenticate(username=username, password=password)
|
|
|
+ if user is None:
|
|
|
+ return HttpResponse('<h1>401 Unauthorized</h1>', status=401)
|
|
|
+ else:
|
|
|
+ user = get_object_or_404(get_user_model(), username=username)
|
|
|
+ required_groups = request.POST.get('groups')
|
|
|
+ if required_groups and not user.is_superuser: # skip groups check for superusers
|
|
|
+ required_groups = set(required_groups.split(' '))
|
|
|
+ user_groups = set(map(lambda g: g.name, user.groups.all()))
|
|
|
+ if required_groups - user_groups:
|
|
|
+ return HttpResponse('<h1>401 Unauthorized</h1>', status=401)
|
|
|
+ return HttpResponse()
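Review bot: The shared-secret check `if token != getattr(settings, 'AUTH_API_TOKEN', None):` uses a plain `!=`, which stops at the first differing byte, so a caller who can measure response times can recover the token incrementally; compare with `django.utils.crypto.constant_time_compare` and fail closed when the setting is missing or empty, e.g. `expected = getattr(settings, 'AUTH_API_TOKEN', None)` then `if not expected or not constant_time_compare(token, expected): raise PermissionDenied`. Because `token` is a URL path component it will also be written to web-server and proxy access logs, so carrying it in a request header or the POST body instead would keep it out of those. In the password-less branch `get_object_or_404(get_user_model(), username=username)` also returns disabled accounts, so a user with `is_active=False` and the right groups still gets a 200; add `if not user.is_active: return HttpResponse('<h1>401 Unauthorized</h1>', status=401)` before the group check (whether the `authenticate` branch rejects inactive users depends on the configured backend, so verify that too). That branch additionally answers 404 for an unknown username and 200 for a known one, which is a user-enumeration oracle for anyone holding the token; returning the same 401 in both cases avoids it. Lastly, `required_groups.split(' ')` turns a doubled space into an empty group name that can never match, whereas `required_groups.split()` does not.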
|