mirror of
https://github.com/pretix/pretix.git
synced 2025-12-07 22:42:26 +00:00
a5c39271dd
* Make API security profiles pluggable * Update src/pretix/api/signals.py Co-authored-by: robbi5 <richt@rami.io> * REmove dead class --------- Co-authored-by: robbi5 <richt@rami.io>
66 lines
2.7 KiB
Python
66 lines
2.7 KiB
Python
#
|
|
# This file is part of pretix (Community Edition).
|
|
#
|
|
# Copyright (C) 2014-2020 Raphael Michel and contributors
|
|
# Copyright (C) 2020-2021 rami.io GmbH and contributors
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify it under the terms of the GNU Affero General
|
|
# Public License as published by the Free Software Foundation in version 3 of the License.
|
|
#
|
|
# ADDITIONAL TERMS APPLY: Pursuant to Section 7 of the GNU Affero General Public License, additional terms are
|
|
# applicable granting you additional permissions and placing additional restrictions on your usage of this software.
|
|
# Please refer to the pretix LICENSE file to obtain the full terms applicable to this work. If you did not receive
|
|
# this file, see <https://pretix.eu/about/en/license>.
|
|
#
|
|
# This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
|
|
# details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License along with this program. If not, see
|
|
# <https://www.gnu.org/licenses/>.
|
|
#
|
|
import logging
|
|
|
|
from django.contrib.auth.models import AnonymousUser
|
|
from django_scopes import scopes_disabled
|
|
from rest_framework import exceptions
|
|
from rest_framework.authentication import TokenAuthentication
|
|
|
|
from pretix.api.auth.devicesecurity import (
|
|
FullAccessSecurityProfile, get_all_security_profiles,
|
|
)
|
|
from pretix.base.models import Device
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
|
|
class DeviceTokenAuthentication(TokenAuthentication):
|
|
model = Device
|
|
keyword = 'Device'
|
|
|
|
def authenticate_credentials(self, key):
|
|
model = self.get_model()
|
|
try:
|
|
with scopes_disabled():
|
|
device = model.objects.select_related('organizer').get(api_token=key)
|
|
except model.DoesNotExist:
|
|
raise exceptions.AuthenticationFailed('Invalid token.')
|
|
|
|
if not device.initialized:
|
|
raise exceptions.AuthenticationFailed('Device has not been initialized.')
|
|
|
|
if device.revoked:
|
|
logging.warning(f'Connection attempt of revoked device {device.pk}.')
|
|
raise exceptions.AuthenticationFailed('Device access has been revoked.')
|
|
|
|
return AnonymousUser(), device
|
|
|
|
def authenticate(self, request):
|
|
r = super().authenticate(request)
|
|
if r and isinstance(r[1], Device):
|
|
profiles = get_all_security_profiles()
|
|
profile = profiles.get(r[1].security_profile, FullAccessSecurityProfile())
|
|
if not profile.is_allowed(request):
|
|
raise exceptions.PermissionDenied('Request denied by device security profile.')
|
|
return r
|