Allow inactive users to authenticate in Django 1.10+

This commit is contained in:
John Eskew
2018-01-11 15:05:02 -05:00
committed by Troy Sankey
parent e649d2d782
commit 5a71fa1e33
2 changed files with 27 additions and 2 deletions


@@ -668,8 +668,7 @@ derived_collection_entry('DEFAULT_TEMPLATE_ENGINE', 'DIRS')
###############################################################################################
# use the ratelimit backend to prevent brute force attacks
AUTHENTICATION_BACKENDS = ['ratelimitbackend.backends.RateLimitModelBackend']
AUTHENTICATION_BACKENDS = ['openedx.core.djangoapps.oauth_dispatch.dot_overrides.validators.EdxRateLimitedAllowAllUsersModelBackend']
STUDENT_FILEUPLOAD_MAX_SIZE = 4 * 1000 * 1000 # 4 MB
MAX_FILEUPLOADS_PER_INPUT = 20
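Review bot: The comment above the new AUTHENTICATION_BACKENDS value still describes only the rate limiting, but the backend it now names also accepts users with is_active=False, which Django 1.10+ ModelBackend rejects by default, and that deliberate security-relevant change deserves a comment here where the setting is read. The docstring of EdxRateLimitedAllowAllUsersModelBackend in the other file says inactive first-party logins are rejected later in the login_user view, so every other code path that calls authenticate() — the OAuth validator module this backend lives beside is presumably one — has to enforce is_active itself; worth confirming. Suggested comment under the existing one: `# NOTE: this backend also authenticates is_active=False users (Django 1.10+ default rejects them); every caller of authenticate() must check is_active itself.`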


@@ -5,12 +5,14 @@ from __future__ import unicode_literals
from datetime import datetime
import django
from django.contrib.auth import authenticate, get_user_model
from django.db.models.signals import pre_save
from django.dispatch import receiver
from oauth2_provider.models import AccessToken
from oauth2_provider.oauth2_validators import OAuth2Validator
from pytz import utc
from ratelimitbackend.backends import RateLimitMixin
from ..models import RestrictedApplication
@@ -29,6 +31,30 @@ def on_access_token_presave(sender, instance, *args, **kwargs): # pylint: disab
RestrictedApplication.set_access_token_as_expired(instance)
# TODO: Remove Django 1.11 upgrade shim
# SHIM: Allow users that are inactive to still authenticate while keeping rate-limiting functionality.
if django.VERSION < (1, 10):
# Old backend which allowed inactive users to authenticate prior to Django 1.10.
from django.contrib.auth.backends import ModelBackend as UserModelBackend
else:
# Django 1.10+ ModelBackend disallows inactive users from authenticating, so instead we use
# AllowAllUsersModelBackend which is the closest alternative.
from django.contrib.auth.backends import AllowAllUsersModelBackend as UserModelBackend
class EdxRateLimitedAllowAllUsersModelBackend(RateLimitMixin, UserModelBackend):
"""
Authentication backend needed to incorporate rate limiting of login attempts - but also
enabling users with is_active of False in the Django auth_user model to still authenticate.
This is necessary for mobile users using 3rd party auth who have not activated their accounts,
Inactive users who use 1st party auth (username/password auth) will still fail login attempts,
just at a higher layer, in the login_user view.
See: https://openedx.atlassian.net/browse/TNL-4516
"""
pass
class EdxOAuth2Validator(OAuth2Validator):
"""
Validator class that implements edX-specific custom behavior: