From 5a71fa1e33aaa3a28938d1506cfbbfee9c19f4d1 Mon Sep 17 00:00:00 2001
From: John Eskew
Date: Thu, 11 Jan 2018 15:05:02 -0500
Subject: [PATCH] Allow inactive users to authenticate in Django 1.10+
---
 lms/envs/common.py | 3 +--
 .../dot_overrides/validators.py | 26 +++++++++++++++++++
 2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/lms/envs/common.py b/lms/envs/common.py
index 14548102ee..e386b85374 100644
--- a/lms/envs/common.py
+++ b/lms/envs/common.py
@@ -668,8 +668,7 @@ derived_collection_entry('DEFAULT_TEMPLATE_ENGINE', 'DIRS')
 ###############################################################################################
-# use the ratelimit backend to prevent brute force attacks
-AUTHENTICATION_BACKENDS = ['ratelimitbackend.backends.RateLimitModelBackend']
+AUTHENTICATION_BACKENDS = ['openedx.core.djangoapps.oauth_dispatch.dot_overrides.validators.EdxRateLimitedAllowAllUsersModelBackend']
 STUDENT_FILEUPLOAD_MAX_SIZE = 4 * 1000 * 1000 # 4 MB
 MAX_FILEUPLOADS_PER_INPUT = 20
diff --git a/openedx/core/djangoapps/oauth_dispatch/dot_overrides/validators.py b/openedx/core/djangoapps/oauth_dispatch/dot_overrides/validators.py
index 702d0b4e06..978e8394af 100644
--- a/openedx/core/djangoapps/oauth_dispatch/dot_overrides/validators.py
+++ b/openedx/core/djangoapps/oauth_dispatch/dot_overrides/validators.py
@@ -5,12 +5,14 @@
 from __future__ import unicode_literals
 from datetime import datetime
+import django
 from django.contrib.auth import authenticate, get_user_model
 from django.db.models.signals import pre_save
 from django.dispatch import receiver
 from oauth2_provider.models import AccessToken
 from oauth2_provider.oauth2_validators import OAuth2Validator
 from pytz import utc
+from ratelimitbackend.backends import RateLimitMixin
 from ..models import RestrictedApplication
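Review bot: The new AUTHENTICATION_BACKENDS line in lms/envs/common.py drops the only explanation of why this backend is configured, and the class name alone does not tell a reader that it also admits is_active=False accounts. Because this is now the single backend in the list, every caller of authenticate() in the LMS inherits that behaviour, and the commit only names the login_user view as the place where inactive first-party logins are still rejected. I would keep a comment above the setting: `# Rate-limited backend (brute-force protection). It also admits is_active=False accounts, so views that must reject deactivated users have to check is_active themselves.`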
@@ -29,6 +31,30 @@ def on_access_token_presave(sender, instance, *args, **kwargs): # pylint: disab
 RestrictedApplication.set_access_token_as_expired(instance)
+# TODO: Remove Django 1.11 upgrade shim
+# SHIM: Allow users that are inactive to still authenticate while keeping rate-limiting functionality.
+if django.VERSION < (1, 10):
+ # Old backend which allowed inactive users to authenticate prior to Django 1.10.
+ from django.contrib.auth.backends import ModelBackend as UserModelBackend
+else:
+ # Django 1.10+ ModelBackend disallows inactive users from authenticating, so instead we use
+ # AllowAllUsersModelBackend which is the closest alternative.
+ from django.contrib.auth.backends import AllowAllUsersModelBackend as UserModelBackend
+
+
+class EdxRateLimitedAllowAllUsersModelBackend(RateLimitMixin, UserModelBackend):
+ """
+ Authentication backend needed to incorporate rate limiting of login attempts - but also
+ enabling users with is_active of False in the Django auth_user model to still authenticate.
+ This is necessary for mobile users using 3rd party auth who have not activated their accounts,
+ Inactive users who use 1st party auth (username/password auth) will still fail login attempts,
+ just at a higher layer, in the login_user view.
+
+ See: https://openedx.atlassian.net/browse/TNL-4516
+ """
+ pass
+
+
+
 class EdxOAuth2Validator(OAuth2Validator):
 """
 Validator class that implements edX-specific custom behavior:
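Review bot: The docstring of EdxRateLimitedAllowAllUsersModelBackend says inactive users are still rejected "at a higher layer, in the login_user view", but an authentication backend also answers get_user() for session restores, and AllowAllUsersModelBackend — if I read Django 1.10+'s ModelBackend correctly — returns inactive users from get_user() too, so setting is_active=False would no longer end an existing session on the next request. That consequence is wider than the third-party-auth mobile case the class is motivated by and belongs in the docstring, e.g. `Note: get_user() also accepts inactive users, so deactivating an account does not invalidate its existing sessions; callers needing that must enforce is_active.` The `pass` under the docstring is redundant and can be dropped. Since the two branches of the django.VERSION shim select different base classes, a test that authenticates an inactive user through this backend would pin the behaviour the shim is meant to preserve across the upgrade.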