Commit bc071d3e authored by Julian Rother's avatar Julian Rother

Rewrote video permission checking

parent 066ffe2d
......@@ -69,6 +69,72 @@ def mod_required(func):
return func(*args, **kwargs)
return decorator
def evalauth(auths):
cauths = []
lauths = []
vauths = []
for auth in auths:
if auth['course_id']:
cauths.append(auth)
elif auth['lecture_id']:
lauths.append(auth)
elif auth['video_id']:
vauths.append(auth)
if vauths:
return vauths
elif lauths:
return lauths
elif cauths:
return cauths
return [{'auth_type': 'public'}]
@app.template_filter()
def checkauth(auths, username=None, password=None):
auths = evalauth(auths)
for auth in auths:
if auth['auth_type'] == 'public':
return True
elif auth['auth_type'] == 'password':
if auth['auth_user'] == username and auth['auth_password'] == password:
return True
elif auth['auth_type'] == 'l2p':
if auth['auth_param'] in session.get('l2p_courses', []):
return True
elif auth['auth_type'] == 'rwth':
if session.get('rwthintern', False):
return True
return False
@app.template_filter()
def authdescr(auths):
auths = evalauth(auths)
public = False
password = False
l2p_courses = []
rwth_intern = False
for auth in auths:
if auth['auth_type'] == 'public':
public = True
elif auth['auth_type'] == 'password':
password = True
elif auth['auth_type'] == 'l2p':
l2p_courses.append(auth['auth_param'])
elif auth['auth_type'] == 'rwth':
rwth_intern = True
if public or not auths:
return 'public', 'Öffentlich verfügbar'
if rwth_intern:
if password:
return 'rwth', 'Nur für RWTH-Angehörige und Nutzer mit Passwort verfügbar'
return 'rwth', 'Nur für RWTH-Angehörige verfügbar'
if l2p_courses:
if password:
return 'rwth', 'Nur für Teilnehmer der Veranstaltung und Nutzer mit Passwort verfügbar'
return 'rwth', 'Nur für Teilnehmer der Veranstaltung verfügbar'
if password:
return 'password', 'Nur für Nutzer mit Passwort verfügbar'
return 'public', 'Öffentlich verfügbar'
app.jinja_env.globals['navbar'] = []
# iconlib can be 'bootstrap'
# ( see: http://getbootstrap.com/components/#glyphicons )
......@@ -361,7 +427,7 @@ def auth(): # For use with nginx auth_request
ip = request.headers.get('X-Real-IP', '')
if url.endswith('jpg'):
return "OK", 200
videos = query('''SELECT videos.path, videos.id, lectures.id AS lecture_id, courses.id AS course_id, auth.*
videos = query('''SELECT videos.path, videos.id, auth.*
FROM videos
JOIN lectures ON (videos.lecture_id = lectures.id)
JOIN courses ON (lectures.course_id = courses.id)
......@@ -372,34 +438,20 @@ def auth(): # For use with nginx auth_request
url, ismod())
if not videos:
return "Not allowed", 403
allowed = False
types = []
auth = request.authorization
for video in videos:
if videos[0] and ((videos[0]['video_id'] and not video['video_id']) \
or (videos[0]['lecture_id'] and not video['lecture_id'])):
break
types.append(video['auth_type'])
if video['auth_type'] == 'public':
allowed = True
break
elif video['auth_type'] == 'password':
if auth and video['auth_user'] == auth.username and video['auth_passwd'] == auth.password:
allowed = True
break
elif video['auth_type'] == 'l2p':
if video['auth_param'] in session.get('l2p_courses', []):
allowed = True
break
elif video['auth_type'] == 'rwth':
if session.get('rwthintern', False):
allowed = True
break
if not types[0] or allowed or ismod() or \
(auth and check_mod(*ldapauth(auth.username, auth.password))):
username = password = None
if auth:
username = auth.username
password = auth.password
if checkauth(videos, username=username, password=password):
return 'OK', 200
modify('INSERT INTO log VALUES (?, "", ?, "video", ?, ?)', ip, datetime.now(), videos[0]['id'], url)
elif 'password' in types:
password_auth = False
for video in videos:
if video['auth_type'] == 'password':
password_auth = True
break
if password_auth:
return Response("Login required", 401, {'WWW-Authenticate': 'Basic realm="Login Required"'})
return "Not allowed", 403
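Review bot: The password branch of `checkauth` compares `auth['auth_user'] == username and auth['auth_password'] == password` without the `auth and …` guard that the removed loop in `auth()` had, so a request with no Authorization header (or any template call, where both arguments default to `None`) would match a password rule whose stored user and password are NULL. The branch also reads `auth['auth_password']`, while the removed code read `video['auth_passwd']` from the same `auth.*` columns; if the column is still named `auth_passwd`, this lookup presumably fails on every password rule and the nginx auth_request gets an error instead of a decision. I would write the branch as `if username is not None and password is not None and auth['auth_user'] == username and auth['auth_passwd'] == password:`, with the key name confirmed against the schema. Separately, the 401 loop in `auth()` scans every row in `videos` rather than `evalauth(videos)`, so a Basic prompt can be offered for a password rule that a more specific level has overridden.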
......