Can login be required to see the site?

Question

Can OSQA be configured to require login to access the site? Default OSQA is configured that anyone can access/see the site regardless login or not then.

Thanks,

Ted

Accepted Answer

3

This is in jira. There is also a less developed thread here.

On a lead from @deniz I've modified forum/views/decorators.py - specifically the render function. When this is called, it will now check if the user is authenticated, and redirect to the signing page if not (All I've added is the else statement):

def render(template=None, tab=None, tab_title='', weight=500, tabbed=True):
    def decorator(func):
        def decorated(context, request, *args, **kwargs):
            if request.user.is_authenticated():
                ONLINE_USERS[request.user] = datetime.now()
            else:
                return HttpResponseRedirect(reverse('auth_signin'))

I'm uncertain if this is the 'right' way to do it - any suggestions?

I've submitted a patch at the linked jira ticket - this patch adds a configuration option in the basic configuration, then checks for that and if the user is not auth'ed before redirecting to login page.

link

answered 10 Apr '11, 00:11

askvictor
71●2●4
accept rate: 33%

edited 10 Apr '11, 00:38

Oh, that's really nice, I do like that. Way better than my attempt. I've put your way in straight away.

(EDIT: logo does actually get served on the login page)

(10 Apr '11, 06:32) Andrew_S ♦

It still seems to serve up the /questions/ask/ page ("Ask a question"), even if not logged in. Are you finding that too? Any thoughts on preventing it?

(10 Apr '11, 07:26) Andrew_S ♦

It still also serves up the about page, and the FAQ.

(10 Apr '11, 08:51) Andrew_S ♦

1

I knew it serves the about and FAQ pages; I see that as a feature more than a bug ;)

I hadn't realised the ask page. Though it still requires a login to actually get the question through, so I don't see it as a huge issue. I'll have a look where that might be changed in the code, but I reckon if you want the entire site completely walled off, it might be easier to use HTTP authentication, and add an module to osqa that grabs the HTTP header for auth.

(10 Apr '11, 22:05) askvictor

1

OK; to add auth to questions/ask, I think you'd need to get into forum/views/writers.py and change the ask() function. Similarly, for FAQ and about, page() in meta.py

But at this point I would be creating another decorator function, then decorating all of the relevant functions (or at least making a single check_login_required function that is called in each relevant function).

I'm still a little fuzzy on the overall architecture; if there isn't a single place to catch all requests, then I still reckon it's much cleaner to use HTTP auth. But hooking into render() does what I require.

(10 Apr '11, 22:17) askvictor

middleware/anon_user.py does catch all requests: including (if you're not serving them statically) the CSS and js too. So I've ended up reverting to patching that, because I needed the About and FAQ to be behind the wall too. Yeah, I know what you mean about using HTTP auth, and I started with that: but as I found no way to give users a "logout" function from HTTP auth, I had to abandon that.

(11 Apr '11, 01:51) Andrew_S ♦

By the way, /feeds/rss is also not caught by the render function. I'm looking into how to block it.

(11 May '11, 20:53) Cliff Spradlin

The patch to middleware/anon_user.py does stop /feeds/rss too.

(11 May '11, 23:52) Andrew_S ♦

showing 5 of 8 show 3 more comments

Answer 2

3

Certainly with middleware you can. I happen to be using django-sso middleware for single-sign on, and I modified process_request() to require the user to be logged in for any request to succeed. It's fairly easy to write your own routine that just does that, if you want.

link

answered 28 May '10, 07:00

expaand
731●11●16●20
accept rate: 33%

2

Could you describe that in more detail?

(02 Jun '10, 15:30) Joseph

Not sure which part you want. It is easy to write a django middleware component that checks to see if you are signed on - if not, for example, you can return a status code 401, or, redirect to a login page.

(02 Jun '10, 15:44) expaand

1

Since I'm quite new for Python and django, I have no clue how I can do it. Could you tell me which file of OSQA I should see to implement the django-sso middleware?

(07 Jun '10, 06:13) Ted Wada

I'd also be very interested in how that would be working. I've created a separate question - in case you read this, I'd very much appreciate if you could have a look, it's here: http://meta.osqa.net/questions/9997/how-to-set-up-django-sso-with-osqa

(20 Aug '11, 07:32) jashan

Answer 3

I've got a brutal fix to get this working: At the end of osqa/forum/middleware/anon_user.py is def process_request - here's what mine looks like now:

def process_request(self, request):
    if not request.user.is_authenticated():

if (request.path.find('/m/') == -1) & (request.path.find('/account/') == -1) & (request.path != reverse('auth_signin')):
            return HttpResponseRedirect(reverse('auth_signin'))

request.user.__deepcopy__ = dummy_deepcopy #plug on deepcopy which may be called by django db "driver"
        request.user.message_set = AnonymousMessageManager(request) #here request is linked to anon user
        request.user.get_and_delete_messages = request.user.message_set.get_and_delete

#also set the first greeting one time per session only
        #if 'greeting_set' not in request.session:
        #    request.session['greeting_set'] = True
        #    msg = _('First time here? Check out the <a href="%s">FAQ</a>!') % reverse('faq')
        #    request.user.message_set.create(message=msg)

I'm not proud of it. But it works. Note that users won't be able to access the FAQ until logged in, which is why the FAQ greeting (the last 4 lines) are commented out.

It does the check on request.path.find('/m/') to make sure that we're not trying to serve a CSS or javascript file. It does the other two checks to prevent eternal looping.

Answer 4

1

You can do it with decorators(and by playing with the source little bit). If you want example you can look into the forum/views/admin.py you will see there "super_user_required" which prevents you from logging in "yourdomain.com/admin/" . Similar thing can be done or in the same directory in decorators.py "login_required" can be used.

link

answered 25 Nov '10, 09:13

deniz
16●1
accept rate: 0%

Which functions would one decorate with login_required? I'm a bit new to the django model

(09 Apr '11, 23:17) askvictor

Answer 5

0

Another approach to this would be to hit the templates: forum/skins/default/templates/base_content.html seems to be the root template of everything - if that had an if/else checking if the user was authenticated, that might be enough to protect the entire site. My django template skills, however, are not that flash, so I'm not sure how to go about this.

link

answered 02 May '11, 19:53

askvictor
71●2●4
accept rate: 33%

Can login be required to see the site?

Follow this question

Learn more about OSQA

Related questions