from re import compile

from django.conf import settings
from django.http import HttpResponseRedirect, HttpResponse
from django.utils.deprecation import MiddlewareMixin
from rest_framework import permissions

# Compiled regular expressions for the paths an anonymous user may reach
# without being redirected to the login page.
#
# The leading "/" is removed from every configured pattern because the
# middleware below strips it from the request path before matching.
#
# The patterns are applied with .match(), which anchors at the start of the
# path only: a pattern such as "api" also exempts "api-private/...". End each
# pattern with "$" unless a prefix-wide exemption is really intended.
EXEMPT_URLS = []
if hasattr(settings, "LOGIN_EXEMPT_URLS"):
    EXEMPT_URLS.extend(
        [compile(pattern.lstrip("/")) for pattern in settings.LOGIN_EXEMPT_URLS]
    )

# HTTP methods the middleware lets through: DRF's read-only SAFE_METHODS plus
# the three write methods listed here. Any other method (PATCH included, since
# it is not listed) is rejected by process_request before reaching a view.
AUTHORIZED_REQUEST_METHODS = [*permissions.SAFE_METHODS, "POST", "PUT", "DELETE"]


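class RexDriRequestMiddleware(MiddlewareMixin):
    """
    Gate every incoming request before it reaches a view.

    - It checks that the HTTP request method is authorized on the platform
      (see AUTHORIZED_REQUEST_METHODS); any other method gets a 401 response.

    - It requires a user to be authenticated to view any page whose path is
      not matched by an exemption. Exemptions can optionally be specified in
      settings via a list of regular expressions in LOGIN_EXEMPT_URLS (which
      you can copy from your urls.py). Anonymous requests to any other page
      are redirected to LOGIN_URL.

    - Authenticated users who have not validated the CGU / RGPD are sent to
      /cgu-rgpd/; users who have validated them but are banned are sent to
      /banned_note/.

    Security notes:

    - Exemption patterns are applied with ``match``, which anchors at the
      start of the path only. An unanchored pattern exempts every path that
      begins with it, so patterns should normally end with ``$``.
    - LOGIN_URL is not special-cased by this class. NOTE(review): it
      presumably has to be covered by LOGIN_EXEMPT_URLS, otherwise anonymous
      users would be redirected to it in a loop -- confirm against settings.
    - The ``next`` query parameter is built from the request path, which the
      client controls. It is percent-encoded here so it cannot add or alter
      other query parameters, but the view that finally redirects to ``next``
      must still check that the target is a local URL.

    Requires the authentication middleware to be loaded: an AssertionError is
    raised if ``request.user`` is missing.
    """

    def process_request(self, request):
        """
        Return a response that short-circuits the request, or None to let it
        continue to the next middleware / the view.

        Raises:
            AssertionError: if ``request`` has no ``user`` attribute, i.e. the
                authentication middleware did not run before this one.
        """
        # Function-scope import so the block does not depend on a new
        # module-level import.
        from urllib.parse import quote

        # Check that the request.method is authorized on the site.
        # NOTE(review): 405 Method Not Allowed would describe this situation
        # more accurately than 401; the status is kept because clients may
        # already depend on it.
        if request.method not in AUTHORIZED_REQUEST_METHODS:
            return HttpResponse("Unauthorized", status=401)

        # Explicit raise instead of an ``assert`` statement so the
        # configuration check is still performed when Python runs with -O.
        if not hasattr(request, "user"):
            raise AssertionError(
                "The RexDriRequestMiddleware"
                " requires authentication middleware to be installed. Edit your"
                " MIDDLEWARE_CLASSES setting to insert"
                " 'django.contrib.auth.middleware.AuthenticationMiddleware'. If that doesn't"
                " work, ensure your TEMPLATE_CONTEXT_PROCESSORS setting includes"
                " 'django.core.context_processors.auth'."
            )

        # Exemption patterns are compiled without their leading "/", so the
        # path is normalised the same way before matching.
        path = request.path_info.lstrip("/")
        full_path = request.get_full_path()
        user = request.user

        if not user.is_authenticated:
            # Anonymous user: only exempt paths are served, everything else
            # goes to the login page.
            if not any(m.match(path) for m in EXEMPT_URLS):
                # Percent-encode the return path: characters such as "&", "#"
                # or "?" in it would otherwise end the ``next`` value early or
                # add extra parameters to the login URL.
                return HttpResponseRedirect(
                    settings.LOGIN_URL + "?next=" + quote("/" + path)
                )
            return None

        # User is authenticated.
        # We check if he / she has validated the CGU and the full RGPD.
        if not user.has_validated_cgu_rgpd:
            # Prefix test: every path beginning with "cgu-rgpd" stays
            # reachable so the user can complete the validation.
            if not path.startswith("cgu-rgpd"):
                # full_path includes the query string; encoding it keeps the
                # whole original URL inside the single ``next`` parameter.
                return HttpResponseRedirect(
                    "/cgu-rgpd/?next={}".format(quote(full_path))
                )
        # Handling of banned users (only evaluated once the CGU / RGPD have
        # been validated, because of the elif).
        elif user.is_banned and full_path != "/banned_note/":
            return HttpResponseRedirect("/banned_note/")

        return None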