"""
Code for checking against our user db.

We don't use nevow.guard here since we know we're queried via http, but we
can't be sure that the other end knows html, and we don't want to fuss around
with sessions. twisted.cred is a different issue but probably only complicates
matters unnecessarily.
"""
16 from gavo import base
17
18 from gavo.utils import AllEncompassingSet
19
20
# Profile name constant.  Nothing in the visible part of this module reads
# it; presumably it is consumed by code importing this module -- TODO confirm.
adminProfile = "admin"
22
23
# NOTE(review): the `def` line is missing from this listing (the embedded line
# numbers jump from 23 to 25).  The signature below is reconstructed from the
# names the body uses -- confirm it against the original file.
def getGroupsForUser(username, password):
    """Return the set of group names that user ``username`` belongs to.

    An empty set comes back when ``username`` is None or when no dc.users
    row matches the username/password pair.  The built-in ``gavoadmin``
    account, checked against the ``adminpasswd`` item of the ``web`` config
    section, receives an AllEncompassingSet instead of a plain set.
    """
    if username is None:
        return set()

    # An unset or empty password never unlocks the admin account, whatever
    # the configuration holds.
    # NOTE(review): `==` on secrets is not constant-time;
    # hmac.compare_digest is the usual hardening -- confirm it fits the
    # supported Python versions and string types first.
    isAdmin = (username == 'gavoadmin'
        and password
        and password == base.getConfig("web", "adminpasswd"))
    if isAdmin:
        return AllEncompassingSet()

    # Values are bound as query parameters, not pasted into the SQL text.
    # NOTE(review): matching u.password against the supplied value inside
    # the query implies dc.users stores passwords in directly comparable
    # form (unhashed, unless callers hash beforehand) -- confirm.  Storing a
    # salted password hash and verifying it in Python would limit what a
    # leaked table gives away.
    groupQuery = ("SELECT groupname FROM dc.groups NATURAL JOIN dc.users as u"
        " where username=%(username)s AND u.password=%(password)s")
    bindings = {"username": username, "password": password}
    with base.AdhocQuerier(base.getAdminConn) as querier:
        rows = querier.query(groupQuery, bindings)
        # First column of each row is the group name
        return set(row[0] for row in rows)
42
43
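# NOTE(review): the `def` line is missing from this listing (the embedded line
# numbers jump from 43 to 45).  The signature below is reconstructed from the
# names the body uses -- confirm it against the original file.
def hasCredentials(user, password, reqGroup):
    """Return True if ``user``/``password`` match the db entry and the
    user is in ``reqGroup``.

    If ``reqGroup`` is None (or otherwise false), True is returned as soon
    as the user/password pair matches the user table.  The built-in
    ``gavoadmin`` account is accepted when ``password`` equals a non-empty
    ``adminpasswd`` item in the ``web`` config section.  A ``password`` of
    None never authenticates.
    """
    # A missing password must not authenticate anybody.  Without this guard
    # a dc.users row whose password column is NULL comes back as None and
    # would compare equal to a None password further down.
    if password is None:
        return False

    if user == "gavoadmin":
        adminPassword = base.getConfig("web", "adminpasswd")
        # An empty or unset configured password disables this shortcut.
        # NOTE(review): `==` on secrets is not constant-time;
        # hmac.compare_digest is the usual hardening -- confirm it fits the
        # supported Python versions and string types first.
        if adminPassword and password == adminPassword:
            return True

    with base.AdhocQuerier(base.getAdminConn) as querier:
        pwRows = list(querier.query("select password from dc.users where"
            " username=%(user)s", {"user": user}))
        if not pwRows or not pwRows[0]:
            # unknown user
            return False

        # NOTE(review): the stored value is compared directly with what the
        # client sent, which implies dc.users keeps passwords unhashed
        # (unless callers hash beforehand) -- confirm.  A NULL stored
        # password arrives as None and cannot match here, since None was
        # rejected above.
        storedPassword = pwRows[0][0]
        if storedPassword != password:
            return False

        if not reqGroup:
            # No group requirement: a valid user/password pair is enough
            return True

        groupRows = list(querier.query("select groupname from dc.groups where"
            " username=%(user)s and groupname=%(group)s",
            {"user": user, "group": reqGroup,}))
        return bool(groupRows)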
72