anoopmb
/
frappe
1
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
10524 Commits
1 Branch
314 MiB
 
 
 
 
 
 
Tree: efc02f6ffc
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'efc02f6ffc'
${ noResults }
frappe/frappe/auth.py

309 lines
9.2 KiB
Raw Blame History 

  1. # Copyright (c) 2015, Frappe Technologies Pvt. Ltd. and Contributors

  2. # MIT License. See license.txt

  3. 

  4. from __future__ import unicode_literals

  5. import datetime

  6. 

  7. from frappe import _

  8. import frappe

  9. import frappe.database

  10. import frappe.utils

  11. from frappe.utils import cint

  12. import frappe.utils.user

  13. from frappe import conf

  14. from frappe.sessions import Session, clear_sessions, delete_session

  15. from frappe.modules.patch_handler import check_session_stopped

  16. from frappe.translate import get_lang_code

  17. from frappe.utils.password import check_password

  18. 

  19. from urllib import quote

  20. 

  21. class HTTPRequest:

  22. 	def __init__(self):

  23. 		# Get Environment variables

  24. 		self.domain = frappe.request.host

  25. 		if self.domain and self.domain.startswith('www.'):

  26. 			self.domain = self.domain[4:]

  27. 

  28. 		if frappe.get_request_header('X-Forwarded-For'):

  29. 			frappe.local.request_ip = (frappe.get_request_header('X-Forwarded-For').split(",")[0]).strip()

  30. 

  31. 		elif frappe.get_request_header('REMOTE_ADDR'):

  32. 			frappe.local.request_ip = frappe.get_request_header('REMOTE_ADDR')

  33. 

  34. 		else:

  35. 			frappe.local.request_ip = '127.0.0.1'

  36. 

  37. 		# language

  38. 		self.set_lang()

  39. 

  40. 		# load cookies

  41. 		frappe.local.cookie_manager = CookieManager()

  42. 

  43. 		# set db

  44. 		self.connect()

  45. 

  46. 		# login

  47. 		frappe.local.login_manager = LoginManager()

  48. 

  49. 		if frappe.form_dict._lang:

  50. 			lang = get_lang_code(frappe.form_dict._lang)

  51. 			if lang:

  52. 				frappe.local.lang = lang

  53. 

  54. 		self.validate_csrf_token()

  55. 

  56. 		# write out latest cookies

  57. 		frappe.local.cookie_manager.init_cookies()

  58. 

  59. 		# check status

  60. 		check_session_stopped()

  61. 

  62. 		# run login triggers

  63. 		if frappe.form_dict.get('cmd')=='login':

  64. 			frappe.local.login_manager.run_trigger('on_session_creation')

  65. 

  66. 	def validate_csrf_token(self):

  67. 		if frappe.local.request and frappe.local.request.method=="POST":

  68. 			if not frappe.local.session.data.csrf_token \

  69. 				or frappe.local.session.data.device=="mobile" \

  70. 				or frappe.conf.get('ignore_csrf', None):

  71. 				# not via boot

  72. 				return

  73. 

  74. 			csrf_token = frappe.get_request_header("X-Frappe-CSRF-Token")

  75. 			if not csrf_token and "csrf_token" in frappe.local.form_dict:

  76. 				csrf_token = frappe.local.form_dict.csrf_token

  77. 				del frappe.local.form_dict["csrf_token"]

  78. 

  79. 			if frappe.local.session.data.csrf_token != csrf_token:

  80. 				frappe.local.flags.disable_traceback = True

  81. 				frappe.throw(_("Invalid Request"), frappe.CSRFTokenError)

  82. 

  83. 	def set_lang(self):

  84. 		from frappe.translate import guess_language

  85. 		frappe.local.lang = guess_language()

  86. 

  87. 	def get_db_name(self):

  88. 		"""get database name from conf"""

  89. 		return conf.db_name

  90. 

  91. 	def connect(self, ac_name = None):

  92. 		"""connect to db, from ac_name or db_name"""

  93. 		frappe.local.db = frappe.database.Database(user = self.get_db_name(), \

  94. 			password = getattr(conf,'db_password', ''))

  95. 

  96. class LoginManager:

  97. 	def __init__(self):

  98. 		self.user = None

  99. 		self.info = None

  100. 		self.full_name = None

  101. 		self.user_type = None

  102. 

  103. 		if frappe.local.form_dict.get('cmd')=='login' or frappe.local.request.path=="/api/method/login":

  104. 			self.login()

  105. 			self.resume = False

  106. 		else:

  107. 			try:

  108. 				self.resume = True

  109. 				self.make_session(resume=True)

  110. 				self.set_user_info(resume=True)

  111. 			except AttributeError:

  112. 				self.user = "Guest"

  113. 				self.make_session()

  114. 				self.set_user_info()

  115. 

  116. 	def login(self):

  117. 		# clear cache

  118. 		frappe.clear_cache(user = frappe.form_dict.get('usr'))

  119. 		self.authenticate()

  120. 		self.post_login()

  121. 

  122. 	def post_login(self):

  123. 		self.run_trigger('on_login')

  124. 		self.validate_ip_address()

  125. 		self.validate_hour()

  126. 		self.make_session()

  127. 		self.set_user_info()

  128. 

  129. 	def set_user_info(self, resume=False):

  130. 		# set sid again

  131. 		frappe.local.cookie_manager.init_cookies()

  132. 

  133. 		self.info = frappe.db.get_value("User", self.user,

  134. 			["user_type", "first_name", "last_name", "user_image"], as_dict=1)

  135. 		self.full_name = " ".join(filter(None, [self.info.first_name,

  136. 			self.info.last_name]))

  137. 		self.user_type = self.info.user_type

  138. 

  139. 		if self.info.user_type=="Website User":

  140. 			frappe.local.cookie_manager.set_cookie("system_user", "no")

  141. 			if not resume:

  142. 				frappe.local.response["message"] = "No App"

  143. 				frappe.local.response["home_page"] = get_website_user_home_page(self.user)

  144. 		else:

  145. 			frappe.local.cookie_manager.set_cookie("system_user", "yes")

  146. 			if not resume:

  147. 				frappe.local.response['message'] = 'Logged In'

  148. 				frappe.local.response["home_page"] = "/desk"

  149. 

  150. 		if not resume:

  151. 			frappe.response["full_name"] = self.full_name

  152. 

  153. 		frappe.local.cookie_manager.set_cookie("full_name", self.full_name)

  154. 		frappe.local.cookie_manager.set_cookie("user_id", self.user)

  155. 		frappe.local.cookie_manager.set_cookie("user_image", self.info.user_image or "")

  156. 

  157. 	def make_session(self, resume=False):

  158. 		# start session

  159. 		frappe.local.session_obj = Session(user=self.user, resume=resume,

  160. 			full_name=self.full_name, user_type=self.user_type)

  161. 

  162. 		# reset user if changed to Guest

  163. 		self.user = frappe.local.session_obj.user

  164. 		frappe.local.session = frappe.local.session_obj.data

  165. 		self.clear_active_sessions()

  166. 

  167. 	def clear_active_sessions(self):

  168. 		"""Clear other sessions of the current user if `deny_multiple_sessions` is not set"""

  169. 		if not (cint(frappe.conf.get("deny_multiple_sessions")) or cint(frappe.db.get_system_setting('deny_multiple_sessions'))):

  170. 			return

  171. 

  172. 		if frappe.session.user != "Guest":

  173. 			clear_sessions(frappe.session.user, keep_current=True)

  174. 

  175. 	def authenticate(self, user=None, pwd=None):

  176. 		if not (user and pwd):

  177. 			user, pwd = frappe.form_dict.get('usr'), frappe.form_dict.get('pwd')

  178. 		if not (user and pwd):

  179. 			self.fail('Incomplete login details')

  180. 

  181. 		self.check_if_enabled(user)

  182. 		self.user = self.check_password(user, pwd)

  183. 

  184. 	def check_if_enabled(self, user):

  185. 		"""raise exception if user not enabled"""

  186. 		if user=='Administrator': return

  187. 		if not cint(frappe.db.get_value('User', user, 'enabled')):

  188. 			self.fail('User disabled or missing')

  189. 

  190. 	def check_password(self, user, pwd):

  191. 		"""check password"""

  192. 		try:

  193. 			# returns user in correct case

  194. 			return check_password(user, pwd)

  195. 		except frappe.AuthenticationError:

  196. 			self.fail('Incorrect password')

  197. 

  198. 	def fail(self, message):

  199. 		frappe.local.response['message'] = message

  200. 		raise frappe.AuthenticationError

  201. 

  202. 	def run_trigger(self, event='on_login'):

  203. 		for method in frappe.get_hooks().get(event, []):

  204. 			frappe.call(frappe.get_attr(method), login_manager=self)

  205. 

  206. 	def validate_ip_address(self):

  207. 		"""check if IP Address is valid"""

  208. 		ip_list = frappe.db.get_value('User', self.user, 'restrict_ip', ignore=True)

  209. 		if not ip_list:

  210. 			return

  211. 

  212. 		ip_list = ip_list.replace(",", "\n").split('\n')

  213. 		ip_list = [i.strip() for i in ip_list]

  214. 

  215. 		for ip in ip_list:

  216. 			if frappe.local.request_ip.startswith(ip):

  217. 				return

  218. 

  219. 		frappe.throw(_("Not allowed from this IP Address"), frappe.AuthenticationError)

  220. 

  221. 	def validate_hour(self):

  222. 		"""check if user is logging in during restricted hours"""

  223. 		login_before = int(frappe.db.get_value('User', self.user, 'login_before', ignore=True) or 0)

  224. 		login_after = int(frappe.db.get_value('User', self.user, 'login_after', ignore=True) or 0)

  225. 

  226. 		if not (login_before or login_after):

  227. 			return

  228. 

  229. 		from frappe.utils import now_datetime

  230. 		current_hour = int(now_datetime().strftime('%H'))

  231. 

  232. 		if login_before and current_hour > login_before:

  233. 			frappe.throw(_("Login not allowed at this time"), frappe.AuthenticationError)

  234. 

  235. 		if login_after and current_hour < login_after:

  236. 			frappe.throw(_("Login not allowed at this time"), frappe.AuthenticationError)

  237. 

  238. 	def login_as_guest(self):

  239. 		"""login as guest"""

  240. 		self.login_as("Guest")

  241. 

  242. 	def login_as(self, user):

  243. 		self.user = user

  244. 		self.post_login()

  245. 

  246. 	def logout(self, arg='', user=None):

  247. 		if not user: user = frappe.session.user

  248. 		self.run_trigger('on_logout')

  249. 

  250. 		if user == frappe.session.user:

  251. 			delete_session(frappe.session.sid)

  252. 			self.clear_cookies()

  253. 		else:

  254. 			clear_sessions(user)

  255. 

  256. 	def clear_cookies(self):

  257. 		clear_cookies()

  258. 

  259. class CookieManager:

  260. 	def __init__(self):

  261. 		self.cookies = {}

  262. 		self.to_delete = []

  263. 

  264. 	def init_cookies(self):

  265. 		if not frappe.local.session.get('sid'): return

  266. 

  267. 		# sid expires in 3 days

  268. 		expires = datetime.datetime.now() + datetime.timedelta(days=3)

  269. 		if frappe.session.sid:

  270. 			self.cookies["sid"] = {"value": frappe.session.sid, "expires": expires}

  271. 		if frappe.session.session_country:

  272. 			self.cookies["country"] = {"value": frappe.session.get("session_country")}

  273. 

  274. 	def set_cookie(self, key, value, expires=None):

  275. 		self.cookies[key] = {"value": value, "expires": expires}

  276. 

  277. 	def delete_cookie(self, to_delete):

  278. 		if not isinstance(to_delete, (list, tuple)):

  279. 			to_delete = [to_delete]

  280. 

  281. 		self.to_delete.extend(to_delete)

  282. 

  283. 	def flush_cookies(self, response):

  284. 		for key, opts in self.cookies.items():

  285. 			response.set_cookie(key, quote((opts.get("value") or "").encode('utf-8')),

  286. 				expires=opts.get("expires"))

  287. 

  288. 		# expires yesterday!

  289. 		expires = datetime.datetime.now() + datetime.timedelta(days=-1)

  290. 		for key in set(self.to_delete):

  291. 			response.set_cookie(key, "", expires=expires)

  292. 

  293. @frappe.whitelist()

  294. def get_logged_user():

  295. 	return frappe.session.user

  296. 

  297. def clear_cookies():

  298. 	if hasattr(frappe.local, "session"):

  299. 		frappe.session.sid = ""

  300. 	frappe.local.cookie_manager.delete_cookie(["full_name", "user_id", "sid", "user_image", "system_user"])

  301. 

  302. def get_website_user_home_page(user):

  303. 	home_page_method = frappe.get_hooks('get_website_user_home_page')

  304. 	if home_page_method:

  305. 		home_page = frappe.get_attr(home_page_method[-1])(user)

  306. 		return '/' + home_page.strip('/')

  307. 	else:

  308. 		return '/me'