| author | Adrian Holovaty <adrian@holovaty.com> | 2005-08-16 22:54:05 +0000 |
|---|---|---|
| committer | Adrian Holovaty <adrian@holovaty.com> | 2005-08-16 22:54:05 +0000 |
| commit | 07889c13a63eeb3e8a73f1e02a21227def3ae548 (patch) | |
| tree | 04a76ba333ae0308450710f4d8e7e251948437ad /django/models | |
| parent | f21ff30b104ef1eedcfebd230a98fef4b6cc7ebd (diff) | |
Fixed #1 -- Added anonymous session support via middleware and request.session. Removed the former request.session, which wasn't being used anyway. Removed auth.Session model. See the BackwardsIncompatibleChanges wiki page for IMPORTANT notes on code you'll have to change and a DB table you'll have to create.
git-svn-id: http://code.djangoproject.com/svn/django/trunk@518 bcc190cf-cafb-0310-a4f2-bffc1f526a37
Diffstat (limited to 'django/models')
| -rw-r--r-- | django/models/auth.py | 61 | ||||
| -rw-r--r-- | django/models/core.py | 54 |
2 files changed, 57 insertions, 58 deletions
diff --git a/django/models/auth.py b/django/models/auth.py
index 91ed0650ec..9ab403af34 100644
--- a/django/models/auth.py
+++ b/django/models/auth.py
@@ -44,6 +44,9 @@ class User(meta.Model):
 help_text="In addition to the permissions manually assigned, this user will also get all permissions granted to each group he/she is in."),
 meta.ManyToManyField(Permission, name='user_permissions', blank=True, filter_interface=meta.HORIZONTAL),
 )
+ module_constants = {
+ 'SESSION_KEY': '_auth_user_id',
+ }
 ordering = ('username',)
 exceptions = ('SiteProfileNotAvailable',)
 admin = meta.Admin(
@@ -172,64 +175,6 @@ class User(meta.Model):
 from random import choice
 return ''.join([choice(allowed_chars) for i in range(length)])
-class Session(meta.Model):
- fields = (
- meta.ForeignKey(User),
- meta.CharField('session_md5', maxlength=32),
- meta.DateTimeField('start_time', auto_now=True),
- )
- module_constants = {
- 'TEST_COOKIE_NAME': 'testcookie',
- 'TEST_COOKIE_VALUE': 'worked',
- }
-
- def __repr__(self):
- return "session started at %s" % self.start_time
-
- def get_cookie(self):
- "Returns a tuple of the cookie name and value for this session."
- from django.conf.settings import AUTH_SESSION_COOKIE, SECRET_KEY
- import md5
- return AUTH_SESSION_COOKIE, self.session_md5 + md5.new(self.session_md5 + SECRET_KEY + 'auth').hexdigest()
-
- def _module_create_session(user_id):
- "Registers a session and returns the session_md5."
- from django.conf.settings import SECRET_KEY
- import md5, random, sys
- # The random module is seeded when this Apache child is created.
- # Use person_id and SECRET_KEY as added salt.
- session_md5 = md5.new(str(random.randint(user_id, sys.maxint - 1)) + SECRET_KEY).hexdigest()
- s = Session(None, user_id, session_md5, None)
- s.save()
- return s
-
- def _module_get_session_from_cookie(session_cookie_string):
- from django.conf.settings import SECRET_KEY
- import md5
- if not session_cookie_string:
- raise SessionDoesNotExist
- session_md5, tamper_check = session_cookie_string[:32], session_cookie_string[32:]
- if md5.new(session_md5 + SECRET_KEY + 'auth').hexdigest() != tamper_check:
- raise SessionDoesNotExist
- return get_object(session_md5__exact=session_md5, select_related=True)
-
- def _module_destroy_all_sessions(user_id):
- "Destroys all sessions for a user, logging out all computers."
- for session in get_list(user_id__exact=user_id):
- session.delete()
-
- def _module_start_web_session(user_id, request, response):
- "Sets the necessary cookie in the given HttpResponse object, also updates last login time for user."
- from django.models.auth import users
- from django.conf.settings import REGISTRATION_COOKIE_DOMAIN
- user = users.get_object(pk=user_id)
- user.last_login = datetime.datetime.now()
- user.save()
- session = create_session(user_id)
- key, value = session.get_cookie()
- cookie_domain = REGISTRATION_COOKIE_DOMAIN or None
- response.set_cookie(key, value, domain=cookie_domain)
-
 class Message(meta.Model):
 fields = (
 meta.ForeignKey(User),
diff --git a/django/models/core.py b/django/models/core.py
index 985dc38179..e94a35b694 100644
--- a/django/models/core.py
+++ b/django/models/core.py
@@ -103,3 +103,57 @@ class FlatFile(meta.Model):
 def get_absolute_url(self):
 return self.url
+
+import base64, md5, random, sys
+import cPickle as pickle
+
+class Session(meta.Model):
+ fields = (
+ meta.CharField('session_key', maxlength=40, primary_key=True),
+ meta.TextField('session_data'),
+ meta.DateTimeField('expire_date'),
+ )
+ module_constants = {
+ 'base64': base64,
+ 'md5': md5,
+ 'pickle': pickle,
+ 'random': random,
+ 'sys': sys,
+ }
+
+ def get_decoded(self):
+ from django.conf.settings import SECRET_KEY
+ encoded_data = base64.decodestring(self.session_data)
+ pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
+ if md5.new(pickled + SECRET_KEY).hexdigest() != tamper_check:
+ from django.core.exceptions import SuspiciousOperation
+ raise SuspiciousOperation, "User tampered with session cookie."
+ return pickle.loads(pickled)
+
+ def _module_encode(session_dict):
+ "Returns the given session dictionary pickled and encoded as a string."
+ from django.conf.settings import SECRET_KEY
+ pickled = pickle.dumps(session_dict)
+ pickled_md5 = md5.new(pickled + SECRET_KEY).hexdigest()
+ return base64.encodestring(pickled + pickled_md5)
+
+ def _module_get_new_session_key():
+ "Returns session key that isn't being used."
+ from django.conf.settings import SECRET_KEY
+ # The random module is seeded when this Apache child is created.
+ # Use person_id and SECRET_KEY as added salt.
+ while 1:
+ session_key = md5.new(str(random.randint(0, sys.maxint - 1)) + SECRET_KEY).hexdigest()
+ try:
+ get_object(session_key__exact=session_key)
+ except SessionDoesNotExist:
+ break
+ return session_key
+
+ def _module_save(session_key, session_dict, expire_date):
+ s = Session(session_key, encode(session_dict), expire_date)
+ if session_dict:
+ s.save()
+ else:
+ s.delete() # Clear sessions with no data.
+ return s |
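Review bot: `get_decoded` passes `pickled` straight to `pickle.loads`, so the `md5.new(pickled + SECRET_KEY)` comparison is the only control between a modified `session_data` value and code running during unpickling, and that construction is a secret-suffix MD5 digest rather than a keyed MAC. Both `get_decoded` and `_module_encode` should compute the tag with the standard-library HMAC, `hmac.new(SECRET_KEY, pickled, md5).hexdigest()`, and `get_decoded` deserves a comment stating that the tag must be verified before unpickling and that a disclosed SECRET_KEY lets anyone who can write session rows forge valid data. The exception text says "session cookie", but the value checked here is the stored `session_data` field, so the message should name the stored session instead. Separately, `_module_get_new_session_key` derives keys from `random.randint`, which is not a cryptographic generator, and its `# Use person_id and SECRET_KEY as added salt.` comment is stale because no user id is mixed in any more; drawing the key material from `os.urandom` and updating the comment would address both.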
