8
0
Fork 0
mirror of https://gitlab2.federez.net/re2o/re2o synced 2024-12-23 23:43:47 +00:00
re2o/users/models.py

1681 lines
59 KiB
Python
Raw Permalink Normal View History

# -*- mode: python; coding: utf-8 -*-
2017-10-14 18:18:12 +00:00
# Re2o est un logiciel d'administration développé initiallement au rezometz.
# Il se veut agnostique au réseau considéré, de manière à être installable
# en quelques clics.
2017-01-15 23:01:18 +00:00
#
# Copyright © 2017 Gabriel Détraz
# Copyright © 2017 Goulven Kermarec
# Copyright © 2017 Augustin Lemesle
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
2017-10-14 18:18:12 +00:00
"""
Models de l'application users.
On défini ici des models django classiques:
- users, qui hérite de l'abstract base user de django. Permet de définit
un utilisateur du site (login, passwd, chambre, adresse, etc)
- les whiteslist
- les bannissements
- les établissements d'enseignement (school)
- les droits (right et listright)
- les utilisateurs de service (pour connexion automatique)
On défini aussi des models qui héritent de django-ldapdb :
- ldapuser
- ldapgroup
- ldapserviceuser
Ces utilisateurs ldap sont synchronisés à partir des objets
models sql classiques. Seuls certains champs essentiels sont
dupliqués.
"""
2017-01-15 23:01:18 +00:00
from __future__ import unicode_literals
2017-10-14 18:18:12 +00:00
import re
import uuid
import datetime
2016-06-30 01:39:07 +00:00
from django.db import models
from django.db.models import Q
from django import forms
from django.db.models.signals import post_save, post_delete
from django.dispatch import receiver
from django.utils.functional import cached_property
2017-10-14 18:18:12 +00:00
from django.template import Context, loader
from django.core.mail import send_mail
from django.core.urlresolvers import reverse
2017-10-14 18:18:12 +00:00
from django.db import transaction
from django.utils import timezone
from django.contrib.auth.models import (
AbstractBaseUser,
BaseUserManager,
PermissionsMixin,
Group
)
2017-10-14 18:18:12 +00:00
from django.core.validators import RegexValidator
from reversion import revisions as reversion
import ldapdb.models
import ldapdb.models.fields
2017-10-14 18:18:12 +00:00
from re2o.settings import RIGHTS_LINK, LDAP, GID_RANGES, UID_RANGES
from re2o.login import hashNT
from re2o.field_permissions import FieldPermissionModelMixin
2016-06-30 01:39:07 +00:00
2017-06-26 17:23:01 +00:00
from cotisations.models import Cotisation, Facture, Paiement, Vente
2017-10-14 18:18:12 +00:00
from machines.models import Domain, Interface, Machine, regen
from preferences.models import GeneralOption, AssoOption, OptionalUser
from preferences.models import OptionalMachine, MailMessageOption
2017-10-04 15:53:30 +00:00
2017-10-14 18:18:12 +00:00
# Utilitaires généraux
2017-10-04 15:53:30 +00:00
def linux_user_check(login):
2016-07-06 00:56:30 +00:00
""" Validation du pseudo pour respecter les contraintes unix"""
UNIX_LOGIN_PATTERN = re.compile("^[a-zA-Z0-9-]*[$]?$")
return UNIX_LOGIN_PATTERN.match(login)
def linux_user_validator(login):
2017-10-14 18:18:12 +00:00
""" Retourne une erreur de validation si le login ne respecte
2017-10-04 15:53:30 +00:00
pas les contraintes unix (maj, min, chiffres ou tiret)"""
if not linux_user_check(login):
2016-07-06 00:56:30 +00:00
raise forms.ValidationError(
2017-10-14 18:18:12 +00:00
", ce pseudo ('%(label)s') contient des carractères interdits",
params={'label': login},
2016-07-06 00:56:30 +00:00
)
2017-10-14 18:18:12 +00:00
2016-10-12 10:24:01 +00:00
def get_fresh_user_uid():
2017-10-04 15:53:30 +00:00
""" Renvoie le plus petit uid non pris. Fonction très paresseuse """
2017-10-14 18:18:12 +00:00
uids = list(range(
int(min(UID_RANGES['users'])),
int(max(UID_RANGES['users']))
))
2016-12-18 09:52:20 +00:00
try:
used_uids = list(User.objects.values_list('uid_number', flat=True))
2016-12-18 09:52:20 +00:00
except:
used_uids = []
2017-10-14 18:18:12 +00:00
free_uids = [id for id in uids if id not in used_uids]
2016-10-12 10:24:01 +00:00
return min(free_uids)
2017-10-14 18:18:12 +00:00
2016-10-12 10:24:01 +00:00
def get_fresh_gid():
2017-10-04 15:53:30 +00:00
""" Renvoie le plus petit gid libre """
2017-10-14 18:18:12 +00:00
gids = list(range(
int(min(GID_RANGES['posix'])),
int(max(GID_RANGES['posix']))
))
used_gids = list(ListRight.objects.values_list('gid', flat=True))
2017-10-14 18:18:12 +00:00
free_gids = [id for id in gids if id not in used_gids]
2016-10-12 10:24:01 +00:00
return min(free_gids)
2017-10-14 18:18:12 +00:00
class UserManager(BaseUserManager):
2017-10-14 18:18:12 +00:00
"""User manager basique de django"""
def _create_user(
self,
pseudo,
surname,
email,
password=None,
su=False
):
if not pseudo:
raise ValueError('Users must have an username')
if not linux_user_check(pseudo):
raise ValueError('Username shall only contain [a-z0-9-]')
2018-01-21 16:40:00 +00:00
user = Adherent(
pseudo=pseudo,
surname=surname,
2018-01-21 16:40:00 +00:00
name=surname,
email=self.normalize_email(email),
)
user.set_password(password)
if su:
user.is_superuser=True
user.save(using=self._db)
return user
def create_user(self, pseudo, surname, email, password=None):
"""
Creates and saves a User with the given pseudo, name, surname, email,
and password.
"""
return self._create_user(pseudo, surname, email, password, False)
def create_superuser(self, pseudo, surname, email, password):
"""
Creates and saves a superuser with the given pseudo, name, surname,
email, and password.
"""
return self._create_user(pseudo, surname, email, password, True)
class User(FieldPermissionModelMixin, AbstractBaseUser, PermissionsMixin):
2017-10-04 15:53:30 +00:00
""" Definition de l'utilisateur de base.
Champs principaux : name, surnname, pseudo, email, room, password
Herite du django BaseUser et du système d'auth django"""
2017-10-27 20:12:55 +00:00
PRETTY_NAME = "Utilisateurs (clubs et adhérents)"
2016-06-30 01:39:07 +00:00
STATE_ACTIVE = 0
2016-10-18 15:11:45 +00:00
STATE_DISABLED = 1
STATE_ARCHIVE = 2
2016-06-30 01:39:07 +00:00
STATES = (
2017-10-14 18:18:12 +00:00
(0, 'STATE_ACTIVE'),
(1, 'STATE_DISABLED'),
(2, 'STATE_ARCHIVE'),
)
2016-06-30 01:39:07 +00:00
2016-07-31 03:03:07 +00:00
def auto_uid():
2017-10-14 18:18:12 +00:00
"""Renvoie un uid libre"""
2016-10-12 10:24:01 +00:00
return get_fresh_user_uid()
2016-07-31 03:03:07 +00:00
2016-06-30 01:39:07 +00:00
surname = models.CharField(max_length=255)
2017-10-14 18:18:12 +00:00
pseudo = models.CharField(
max_length=32,
unique=True,
help_text="Doit contenir uniquement des lettres, chiffres, ou tirets",
validators=[linux_user_validator]
)
2016-06-30 01:39:07 +00:00
email = models.EmailField()
2017-10-14 18:18:12 +00:00
school = models.ForeignKey(
'School',
on_delete=models.PROTECT,
null=True,
blank=True
)
shell = models.ForeignKey(
'ListShell',
on_delete=models.PROTECT,
null=True,
blank=True
)
comment = models.CharField(
help_text="Commentaire, promo",
max_length=255,
blank=True
)
2016-06-30 01:39:07 +00:00
pwd_ntlm = models.CharField(max_length=255)
state = models.IntegerField(choices=STATES, default=STATE_ACTIVE)
registered = models.DateTimeField(auto_now_add=True)
2017-06-25 02:12:21 +00:00
telephone = models.CharField(max_length=15, blank=True, null=True)
uid_number = models.PositiveIntegerField(default=auto_uid, unique=True)
rezo_rez_uid = models.PositiveIntegerField(unique=True, blank=True, null=True)
2016-06-30 01:39:07 +00:00
USERNAME_FIELD = 'pseudo'
REQUIRED_FIELDS = ['surname', 'email']
objects = UserManager()
2017-12-31 19:53:38 +00:00
class Meta:
permissions = (
("change_user_password", "Peut changer le mot de passe d'un user"),
("change_user_state", "Peut éditer l'etat d'un user"),
("change_user_force", "Peut forcer un déménagement"),
("change_user_shell", "Peut éditer le shell d'un user"),
("change_user_groups", "Peut éditer les groupes d'un user ! Permission critique"),
("change_all_users", "Peut éditer tous les users, y compris ceux dotés de droits. Superdroit"),
2017-12-31 19:53:38 +00:00
("view_user", "Peut voir un objet user quelquonque"),
)
@cached_property
def name(self):
"""Si il s'agit d'un adhérent, on renvoie le prénom"""
if self.is_class_adherent:
return self.adherent.name
else:
return ''
@cached_property
def room(self):
"""Alias vers room """
if self.is_class_adherent:
return self.adherent.room
elif self.is_class_club:
return self.club.room
else:
raise NotImplementedError("Type inconnu")
@cached_property
def class_name(self):
"""Renvoie si il s'agit d'un adhérent ou d'un club"""
if hasattr(self, 'adherent'):
2017-10-27 20:12:55 +00:00
return "Adherent"
elif hasattr(self, 'club'):
return "Club"
else:
raise NotImplementedError("Type inconnu")
@cached_property
def is_class_club(self):
return hasattr(self, 'club')
@cached_property
def is_class_adherent(self):
return hasattr(self, 'adherent')
@property
def is_active(self):
2017-10-04 15:53:30 +00:00
""" Renvoie si l'user est à l'état actif"""
return self.state == self.STATE_ACTIVE
@property
def is_staff(self):
2017-10-04 15:53:30 +00:00
""" Fonction de base django, renvoie si l'user est admin"""
return self.is_admin
@property
def is_admin(self):
2017-10-04 15:53:30 +00:00
""" Renvoie si l'user est admin"""
2018-03-08 17:43:27 +00:00
admin,_ = Group.objects.get_or_create(name="admin")
return self.is_superuser or admin in self.groups.all()
def get_full_name(self):
2017-10-04 15:53:30 +00:00
""" Renvoie le nom complet de l'user formaté nom/prénom"""
name = self.name
if name:
return '%s %s' % (name, self.surname)
else:
return self.surname
def get_short_name(self):
2017-10-04 15:53:30 +00:00
""" Renvoie seulement le nom"""
return self.surname
def end_adhesion(self):
2017-10-04 15:53:30 +00:00
""" Renvoie la date de fin d'adhésion d'un user. Examine les objets
cotisation"""
2017-10-14 18:18:12 +00:00
date_max = Cotisation.objects.filter(
vente__in=Vente.objects.filter(
facture__in=Facture.objects.filter(
user=self
).exclude(valid=False)
)
2017-10-28 03:12:18 +00:00
).filter(
Q(type_cotisation='All') | Q(type_cotisation='Adhesion')
).aggregate(models.Max('date_end'))['date_end__max']
return date_max
def end_connexion(self):
""" Renvoie la date de fin de connexion d'un user. Examine les objets
cotisation"""
date_max = Cotisation.objects.filter(
vente__in=Vente.objects.filter(
facture__in=Facture.objects.filter(
user=self
).exclude(valid=False)
)
).filter(
Q(type_cotisation='All') | Q(type_cotisation='Connexion')
2017-10-14 18:18:12 +00:00
).aggregate(models.Max('date_end'))['date_end__max']
return date_max
def is_adherent(self):
2017-10-14 18:18:12 +00:00
""" Renvoie True si l'user est adhérent : si
self.end_adhesion()>now"""
2017-07-18 01:49:36 +00:00
end = self.end_adhesion()
if not end:
return False
2018-01-10 20:20:54 +00:00
elif end < timezone.now():
return False
else:
return True
2017-10-28 03:12:18 +00:00
def is_connected(self):
""" Renvoie True si l'user est adhérent : si
self.end_adhesion()>now et end_connexion>now"""
end = self.end_connexion()
if not end:
return False
2018-01-10 20:20:54 +00:00
elif end < timezone.now():
2017-10-28 03:12:18 +00:00
return False
else:
return self.is_adherent()
def end_ban(self):
""" Renvoie la date de fin de ban d'un user, False sinon """
2017-10-14 18:18:12 +00:00
date_max = Ban.objects.filter(
user=self
).aggregate(models.Max('date_end'))['date_end__max']
return date_max
def end_whitelist(self):
""" Renvoie la date de fin de whitelist d'un user, False sinon """
2017-10-14 18:18:12 +00:00
date_max = Whitelist.objects.filter(
user=self
).aggregate(models.Max('date_end'))['date_end__max']
return date_max
def is_ban(self):
""" Renvoie si un user est banni ou non """
end = self.end_ban()
if not end:
return False
2018-01-10 20:20:54 +00:00
elif end < timezone.now():
return False
else:
return True
def is_whitelisted(self):
""" Renvoie si un user est whitelisté ou non """
end = self.end_whitelist()
if not end:
return False
2018-01-10 20:20:54 +00:00
elif end < timezone.now():
return False
else:
return True
def has_access(self):
""" Renvoie si un utilisateur a accès à internet """
2017-10-14 18:18:12 +00:00
return self.state == User.STATE_ACTIVE\
and not self.is_ban() and (self.is_connected() or self.is_whitelisted())
def end_access(self):
""" Renvoie la date de fin normale d'accès (adhésion ou whiteliste)"""
2017-10-28 03:12:18 +00:00
if not self.end_connexion():
if not self.end_whitelist():
return None
else:
return self.end_whitelist()
else:
if not self.end_whitelist():
2017-10-28 03:12:18 +00:00
return self.end_connexion()
2017-10-14 18:18:12 +00:00
else:
return max(self.end_connexion(), self.end_whitelist())
2017-06-26 17:23:01 +00:00
@cached_property
def solde(self):
2017-10-14 18:18:12 +00:00
""" Renvoie le solde d'un user. Vérifie que l'option solde est
activé, retourne 0 sinon.
2017-10-04 15:53:30 +00:00
Somme les crédits de solde et retire les débit payés par solde"""
user_solde = OptionalUser.get_cached_value('user_solde')
2017-06-26 17:23:01 +00:00
if user_solde:
solde_objects = Paiement.objects.filter(moyen='Solde')
2017-10-14 18:18:12 +00:00
somme_debit = Vente.objects.filter(
facture__in=Facture.objects.filter(
user=self,
paiement__in=solde_objects,
valid=True
2017-10-14 18:18:12 +00:00
)
).aggregate(
total=models.Sum(
models.F('prix')*models.F('number'),
output_field=models.FloatField()
)
)['total'] or 0
somme_credit = Vente.objects.filter(
facture__in=Facture.objects.filter(user=self, valid=True),
2017-10-14 18:18:12 +00:00
name="solde"
).aggregate(
total=models.Sum(
models.F('prix')*models.F('number'),
output_field=models.FloatField()
)
)['total'] or 0
2017-06-26 17:23:01 +00:00
return somme_credit - somme_debit
else:
return 0
2017-10-04 15:53:30 +00:00
def user_interfaces(self, active=True):
2017-10-14 18:18:12 +00:00
""" Renvoie toutes les interfaces dont les machines appartiennent à
self. Par defaut ne prend que les interfaces actives"""
return Interface.objects.filter(
machine__in=Machine.objects.filter(user=self, active=active)
).select_related('domain__extension')
def assign_ips(self):
""" Assign une ipv4 aux machines d'un user """
interfaces = self.user_interfaces()
for interface in interfaces:
if not interface.ipv4:
with transaction.atomic(), reversion.create_revision():
interface.assign_ipv4()
reversion.set_comment("Assignation ipv4")
interface.save()
def unassign_ips(self):
2017-10-04 15:53:30 +00:00
""" Désassigne les ipv4 aux machines de l'user"""
interfaces = self.user_interfaces()
for interface in interfaces:
with transaction.atomic(), reversion.create_revision():
interface.unassign_ipv4()
reversion.set_comment("Désassignation ipv4")
interface.save()
def archive(self):
2017-10-14 18:18:12 +00:00
""" Archive l'user : appelle unassign_ips() puis passe state à
ARCHIVE"""
self.unassign_ips()
2017-10-14 18:18:12 +00:00
self.state = User.STATE_ARCHIVE
def unarchive(self):
2017-10-14 18:18:12 +00:00
""" Désarchive l'user : réassigne ses ip et le passe en state
ACTIVE"""
self.assign_ips()
self.state = User.STATE_ACTIVE
def ldap_sync(self, base=True, access_refresh=True, mac_refresh=True, group_refresh=False):
2017-10-14 18:18:12 +00:00
""" Synchronisation du ldap. Synchronise dans le ldap les attributs de
self
Options : base : synchronise tous les attributs de base - nom, prenom,
mail, password, shell, home
access_refresh : synchronise le dialup_access notant si l'user a accès
aux services
mac_refresh : synchronise les machines de l'user
group_refresh : synchronise les group de l'user
Si l'instance n'existe pas, on crée le ldapuser correspondant"""
2016-07-31 01:36:54 +00:00
self.refresh_from_db()
try:
2016-10-11 15:11:46 +00:00
user_ldap = LdapUser.objects.get(uidNumber=self.uid_number)
except LdapUser.DoesNotExist:
2016-10-11 15:11:46 +00:00
user_ldap = LdapUser(uidNumber=self.uid_number)
base = True
access_refresh = True
mac_refresh = True
if base:
2016-07-31 03:03:07 +00:00
user_ldap.name = self.pseudo
user_ldap.sn = self.pseudo
2017-07-18 01:49:36 +00:00
user_ldap.dialupAccess = str(self.has_access())
user_ldap.home_directory = '/home/' + self.pseudo
user_ldap.mail = self.email
2017-10-14 18:18:12 +00:00
user_ldap.given_name = self.surname.lower() + '_'\
+ self.name.lower()[:3]
user_ldap.gid = LDAP['user_gid']
2016-11-20 15:53:59 +00:00
user_ldap.user_password = self.password[:6] + self.password[7:]
2016-11-21 17:32:53 +00:00
user_ldap.sambat_nt_password = self.pwd_ntlm.upper()
2016-07-31 01:36:54 +00:00
if self.shell:
2017-06-26 20:23:58 +00:00
user_ldap.login_shell = self.shell.shell
if self.state == self.STATE_DISABLED:
user_ldap.shadowexpire = str(0)
else:
user_ldap.shadowexpire = None
if access_refresh:
2017-07-18 01:49:36 +00:00
user_ldap.dialupAccess = str(self.has_access())
if mac_refresh:
user_ldap.macs = [str(mac) for mac in Interface.objects.filter(
machine__user=self
).values_list('mac_address', flat=True).distinct()]
if group_refresh:
for group in self.groups.all():
if hasattr(group, 'listright'):
group.listright.ldap_sync()
user_ldap.save()
def ldap_del(self):
2017-10-04 15:53:30 +00:00
""" Supprime la version ldap de l'user"""
try:
user_ldap = LdapUser.objects.get(name=self.pseudo)
user_ldap.delete()
except LdapUser.DoesNotExist:
pass
def notif_inscription(self):
""" Prend en argument un objet user, envoie un mail de bienvenue """
2017-10-14 18:18:12 +00:00
template = loader.get_template('users/email_welcome')
mailmessageoptions, _created = MailMessageOption\
.objects.get_or_create()
context = Context({
'nom': self.get_full_name(),
2018-01-31 02:27:59 +00:00
'asso_name': AssoOption.get_cached_value('name'),
'asso_email': AssoOption.get_cached_value('contact'),
2017-10-14 18:18:12 +00:00
'welcome_mail_fr': mailmessageoptions.welcome_mail_fr,
'welcome_mail_en': mailmessageoptions.welcome_mail_en,
'pseudo': self.pseudo,
})
2017-10-14 18:18:12 +00:00
send_mail(
'Bienvenue au %(name)s / Welcome to %(name)s' % {
2018-01-31 02:27:59 +00:00
'name': AssoOption.get_cached_value('name')
2017-10-14 18:18:12 +00:00
},
'',
GeneralOption.get_cached_value('email_from'),
2017-10-14 18:18:12 +00:00
[self.email],
html_message=template.render(context)
)
return
def reset_passwd_mail(self, request):
2017-10-14 18:18:12 +00:00
""" Prend en argument un request, envoie un mail de
réinitialisation de mot de pass """
req = Request()
req.type = Request.PASSWD
req.user = self
req.save()
2017-10-14 18:18:12 +00:00
template = loader.get_template('users/email_passwd_request')
context = {
'name': req.user.get_full_name(),
2018-01-31 02:27:59 +00:00
'asso': AssoOption.get_cached_value('name'),
'asso_mail': AssoOption.get_cached_value('contact'),
'site_name': GeneralOption.get_cached_value('site_name'),
'url': request.build_absolute_uri(
2017-10-14 18:18:12 +00:00
reverse('users:process', kwargs={'token': req.token})),
'expire_in': str(GeneralOption.get_cached_value('req_expire_hrs')) + ' heures',
}
2017-10-14 18:18:12 +00:00
send_mail(
'Changement de mot de passe du %(name)s / Password\
2018-01-31 02:27:59 +00:00
renewal for %(name)s' % {'name': AssoOption.get_cached_value('name')},
2017-10-14 18:18:12 +00:00
template.render(context),
GeneralOption.get_cached_value('email_from'),
2017-10-14 18:18:12 +00:00
[req.user.email],
fail_silently=False
)
return
2017-09-14 16:15:14 +00:00
def autoregister_machine(self, mac_address, nas_type):
2017-10-14 18:18:12 +00:00
""" Fonction appellée par freeradius. Enregistre la mac pour
une machine inconnue sur le compte de l'user"""
2017-10-04 15:53:30 +00:00
all_interfaces = self.user_interfaces(active=False)
if all_interfaces.count() > OptionalMachine.get_cached_value('max_lambdauser_interfaces'):
return False, "Maximum de machines enregistrees atteinte"
2017-09-14 16:15:14 +00:00
if not nas_type:
2017-10-14 18:18:12 +00:00
return False, "Re2o ne sait pas à quel machinetype affecter cette\
machine"
2017-09-14 16:15:14 +00:00
machine_type_cible = nas_type.machine_type
try:
machine_parent = Machine()
machine_parent.user = self
interface_cible = Interface()
interface_cible.mac_address = mac_address
interface_cible.type = machine_type_cible
interface_cible.clean()
machine_parent.clean()
domain = Domain()
domain.name = self.get_next_domain_name()
domain.interface_parent = interface_cible
domain.clean()
2017-09-11 01:37:01 +00:00
machine_parent.save()
interface_cible.machine = machine_parent
interface_cible.save()
domain.interface_parent = interface_cible
domain.clean()
domain.save()
2017-10-25 23:59:05 +00:00
self.notif_auto_newmachine(interface_cible)
2017-10-14 18:18:12 +00:00
except Exception as error:
return False, error
return True, "Ok"
2017-10-25 23:59:05 +00:00
def notif_auto_newmachine(self, interface):
"""Notification mail lorsque une machine est automatiquement
ajoutée par le radius"""
template = loader.get_template('users/email_auto_newmachine')
context = Context({
'nom': self.get_full_name(),
'mac_address' : interface.mac_address,
2018-01-31 02:27:59 +00:00
'asso_name': AssoOption.get_cached_value('name'),
2017-10-25 23:59:05 +00:00
'interface_name' : interface.domain,
2018-01-31 02:27:59 +00:00
'asso_email': AssoOption.get_cached_value('contact'),
2017-10-25 23:59:05 +00:00
'pseudo': self.pseudo,
})
send_mail(
"Ajout automatique d'une machine / New machine autoregistered",
'',
GeneralOption.get_cached_value('email_from'),
2017-10-25 23:59:05 +00:00
[self.email],
html_message=template.render(context)
)
return
def set_password(self, password):
2017-10-14 18:18:12 +00:00
""" A utiliser de préférence, set le password en hash courrant et
2017-10-04 15:53:30 +00:00
dans la version ntlm"""
super().set_password(password)
self.pwd_ntlm = hashNT(password)
return
def get_next_domain_name(self):
"""Look for an available name for a new interface for
this user by trying "pseudo0", "pseudo1", "pseudo2", ...
2017-10-14 18:18:12 +00:00
Recherche un nom disponible, pour une machine. Doit-être
unique, concatène le nom, le pseudo et le numero de machine
"""
def simple_pseudo():
2017-10-14 18:18:12 +00:00
"""Renvoie le pseudo sans underscore (compat dns)"""
return self.pseudo.replace('_', '-').lower()
2017-10-14 18:18:12 +00:00
def composed_pseudo(name):
"""Renvoie le resultat de simplepseudo et rajoute le nom"""
return simple_pseudo() + str(name)
num = 0
2017-10-14 18:18:12 +00:00
while Domain.objects.filter(name=composed_pseudo(num)):
num += 1
return composed_pseudo(num)
def get_instance(userid, *args, **kwargs):
"""Get the User instance with userid.
:param userid: The id
:return: The user
"""
return User.objects.get(pk=userid)
def can_edit(self, user_request, *args, **kwargs):
"""Check if an user can edit an user object.
:param self: The user which is to be edited.
:param user_request: The user who requests to edit self.
:return: a message and a boolean which is True if self is a club and
user_request one of its member, or if user_request is self, or if
user_request has the 'cableur' right.
"""
if self.is_class_club and user_request.is_class_adherent:
2018-01-07 01:14:41 +00:00
if self == user_request or \
user_request.has_perm('users.change_user') or \
user_request.adherent in self.club.administrators.all():
return True, None
else:
return False, u"Vous n'avez pas le droit d'éditer ce club"
else:
if self == user_request:
return True, None
elif user_request.has_perm('users.change_all_users'):
return True, None
elif user_request.has_perm('users.change_user'):
if self.groups.filter(listright__critical=True):
return False, u"Utilisateurs avec droits critiques, ne peut etre édité"
elif self == AssoOption.get_cached_value('utilisateur_asso'):
return False, u"Impossible d'éditer l'utilisateur asso sans droit change_all_users"
else:
return True, None
elif user_request.has_perm('users.change_all_users'):
return True, None
else:
return False, u"Vous ne pouvez éditer un autre utilisateur que vous même"
def can_change_password(self, user_request, *args, **kwargs):
if self.is_class_club and user_request.is_class_adherent:
2018-01-07 01:14:41 +00:00
if self == user_request or \
user_request.has_perm('users.change_user_password') or \
user_request.adherent in self.club.administrators.all():
return True, None
else:
return False, u"Vous n'avez pas le droit d'éditer ce club"
else:
2018-01-07 01:14:41 +00:00
if self == user_request or \
user_request.has_perm('users.change_user_groups'):
# Peut éditer les groupes d'un user, c'est un privilège élevé, True
return True, None
2017-12-31 19:53:38 +00:00
elif user_request.has_perm('users.change_user') and not self.groups.all():
return True, None
else:
return False, u"Vous ne pouvez éditer un autre utilisateur que vous même"
def check_selfpasswd(self, user_request, *args, **kwargs):
return user_request == self, None
2017-12-29 18:43:44 +00:00
@staticmethod
def can_change_state(user_request, *args, **kwargs):
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.change_user_state'), "Droit requis pour changer l'état"
2017-12-29 18:43:44 +00:00
@staticmethod
def can_change_shell(user_request, *args, **kwargs):
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.change_user_shell'), "Droit requis pour changer le shell"
2017-12-29 18:43:44 +00:00
@staticmethod
def can_change_force(user_request, *args, **kwargs):
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.change_user_force'), "Droit requis pour forcer le déménagement"
@staticmethod
def can_change_groups(user_request, *args, **kwargs):
return user_request.has_perm('users.change_user_groups'), "Droit requis pour éditer les groupes de l'user"
def can_delete(self, user_request, *args, **kwargs):
"""Check if an user can delete an user object.
:param self: The user who is to be deleted.
:param user_request: The user who requests deletion.
:return: True if user_request has the right 'bureau', and a message.
"""
2017-12-31 19:53:38 +00:00
if user_request.has_perm('users.delete_user'):
return True, None
else:
return False, u"Vous ne pouvez pas supprimer cet utilisateur."
def can_view_all(user_request, *args, **kwargs):
"""Check if an user can access to the list of every user objects
:param user_request: The user who wants to view the list.
:return: True if the user can view the list and an explanation message.
"""
2017-12-31 19:53:38 +00:00
if user_request.has_perm('users.view_user'):
return True, None
else:
return False, u"Vous n'avez pas accès à la liste des utilisateurs."
def can_view(self, user_request, *args, **kwargs):
"""Check if an user can view an user object.
:param self: The targeted user.
:param user_request: The user who ask for viewing the target.
:return: A boolean telling if the acces is granted and an explanation
text
"""
if self.is_class_club and user_request.is_class_adherent:
2018-01-07 01:14:41 +00:00
if self == user_request or \
user_request.has_perm('users.view_user') or \
user_request.adherent in self.club.administrators.all() or \
user_request.adherent in self.club.members.all():
return True, None
else:
return False, u"Vous n'avez pas le droit de voir ce club"
else:
2017-12-31 19:53:38 +00:00
if self == user_request or user_request.has_perm('users.view_user'):
return True, None
else:
return False, u"Vous ne pouvez voir un autre utilisateur que vous même"
def __init__(self, *args, **kwargs):
super(User, self).__init__(*args, **kwargs)
self.field_permissions = {
'shell' : self.can_change_shell,
'force' : self.can_change_force,
'selfpasswd' : self.check_selfpasswd,
}
def __str__(self):
return self.pseudo
2016-06-30 01:39:07 +00:00
2017-10-14 18:18:12 +00:00
class Adherent(User):
2017-10-27 20:12:55 +00:00
PRETTY_NAME = "Adhérents"
name = models.CharField(max_length=255)
room = models.OneToOneField(
'topologie.Room',
on_delete=models.PROTECT,
blank=True,
null=True
)
2018-01-21 16:40:00 +00:00
def get_instance(adherentid, *args, **kwargs):
"""Try to find an instance of `Adherent` with the given id.
:param adherentid: The id of the adherent we are looking for.
:return: An adherent.
"""
return Adherent.objects.get(pk=adherentid)
def can_create(user_request, *args, **kwargs):
"""Check if an user can create an user object.
:param user_request: The user who wants to create a user object.
:return: a message and a boolean which is True if the user can create
an user or if the `options.all_can_create` is set.
"""
if(not user_request.is_authenticated and not OptionalUser.get_cached_value('self_adhesion')):
return False, None
else:
if(OptionalUser.get_cached_value('all_can_create_adherent') or OptionalUser.get_cached_value('self_adhesion')):
return True, None
else:
return user_request.has_perm('users.add_user'), u"Vous n'avez pas le\
droit de créer un utilisateur"
class Club(User):
2017-10-27 20:12:55 +00:00
PRETTY_NAME = "Clubs"
room = models.ForeignKey(
'topologie.Room',
on_delete=models.PROTECT,
blank=True,
null=True
)
administrators = models.ManyToManyField(
blank=True,
to='users.Adherent',
related_name='club_administrator'
)
members = models.ManyToManyField(
blank=True,
to='users.Adherent',
related_name='club_members'
)
mailing = models.BooleanField(
default = False
)
def can_create(user_request, *args, **kwargs):
"""Check if an user can create an user object.
:param user_request: The user who wants to create a user object.
:return: a message and a boolean which is True if the user can create
an user or if the `options.all_can_create` is set.
"""
if not user_request.is_authenticated:
return False, None
else:
if OptionalUser.get_cached_value('all_can_create_club'):
return True, None
else:
return user_request.has_perm('users.add_user'), u"Vous n'avez pas le\
droit de créer un club"
2017-12-28 15:10:34 +00:00
def can_view_all(user_request, *args, **kwargs):
"""Check if an user can access to the list of every user objects
:param user_request: The user who wants to view the list.
:return: True if the user can view the list and an explanation message.
"""
2017-12-31 19:53:38 +00:00
if user_request.has_perm('users.view_user'):
2017-12-28 15:10:34 +00:00
return True, None
2018-01-14 22:47:44 +00:00
if hasattr(user_request,'is_class_adherent') and user_request.is_class_adherent:
2017-12-28 15:10:34 +00:00
if user_request.adherent.club_administrator.all() or user_request.adherent.club_members.all():
return True, None
return False, u"Vous n'avez pas accès à la liste des utilisateurs."
def get_instance(clubid, *args, **kwargs):
"""Try to find an instance of `Club` with the given id.
:param clubid: The id of the adherent we are looking for.
:return: A club.
"""
return Club.objects.get(pk=clubid)
2017-10-26 22:37:16 +00:00
@receiver(post_save, sender=Adherent)
@receiver(post_save, sender=Club)
@receiver(post_save, sender=User)
2016-11-20 15:53:59 +00:00
def user_post_save(sender, **kwargs):
2017-10-04 15:53:30 +00:00
""" Synchronisation post_save : envoie le mail de bienvenue si creation
Synchronise le ldap"""
is_created = kwargs['created']
2016-11-20 15:53:59 +00:00
user = kwargs['instance']
if is_created:
user.notif_inscription()
user.ldap_sync(base=True, access_refresh=True, mac_refresh=False, group_refresh=True)
2017-09-14 18:03:28 +00:00
regen('mailing')
2017-10-14 18:18:12 +00:00
2017-10-26 22:37:16 +00:00
@receiver(post_delete, sender=Adherent)
@receiver(post_delete, sender=Club)
@receiver(post_delete, sender=User)
def user_post_delete(sender, **kwargs):
2017-10-14 18:18:12 +00:00
"""Post delete d'un user, on supprime son instance ldap"""
user = kwargs['instance']
2016-11-20 15:53:59 +00:00
user.ldap_del()
2017-09-14 18:03:28 +00:00
regen('mailing')
2016-07-31 01:36:54 +00:00
class ServiceUser(AbstractBaseUser):
2017-10-04 15:53:30 +00:00
""" Classe des users daemons, règle leurs accès au ldap"""
2017-06-18 12:59:53 +00:00
readonly = 'readonly'
ACCESS = (
2017-10-14 18:18:12 +00:00
('auth', 'auth'),
('readonly', 'readonly'),
('usermgmt', 'usermgmt'),
)
2017-06-18 12:59:53 +00:00
PRETTY_NAME = "Utilisateurs de service"
2016-07-31 01:36:54 +00:00
2017-10-14 18:18:12 +00:00
pseudo = models.CharField(
max_length=32,
unique=True,
help_text="Doit contenir uniquement des lettres, chiffres, ou tirets",
validators=[linux_user_validator]
)
access_group = models.CharField(
choices=ACCESS,
default=readonly,
max_length=32
)
comment = models.CharField(
help_text="Commentaire",
max_length=255,
blank=True
)
2016-07-31 01:36:54 +00:00
USERNAME_FIELD = 'pseudo'
objects = UserManager()
2017-12-31 19:53:38 +00:00
class Meta:
permissions = (
("view_serviceuser", "Peut voir un objet serviceuser"),
)
2016-07-31 01:36:54 +00:00
def ldap_sync(self):
2017-10-04 15:53:30 +00:00
""" Synchronisation du ServiceUser dans sa version ldap"""
2016-07-31 01:36:54 +00:00
try:
user_ldap = LdapServiceUser.objects.get(name=self.pseudo)
except LdapServiceUser.DoesNotExist:
user_ldap = LdapServiceUser(name=self.pseudo)
2017-06-18 12:59:53 +00:00
user_ldap.user_password = self.password[:6] + self.password[7:]
2016-07-31 01:36:54 +00:00
user_ldap.save()
2017-06-18 12:59:53 +00:00
self.serviceuser_group_sync()
2016-07-31 01:36:54 +00:00
def ldap_del(self):
2017-10-14 18:18:12 +00:00
"""Suppression de l'instance ldap d'un service user"""
2016-07-31 01:36:54 +00:00
try:
user_ldap = LdapServiceUser.objects.get(name=self.pseudo)
user_ldap.delete()
except LdapUser.DoesNotExist:
pass
2017-06-18 12:59:53 +00:00
self.serviceuser_group_sync()
def serviceuser_group_sync(self):
2017-10-14 18:18:12 +00:00
"""Synchronise le groupe et les droits de groupe dans le ldap"""
2017-06-18 12:59:53 +00:00
try:
group = LdapServiceUserGroup.objects.get(name=self.access_group)
except:
group = LdapServiceUserGroup(name=self.access_group)
2017-10-14 18:18:12 +00:00
group.members = list(LdapServiceUser.objects.filter(
name__in=[user.pseudo for user in ServiceUser.objects.filter(
access_group=self.access_group
)]).values_list('dn', flat=True))
2017-06-18 12:59:53 +00:00
group.save()
2016-07-31 01:36:54 +00:00
def get_instance(userid, *args, **kwargs):
return ServiceUser.objects.get(pk=userid)
2016-07-31 01:36:54 +00:00
def can_create(user_request, *args, **kwargs):
"""Check if an user can create a ServiceUser object.
:param user_request: The user who wants to create a user object.
:return: a message and a boolean which is True if the user can create
or if the `options.all_can_create` is set.
"""
2018-01-07 01:14:41 +00:00
return user_request.has_perm('users.add_serviceuser'), (
u"Vous n'avez pas le droit de créer un service user"
)
2017-11-28 21:54:13 +00:00
def can_edit(self, user_request, *args, **kwargs):
"""Check if an user can edit a ServiceUser object.
:param self: The ServiceUser which is to be edited.
:param user_request: The user who requests to edit self.
:return: a message and a boolean which is True if edition is granted.
"""
2018-01-07 01:14:41 +00:00
return user_request.has_perm('users.change_serviceuser'), (
u"Vous n'avez pas le droit d'éditer les services users"
)
def can_delete(self, user_request, *args, **kwargs):
"""Check if an user can delete a ServiceUser object.
:param self: The ServiceUser who is to be deleted.
:param user_request: The user who requests deletion.
:return: True if user_request has the right 'infra', and a message.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.delete_serviceuser'), u"Vous n'avez pas le droit de\
supprimer un service user"
def can_view_all(user_request, *args, **kwargs):
"""Check if an user can access to the list of every ServiceUser objects
:param user_request: The user who wants to view the list.
:return: True if the user can view the list and an explanation message.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.view_serviceuser'), u"Vous n'avez pas le droit de\
voir un service user"
def can_view(self, user_request, *args, **kwargs):
"""Check if an user can view a ServiceUser object.
:param self: The targeted ServiceUser.
:param user_request: The user who ask for viewing the target.
:return: A boolean telling if the acces is granted and an explanation
text
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.view_serviceuser'), u"Vous n'avez pas le droit de\
voir un service user"
def __str__(self):
return self.pseudo
2017-10-14 18:18:12 +00:00
2016-07-31 01:36:54 +00:00
@receiver(post_save, sender=ServiceUser)
def service_user_post_save(sender, **kwargs):
2017-10-04 15:53:30 +00:00
""" Synchronise un service user ldap après modification django"""
2016-07-31 01:36:54 +00:00
service_user = kwargs['instance']
2017-06-18 12:59:53 +00:00
service_user.ldap_sync()
2016-07-31 01:36:54 +00:00
2017-10-14 18:18:12 +00:00
2016-07-31 01:36:54 +00:00
@receiver(post_delete, sender=ServiceUser)
def service_user_post_delete(sender, **kwargs):
2017-10-04 15:53:30 +00:00
""" Supprime un service user ldap après suppression django"""
2016-07-31 01:36:54 +00:00
service_user = kwargs['instance']
2017-06-18 12:59:53 +00:00
service_user.ldap_del()
2016-07-31 01:36:54 +00:00
2017-10-14 18:18:12 +00:00
2016-06-30 01:39:07 +00:00
class School(models.Model):
2017-10-04 15:53:30 +00:00
""" Etablissement d'enseignement"""
2018-01-07 01:14:41 +00:00
PRETTY_NAME = "Établissements enregistrés"
2016-06-30 01:39:07 +00:00
name = models.CharField(max_length=255)
2017-12-31 19:53:38 +00:00
class Meta:
permissions = (
("view_school", "Peut voir un objet school"),
)
def get_instance(schoolid, *args, **kwargs):
return School.objects.get(pk=schoolid)
def can_create(user_request, *args, **kwargs):
"""Check if an user can create a School object.
:param user_request: The user who wants to create a user object.
:return: a message and a boolean which is True if the user can create.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.add_school'), u"Vous n'avez pas le\
droit de créer des écoles"
def can_edit(self, user_request, *args, **kwargs):
"""Check if an user can edit a School object.
:param self: The School which is to be edited.
:param user_request: The user who requests to edit self.
:return: a message and a boolean which is True if edition is granted.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.change_school'), u"Vous n'avez pas le\
droit d'éditer des écoles"
def can_delete(self, user_request, *args, **kwargs):
"""Check if an user can delete a School object.
:param self: The School which is to be deleted.
:param user_request: The user who requests deletion.
:return: True if deletion is granted, and a message.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.delete_school'), u"Vous n'avez pas le\
droit de supprimer des écoles"
def can_view_all(user_request, *args, **kwargs):
"""Check if an user can access to the list of every School objects
:param user_request: The user who wants to view the list.
:return: True if the user can view the list and an explanation message.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.view_school'), u"Vous n'avez pas le\
droit de voir les écoles"
def can_view(self, user_request, *args, **kwargs):
"""Check if an user can view a School object.
:param self: The targeted School.
:param user_request: The user who ask for viewing the target.
:return: A boolean telling if the acces is granted and an explanation
text
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.view_school'), u"Vous n'avez pas le\
droit de voir les écoles"
def __str__(self):
return self.name
class ListRight(Group):
2017-10-14 18:18:12 +00:00
""" Ensemble des droits existants. Chaque droit crée un groupe
ldap synchronisé, avec gid.
2017-10-04 15:53:30 +00:00
Permet de gérer facilement les accès serveurs et autres
2017-10-14 18:18:12 +00:00
La clef de recherche est le gid, pour cette raison
il n'est plus modifiable après creation"""
PRETTY_NAME = "Liste des droits existants"
unix_name = models.CharField(
2017-10-14 18:18:12 +00:00
max_length=255,
unique=True,
validators=[RegexValidator(
'^[a-z]+$',
message="Les groupes unix ne peuvent contenir\
que des lettres minuscules"
)]
)
gid = models.PositiveIntegerField(unique=True, null=True)
critical = models.BooleanField(default=False)
2017-10-14 18:18:12 +00:00
details = models.CharField(
help_text="Description",
max_length=255,
blank=True
)
2017-12-31 19:53:38 +00:00
class Meta:
permissions = (
("view_listright", "Peut voir un objet Group/ListRight"),
)
def get_instance(listrightid, *args, **kwargs):
return ListRight.objects.get(pk=listrightid)
def can_create(user_request, *args, **kwargs):
"""Check if an user can create a ListRight object.
:param user_request: The user who wants to create a ListRight object.
:return: a message and a boolean which is True if the user can create.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.add_listright'), u"Vous n'avez pas le droit\
de créer des groupes de droits"
def can_edit(self, user_request, *args, **kwargs):
"""Check if an user can edit a ListRight object.
:param self: The object which is to be edited.
:param user_request: The user who requests to edit self.
:return: a message and a boolean which is True if edition is granted.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.change_listright'), u"Vous n'avez pas le droit\
d'éditer des groupes de droits"
def can_delete(self, user_request, *args, **kwargs):
"""Check if an user can delete a ListRight object.
:param self: The object which is to be deleted.
:param user_request: The user who requests deletion.
:return: True if deletion is granted, and a message.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.delete_listright'), u"Vous n'avez pas le droit\
de supprimer des groupes de droits"
def can_view_all(user_request, *args, **kwargs):
"""Check if an user can access to the list of every ListRight objects
:param user_request: The user who wants to view the list.
:return: True if the user can view the list and an explanation message.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.view_listright'), u"Vous n'avez pas le droit\
de voir les groupes de droits"
def can_view(self, user_request, *args, **kwargs):
"""Check if an user can view a ListRight object.
:param self: The targeted object.
:param user_request: The user who ask for viewing the target.
:return: A boolean telling if the acces is granted and an explanation
text
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.view_listright'), u"Vous n'avez pas le droit\
de voir les groupes de droits"
def __str__(self):
return self.name
def ldap_sync(self):
2017-10-14 18:18:12 +00:00
"""Sychronise les groups ldap avec le model listright coté django"""
try:
group_ldap = LdapUserGroup.objects.get(gid=self.gid)
except LdapUserGroup.DoesNotExist:
group_ldap = LdapUserGroup(gid=self.gid)
group_ldap.name = self.listright
2017-12-31 16:11:19 +00:00
group_ldap.members = [user.pseudo for user
in self.user_set.all()]
group_ldap.save()
def ldap_del(self):
2017-10-14 18:18:12 +00:00
"""Supprime un groupe ldap"""
try:
group_ldap = LdapUserGroup.objects.get(gid=self.gid)
group_ldap.delete()
except LdapUserGroup.DoesNotExist:
pass
2017-10-14 18:18:12 +00:00
@receiver(post_save, sender=ListRight)
def listright_post_save(sender, **kwargs):
2017-10-04 15:53:30 +00:00
""" Synchronise le droit ldap quand il est modifié"""
right = kwargs['instance']
2016-11-20 15:53:59 +00:00
right.ldap_sync()
2017-10-14 18:18:12 +00:00
@receiver(post_delete, sender=ListRight)
def listright_post_delete(sender, **kwargs):
2017-10-14 18:18:12 +00:00
"""Suppression d'un groupe ldap après suppression coté django"""
right = kwargs['instance']
2016-11-20 15:53:59 +00:00
right.ldap_del()
2017-10-14 18:18:12 +00:00
class ListShell(models.Model):
2017-10-14 18:18:12 +00:00
"""Un shell possible. Pas de check si ce shell existe, les
admin sont des grands"""
PRETTY_NAME = "Liste des shells disponibles"
shell = models.CharField(max_length=255, unique=True)
def __str__(self):
return self.shell
2017-10-14 18:18:12 +00:00
2016-07-02 19:57:31 +00:00
class Ban(models.Model):
2017-10-04 15:53:30 +00:00
""" Bannissement. Actuellement a un effet tout ou rien.
Gagnerait à être granulaire"""
PRETTY_NAME = "Liste des bannissements"
2017-03-06 01:28:16 +00:00
STATE_HARD = 0
STATE_SOFT = 1
STATE_BRIDAGE = 2
STATES = (
2017-10-14 18:18:12 +00:00
(0, 'HARD (aucun accès)'),
(1, 'SOFT (accès local seulement)'),
(2, 'BRIDAGE (bridage du débit)'),
)
2017-03-06 01:28:16 +00:00
2016-07-02 19:57:31 +00:00
user = models.ForeignKey('User', on_delete=models.PROTECT)
raison = models.CharField(max_length=255)
date_start = models.DateTimeField(auto_now_add=True)
date_end = models.DateTimeField(help_text='%d/%m/%y %H:%M:%S')
2017-10-14 18:18:12 +00:00
state = models.IntegerField(choices=STATES, default=STATE_HARD)
2016-07-02 19:57:31 +00:00
2017-12-31 19:53:38 +00:00
class Meta:
permissions = (
("view_ban", "Peut voir un objet ban quelqu'il soit"),
)
def notif_ban(self):
""" Prend en argument un objet ban, envoie un mail de notification """
2017-10-14 18:18:12 +00:00
template = loader.get_template('users/email_ban_notif')
context = Context({
'name': self.user.get_full_name(),
'raison': self.raison,
'date_end': self.date_end,
2018-01-31 02:27:59 +00:00
'asso_name': AssoOption.get_cached_value('name'),
})
2017-10-14 18:18:12 +00:00
send_mail(
'Deconnexion disciplinaire',
template.render(context),
GeneralOption.get_cached_value('email_from'),
2017-10-14 18:18:12 +00:00
[self.user.email],
fail_silently=False
)
return
2017-09-19 02:45:33 +00:00
def is_active(self):
2017-10-14 18:18:12 +00:00
"""Ce ban est-il actif?"""
2018-01-10 20:20:54 +00:00
return self.date_end > timezone.now()
2017-09-19 02:45:33 +00:00
def get_instance(banid, *args, **kwargs):
return Ban.objects.get(pk=banid)
def can_create(user_request, *args, **kwargs):
"""Check if an user can create a Ban object.
:param user_request: The user who wants to create a Ban object.
:return: a message and a boolean which is True if the user can create.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.add_ban'), u"Vous n'avez pas le droit de\
créer des bannissements"
def can_edit(self, user_request, *args, **kwargs):
"""Check if an user can edit a Ban object.
:param self: The object which is to be edited.
:param user_request: The user who requests to edit self.
:return: a message and a boolean which is True if edition is granted.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.change_ban'), u"Vous n'avez pas le droit\
d'éditer des bannissements"
def can_delete(self, user_request, *args, **kwargs):
"""Check if an user can delete a Ban object.
:param self: The object which is to be deleted.
:param user_request: The user who requests deletion.
:return: True if deletion is granted, and a message.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.delete_ban'), u"Vous n'avez pas le droit\
de supprimer des bannissements"
def can_view_all(user_request, *args, **kwargs):
"""Check if an user can access to the list of every Ban objects
:param user_request: The user who wants to view the list.
:return: True if the user can view the list and an explanation message.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.view_ban'), u"Vous n'avez pas le droit\
2017-12-28 15:10:34 +00:00
de voir tous les bannissements"
def can_view(self, user_request, *args, **kwargs):
"""Check if an user can view a Ban object.
:param self: The targeted object.
:param user_request: The user who ask for viewing the target.
:return: A boolean telling if the acces is granted and an explanation
text
"""
2017-12-31 19:53:38 +00:00
if not user_request.has_perm('users.view_ban') and\
self.user != user_request:
return False, u"Vous n'avez pas le droit de voir les bannissements\
autre que les vôtres"
else:
return True, None
2016-07-02 19:57:31 +00:00
def __str__(self):
return str(self.user) + ' ' + str(self.raison)
2017-10-14 18:18:12 +00:00
2016-11-20 15:53:59 +00:00
@receiver(post_save, sender=Ban)
def ban_post_save(sender, **kwargs):
2017-10-04 15:53:30 +00:00
""" Regeneration de tous les services après modification d'un ban"""
2016-11-20 15:53:59 +00:00
ban = kwargs['instance']
is_created = kwargs['created']
2016-11-20 15:53:59 +00:00
user = ban.user
user.ldap_sync(base=False, access_refresh=True, mac_refresh=False)
2017-09-14 18:03:28 +00:00
regen('mailing')
if is_created:
ban.notif_ban()
regen('dhcp')
regen('mac_ip_list')
if user.has_access():
regen('dhcp')
regen('mac_ip_list')
2016-11-20 15:53:59 +00:00
2017-10-14 18:18:12 +00:00
2016-11-20 15:53:59 +00:00
@receiver(post_delete, sender=Ban)
def ban_post_delete(sender, **kwargs):
2017-10-04 15:53:30 +00:00
""" Regen de tous les services après suppression d'un ban"""
2016-11-20 15:53:59 +00:00
user = kwargs['instance'].user
user.ldap_sync(base=False, access_refresh=True, mac_refresh=False)
2017-09-14 18:03:28 +00:00
regen('mailing')
regen('dhcp')
regen('mac_ip_list')
2017-10-14 18:18:12 +00:00
2016-07-04 18:04:11 +00:00
class Whitelist(models.Model):
2017-10-14 18:18:12 +00:00
"""Accès à titre gracieux. L'utilisateur ne paye pas; se voit
accorder un accès internet pour une durée défini. Moins
fort qu'un ban quel qu'il soit"""
PRETTY_NAME = "Liste des accès gracieux"
2016-07-04 18:04:11 +00:00
user = models.ForeignKey('User', on_delete=models.PROTECT)
raison = models.CharField(max_length=255)
date_start = models.DateTimeField(auto_now_add=True)
date_end = models.DateTimeField(help_text='%d/%m/%y %H:%M:%S')
2016-07-04 18:04:11 +00:00
2017-12-31 19:53:38 +00:00
class Meta:
permissions = (
("view_whitelist", "Peut voir un objet whitelist"),
)
2017-09-19 02:45:33 +00:00
def is_active(self):
2018-01-10 20:20:54 +00:00
return self.date_end > timezone.now()
2017-09-19 02:45:33 +00:00
def get_instance(whitelistid, *args, **kwargs):
return Whitelist.objects.get(pk=whitelistid)
def can_create(user_request, *args, **kwargs):
"""Check if an user can create a Whitelist object.
:param user_request: The user who wants to create a Whitelist object.
:return: a message and a boolean which is True if the user can create.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.add_whitelist'), u"Vous n'avez pas le\
droit de créer des accès gracieux"
def can_edit(self, user_request, *args, **kwargs):
"""Check if an user can edit a Whitelist object.
:param self: The object which is to be edited.
:param user_request: The user who requests to edit self.
:return: a message and a boolean which is True if edition is granted.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.change_whitelist'), u"Vous n'avez pas le\
droit d'éditer des accès gracieux"
def can_delete(self, user_request, *args, **kwargs):
"""Check if an user can delete a Whitelist object.
:param self: The object which is to be deleted.
:param user_request: The user who requests deletion.
:return: True if deletion is granted, and a message.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.delete_whitelist'), u"Vous n'avez pas le\
droit de supprimer des accès gracieux"
def can_view_all(user_request, *args, **kwargs):
"""Check if an user can access to the list of every Whitelist objects
:param user_request: The user who wants to view the list.
:return: True if the user can view the list and an explanation message.
"""
2017-12-31 19:53:38 +00:00
return user_request.has_perm('users.view_whitelist'), u"Vous n'avez pas le\
2017-12-28 15:10:34 +00:00
droit de voir les accès gracieux"
def can_view(self, user_request, *args, **kwargs):
"""Check if an user can view a Whitelist object.
:param self: The targeted object.
:param user_request: The user who ask for viewing the target.
:return: A boolean telling if the acces is granted and an explanation
text
"""
2017-12-31 19:53:38 +00:00
if not user_request.has_perm('users.view_whitelist') and\
self.user != user_request:
return False, u"Vous n'avez pas le droit de voir les accès\
gracieux autre que les vôtres"
else:
return True, None
2016-07-04 18:04:11 +00:00
def __str__(self):
return str(self.user) + ' ' + str(self.raison)
2017-10-14 18:18:12 +00:00
2016-11-20 15:53:59 +00:00
@receiver(post_save, sender=Whitelist)
def whitelist_post_save(sender, **kwargs):
2017-10-14 18:18:12 +00:00
"""Après modification d'une whitelist, on synchronise les services
et on lui permet d'avoir internet"""
2016-11-20 15:53:59 +00:00
whitelist = kwargs['instance']
user = whitelist.user
user.ldap_sync(base=False, access_refresh=True, mac_refresh=False)
is_created = kwargs['created']
2017-09-14 18:03:28 +00:00
regen('mailing')
if is_created:
regen('dhcp')
regen('mac_ip_list')
if user.has_access():
regen('dhcp')
regen('mac_ip_list')
2016-11-20 15:53:59 +00:00
2017-10-14 18:18:12 +00:00
2016-11-20 15:53:59 +00:00
@receiver(post_delete, sender=Whitelist)
def whitelist_post_delete(sender, **kwargs):
2017-10-14 18:18:12 +00:00
"""Après suppression d'une whitelist, on supprime l'accès internet
en forçant la régénration"""
2016-11-20 15:53:59 +00:00
user = kwargs['instance'].user
user.ldap_sync(base=False, access_refresh=True, mac_refresh=False)
2017-09-14 18:03:28 +00:00
regen('mailing')
regen('dhcp')
regen('mac_ip_list')
2016-11-20 15:53:59 +00:00
2017-10-14 18:18:12 +00:00
class Request(models.Model):
2017-10-04 15:53:30 +00:00
""" Objet request, générant une url unique de validation.
2017-10-14 18:18:12 +00:00
Utilisé par exemple pour la generation du mot de passe et
2017-10-04 15:53:30 +00:00
sa réinitialisation"""
PASSWD = 'PW'
EMAIL = 'EM'
TYPE_CHOICES = (
(PASSWD, 'Mot de passe'),
(EMAIL, 'Email'),
)
type = models.CharField(max_length=2, choices=TYPE_CHOICES)
token = models.CharField(max_length=32)
user = models.ForeignKey('User', on_delete=models.PROTECT)
created_at = models.DateTimeField(auto_now_add=True, editable=False)
expires_at = models.DateTimeField()
def save(self):
if not self.expires_at:
2018-01-10 20:20:54 +00:00
self.expires_at = timezone.now() \
+ datetime.timedelta(hours=GeneralOption.get_cached_value('req_expire_hrs'))
if not self.token:
self.token = str(uuid.uuid4()).replace('-', '') # remove hyphens
super(Request, self).save()
2017-10-14 18:18:12 +00:00
class LdapUser(ldapdb.models.Model):
"""
Class for representing an LDAP user entry.
"""
# LDAP meta-data
base_dn = LDAP['base_user_dn']
2017-10-14 18:18:12 +00:00
object_classes = ['inetOrgPerson', 'top', 'posixAccount',
'sambaSamAccount', 'radiusprofile',
'shadowAccount']
# attributes
gid = ldapdb.models.fields.IntegerField(db_column='gidNumber')
2017-10-14 18:18:12 +00:00
name = ldapdb.models.fields.CharField(
db_column='cn',
max_length=200,
primary_key=True
)
uid = ldapdb.models.fields.CharField(db_column='uid', max_length=200)
2017-10-14 18:18:12 +00:00
uidNumber = ldapdb.models.fields.IntegerField(
db_column='uidNumber',
unique=True
)
sn = ldapdb.models.fields.CharField(db_column='sn', max_length=200)
2017-10-14 18:18:12 +00:00
login_shell = ldapdb.models.fields.CharField(
db_column='loginShell',
max_length=200,
blank=True,
null=True
)
mail = ldapdb.models.fields.CharField(db_column='mail', max_length=200)
given_name = ldapdb.models.fields.CharField(
db_column='givenName',
max_length=200
)
home_directory = ldapdb.models.fields.CharField(
db_column='homeDirectory',
max_length=200
)
display_name = ldapdb.models.fields.CharField(
db_column='displayName',
max_length=200,
blank=True,
null=True
)
dialupAccess = ldapdb.models.fields.CharField(db_column='dialupAccess')
2017-10-14 18:18:12 +00:00
sambaSID = ldapdb.models.fields.IntegerField(
db_column='sambaSID',
unique=True
)
user_password = ldapdb.models.fields.CharField(
db_column='userPassword',
max_length=200,
blank=True,
null=True
)
sambat_nt_password = ldapdb.models.fields.CharField(
db_column='sambaNTPassword',
max_length=200,
blank=True,
null=True
)
macs = ldapdb.models.fields.ListField(
db_column='radiusCallingStationId',
max_length=200,
blank=True,
null=True
)
shadowexpire = ldapdb.models.fields.CharField(
db_column='shadowExpire',
blank=True,
null=True
)
def __str__(self):
return self.name
def __unicode__(self):
return self.name
def save(self, *args, **kwargs):
self.sn = self.name
self.uid = self.name
self.sambaSID = self.uidNumber
super(LdapUser, self).save(*args, **kwargs)
2017-10-14 18:18:12 +00:00
class LdapUserGroup(ldapdb.models.Model):
"""
2017-10-14 18:18:12 +00:00
Class for representing an LDAP group entry.
Un groupe ldap
"""
# LDAP meta-data
base_dn = LDAP['base_usergroup_dn']
object_classes = ['posixGroup']
# attributes
gid = ldapdb.models.fields.IntegerField(db_column='gidNumber')
members = ldapdb.models.fields.ListField(db_column='memberUid', blank=True)
2017-10-14 18:18:12 +00:00
name = ldapdb.models.fields.CharField(
db_column='cn',
max_length=200,
primary_key=True
)
def __str__(self):
return self.name
2017-10-14 18:18:12 +00:00
2016-07-31 01:36:54 +00:00
class LdapServiceUser(ldapdb.models.Model):
"""
Class for representing an LDAP userservice entry.
2017-10-14 18:18:12 +00:00
Un user de service coté ldap
2016-07-31 01:36:54 +00:00
"""
# LDAP meta-data
base_dn = LDAP['base_userservice_dn']
2017-10-14 18:18:12 +00:00
object_classes = ['applicationProcess', 'simpleSecurityObject']
2016-07-31 01:36:54 +00:00
# attributes
2017-10-14 18:18:12 +00:00
name = ldapdb.models.fields.CharField(
db_column='cn',
max_length=200,
primary_key=True
)
user_password = ldapdb.models.fields.CharField(
db_column='userPassword',
max_length=200,
blank=True,
null=True
)
2016-07-31 01:36:54 +00:00
2017-06-18 12:59:53 +00:00
def __str__(self):
return self.name
2017-10-14 18:18:12 +00:00
2017-06-18 12:59:53 +00:00
class LdapServiceUserGroup(ldapdb.models.Model):
"""
Class for representing an LDAP userservice entry.
2017-10-14 18:18:12 +00:00
Un group user de service coté ldap. Dans userservicegroupdn
(voir dans settings_local.py)
2017-06-18 12:59:53 +00:00
"""
# LDAP meta-data
base_dn = LDAP['base_userservicegroup_dn']
object_classes = ['groupOfNames']
# attributes
2017-10-14 18:18:12 +00:00
name = ldapdb.models.fields.CharField(
db_column='cn',
max_length=200,
primary_key=True
)
members = ldapdb.models.fields.ListField(
db_column='member',
blank=True
)
2017-06-18 12:59:53 +00:00
def __str__(self):
return self.name