username and password authorization method

Bug #727879 reported by Raimon Esteve (www.zikzakmedia.com)
Affects      Status      Importance   Assigned to    Milestone
RPC4Django   Won't Fix   Undecided    davidfischer

Bug Description

Hello,
If you use an authorization method, it doesn't check the user and returns the Anonymous user.

For example:

    proxy = xmlrpclib.ServerProxy("http://prova:prova@localhost:8443/xmlrpc") #rpc4django

In rpc4django's views.py, getattr(request, 'user', None) always returns Anonymous.

One solution is the following code, which validates the username and password from the URI:

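    import base64
    import logging
    from django.contrib.auth import authenticate

    response = True

    user = getattr(request, 'user', None)
    # authorization: validate HTTP Basic credentials sent with the request
    if 'HTTP_AUTHORIZATION' in request.META:
        auth = request.META['HTTP_AUTHORIZATION'].split()
        if len(auth) != 2 or auth[0].lower() != "basic":
            logging.debug('HTTP Authorization is NOT authorized')
            response = False
        else:
            try:
                # split on the first ':' only, since the password may contain ':'
                creds = base64.b64decode(auth[1]).decode('utf-8')
                uname, passwd = creds.split(':', 1)
            except (TypeError, ValueError):
                # bad base64, bad encoding, or no ':' separator
                logging.debug('HTTP Authorization is NOT authorized')
                response = False
            else:
                # authenticate() returns None when the credentials are rejected
                user = authenticate(username=uname, password=passwd)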
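An added example (not from the report and not rpc4django's code) of the decoding step the snippet above attempts: it builds the Authorization header that URL credentials such as prova:prova turn into and parses it defensively. basic_auth_header and parse_basic_auth are hypothetical helper names, and verifying the decoded pair is left to the caller.

```python
import base64
import binascii


def basic_auth_header(username, password):
    """Build the header value a client derives from user:password@ in the URL."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def parse_basic_auth(header):
    """Return (username, password), or None if the header is not valid Basic auth.

    Hypothetical helper: it only decodes the header. The caller still has to
    verify the pair (for example with Django's authenticate()) and must treat
    None as "not authenticated".
    """
    parts = header.split()
    if len(parts) != 2 or parts[0].lower() != "basic":
        return None
    try:
        # validate=True rejects characters outside the base64 alphabet
        decoded = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first ':' only: the password may itself contain ':'
    username, sep, password = decoded.partition(":")
    if not sep or not username:
        return None
    return username, password


# Constructed sample headers, not captured traffic.
SAMPLES = [
    basic_auth_header("prova", "prova"),   # well-formed
    basic_auth_header("prova", "pa:ss"),   # password containing ':'
    "Basic",                               # token missing
    "Digest abc",                          # wrong scheme
    "Basic !!!notbase64",                  # not base64
    "Basic " + base64.b64encode(b"nocolon").decode("ascii"),  # no separator
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", parse_basic_auth(sample))
```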

davidfischer (djfische)
Changed in rpc4django:
assignee: nobody → davidfischer (djfische)
davidfischer (djfische) wrote :

This is by design.

When using authentication, you must either set up your webserver to use HTTP basic authentication or you must use the out of the box authentication. See the docs (http://packages.python.org/rpc4django/usage/auth.html) for details.

When using HTTP authentication, you should be using the RemoteUserMiddleware to do the password checking automatically. If using the out of the box authentication, you should use the system.login() method.

Changed in rpc4django:
status: New → Won't Fix
davidfischer (djfische) wrote :

If you want to see this in action, you can visit: https://rpcauth.davidfischer.name
There are two logins:
 - user: rpcnoauth with password: rpcnoauth - this user cannot call the secret method
 - user: rpc4django with password: rpc4django - this user can call the secret method
