1 new commit in galaxy-central: https://bitbucket.org/galaxy/galaxy-central/changeset/d88a9fa7041c/ changeset: d88a9fa7041c user: dan date: 2012-04-12 17:32:01 summary: Rework OpenID process. Add a never_associate_with_user flag to OpenID providers that will prevent an OpenID Provider from being able to be used for logging in to Galaxy. Post authentication actions will still be performed. This is now used for the GenomeSpace OpenID Provider until it is working correctly. affected #: 10 files diff -r 8376ad08ae41b9b7efa06622b031cb731e2c0bcf -r d88a9fa7041c02f8c448eecb2a86c93b5c47d6a0 lib/galaxy/model/mapping.py --- a/lib/galaxy/model/mapping.py +++ b/lib/galaxy/model/mapping.py @@ -76,6 +76,7 @@ Column( "session_id", Integer, ForeignKey( "galaxy_session.id" ), index=True ), Column( "user_id", Integer, ForeignKey( "galaxy_user.id" ), index=True ), Column( "openid", TEXT, index=True, unique=True ), + Column( "provider", TrimmedString( 255 ) ), ) History.table = Table( "history", metadata, diff -r 8376ad08ae41b9b7efa06622b031cb731e2c0bcf -r d88a9fa7041c02f8c448eecb2a86c93b5c47d6a0 lib/galaxy/model/migrate/versions/0096_openid_provider.py --- /dev/null +++ b/lib/galaxy/model/migrate/versions/0096_openid_provider.py @@ -0,0 +1,45 @@ +""" +Migration script to add column to openid table for provider. +Remove any OpenID entries with nonunique GenomeSpace Identifier +""" + +BAD_IDENTIFIER = 'https://identity.genomespace.org/identityServer/xrd.jsp' +from sqlalchemy import * +from sqlalchemy.orm import * +from migrate import * +from migrate.changeset import * +from galaxy.model.custom_types import TrimmedString + +import logging +log = logging.getLogger( __name__ ) + +metadata = MetaData( migrate_engine ) +db_session = scoped_session( sessionmaker( bind=migrate_engine, autoflush=False, autocommit=True ) ) + +def upgrade(): + print __doc__ + metadata.reflect() + + try: + OpenID_table = Table( "galaxy_user_openid", metadata, autoload=True ) + c = Column( "provider", TrimmedString( 255 ) ) + c.create( OpenID_table ) + assert c is OpenID_table.c.provider + except Exception, e: + print "Adding provider column to galaxy_user_openid table failed: %s" % str( e ) + log.debug( "Adding provider column to galaxy_user_openid table failed: %s" % str( e ) ) + + try: + cmd = "DELETE FROM galaxy_user_openid WHERE openid='%s'" % ( BAD_IDENTIFIER ) + db_session.execute( cmd ) + except Exception, e: + log.debug( "Deleting bad Identifiers from galaxy_user_openid failed: %s" % str( e ) ) + +def downgrade(): + metadata.reflect() + try: + OpenID_table = Table( "galaxy_user_openid", metadata, autoload=True ) + OpenID_table.c.provider.drop() + except Exception, e: + print "Dropping provider column from galaxy_user_openid table failed: %s" % str( e ) + log.debug( "Dropping provider column from galaxy_user_openid table failed: %s" % str( e ) ) \ No newline at end of file diff -r 8376ad08ae41b9b7efa06622b031cb731e2c0bcf -r d88a9fa7041c02f8c448eecb2a86c93b5c47d6a0 lib/galaxy/openid/providers.py --- a/lib/galaxy/openid/providers.py +++ b/lib/galaxy/openid/providers.py @@ -9,6 +9,9 @@ log = logging.getLogger( __name__ ) +NO_PROVIDER_ID = 'None' +RESERVED_PROVIDER_IDS = [ NO_PROVIDER_ID ] + class OpenIDProvider( object ): '''An OpenID Provider object.''' @classmethod @@ -22,7 +25,9 @@ op_endpoint_url = provider_elem.find( 'op_endpoint_url' ) if op_endpoint_url is not None: op_endpoint_url = op_endpoint_url.text + never_associate_with_user = string_as_bool( provider_elem.get( 'never_associate_with_user', 'False' ) ) assert (provider_id and provider_name and op_endpoint_url), Exception( "OpenID Provider improperly configured" ) + assert provider_id not in RESERVED_PROVIDER_IDS, Exception( 'Specified OpenID Provider uses a reserved id: %s' % ( provider_id ) ) sreg_required = [] sreg_optional = [] use_for = {} @@ -45,8 +50,8 @@ sreg_required = None sreg_optional = None use_for = None - return cls( provider_id, provider_name, op_endpoint_url, sreg_required, sreg_optional, use_for, store_user_preference ) - def __init__( self, id, name, op_endpoint_url, sreg_required=None, sreg_optional=None, use_for=None, store_user_preference=None ): + return cls( provider_id, provider_name, op_endpoint_url, sreg_required=sreg_required, sreg_optional=sreg_optional, use_for=use_for, store_user_preference=store_user_preference, never_associate_with_user=never_associate_with_user ) + def __init__( self, id, name, op_endpoint_url, sreg_required=None, sreg_optional=None, use_for=None, store_user_preference=None, never_associate_with_user=None ): '''When sreg options are not specified, defaults are used.''' self.id = id self.name = name @@ -71,6 +76,10 @@ self.store_user_preference = store_user_preference else: self.store_user_preference = {} + if never_associate_with_user: + self.never_associate_with_user = True + else: + self.never_associate_with_user = False def post_authentication( self, trans, openid_manager, info ): sreg_attributes = openid_manager.get_sreg( info ) for store_pref_name, store_pref_value_name in self.store_user_preference.iteritems(): @@ -80,9 +89,12 @@ raise Exception( 'Only sreg is currently supported.' ) trans.sa_session.add( trans.user ) trans.sa_session.flush() + def has_post_authentication_actions( self ): + return bool( self.store_user_preference ) class OpenIDProviders( object ): '''Collection of OpenID Providers''' + NO_PROVIDER_ID = NO_PROVIDER_ID @classmethod def from_file( cls, filename ): try: @@ -107,6 +119,7 @@ self.providers = providers else: self.providers = odict() + self._banned_identifiers = [ provider.op_endpoint_url for provider in self.providers.itervalues() if provider.never_associate_with_user ] def __iter__( self ): for provider in self.providers.itervalues(): yield provider @@ -115,3 +128,5 @@ return self.providers[ name ] else: return default + def new_provider_from_identifier( self, identifier ): + return OpenIDProvider( None, identifier, identifier, never_associate_with_user = identifier in self._banned_identifiers ) diff -r 8376ad08ae41b9b7efa06622b031cb731e2c0bcf -r d88a9fa7041c02f8c448eecb2a86c93b5c47d6a0 lib/galaxy/web/controllers/tool_runner.py --- a/lib/galaxy/web/controllers/tool_runner.py +++ b/lib/galaxy/web/controllers/tool_runner.py @@ -59,7 +59,7 @@ trans.log_event( "Tool id '%s' does not exist" % tool_id ) return "Tool '%s' does not exist, kwd=%s " % (tool_id, kwd) if tool.require_login and not trans.user: - return trans.response.send_redirect( url_for( controller='user', action='login', cntrller='user', message="You must be logged in to use this tool.", status="info", referer=url_for( controller='/tool_runner', action='index', tool_id=tool_id, **kwd ) ) ) + return trans.response.send_redirect( url_for( controller='user', action='login', cntrller='user', message="You must be logged in to use this tool.", status="info", redirect=url_for( controller='/tool_runner', action='index', tool_id=tool_id, **kwd ) ) ) params = util.Params( kwd, sanitize = False ) #Sanitize parameters when substituting into command line via input wrappers #do param translation here, used by datasource tools if tool.input_translator: diff -r 8376ad08ae41b9b7efa06622b031cb731e2c0bcf -r d88a9fa7041c02f8c448eecb2a86c93b5c47d6a0 lib/galaxy/web/controllers/user.py --- a/lib/galaxy/web/controllers/user.py +++ b/lib/galaxy/web/controllers/user.py @@ -11,7 +11,6 @@ from galaxy.util.json import from_json_string, to_json_string from galaxy.web.framework.helpers import iff from galaxy.security.validate_user_input import validate_email, validate_publicname, validate_password -from galaxy.openid.providers import OpenIDProvider log = logging.getLogger( __name__ ) @@ -30,7 +29,7 @@ default_filter = { "openid" : "All" } default_sort_key = "-create_time" columns = [ - grids.TextColumn( "OpenID URL", key="openid" ), + grids.TextColumn( "OpenID URL", key="openid", link=( lambda x: dict( operation='openid_auth', login_button="Login", openid_url=x.openid if not x.provider else '', openid_provider=x.provider, auto_associate=True ) ) ), grids.GridColumn( "Created", key="create_time", format=time_ago ), ] operations = [ @@ -48,32 +47,30 @@ return trans.fill_template( '/user/index.mako', cntrller=cntrller, webapp=webapp ) @web.expose def openid_auth( self, trans, webapp='galaxy', **kwd ): + '''Handles user request to access an OpenID provider''' if not trans.app.config.enable_openid: return trans.show_error_message( 'OpenID authentication is not enabled in this instance of Galaxy' ) message = 'Unspecified failure authenticating via OpenID' status = kwd.get( 'status', 'done' ) openid_url = kwd.get( 'openid_url', '' ) openid_provider = kwd.get( 'openid_provider', '' ) - referer = kwd.get( 'referer', trans.request.referer ) + if not openid_provider or openid_url: + openid_provider = trans.app.openid_providers.NO_PROVIDER_ID #empty fields cause validation errors + redirect = kwd.get( 'redirect', '' ) auto_associate = util.string_as_bool( kwd.get( 'auto_associate', False ) ) use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) action = 'login' - if auto_associate: - action = 'openid_manage' - if not referer: - referer = url_for( '/' ) + if not redirect: + redirect = url_for( '/' ) consumer = trans.app.openid_manager.get_consumer( trans ) - openid_provider_obj = None - if not openid_url and openid_provider and trans.app.openid_providers.get( openid_provider ): + if openid_url: + openid_provider_obj = trans.app.openid_providers.new_provider_from_identifier( openid_url ) + else: openid_provider_obj = trans.app.openid_providers.get( openid_provider ) - elif openid_url: - openid_provider_obj = OpenIDProvider( openid_url, openid_url, openid_url ) #for manually entered links use the link for id, name and url - elif openid_provider: - message = 'Invalid OpenID provider specified: %s' % ( openid_provider ) - else: + if not openid_url and openid_provider == trans.app.openid_providers.NO_PROVIDER_ID: message = 'An OpenID provider was not specified' - process_url = trans.request.base.rstrip( '/' ) + url_for( controller='user', action='openid_process', referer=referer, auto_associate=auto_associate, openid_provider=openid_provider ) - if openid_provider_obj is not None: + elif openid_provider_obj: + process_url = trans.request.base.rstrip( '/' ) + url_for( controller='user', action='openid_process', redirect=redirect, openid_provider=openid_provider, auto_associate=auto_associate ) request = None try: request = consumer.begin( openid_provider_obj.op_endpoint_url ) @@ -87,84 +84,96 @@ redirect_url = request.redirectURL( trans.request.base, process_url ) trans.app.openid_manager.persist_session( trans, consumer ) - trans.response.send_redirect( redirect_url ) - return + return trans.response.send_redirect( redirect_url ) else: form = request.htmlMarkup( trans.request.base, process_url, form_tag_attrs={'id':'openid_message','target':'_top'} ) trans.app.openid_manager.persist_session( trans, consumer ) return form return trans.response.send_redirect( url_for( controller='user', action=action, + redirect=redirect, use_panels=use_panels, message=message, status='error' ) ) @web.expose def openid_process( self, trans, webapp='galaxy', **kwd ): + '''Handle's response from OpenID Providers''' if not trans.app.config.enable_openid: return trans.show_error_message( 'OpenID authentication is not enabled in this instance of Galaxy' ) auto_associate = util.string_as_bool( kwd.get( 'auto_associate', False ) ) action = 'login' - if auto_associate: + if trans.user: action = 'openid_manage' if trans.app.config.support_url is not None: contact = '<a href="%s">support</a>' % trans.app.config.support_url else: contact = 'support' - message = 'Verification failed for an unknown reason. Please contact support for assistance.' + message = 'Verification failed for an unknown reason. Please contact %s for assistance.' % ( contact ) status = 'error' consumer = trans.app.openid_manager.get_consumer( trans ) info = consumer.complete( kwd, trans.request.url ) display_identifier = info.getDisplayIdentifier() - redirect_url = kwd.get( 'referer', url_for( '/' ) ) - openid_provider = kwd.get( 'openid_provider', '' ) + redirect = kwd.get( 'redirect', url_for( '/' ) ) + openid_provider = kwd.get( 'openid_provider', None ) if info.status == trans.app.openid_manager.FAILURE and display_identifier: message = "Login via OpenID failed. The technical reason for this follows, please include this message in your email if you need to %s to resolve this problem: %s" % ( contact, info.message ) return trans.response.send_redirect( url_for( controller='user', action=action, use_panels=True, + redirect=redirect, message=message, status='error' ) ) elif info.status == trans.app.openid_manager.SUCCESS: if info.endpoint.canonicalID: display_identifier = info.endpoint.canonicalID + openid_provider_obj = trans.app.openid_providers.get( openid_provider ) user_openid = trans.sa_session.query( trans.app.model.UserOpenID ).filter( trans.app.model.UserOpenID.table.c.openid == display_identifier ).first() - openid_provider_obj = trans.app.openid_providers.get( openid_provider ) + if not openid_provider_obj and user_openid and user_openid.provider: + openid_provider_obj = trans.app.openid_providers.get( user_openid.provider ) if not openid_provider_obj: - openid_provider_obj = OpenIDProvider( display_identifier, display_identifier, display_identifier ) + openid_provider_obj = trans.app.openid_providers.new_provider_from_identifier( display_identifier ) if not user_openid: user_openid = trans.app.model.UserOpenID( session=trans.galaxy_session, openid=display_identifier ) - elif not user_openid.user and user_openid.session.id != trans.galaxy_session.id: + if not user_openid.user: user_openid.session = trans.galaxy_session - elif user_openid.user and not auto_associate: + if not user_openid.provider and openid_provider: + user_openid.provider = openid_provider + if trans.user: + if user_openid.user and user_openid.user.id != trans.user.id: + message = "The OpenID <strong>%s</strong> is already associated with another Galaxy account, <strong>%s</strong>. Please disassociate it from that account before attempting to associate it with a new account." % ( display_identifier, user_openid.user.email ) + status = "error" + elif not user_openid.user or user_openid.user == trans.user: + if openid_provider_obj.id: + user_openid.provider = openid_provider_obj.id + user_openid.session = trans.galaxy_session + if not openid_provider_obj.never_associate_with_user: + if not auto_associate and ( user_openid.user and user_openid.user.id == trans.user.id ): + message = "The OpenID <strong>%s</strong> is already associated with your Galaxy account, <strong>%s</strong>." % ( display_identifier, trans.user.email ) + status = "warning" + else: + message = "The OpenID <strong>%s</strong> has been associated with your Galaxy account, <strong>%s</strong>." % ( display_identifier, trans.user.email ) + status = "done" + user_openid.user = trans.user + trans.sa_session.add( user_openid ) + trans.sa_session.flush() + trans.log_event( "User associated OpenID: %s" % display_identifier ) + else: + message = "The OpenID <strong>%s</strong> cannot be used to log into your Galaxy account, but any post authentication actions have been performed." % ( openid_provider_obj.name ) + status ="info" + openid_provider_obj.post_authentication( trans, trans.app.openid_manager, info ) + if redirect: + message = '%s<br>Click <a href="%s"><strong>here</strong></a> to return to the page you were previously viewing.' % ( message, redirect ) + return trans.response.send_redirect( url_for( controller='user', + action='openid_manage', + use_panels=True, + redirect=redirect, + message=message, + status=status ) ) + elif user_openid.user: trans.handle_user_login( user_openid.user, webapp ) trans.log_event( "User logged in via OpenID: %s" % display_identifier ) openid_provider_obj.post_authentication( trans, trans.app.openid_manager, info ) - trans.response.send_redirect( redirect_url ) - return - if auto_associate and trans.user: - # The user is already logged in and requested association from - # the user prefs as opposed to using the OpenID form on the - # login page. - if user_openid.user and user_openid.user.id != trans.user.id: - message = "The OpenID <strong>%s</strong> is already associated with another Galaxy account, <strong>%s</strong>. Please disassociate it from that account before attempting to associate it with a new account." % ( display_identifier, user_openid.user.email ) - status = "error" - elif user_openid.user and user_openid.user.id == trans.user.id: - message = "The OpenID <strong>%s</strong> is already associated with your Galaxy account, <strong>%s</strong>." % ( display_identifier, trans.user.email ) - status = "warning" - else: - user_openid.user_id = trans.user.id - trans.sa_session.add( user_openid ) - trans.sa_session.flush() - trans.log_event( "User associated OpenID: %s" % display_identifier ) - message = "The OpenID <strong>%s</strong> has been associated with your Galaxy account, <strong>%s</strong>." % ( display_identifier, trans.user.email ) - status = "done" - openid_provider_obj.post_authentication( trans, trans.app.openid_manager, info ) - trans.response.send_redirect( url_for( controller='user', - action='openid_manage', - use_panels=True, - message=message, - status=status ) ) - return + return trans.response.send_redirect( redirect ) trans.sa_session.add( user_openid ) trans.sa_session.flush() message = "OpenID authentication was successful, but you need to associate your OpenID with a Galaxy account." @@ -179,10 +188,11 @@ email = sreg_resp.get( sreg_email_name, '' ) except AttributeError: email = '' - trans.response.send_redirect( url_for( controller='user', + #OpenID success, but user not logged in, and not previously associated + return trans.response.send_redirect( url_for( controller='user', action='openid_associate', - openid_provider=openid_provider, use_panels=True, + redirect=redirect, username=username, email=email, message=message, @@ -198,10 +208,12 @@ return trans.response.send_redirect( url_for( controller='user', action=action, use_panels=True, + redirect=redirect, message=message, status=status ) ) @web.expose def openid_associate( self, trans, cntrller='user', webapp='galaxy', **kwd ): + '''Associates a user with an OpenID log in''' if not trans.app.config.enable_openid: return trans.show_error_message( 'OpenID authentication is not enabled in this instance of Galaxy' ) use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) @@ -209,9 +221,7 @@ status = kwd.get( 'status', 'done' ) email = kwd.get( 'email', '' ) username = kwd.get( 'username', '' ) - referer = kwd.get( 'referer', trans.request.referer ) - openid_provider = kwd.get( 'openid_provider', '' ) - openid_provider_obj = trans.app.openid_providers.get( openid_provider ) + redirect = kwd.get( 'redirect', '' ) params = util.Params( kwd ) is_admin = cntrller == 'admin' and trans.user_is_admin() openids = trans.galaxy_session.openids @@ -223,18 +233,33 @@ if kwd.get( 'login_button', False ): message, status, user, success = self.__validate_login( trans, webapp, **kwd ) if success: + openid_objs = [] for openid in openids: - openid.user = user - trans.sa_session.add( openid ) + openid_provider_obj = trans.app.openid_providers.get( openid.provider ) + if not openid_provider_obj or not openid_provider_obj.never_associate_with_user: + openid.user = user + trans.sa_session.add( openid ) + trans.log_event( "User associated OpenID: %s" % openid.openid ) + if openid_provider_obj and openid_provider_obj.has_post_authentication_actions(): + openid_objs.append( openid_provider_obj ) trans.sa_session.flush() - for openid in openids: - trans.log_event( "User associated OpenID: %s" % openid.openid ) - redirect_url = referer - if not redirect_url: - redirect_url = url_for( '/' ) - if openid_provider_obj: - return trans.response.send_redirect( url_for( controller='user', action='openid_auth', openid_provider=openid_provider, referer=redirect_url ) ) - return trans.response.send_redirect( redirect_url ) + if len( openid_objs ) == 1: + return trans.response.send_redirect( url_for( controller='user', action='openid_auth', openid_provider=openid_objs[0].id, redirect=redirect, auto_associate=True ) ) + elif openid_objs: + message = 'You have authenticated with several OpenID providers, please click the following links to execute the post authentication actions. ' + message = "%s<br/><ul>" % ( message ) + for openid in openid_objs: + message = '%s<li><a href="%s" target="_blank">%s</a></li>' % ( message, url_for( controller='user', action='openid_auth', openid_provider=openid.id, redirect=redirect, auto_associate=True ), openid.name ) + message = "%s</ul>" % ( message ) + return trans.response.send_redirect( url_for( controller='user', + action='openid_manage', + use_panels=True, + redirect=redirect, + message=message, + status='info' ) ) + if not redirect: + redirect = url_for( '/' ) + return trans.response.send_redirect( redirect ) if kwd.get( 'create_user_button', False ): password = kwd.get( 'password', '' ) confirm = kwd.get( 'confirm', '' ) @@ -253,21 +278,35 @@ subscribe_checked, **kwd ) if success: - trans.handle_user_login( user, webapp ) - trans.log_event( "User created a new account" ) - trans.log_event( "User logged in" ) + openid_objs = [] for openid in openids: - openid.user = user - trans.sa_session.add( openid ) + openid_provider_obj = trans.app.openid_providers.get( openid.provider ) + if not openid_provider_obj: + openid_provider_obj = trans.app.openid_providers.new_provider_from_identifier( openid.identifier ) + if not openid_provider_obj.never_associate_with_user: + openid.user = user + trans.sa_session.add( openid ) + trans.log_event( "User associated OpenID: %s" % openid.openid ) + if openid_provider_obj.has_post_authentication_actions(): + openid_objs.append( openid_provider_obj ) trans.sa_session.flush() - for openid in openids: - trans.log_event( "User associated OpenID: %s" % openid.openid ) - redirect_url = referer - if not redirect_url: - redirect_url = url_for( '/' ) - if openid_provider_obj: - return trans.response.send_redirect( url_for( controller='user', action='openid_auth', openid_provider=openid_provider, referer=redirect_url ) ) - return trans.response.send_redirect( redirect_url ) + if len( openid_objs ) == 1: + return trans.response.send_redirect( url_for( controller='user', action='openid_auth', openid_provider=openid_objs[0].id, redirect=redirect, auto_associate=True ) ) + elif openid_objs: + message = 'You have authenticated with several OpenID providers, please click the following links to execute the post authentication actions. ' + message = "%s<br/><ul>" % ( message ) + for openid in openid_objs: + message = '%s<li><a href="%s" target="_blank">%s</a></li>' % ( message, url_for( controller='user', action='openid_auth', openid_provider=openid.id, redirect=redirect, auto_associate=True ), openid.name ) + message = "%s</ul>" % ( message ) + return trans.response.send_redirect( url_for( controller='user', + action='openid_manage', + use_panels=True, + redirect=redirect, + message=message, + status='info' ) ) + if not redirect: + redirect = url_for( '/' ) + return trans.response.send_redirect( redirect ) else: message = error status = 'error' @@ -291,8 +330,7 @@ username=username, header='', use_panels=use_panels, - redirect_url='', - referer='', + redirect=redirect, refresh_frames=[], message=message, status=status, @@ -301,11 +339,11 @@ user_type_fd_id_select_field=user_type_fd_id_select_field, user_type_form_definition=user_type_form_definition, widgets=widgets, - openids=openids, - openid_provider=openid_provider ) + openids=openids ) @web.expose @web.require_login( 'manage OpenIDs' ) def openid_disassociate( self, trans, webapp='galaxy', **kwd ): + '''Disassociates a user with an OpenID''' if not trans.app.config.enable_openid: return trans.show_error_message( 'OpenID authentication is not enabled in this instance of Galaxy' ) params = util.Params( kwd ) @@ -338,7 +376,7 @@ trans.log_event( "User disassociated OpenID: %s" % deleted_url ) message = '%s OpenIDs were disassociated from your Galaxy account.' % len( ids ) status = 'done' - trans.response.send_redirect( url_for( controller='user', + return trans.response.send_redirect( url_for( controller='user', action='openid_manage', use_panels=use_panels, message=message, @@ -346,29 +384,33 @@ @web.expose @web.require_login( 'manage OpenIDs' ) def openid_manage( self, trans, webapp='galaxy', **kwd ): + '''Manage OpenIDs for user''' if not trans.app.config.enable_openid: return trans.show_error_message( 'OpenID authentication is not enabled in this instance of Galaxy' ) use_panels = kwd.get( 'use_panels', False ) if 'operation' in kwd: operation = kwd['operation'].lower() if operation == "delete": - trans.response.send_redirect( url_for( controller='user', + return trans.response.send_redirect( url_for( controller='user', action='openid_disassociate', use_panels=use_panels, id=kwd['id'] ) ) - kwd['referer'] = url_for( controller='user', action='openid_manage', use_panels=True ) + elif operation == 'openid_auth': + return trans.response.send_redirect( url_for( controller='user', action='openid_auth', **kwd ) ) + + kwd['redirect'] = kwd.get( 'redirect', url_for( controller='user', action='openid_manage', use_panels=True ) ) kwd['openid_providers'] = trans.app.openid_providers return self.user_openid_grid( trans, **kwd ) @web.expose def login( self, trans, webapp='galaxy', redirect_url='', refresh_frames=[], **kwd ): - referer = kwd.get( 'referer', trans.request.referer ) + '''Handle Galaxy Log in''' + redirect = kwd.get( 'redirect', trans.request.referer ) use_panels = util.string_as_bool( kwd.get( 'use_panels', False ) ) message = kwd.get( 'message', '' ) status = kwd.get( 'status', 'done' ) header = '' user = None email = kwd.get( 'email', '' ) - openid_provider = kwd.get( 'openid_provider', '' ) if kwd.get( 'login_button', False ): if webapp == 'galaxy' and not refresh_frames: if trans.app.config.require_login: @@ -376,8 +418,8 @@ else: refresh_frames = [ 'masthead', 'history' ] message, status, user, success = self.__validate_login( trans, webapp, **kwd ) - if success and referer and not referer.startswith( trans.request.base + url_for( controller='user', action='logout' ) ): - redirect_url = referer + if success and redirect and not redirect.startswith( trans.request.base + url_for( controller='user', action='logout' ) ): + redirect_url = redirect elif success: redirect_url = url_for( '/' ) if not user and trans.app.config.require_login: @@ -399,7 +441,7 @@ header=header, use_panels=use_panels, redirect_url=redirect_url, - referer=referer, + redirect=redirect, refresh_frames=refresh_frames, message=message, status=status, @@ -410,7 +452,7 @@ status = kwd.get( 'status', 'done' ) email = kwd.get( 'email', '' ) password = kwd.get( 'password', '' ) - referer = kwd.get( 'referer', trans.request.referer ) + redirect = kwd.get( 'redirect', trans.request.referer ) success = False user = trans.sa_session.query( trans.app.model.User ).filter( trans.app.model.User.table.c.email==email ).first() if not user: @@ -430,7 +472,7 @@ if webapp == 'galaxy': trans.log_event( "User logged in" ) message = 'You are now logged in as %s.<br>You can <a target="_top" href="%s">go back to the page you were visiting</a> or <a target="_top" href="%s">go to the home page</a>.' % \ - ( user.email, referer, url_for( '/' ) ) + ( user.email, redirect, url_for( '/' ) ) if trans.app.config.require_login: message += ' <a target="_top" href="%s">Click here</a> to continue to the home page.' % web.url_for( '/static/welcome.html' ) success = True @@ -470,7 +512,7 @@ username = util.restore_text( params.get( 'username', '' ) ) subscribe = params.get( 'subscribe', '' ) subscribe_checked = CheckboxField.is_checked( subscribe ) - referer = kwd.get( 'referer', trans.request.referer ) + redirect = kwd.get( 'redirect', trans.request.referer ) is_admin = cntrller == 'admin' and trans.user_is_admin if not trans.app.config.allow_user_creation and not trans.user_is_admin(): message = 'User registration is disabled. Please contact your Galaxy administrator for an account.' @@ -534,7 +576,7 @@ widgets=widgets, webapp=webapp, use_panels=use_panels, - referer=referer, + redirect=redirect, redirect_url=redirect_url, refresh_frames=refresh_frames, message=message, diff -r 8376ad08ae41b9b7efa06622b031cb731e2c0bcf -r d88a9fa7041c02f8c448eecb2a86c93b5c47d6a0 openid/genomespace.xml --- a/openid/genomespace.xml +++ b/openid/genomespace.xml @@ -1,5 +1,5 @@ <?xml version="1.0"?> -<provider id="genomespace" name="GenomeSpace"> +<provider id="genomespace" name="GenomeSpace" never_associate_with_user="True"><op_endpoint_url>https://identity.genomespace.org/identityServer/xrd.jsp</op_endpoint_url><sreg><field name="nickname" required="True"> diff -r 8376ad08ae41b9b7efa06622b031cb731e2c0bcf -r d88a9fa7041c02f8c448eecb2a86c93b5c47d6a0 templates/user/login.mako --- a/templates/user/login.mako +++ b/templates/user/login.mako @@ -50,7 +50,7 @@ %if trans.app.config.enable_openid: <br/> - ${render_openid_form( referer, False, openid_providers )} + ${render_openid_form( redirect, False, openid_providers )} %endif %endif @@ -59,7 +59,7 @@ </%def> -<%def name="render_login_form( form_action=None, openid_provider='' )"> +<%def name="render_login_form( form_action=None )"><% if form_action is None: @@ -76,8 +76,7 @@ <label>Email address:</label><input type="text" name="email" value="${email}" size="40"/><input type="hidden" name="webapp" value="${webapp}" size="40"/> - <input type="hidden" name="referer" value="${referer}" size="40"/> - <input type="hidden" name="openid_provider" value="${openid_provider}" /> + <input type="hidden" name="redirect" value="${redirect}" size="40"/></div><div class="form-row"><label>Password:</label> @@ -94,7 +93,7 @@ </%def> -<%def name="render_openid_form( referer, auto_associate, openid_providers )"> +<%def name="render_openid_form( redirect, auto_associate, openid_providers )"><div class="toolForm"><div class="toolFormTitle">OpenID Login</div><form name="openid" id="openid" action="${h.url_for( controller='user', action='openid_auth' )}" method="post" target="_parent" > @@ -102,8 +101,7 @@ <label>OpenID URL:</label><input type="text" name="openid_url" size="60" style="background-image:url('${h.url_for( '/static/images/openid-16x16.gif' )}' ); background-repeat: no-repeat; padding-right: 20px; background-position: 99% 50%;"/><input type="hidden" name="webapp" value="${webapp}" size="40"/> - <input type="hidden" name="referer" value="${referer}" size="40"/> - <input type="hidden" name="auto_associate" value="${auto_associate}" size="40"/> + <input type="hidden" name="redirect" value="${redirect}" size="40"/></div><div class="form-row"> Or, authenticate with your <select name="openid_provider"> diff -r 8376ad08ae41b9b7efa06622b031cb731e2c0bcf -r d88a9fa7041c02f8c448eecb2a86c93b5c47d6a0 templates/user/openid_associate.mako --- a/templates/user/openid_associate.mako +++ b/templates/user/openid_associate.mako @@ -65,11 +65,11 @@ <% form_action = h.url_for( cntrller=cntrller, use_panels=use_panels ) %> - ${render_login_form( form_action=form_action, openid_provider=openid_provider )} + ${render_login_form( form_action=form_action )} <br/> - ${render_registration_form( form_action=form_action, openid_provider=openid_provider )} + ${render_registration_form( form_action=form_action )} </div></div> diff -r 8376ad08ae41b9b7efa06622b031cb731e2c0bcf -r d88a9fa7041c02f8c448eecb2a86c93b5c47d6a0 templates/user/openid_manage.mako --- a/templates/user/openid_manage.mako +++ b/templates/user/openid_manage.mako @@ -7,7 +7,7 @@ <%def name="grid_body( grid )"> ${make_grid( grid )} <h2>Associate more OpenIDs</h2> - ${render_openid_form( kwargs['referer'], True, kwargs['openid_providers'] )} + ${render_openid_form( kwargs['redirect'], True, kwargs['openid_providers'] )} </%def><%def name="center_panel()"> diff -r 8376ad08ae41b9b7efa06622b031cb731e2c0bcf -r d88a9fa7041c02f8c448eecb2a86c93b5c47d6a0 templates/user/register.mako --- a/templates/user/register.mako +++ b/templates/user/register.mako @@ -21,7 +21,7 @@ ${render_registration_form()} %endif -<%def name="render_registration_form( form_action=None, openid_provider='' )"> +<%def name="render_registration_form( form_action=None )"><% if form_action is None: @@ -37,8 +37,7 @@ <label>Email address:</label><input type="text" name="email" value="${email}" size="40"/><input type="hidden" name="webapp" value="${webapp}" size="40"/> - <input type="hidden" name="referer" value="${referer}" size="40"/> - <input type="hidden" name="openid_provider" value="${openid_provider}" /> + <input type="hidden" name="redirect" value="${redirect}" size="40"/></div><div class="form-row"><label>Password:</label> Repository URL: https://bitbucket.org/galaxy/galaxy-central/ -- This is a commit notification from bitbucket.org. You are receiving this because you have the service enabled, addressing the recipient of this email.