Refactoring auth check order (#985)

Co-authored-by: wlorenzetti <[email protected]>
(cherry picked from commit 4b25f9e)

g3w-admin/qdjango/auth.py

@@ -12,26 +12,36 @@ def __init__(self, **kwargs):
 
     def auth_request(self, **kwargs):
 
+        anonymous_user = get_anonymous_user()
+
         # Check for caching token
-        # TODO: create pluggable authentication layers
+        # -----------------------
         if (len(set(settings.G3WADMIN_LOCAL_MORE_APPS).intersection(set(['caching', 'qmapproxy']))) > 0
                 and 'g3wsuite_caching_token' in self.request.GET and \
                 (settings.TILESTACHE_CACHE_TOKEN == self.request.GET['g3wsuite_caching_token'] or \
                         getattr('MAPPROXY_URL_TOKEN') == self.request.GET['g3wsuite_caching_token'])):
                     return True
 
-        if self.request.user.has_perm('qdjango.view_project', self.project) or\
-                get_anonymous_user().has_perm('qdjango.view_project', self.project):
+        # Check for user != Anonymous user
+        # User already authenticated (session, middleware, etc.)
+        if self.request.user != anonymous_user and self.request.user.has_perm('qdjango.view_project', self.project):
             return True
         else:
-            # try to authenticate by http basic authentication
+
+            # Try to authenticate by HTTP Basic Authentication
+            # ------------------------------------------------
             try:
                 ba = BasicAuthentication()
                 user, other = ba.authenticate(self.request)
                 self.request.user = user
                 return user.has_perm('qdjango.view_project', self.project)
             except Exception as e:
-                print(e)
+
+                # Check for Anonymous user
+                # -------------------------
+                if anonymous_user.has_perm('qdjango.view_project', self.project):
+                    return True
+
                 pass
 
             raise AuthForbiddenRequest()

g3w-admin/qdjango/tests/test_ows.py

@@ -19,6 +19,7 @@
 from qgis.PyQt.QtCore import QPoint
 from core.models import G3WSpatialRefSys
 from core.models import Group as CoreGroup
+from guardian.shortcuts import get_anonymous_user
 from django.core.files import File
 from django.core.management import call_command
 from django.test import Client, override_settings
@@ -179,7 +180,7 @@ def test_authorizzer(self):
 
         self.assertEqual(response.status_code, 403)
 
-        # give permission to user
+        # Give permission to user
         assign_perm('view_project', self.test_viewer1, self.qdjango_project)
         for l in self.qdjango_project.layer_set.all():
             assign_perm("view_layer", self.test_viewer1, l)
@@ -194,8 +195,8 @@ def test_authorizzer(self):
 
         c.logout()
 
-        # try basic authentication
-        # for viewer1
+        # Try basic authentication for viewer1
+        # ------------------------------------
         c = Client(HTTP_AUTHORIZATION='Basic dmlld2VyMTp2aWV3ZXIx')
         response = c.get(ows_url, {
             'REQUEST': 'GetCapabilities',
@@ -249,6 +250,29 @@ def test_authorizzer(self):
         self.assertEqual(response.status_code, 200)
         self.assertTrue(b"<Name>world</Name>" in response.content)
 
+        c.logout()
+
+        c = Client()
+
+        # Test for Anonymous user
+        # -----------------------
+        response = c.get(ows_url, {
+            'REQUEST': 'GetCapabilities',
+            'SERVICE': 'WMS'
+        })
+
+        self.assertEqual(response.status_code, 403)
+
+        # Give permission to Anonympus user
+        assign_perm('view_project', get_anonymous_user(), self.qdjango_project)
+
+        response = c.get(ows_url, {
+            'REQUEST': 'GetCapabilities',
+            'SERVICE': 'WMS'
+        })
+
+        self.assertEqual(response.status_code, 200)
+
 
     def test_get_getfeatureinfo(self):
         """Test GetFeatureInfo for QGIS widget"""