Group permission with Remote User-like authentication

I’m going to ask if the comes-with-django authentication system will be useful for me or if anyone knows of libraries addressing similar needs.

I have a django CRUD app in a corporate network. Requests will come to me with headers for Group and User. The app doesn’t have any use for a user object, but it does care about groups.

Since valid users and the group membership are administered by other departments, the optimal thing would be to just use the Group header for permission. I see in the docs:

If your authentication mechanism uses a custom HTTP header and not REMOTE_USER, you can subclass RemoteUserMiddleware and set the header attribute to the desired request.META key.

So say I have two groups, “editor” and “publisher”. I could just treat the group header I get as the user; that is, I’d say I have 2 users, “editor” and “publisher” and I tell which of the two users I got from the group header.

I have a little wrinkle on that, naturally… in my setup the Group header has a comma-separated list of groups, “AllUsers,SomeOtherApp-Approver,MyApp-Editor”… so it seems like I’ll have to further modify RemoteUserMiddleware if I go that route, or make some separate middleware, which sounds daunting to me.

Anyway, I’ve never worked with Django users/groups, any advice?

Assuming you’re either:

  • Running this behind a proxy such as nginx or haproxy that will verify the headers are appropriate
  • You have absolutely no concerns about the security of your application

Then yes, this would work. You can check the header in your middleware and assign an appropriate user object for that session based upon that header. You are correct that you’ll need to do some work on this yourself (custom middleware), but it certainly seems doable.
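One way to implement the middleware the answer describes, as an added example that is not the thread's own code: it uses only `request.META`, so it runs without Django installed (in a project the class would be listed in `MIDDLEWARE`), and the header key `HTTP_X_GROUP`, the `MyApp-` prefix and the `FakeRequest` stand-in are assumptions.

```python
# Added example, not the thread's code: the middleware the answer describes, written
# framework-independently (only request.META is used) so it runs without Django.
# Header key "HTTP_X_GROUP" and the "MyApp-" prefix are assumptions.
GROUP_HEADER = "HTTP_X_GROUP"   # request.META key for the proxy's "Group:" header (assumed)
APP_PREFIX = "MyApp-"           # only groups named for this app grant anything (assumed)


def parse_group_header(value, prefix=APP_PREFIX):
    """'AllUsers,SomeOtherApp-Approver,MyApp-Editor' -> frozenset({'editor'}).

    Entries without this app's prefix are ignored, so another application's
    group can never be mistaken for one of ours; whitespace and case are
    normalised since the header is administered by other departments.
    """
    groups = set()
    for entry in (value or "").split(","):
        entry = entry.strip()
        if entry.lower().startswith(prefix.lower()):
            name = entry[len(prefix):].strip().lower()
            if name:
                groups.add(name)
    return frozenset(groups)


class HeaderGroupMiddleware:
    """Django-style middleware: attaches request.app_groups for views to check.

    Trusting the header is only sound under the thread's assumption that the
    sole path to the app is a proxy that sets the header itself (and drops any
    client-supplied copy); no other authentication happens here.
    """

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        request.app_groups = parse_group_header(request.META.get(GROUP_HEADER))
        return self.get_response(request)


def has_group(request, group):
    """View-level permission check, e.g. has_group(request, 'editor')."""
    return group.lower() in getattr(request, "app_groups", frozenset())


class FakeRequest:
    """Stand-in for django.http.HttpRequest so the example runs offline (constructed)."""
    def __init__(self, meta):
        self.META = meta
```

A view then gates on `has_group(request, "editor")` rather than on any user object, matching the thread's "treat the group as the user" idea without ever creating users.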

Thanks; yes, there is no way to get to the app except via an application server controlled by our network guys, so people can’t just form a malicious request and type in headers to pass to me.

Let me know if it sounds like I’m not understanding the concern.

Nope, sounds like you’ve got a good handle on this.