Views

Views of the django_helmholtz_aai app to be imported via the url config (see django_helmholtz_aai.urls). We define two views here: The HelmholtzLoginView that redirects to the Helmholtz AAI, and the HelmholtzAuthentificationView that handles the user login after successful login at the Helmholtz AAI.

Classes:

`HelmholtzAuthentificationView`(**kwargs)	Authentification view for the Helmholtz AAI.
`HelmholtzLoginView`(**kwargs)	A login view for the Helmholtz AAI that forwards to the OAuth login.

class django_helmholtz_aai.views.HelmholtzAuthentificationView(**kwargs)

Bases: django.contrib.auth.mixins.PermissionRequiredMixin, django.views.generic.base.View

Authentification view for the Helmholtz AAI.

Classes:

PermissionDeniedReasons(value)

Reasons why permissions are denied to login.

Attributes:

`aai_user`
`is_new_user`	True if the Helmholtz AAI user has never logged in before.
`permission_denied_message_templates`	Message templates that explain why a user is not allowed to login.
`permission_denied_reason`	The reason why the user cannot login.
`userinfo`	The userinfo as obtained from the Helmholtz AAI.

Methods:

`create_user`(userinfo)	Create a Django user for a Helmholtz AAI User.
`get`(request)	Login the Helmholtz AAI user and update the data.
`get_permission_denied_message`()	Get the permission denied message for a specific reason.
`handle_no_permission`()	Handle the response if the permission has been denied.
`has_permission`()	Check if the user has permission to login.
`login_user`(user)	Login the Helmholtz AAI user to the Django Application.
`synchronize_vos`()	Synchronize the memberships in the virtual organizations.
`update_user`()	Update the user from the userinfo provided by the Helmholtz AAI.

class PermissionDeniedReasons(value)

Bases: str, enum.Enum

Reasons why permissions are denied to login.

Attributes:

`cannot_find_user`	a user with the given email could not be found
`email_changed_and_taken`	the email changed and is already taken on the website
`email_exists`	the user is new and the email already exists
`email_not_verified`	the email has not yet been verified
`new_user`	the user is new and user creation is disabled by `HELMHOLTZ_CREATE_USERS`
`vo_not_allowed`	the virtual organization is not part of `HELMHOLTZ_ALLOWED_VOS_REGEXP`

cannot_find_user = 'cannot_find_user': a user with the given email could not be found

email_changed_and_taken = 'email_changed_and_taken': the email changed and is already taken on the website

email_exists = 'email_exists': the user is new and the email already exists

email_not_verified = 'email_not_verified': the email has not yet been verified

new_user = 'new_user': the user is new and user creation is disabled by HELMHOLTZ_CREATE_USERS

vo_not_allowed = 'vo_not_allowed': the virtual organization is not part of HELMHOLTZ_ALLOWED_VOS_REGEXP

aai_user: models.HelmholtzUser

create_user(userinfo: Dict[str, Any]) → django_helmholtz_aai.models.HelmholtzUser

Create a Django user for a Helmholtz AAI User.

This method uses the create_aai_user() to create a new user.

Notes

Emits the aai_user_created signal

get(request)

Login the Helmholtz AAI user and update the data.

This method logs in the aai user (or creates one if it does not exist already). Afterwards we update the user info from the information on the Helmholtz AAI using the update_user() and synchronize_vos() methods.

get_permission_denied_message()

Get the permission denied message for a specific reason.

This method is called by the super-classes handle_no_permission() method.

handle_no_permission()

Handle the response if the permission has been denied.

This reimplemented method adds the permission_denied_message to the messages of the request using djangos messaging framework.

has_permission() → bool

Check if the user has permission to login.

This method checks, if the user belongs to the specified HELMHOLTZ_ALLOWED_VOS and verifies that the email does not exist (if this is desired, see HELMHOLTZ_EMAIL_DUPLICATES_ALLOWED setting).

is_new_user: True if the Helmholtz AAI user has never logged in before.

login_user(user: django_helmholtz_aai.models.HelmholtzUser)

Login the Helmholtz AAI user to the Django Application.

Login is done via the top-level django_helmholtz_aai.login() function.

Notes

Emits the aai_user_logged_in signal

permission_denied_message_templates: dict[PermissionDeniedReasons, str] = {PermissionDeniedReasons.cannot_find_user: 'A user with the email {email} is not available on this website and the account creation is disabled. Please sign up or contact the website administrators.', PermissionDeniedReasons.email_changed_and_taken: 'You email in the Helmholtz AAI changed to {email}. A user with this email already exists and on this website. Please contact the website administrators.', PermissionDeniedReasons.email_exists: 'A user with the email {email} already exists.', PermissionDeniedReasons.email_not_verified: 'Your email has not been verified.', PermissionDeniedReasons.new_user: 'Your email {email} does not yet have a user account on this website and the account creation is disabled. Please sign up or contact the website administrators.', PermissionDeniedReasons.vo_not_allowed: 'Your virtual organizations are not allowed to log into this website.'}

Message templates that explain why a user is not allowed to login.

via the Helmholtz AAI. Use in the get_permission_denied_message() method.

permission_denied_reason: PermissionDeniedReasons

The reason why the user cannot login.

This attribute is set via the has_permission() method

synchronize_vos()

Synchronize the memberships in the virtual organizations.

This method checks the eduperson_entitlement of the AAI userinfo and

creates the missing virtual organizations
removes the user from virtual organizations that he or she does not belong to anymore
adds the user to the virtual organizations that are new.

Notes

As we remove users from virtual organizations, this might end up in a lot of VOs without any users. One can remove these VOs via: