MoinMoin.auth package


MoinMoin.auth.http module

MoinMoin - http authentication


HTTPAuthMoin is HTTP auth done by moin (not by your web server).

Moin will request HTTP Basic Auth and use the HTTP Basic Auth header it receives to authenticate username/password against the moin user profiles.

from MoinMoin.auth.http import HTTPAuthMoin auth = [HTTPAuthMoin()]

class MoinMoin.auth.http.HTTPAuthMoin(autocreate=False, realm='MoinMoin', coding='iso-8859-1', **kw)[source]

Bases: MoinMoin.auth.BaseAuth

authenticate via http (basic) auth

name = 'http'
request(user_obj, **kw)[source]

MoinMoin.auth.ldap_login module

MoinMoin.auth.log module

MoinMoin - logging auth plugin

This does nothing except logging the auth parameters (the password is NOT logged, of course).

class MoinMoin.auth.log.AuthLog(**kw)[source]

Bases: MoinMoin.auth.BaseAuth

just log the call, do nothing else

log(action, user_obj, kw)[source]
login(user_obj, **kw)[source]
logout(user_obj, **kw)[source]
name = 'log'
request(user_obj, **kw)[source]

MoinMoin.auth.openidrp module

MoinMoin.auth.smb_mount module

MoinMoin - auth plugin for (un)mounting a smb share

(u)mount a SMB server’s share for username (using username/password for authentication at the SMB server). This can be used if you need access to files on some share via the wiki, but needs more code to be useful.

class MoinMoin.auth.smb_mount.SMBMount(server, share, mountpoint_fn, dir_user, domain, dir_mode='0700', file_mode='0600', iocharset='utf-8', coding='utf-8', log='/dev/null', **kw)[source]

Bases: MoinMoin.auth.BaseAuth

auth plugin for (un)mounting an smb share, this is a wrapper around mount.cifs -o <options> //server/share mountpoint

See man mount.cifs for details.

do_smb(username, password, login)[source]
login(user_obj, **kw)[source]
logout(user_obj, **kw)[source]

Module contents

MoinMoin - modular authentication handling

Each authentication method is an object instance containing four methods:

  • login(user_obj, **kw)
  • logout(user_obj, **kw)
  • request(user_obj, **kw)
  • login_hint()

The kw arguments that are passed in are currently:

attended: boolean indicating whether a user (attended=True) or
a machine is requesting login, multistage auth is not currently possible for machine logins [login only]
username: the value of the ‘username’ form field (or None)
[login only]
password: the value of the ‘password’ form field (or None)
[login only]
cookie: a Cookie.SimpleCookie instance containing the cookie
that the browser sent
multistage: boolean indicating multistage login continuation
[may not be present, login only]

login_hint() should return a HTML text that is displayed to the user right below the login form, it should tell the user what to do in case of a forgotten password and how to create an account (if applicable.)

More may be added.

The request method is called for each request except login/logout.

The ‘request’ and ‘logout’ methods must return a tuple (user_obj, continue) where ‘user_obj’ can be:

  • None, to throw away any previous user_obj from previous auth methods
  • the passed in user_obj for no changes
  • a newly created MoinMoin.user.User instance

and ‘continue’ is a boolean to indicate whether the next authentication method should be tried.

The ‘login’ method must return an instance of MoinMoin.auth.LoginReturn which contains the members:

  • user_obj
  • continue_flag
  • multistage
  • message
  • redirect_to

There are some helpful subclasses derived from this class for the most common cases, namely ContinueLogin(), CancelLogin(), MultistageFormLogin() and MultistageRedirectLogin().

The user_obj and continue_flag members have the same semantics as for the request and logout methods.

The messages that are returned by the various auth methods will be displayed to the user, since they will all be displayed usually auth methods will use the message feature only along with returning False for the continue flag.

Note, however, that when no username is entered or the username is not found in the database, it may be appropriate to return with a message and the continue flag set to true (ContinueLogin) because a subsequent auth plugin might work even without the username (e.g. an openid auth plugin).

The multistage member must evaluate to false or be callable. If it is callable, this indicates that the authentication method requires a second login stage. In that case, the multistage item will be called and should return an instance of MoinMoin.widget.html.FORM and the generic code will append some required hidden fields to it. It is also permissible to return some valid HTML, but that feature has very limited use since it breaks the authentication method chain.

Note that because multistage login does not depend on anonymous session support, it is possible that users jump directly into the second stage by giving the appropriate parameters to the login action. Hence, auth methods should take care to recheck everything and not assume the user has gone through all previous stages.

If the multistage login requires querying an external site that involves a redirect, the redirect_to member may be set instead of the multistage member. If this is set it must be a URL that user should be redirected to. Since the user must be able to come back to the authentication, any “%return” in the URL is replaced with the url-encoded form of the URL to the next authentication stage, any “%return_form” is replaced with the url-plus-encoded form (spaces encoded as +) of the same URL.

After the user has submitted the required form or has been redirected back from the external site, execution of the auth login methods resumes with the auth item that requested the multistage login and its login method is called with the ‘multistage’ keyword parameter set to True.

Each authentication method instance must also contain the members:

  • login_inputs: a list of required inputs, currently supported are
    • ‘username’: username entry field
    • ‘password’: password entry field
    • ‘special_no_input’: manual login is required
      but no form fields need to be filled in (e.g. openid with forced provider) in this case the theme may provide a short- cut omitting the login form
  • logout_possible: boolean indicating whether this auth methods
    supports logging out
  • name: name of the auth method, must be the same as given as the
    user object’s auth_method keyword parameter.

To simplify creating new authentication methods you can inherit from MoinMoin.auth.BaseAuth that does nothing for all three methods, but allows you to override only some methods.

cfg.auth is a list of authentication object instances whose methods are called in the order they are listed. The session method is called for every request, when logging in or out these are called before the session method.

When creating a new MoinMoin.user.User object, you can give a keyword argument “auth_attribs” to User.__init__ containing a list of user attributes that are determined and fixed by this auth method and may not be changed by the user in their preferences. You also have to give the keyword argument “auth_method” containing the name of the authentication method.

class MoinMoin.auth.BaseAuth(trusted=False, **kw)[source]

Bases: object

login(user_obj, **kw)[source]
login_inputs = []
logout(user_obj, **kw)[source]
logout_possible = False
name = None
request(user_obj, **kw)[source]
class MoinMoin.auth.CancelLogin(message)[source]

Bases: MoinMoin.auth.LoginReturn

CancelLogin - cancel login showing a message

class MoinMoin.auth.ContinueLogin(user_obj, message=None)[source]

Bases: MoinMoin.auth.LoginReturn

ContinueLogin - helper for auth method login that just continues

class MoinMoin.auth.GivenAuth(env_var=None, user_name=None, autocreate=False, strip_maildomain=False, strip_windomain=False, titlecase=False, remove_blanks=False, coding='utf-8', **kw)[source]

Bases: MoinMoin.auth.BaseAuth

reuse a given authentication, e.g. http basic auth (or any other auth) done by the web server, that sets REMOTE_USER environment variable. This is the default behaviour. You can also specify to read another environment variable (env_var). Alternatively you can directly give a fixed user name (user_name) that will be considered as authenticated.


decode the name we got from the environment var to unicode

name = 'given'
request(user_obj, **kw)[source]

transform the name we got (unicode in, unicode out)

Note: if you need something more special, you could create your own
auth class, inherit from this class and overwrite this function.
class MoinMoin.auth.LoginReturn(user_obj, continue_flag, message=None, multistage=None, redirect_to=None)[source]

Bases: object

LoginReturn - base class for auth method login() return value

class MoinMoin.auth.MoinAuth(**kw)[source]

Bases: MoinMoin.auth.BaseAuth

handle login from moin login form

login(user_obj, **kw)[source]
login_inputs = ['username', 'password']
logout_possible = True
name = 'moin'
class MoinMoin.auth.MultistageFormLogin(multistage)[source]

Bases: MoinMoin.auth.LoginReturn

MultistageFormLogin - require user to fill in another form

class MoinMoin.auth.MultistageRedirectLogin(url)[source]

Bases: MoinMoin.auth.LoginReturn

MultistageRedirectLogin - redirect user to another site before continuing login

MoinMoin.auth.get_multistage_continuation_url(auth_name, extra_fields={})[source]

get_continuation_url - return a multistage continuation URL

This function returns a URL that when loaded continues a multistage authentication at the auth method requesting it (parameter auth_name.) Additional fields are added to the URL from the extra_fields dict.

  • auth_name – name of the auth method requesting the continuation
  • extra_fields – extra GET fields to add to the URL
MoinMoin.auth.handle_login(userobj, **kw)[source]

Process a ‘login’ request by going through the configured authentication methods in turn. The passable keyword arguments are explained in more detail at the top of this file.


Logout the passed user from every configured authentication method.


Handle the per-request callbacks of the configured authentication methods.