
Restricting Users by Groups

Nickolaus D. Saint edited this page Nov 25, 2019 · 1 revision

Setting up an Allowlist

You can set up an allowlist, or whitelist, to restrict which users can log in to your portal. This is handy if you want to limit access to data in your portal to a specific list of logged-in users. Users who authenticate but are not in the lists you define are redirected to a public page where they can request access.

Set Up Your Allowlists

Allowlists are set up using Globus Groups. You can create Globus Groups here.

Configure your Portal

Add the following to your portal's settings.py file:

# Fetch additional user information from Globus (needed for groups).
SOCIAL_AUTH_GLOBUS_SESSIONS = True

MIDDLEWARE = [
    # ... your existing middleware entries ...
    # The middleware handles all Globus related authentication exceptions.
    'globus_portal_framework.middleware.GlobusAuthExceptionMiddleware',
]

# Globus Groups whose members are allowed to log in.
SOCIAL_AUTH_GLOBUS_ALLOWED_GROUPS = [
    {
        'name': 'My Allowlist',
        'uuid': '650aacc6-f74c-4d77-a6ad-412daac84f15'
    }
]

New users can now log in only if they belong to one of the groups you defined.

Pitfall #1

Restricting which users can log in does not affect the visible-to value set on search records. If visible-to is set to "public", users can still access those records even if the allowlist blocks them from the portal.
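
An added example (not part of the original page or of the Globus Portal Framework code) that audits for Pitfall #1 by listing records whose visibility is not limited to the allowlist groups. It assumes records in the Globus Search GMetaList ingest layout with a `visible_to` list, and it goes beyond the "public" case by also flagging `all_authenticated_users` and principals outside the allowlist; the sample document and the function name are constructed for illustration.

```python
# Added example: audit search records against the portal allowlist.
# Assumption: records use the Globus Search GMetaList ingest layout, where
# each entry carries a `visible_to` list ("public", "all_authenticated_users",
# or principal URNs such as urn:globus:groups:id:<uuid>).

# Same structure as SOCIAL_AUTH_GLOBUS_ALLOWED_GROUPS in settings.py.
ALLOWED_GROUPS = [
    {"name": "My Allowlist", "uuid": "650aacc6-f74c-4d77-a6ad-412daac84f15"},
]
GROUP_URN_PREFIX = "urn:globus:groups:id:"
# Values that match users regardless of allowlist membership.
BROAD_PRINCIPALS = {"public", "all_authenticated_users"}

# Constructed sample document; subjects and the all-zero group are made up.
SAMPLE_INGEST = {
    "ingest_type": "GMetaList",
    "ingest_data": {"gmeta": [
        {"subject": "https://example.org/data/a", "visible_to": ["public"]},
        {"subject": "https://example.org/data/b", "visible_to": [
            "urn:globus:groups:id:650aacc6-f74c-4d77-a6ad-412daac84f15"]},
        {"subject": "https://example.org/data/c", "visible_to": [
            "urn:globus:groups:id:00000000-0000-0000-0000-000000000000"]},
        {"subject": "https://example.org/data/d"},
    ]},
}


def audit_visibility(ingest_doc, allowed_groups):
    """Return (subject, reason) for records not limited to the allowlist groups."""
    allowed = {GROUP_URN_PREFIX + g["uuid"].lower() for g in allowed_groups}
    findings = []
    for entry in ingest_doc["ingest_data"]["gmeta"]:
        principals = entry.get("visible_to")
        if not principals:
            findings.append((entry["subject"], "visible_to missing or empty"))
            continue
        for principal in principals:
            if principal.lower() in BROAD_PRINCIPALS:
                findings.append((entry["subject"], f"open to {principal}"))
            elif principal.lower() not in allowed:
                findings.append((entry["subject"], f"outside allowlist: {principal}"))
    return findings


if __name__ == "__main__":
    for subject, reason in audit_visibility(SAMPLE_INGEST, ALLOWED_GROUPS):
        print(f"{subject}: {reason}")
```

Run it over the documents you ingest before relying on the allowlist to protect data; every finding is a record whose visibility should be reviewed.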

Pitfall #2

Setting SOCIAL_AUTH_GLOBUS_SESSIONS generates new Django users with different IDs, which are not compatible with existing Django users. If you have existing users, you will need to have them log in with the new system, migrate the data on their account, and delete the old account. You will need to do the same thing in reverse if you decide to stop using sessions.