from django.conf import settings from django.contrib import admin, messages from django.contrib.admin.options import IS_POPUP_VAR from django.contrib.admin.utils import unquote from django.contrib.auth import update_session_auth_hash from django.contrib.auth.forms import ( AdminPasswordChangeForm, UserChangeForm, ) from django.core.exceptions import PermissionDenied from django.db import router, transaction from django.http import Http404, HttpResponseRedirect from django.template.response import TemplateResponse from django.urls import path, reverse from django.utils.decorators import method_decorator from django.utils.html import escape from django.utils.translation import gettext, gettext_lazy as _ from django.views.decorators.csrf import csrf_protect from django.views.decorators.debug import sensitive_post_parameters from rolepermissions.admin import RolePermissionsUserAdminMixin from pythonpro.core.facade import UserRoleException from pythonpro.core.forms import UserSignupForm from pythonpro.core.models import User, UserInteraction csrf_protect_m = method_decorator(csrf_protect) sensitive_post_parameters_m = method_decorator(sensitive_post_parameters()) @admin.register(User) class UserAdmin(RolePermissionsUserAdminMixin, admin.ModelAdmin): add_form_template = 'admin/auth/user/add_form.html' change_user_password_template = None fieldsets = ( (None, {'fields': ('first_name', 'email', 'password', 'source')}), (_('Permissions'), { 'fields': ('is_active', 'is_staff', 'is_superuser', 'groups', 'user_permissions') }), (_('Important dates'), {'fields': ('last_login', 'date_joined')}), ) add_fieldsets = ( (None, { 'classes': ('wide',), 'fields': ('first_name', 'email', 'source'), }), ) form = UserChangeForm add_form = UserSignupForm change_password_form = AdminPasswordChangeForm list_display = ('email', 'first_name', 'source', 'date_joined', 'is_staff',) list_filter = ('groups', 'source', 'is_staff', 'is_superuser', 'is_active',) search_fields = ('first_name', 'email') ordering = ('first_name',) filter_horizontal = ('groups', 'user_permissions',) actions = ['make_fellow', 'make_bootcamper', 'make_webdev', 'make_member', 'make_data_scientist', 'make_pythonista'] def make_webdev(self, request, queryset): from pythonpro.domain import user_domain for user in queryset: try: user_domain.promote_webdev(user, 'django_admin') except UserRoleException: pass # No need to handle on admin def make_fellow(self, request, queryset): from pythonpro.domain import user_domain for user in queryset: try: user_domain.promote_fellow(user, 'django_admin') except UserRoleException: pass # No need to handle on admin def make_bootcamper(self, request, queryset): from pythonpro.domain import user_domain for user in queryset: try: user_domain.promote_bootcamper(user, 'django_admin') except UserRoleException: pass # No need to handle on admin def make_pythonista(self, request, queryset): from pythonpro.domain import user_domain for user in queryset: try: user_domain.promote_pythonista(user, 'django_admin') except UserRoleException: pass # No need to handle on admin def make_data_scientist(self, request, queryset): from pythonpro.domain import user_domain for user in queryset: try: user_domain.promote_data_scientist(user, 'django_admin') except UserRoleException: pass # No need to handle on admin def make_member(self, request, queryset): from pythonpro.domain import user_domain for user in queryset: try: user_domain.promote_member(user, 'django_admin') except UserRoleException: pass # No need to handle on admin def get_fieldsets(self, request, obj=None): if not obj: return self.add_fieldsets return super().get_fieldsets(request, obj) def get_form(self, request, obj=None, **kwargs): """ Use special form during user creation """ defaults = {} if obj is None: defaults['form'] = self.add_form defaults.update(kwargs) return super().get_form(request, obj, **defaults) def get_urls(self): return [ path( '/password/', self.admin_site.admin_view(self.user_change_password), name='auth_user_password_change', ), ] + super().get_urls() def lookup_allowed(self, lookup, value): # See #20078: we don't want to allow any lookups involving passwords. if lookup.startswith('password'): return False return super().lookup_allowed(lookup, value) @sensitive_post_parameters_m @csrf_protect_m def add_view(self, request, form_url='', extra_context=None): with transaction.atomic(using=router.db_for_write(self.model)): return self._add_view(request, form_url, extra_context) def _add_view(self, request, form_url='', extra_context=None): # It's an error for a user to have add permission but NOT change # permission for users. If we allowed such users to add users, they # could create superusers, which would mean they would essentially have # the permission to change users. To avoid the problem entirely, we # disallow users from adding users if they don't have change # permission. if not self.has_change_permission(request): if self.has_add_permission(request) and settings.DEBUG: # Raise Http404 in debug mode so that the user gets a helpful # error message. raise Http404( 'Your user does not have the "Change user" permission. In ' 'order to add users, Django requires that your user ' 'account have both the "Add user" and "Change user" ' 'permissions set.') raise PermissionDenied if extra_context is None: extra_context = {} username_field = self.model._meta.get_field(self.model.USERNAME_FIELD) defaults = { 'auto_populated_fields': (), 'username_help_text': username_field.help_text, } extra_context.update(defaults) return super().add_view(request, form_url, extra_context) @sensitive_post_parameters_m def user_change_password(self, request, id, form_url=''): if not self.has_change_permission(request): raise PermissionDenied user = self.get_object(request, unquote(id)) if user is None: raise Http404(_('%(name)s object with primary key %(key)r does not exist.') % { 'name': self.model._meta.verbose_name, 'key': escape(id), }) if request.method == 'POST': form = self.change_password_form(user, request.POST) if form.is_valid(): form.save() change_message = self.construct_change_message(request, form, None) self.log_change(request, user, change_message) msg = gettext('Password changed successfully.') messages.success(request, msg) update_session_auth_hash(request, form.user) return HttpResponseRedirect( reverse( '%s:%s_%s_change' % ( self.admin_site.name, user._meta.app_label, user._meta.model_name, ), args=(user.pk,), ) ) else: form = self.change_password_form(user) fieldsets = [(None, {'fields': list(form.base_fields)})] adminForm = admin.helpers.AdminForm(form, fieldsets, {}) context = { 'title': _('Change password: %s') % escape(user.get_username()), 'adminForm': adminForm, 'form_url': form_url, 'form': form, 'is_popup': (IS_POPUP_VAR in request.POST or IS_POPUP_VAR in request.GET), 'add': True, 'change': False, 'has_delete_permission': False, 'has_change_permission': True, 'has_absolute_url': False, 'opts': self.model._meta, 'original': user, 'save_as': False, 'show_save': True, } context.update(self.admin_site.each_context(request)) request.current_app = self.admin_site.name return TemplateResponse( request, self.change_user_password_template or 'admin/auth/user/change_password.html', context, ) def response_add(self, request, obj, post_url_continue=None): """ Determine the HttpResponse for the add_view stage. It mostly defers to its superclass implementation but is customized because the User model has a slightly different workflow. """ # We should allow further modification of the user just added i.e. the # 'Save' button should behave like the 'Save and continue editing' # button except in two scenarios: # * The user has pressed the 'Save and add another' button # * We are adding a user in a popup if '_addanother' not in request.POST and IS_POPUP_VAR not in request.POST: request.POST = request.POST.copy() request.POST['_continue'] = 1 return super().response_add(request, obj, post_url_continue) def has_delete_permission(self, request, obj=None): return False @admin.register(UserInteraction) class UserInteractionAdmin(admin.ModelAdmin): list_display = 'creation user category'.split() ordering = ('-creation',) list_filter = ('category',) actions = None search_fields = ('user__email',) def has_add_permission(self, request): return False def has_delete_permission(self, request, obj=None): return False def has_change_permission(self, request, obj=None): return False