OpenSlides/openslides/users/views.py

from django.contrib import messages
from django.contrib.auth import login as auth_login
from django.contrib.auth import logout as auth_logout
from django.contrib.auth.forms import AuthenticationForm, PasswordChangeForm
from django.utils.translation import ugettext as _
from django.utils.translation import activate, ugettext_lazy
from rest_framework import status

from openslides.utils.rest_api import ModelViewSet, Response
from openslides.utils.views import (
    APIView,
    CSVImportView,
    FormView,
    LoginMixin,
    PDFView,
    UpdateView,
)

from .csv_import import import_users
from .forms import UsersettingsForm
from .models import Group, User
from .pdf import users_passwords_to_pdf, users_to_pdf
from .serializers import (
    GroupSerializer,
    UserFullSerializer,
    UserShortSerializer,
)


# Views to generate PDFs

class UsersListPDF(PDFView):
    """
    Generate the userliste as PDF.
    """
    required_permission = 'users.can_see_extra_data'
    filename = ugettext_lazy("user-list")
    document_title = ugettext_lazy('List of Users')

    def append_to_pdf(self, pdf):
        """
        Append PDF objects.
        """
        users_to_pdf(pdf)


class UsersPasswordsPDF(PDFView):
    """
    Generate the access data welcome paper for all users as PDF.
    """
    required_permission = 'users.can_manage'
    filename = ugettext_lazy("User-access-data")
    top_space = 0

    def build_document(self, pdf_document, story):
        pdf_document.build(story)

    def append_to_pdf(self, pdf):
        """
        Append PDF objects.
        """
        users_passwords_to_pdf(pdf)


# Viewsets for the rest api

class UserViewSet(ModelViewSet):
    """
    API endpoint to list, retrieve, create, update and delete users.
    """
    queryset = User.objects.all()

    def check_permissions(self, request):
        """
        Calls self.permission_denied() if the requesting user has not the
        permission to see users and in case of create, update or destroy
        requests the permission to see extra user data and to manage users.
        """
        if (not request.user.has_perm('users.can_see_name') or
                (self.action in ('create', 'update', 'destroy') and not
                 (request.user.has_perm('users.can_manage') and
                  request.user.has_perm('users.can_see_extra_data')))):
            self.permission_denied(request)

    def get_serializer_class(self):
        """
        Returns different serializer classes with respect to action and user's
        permissions.
        """
        if (self.action in ('create', 'update') or
                self.request.user.has_perm('users.can_see_extra_data')):
            serializer_class = UserFullSerializer
        else:
            serializer_class = UserShortSerializer
        return serializer_class


class GroupViewSet(ModelViewSet):
    """
    API endpoint to list, retrieve, create, update and delete groups.
    """
    queryset = Group.objects.all()
    serializer_class = GroupSerializer

    def check_permissions(self, request):
        """
        Calls self.permission_denied() if the requesting user has not the
        permission to see users and in case of create, update or destroy
        requests the permission to see extra user data and to manage users.
        """
        if (not request.user.has_perm('users.can_see_name') or
                (self.action in ('create', 'update', 'destroy') and not
                 (request.user.has_perm('users.can_manage') and
                  request.user.has_perm('users.can_see_extra_data')))):
            self.permission_denied(request)

    def destroy(self, request, *args, **kwargs):
        """
        Protects builtin groups 'Anonymous' (pk=1) and 'Registered' (pk=2)
        from being deleted.
        """
        instance = self.get_object()
        if instance.pk in (1, 2,):
            self.permission_denied(request)
        else:
            self.perform_destroy(instance)
            response = Response(status=status.HTTP_204_NO_CONTENT)
        return response


# API Views

class UserLoginView(APIView):
    """
    Login the user via ajax.
    """
    http_method_names = ['post']

    def post(self, *args, **kwargs):
        form = AuthenticationForm(self.request, data=self.request.data)
        if form.is_valid():
            self.user = form.get_user()
            auth_login(self.request, self.user)
            self.success = True
        else:
            self.success = False
        return super().post(*args, **kwargs)

    def get_context_data(self, **context):
        context['success'] = self.success
        if self.success:
            context['user_id'] = self.user.pk
        return super().get_context_data(**context)


class UserLogoutView(APIView):
    """
    Logout the user via ajax.
    """
    http_method_names = ['post']

    def post(self, *args, **kwargs):
        auth_logout(self.request)
        return super().post(*args, **kwargs)


class WhoAmIView(APIView):
    """
    Returns the user id in the session.
    """
    http_method_names = ['get']

    def get_context_data(self, **context):
        """
        Appends the user id into the context.

        Uses None for the anonymous user.
        """
        return super().get_context_data(
            user_id=self.request.user.pk,
            **context)


# Deprecated views. Will be removed after the implementation in angularjs

class UserCSVImportView(CSVImportView):
    """
    Import users via CSV.
    """
    required_permission = 'users.can_manage'
    success_url_name = 'user_list'
    template_name = 'users/user_form_csv_import.html'
    import_function = staticmethod(import_users)


class UserSettingsView(LoginMixin, UpdateView):
    required_permission = None
    template_name = 'users/settings.html'
    success_url_name = 'user_settings'
    model = User
    form_class = UsersettingsForm
    url_name_args = []

    def get_initial(self):
        initial = super().get_initial()
        initial['language'] = self.request.session.get('django_language', self.request.LANGUAGE_CODE)
        return initial

    def form_valid(self, form):
        self.request.LANGUAGE_CODE = self.request.session['django_language'] = form.cleaned_data['language']
        activate(self.request.LANGUAGE_CODE)
        return super().form_valid(form)

    def get_object(self):
        return self.request.user


class UserPasswordSettingsView(LoginMixin, FormView):
    required_permission = None
    template_name = 'users/password_change.html'
    success_url_name = 'core_dashboard'
    form_class = PasswordChangeForm

    def form_valid(self, form):
        form.save()
        messages.success(self.request, _('Password successfully changed.'))
        return super().form_valid(form)

    def get_form_kwargs(self):
        kwargs = super().get_form_kwargs()
        kwargs['user'] = self.request.user
        return kwargs
Add code 2011-07-31 10:46:29 +02:00			`from django.contrib import messages`
Implemented auth via AngularJS Also added the derective osPerms to check if the current user has permissions. Removed old Django views and urls for user. Created utils.views.APIView which should be used instead of the AjaxView. Fixes: #1470 Fixes: #1454 2015-02-12 22:42:54 +01:00			`from django.contrib.auth import login as auth_login`
			`from django.contrib.auth import logout as auth_logout`
			`from django.contrib.auth.forms import AuthenticationForm, PasswordChangeForm`
			`from django.utils.translation import ugettext as _`
			`from django.utils.translation import activate, ugettext_lazy`
Updated REST API for group create, update and delete. 2015-02-17 00:45:53 +01:00			`from rest_framework import status`
#111: Move pdf creation code from utils to participant app. 2012-04-20 23:23:50 +02:00
Updated REST API for group create, update and delete. 2015-02-17 00:45:53 +01:00			`from openslides.utils.rest_api import ModelViewSet, Response`
Refactory of the participant app * New user model (used Django's AbstractBaseUser) * Renamed the app to users * removed person api See #861 Fixed #576 #478 2014-10-11 14:34:49 +02:00			`from openslides.utils.views import (`
Fixes users password PDF view. Fixes: #1496 2015-02-27 09:20:49 +01:00			`APIView,`
Implemented auth via AngularJS Also added the derective osPerms to check if the current user has permissions. Removed old Django views and urls for user. Created utils.views.APIView which should be used instead of the AjaxView. Fixes: #1470 Fixes: #1454 2015-02-12 22:42:54 +01:00			`CSVImportView,`
			`FormView,`
			`LoginMixin,`
			`PDFView,`
			`UpdateView,`
			`)`
Refactory of the participant app * New user model (used Django's AbstractBaseUser) * Renamed the app to users * removed person api See #861 Fixed #576 #478 2014-10-11 14:34:49 +02:00
Added CSV import, fixed #1186. Also cleaned up motion and user CSV import. 2014-03-27 20:30:15 +01:00			`from .csv_import import import_users`
Implemented auth via AngularJS Also added the derective osPerms to check if the current user has permissions. Removed old Django views and urls for user. Created utils.views.APIView which should be used instead of the AjaxView. Fixes: #1470 Fixes: #1454 2015-02-12 22:42:54 +01:00			`from .forms import UsersettingsForm`
Refactory of the participant app * New user model (used Django's AbstractBaseUser) * Renamed the app to users * removed person api See #861 Fixed #576 #478 2014-10-11 14:34:49 +02:00			`from .models import Group, User`
Implemented auth via AngularJS Also added the derective osPerms to check if the current user has permissions. Removed old Django views and urls for user. Created utils.views.APIView which should be used instead of the AjaxView. Fixes: #1470 Fixes: #1454 2015-02-12 22:42:54 +01:00			`from .pdf import users_passwords_to_pdf, users_to_pdf`
			`from .serializers import (`
			`GroupSerializer,`
			`UserFullSerializer,`
Fixes users password PDF view. Fixes: #1496 2015-02-27 09:20:49 +01:00			`UserShortSerializer,`
Implemented auth via AngularJS Also added the derective osPerms to check if the current user has permissions. Removed old Django views and urls for user. Created utils.views.APIView which should be used instead of the AjaxView. Fixes: #1470 Fixes: #1454 2015-02-12 22:42:54 +01:00			`)`
Add code 2011-07-31 10:46:29 +02:00
cleaned up the participant app. Sort of... 2012-07-07 15:26:00 +02:00
Use ui-router to handle django urls See: #1453 2015-02-14 10:10:08 +01:00			`# Views to generate PDFs`

Refactory of the participant app * New user model (used Django's AbstractBaseUser) * Renamed the app to users * removed person api See #861 Fixed #576 #478 2014-10-11 14:34:49 +02:00			`class UsersListPDF(PDFView):`
cleaned up the participant app. Sort of... 2012-07-07 15:26:00 +02:00			`"""`
rewrote participant status view as class based view 2012-08-10 19:19:41 +02:00			`Generate the userliste as PDF.`
cleaned up the participant app. Sort of... 2012-07-07 15:26:00 +02:00			`"""`
Refactored REST api in agenda, core and users app. 2015-01-17 14:25:05 +01:00			`required_permission = 'users.can_see_extra_data'`
Refactory of the participant app * New user model (used Django's AbstractBaseUser) * Renamed the app to users * removed person api See #861 Fixed #576 #478 2014-10-11 14:34:49 +02:00			`filename = ugettext_lazy("user-list")`
			`document_title = ugettext_lazy('List of Users')`
Add code 2011-07-31 10:46:29 +02:00
Fixed #947: Move pdf functions of participant app to new pdf.py 2013-11-15 20:15:21 +01:00			`def append_to_pdf(self, pdf):`
			`"""`
			`Append PDF objects.`
			`"""`
Refactory of the participant app * New user model (used Django's AbstractBaseUser) * Renamed the app to users * removed person api See #861 Fixed #576 #478 2014-10-11 14:34:49 +02:00			`users_to_pdf(pdf)`
cleaned up the participant app. Sort of... 2012-07-07 15:26:00 +02:00
rewrote participant status view as class based view 2012-08-10 19:19:41 +02:00
Refactory of the participant app * New user model (used Django's AbstractBaseUser) * Renamed the app to users * removed person api See #861 Fixed #576 #478 2014-10-11 14:34:49 +02:00			`class UsersPasswordsPDF(PDFView):`
cleaned up the participant app. Sort of... 2012-07-07 15:26:00 +02:00			`"""`
Refactory of the participant app * New user model (used Django's AbstractBaseUser) * Renamed the app to users * removed person api See #861 Fixed #576 #478 2014-10-11 14:34:49 +02:00			`Generate the access data welcome paper for all users as PDF.`
cleaned up the participant app. Sort of... 2012-07-07 15:26:00 +02:00			`"""`
Refactory of the participant app * New user model (used Django's AbstractBaseUser) * Renamed the app to users * removed person api See #861 Fixed #576 #478 2014-10-11 14:34:49 +02:00			`required_permission = 'users.can_manage'`
			`filename = ugettext_lazy("User-access-data")`
rewrote participant status view as class based view 2012-08-10 19:19:41 +02:00			`top_space = 0`
Implement rights for anonymous as requested by #45 2011-11-14 16:37:12 +01:00
rewrote participant status view as class based view 2012-08-10 19:19:41 +02:00			`def build_document(self, pdf_document, story):`
			`pdf_document.build(story)`
Add code 2011-07-31 10:46:29 +02:00
Fixed #947: Move pdf functions of participant app to new pdf.py 2013-11-15 20:15:21 +01:00			`def append_to_pdf(self, pdf):`
			`"""`
			`Append PDF objects.`
			`"""`
Refactory of the participant app * New user model (used Django's AbstractBaseUser) * Renamed the app to users * removed person api See #861 Fixed #576 #478 2014-10-11 14:34:49 +02:00			`users_passwords_to_pdf(pdf)`
Add code 2011-07-31 10:46:29 +02:00
cleaned up the participant app. Sort of... 2012-07-07 15:26:00 +02:00
Use ui-router to handle django urls See: #1453 2015-02-14 10:10:08 +01:00			`# Viewsets for the rest api`
rewrote user csv import The import does not delete the existing users anymore, but append the users as new users. 2012-08-10 19:49:46 +02:00
Updated ViewSets to Django REST Framework 3.0.5. Refactored imports from openslides/utils/rest_api.py for better overriding them later. Fixed #1450. Updated requirements. 2015-02-12 18:48:14 +01:00			`class UserViewSet(ModelViewSet):`
Added api viewset for users. 2015-01-06 00:11:22 +01:00			`"""`
Refactored serializers and autoupdate. Added api for groups. Refactored serializers now using 'id' instead of 'url'. Rework of tornado autoupdate functionality. Implemented extra data in SockJS messages. 2015-02-04 00:08:38 +01:00			`API endpoint to list, retrieve, create, update and delete users.`
Added api viewset for users. 2015-01-06 00:11:22 +01:00			`"""`
			`queryset = User.objects.all()`

			`def check_permissions(self, request):`
			`"""`
Added REST api for motion, mediafile and config app. Refactor REST api in other apps. 2015-01-24 16:35:50 +01:00			`Calls self.permission_denied() if the requesting user has not the`
			`permission to see users and in case of create, update or destroy`
			`requests the permission to see extra user data and to manage users.`
Added api viewset for users. 2015-01-06 00:11:22 +01:00			`"""`
Refactored REST api in agenda, core and users app. 2015-01-17 14:25:05 +01:00			`if (not request.user.has_perm('users.can_see_name') or`
			`(self.action in ('create', 'update', 'destroy') and not`
			`(request.user.has_perm('users.can_manage') and`
			`request.user.has_perm('users.can_see_extra_data')))):`
Added api viewset for users. 2015-01-06 00:11:22 +01:00			`self.permission_denied(request)`

Refactored REST api in agenda, core and users app. 2015-01-17 14:25:05 +01:00			`def get_serializer_class(self):`
			`"""`
Refactored parts of users app. Refactored user creation and update via REST API. Used new serializer. Cleaned up management commands, signals and imports. Moved code from 'api.py' to 'models.py'. Changed usage of group 'Registered'. Now the users don't have to be members to gain its permissions. Used customized auth backend for this. Added and changed some tests. 2015-02-12 20:57:05 +01:00			`Returns different serializer classes with respect to action and user's`
			`permissions.`
Refactored REST api in agenda, core and users app. 2015-01-17 14:25:05 +01:00			`"""`
Fix anonymous user for rest requests 2015-05-05 10:42:31 +02:00			`if (self.action in ('create', 'update') or`
			`self.request.user.has_perm('users.can_see_extra_data')):`
Refactored REST api in agenda, core and users app. 2015-01-17 14:25:05 +01:00			`serializer_class = UserFullSerializer`
			`else:`
			`serializer_class = UserShortSerializer`
			`return serializer_class`

Added api viewset for users. 2015-01-06 00:11:22 +01:00
Updated ViewSets to Django REST Framework 3.0.5. Refactored imports from openslides/utils/rest_api.py for better overriding them later. Fixed #1450. Updated requirements. 2015-02-12 18:48:14 +01:00			`class GroupViewSet(ModelViewSet):`
Refactored serializers and autoupdate. Added api for groups. Refactored serializers now using 'id' instead of 'url'. Rework of tornado autoupdate functionality. Implemented extra data in SockJS messages. 2015-02-04 00:08:38 +01:00			`"""`
			`API endpoint to list, retrieve, create, update and delete groups.`
			`"""`
			`queryset = Group.objects.all()`
			`serializer_class = GroupSerializer`

			`def check_permissions(self, request):`
			`"""`
			`Calls self.permission_denied() if the requesting user has not the`
			`permission to see users and in case of create, update or destroy`
			`requests the permission to see extra user data and to manage users.`
			`"""`
			`if (not request.user.has_perm('users.can_see_name') or`
			`(self.action in ('create', 'update', 'destroy') and not`
			`(request.user.has_perm('users.can_manage') and`
			`request.user.has_perm('users.can_see_extra_data')))):`
			`self.permission_denied(request)`

Updated REST API for group create, update and delete. 2015-02-17 00:45:53 +01:00			`def destroy(self, request, args, *kwargs):`
			`"""`
			`Protects builtin groups 'Anonymous' (pk=1) and 'Registered' (pk=2)`
			`from being deleted.`
			`"""`
			`instance = self.get_object()`
			`if instance.pk in (1, 2,):`
			`self.permission_denied(request)`
			`else:`
			`self.perform_destroy(instance)`
			`response = Response(status=status.HTTP_204_NO_CONTENT)`
			`return response`

Refactored serializers and autoupdate. Added api for groups. Refactored serializers now using 'id' instead of 'url'. Rework of tornado autoupdate functionality. Implemented extra data in SockJS messages. 2015-02-04 00:08:38 +01:00
Use ui-router to handle django urls See: #1453 2015-02-14 10:10:08 +01:00			`# API Views`
Implemented auth via AngularJS Also added the derective osPerms to check if the current user has permissions. Removed old Django views and urls for user. Created utils.views.APIView which should be used instead of the AjaxView. Fixes: #1470 Fixes: #1454 2015-02-12 22:42:54 +01:00
			`class UserLoginView(APIView):`
			`"""`
			`Login the user via ajax.`
			`"""`
			`http_method_names = ['post']`

			`def post(self, args, *kwargs):`
			`form = AuthenticationForm(self.request, data=self.request.data)`
			`if form.is_valid():`
			`self.user = form.get_user()`
			`auth_login(self.request, self.user)`
			`self.success = True`
			`else:`
			`self.success = False`
			`return super().post(args, *kwargs)`

			`def get_context_data(self, **context):`
			`context['success'] = self.success`
			`if self.success:`
			`context['user_id'] = self.user.pk`
			`return super().get_context_data(**context)`


			`class UserLogoutView(APIView):`
			`"""`
			`Logout the user via ajax.`
			`"""`
			`http_method_names = ['post']`

			`def post(self, args, *kwargs):`
			`auth_logout(self.request)`
			`return super().post(args, *kwargs)`


			`class WhoAmIView(APIView):`
			`"""`
			`Returns the user id in the session.`
			`"""`
			`http_method_names = ['get']`

			`def get_context_data(self, **context):`
			`"""`
			`Appends the user id into the context.`

			`Uses None for the anonymous user.`
			`"""`
			`return super().get_context_data(`
			`user_id=self.request.user.pk,`
			`**context)`
Use ui-router to handle django urls See: #1453 2015-02-14 10:10:08 +01:00

			`# Deprecated views. Will be removed after the implementation in angularjs`

			`class UserCSVImportView(CSVImportView):`
			`"""`
			`Import users via CSV.`
			`"""`
			`required_permission = 'users.can_manage'`
			`success_url_name = 'user_list'`
			`template_name = 'users/user_form_csv_import.html'`
			`import_function = staticmethod(import_users)`


			`class UserSettingsView(LoginMixin, UpdateView):`
			`required_permission = None`
			`template_name = 'users/settings.html'`
			`success_url_name = 'user_settings'`
			`model = User`
			`form_class = UsersettingsForm`
			`url_name_args = []`

			`def get_initial(self):`
			`initial = super().get_initial()`
			`initial['language'] = self.request.session.get('django_language', self.request.LANGUAGE_CODE)`
			`return initial`

			`def form_valid(self, form):`
			`self.request.LANGUAGE_CODE = self.request.session['django_language'] = form.cleaned_data['language']`
			`activate(self.request.LANGUAGE_CODE)`
			`return super().form_valid(form)`

			`def get_object(self):`
			`return self.request.user`


			`class UserPasswordSettingsView(LoginMixin, FormView):`
			`required_permission = None`
			`template_name = 'users/password_change.html'`
			`success_url_name = 'core_dashboard'`
			`form_class = PasswordChangeForm`

			`def form_valid(self, form):`
			`form.save()`
			`messages.success(self.request, _('Password successfully changed.'))`
			`return super().form_valid(form)`

			`def get_form_kwargs(self):`
			`kwargs = super().get_form_kwargs()`
			`kwargs['user'] = self.request.user`
			`return kwargs`