from django.contrib.auth import login as auth_login
from django.contrib.auth import logout as auth_logout
from django.contrib.auth.forms import AuthenticationForm
from django.utils.translation import ugettext as _
from django.utils.translation import ugettext_lazy
from rest_framework import status
from openslides.core.config import config
from openslides.utils.rest_api import ModelViewSet, Response, detail_route
from openslides.utils.views import APIView, PDFView
from .models import Group, User
from .pdf import users_passwords_to_pdf, users_to_pdf
from .serializers import (
GroupSerializer,
UserFullSerializer,
UserShortSerializer,
)
# Views to generate PDFs
class UsersListPDF(PDFView):
    """
    PDF export of the user list.

    Declares 'users.can_see_extra_data' as the permission required for
    this view; the generated document is titled 'List of Users'.
    """
    document_title = ugettext_lazy('List of Users')
    filename = ugettext_lazy("user-list")
    required_permission = 'users.can_see_extra_data'

    def append_to_pdf(self, pdf):
        """
        Fill *pdf* with the user list by delegating to users_to_pdf().
        """
        render_user_list = users_to_pdf
        render_user_list(pdf)
class UsersPasswordsPDF(PDFView):
    """
    PDF export of the access-data welcome sheets for all users.

    The document carries each user's access data, so the view declares
    'users.can_manage' as its required permission.
    """
    top_space = 0
    filename = ugettext_lazy("User-access-data")
    required_permission = 'users.can_manage'

    def build_document(self, pdf_document, story):
        """
        Build *story* straight into *pdf_document*; overrides the PDFView
        hook of the same name.
        """
        pdf_document.build(story)

    def append_to_pdf(self, pdf):
        """
        Fill *pdf* with the access-data sheets by delegating to
        users_passwords_to_pdf().
        """
        render_access_data = users_passwords_to_pdf
        render_access_data(pdf)
# Viewsets for the rest api
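class UserViewSet(ModelViewSet):
    """
    API endpoint to list, retrieve, create, update and delete users.
    """
    queryset = User.objects.all()

    # Actions that write user data. 'partial_update' (PATCH) is listed so
    # that it is gated exactly like 'update'; previously it was missing here
    # while GroupViewSet already guards it, so a PATCH on a user only needed
    # 'users.can_see_name'.
    write_actions = ('create', 'update', 'partial_update', 'destroy')

    def check_permissions(self, request):
        """
        Calls self.permission_denied() if the requesting user has not the
        permission to see users and in case of create, update,
        partial_update or destroy requests the permission to see extra
        user data and to manage users.
        """
        user = request.user
        may_manage = (user.has_perm('users.can_manage') and
                      user.has_perm('users.can_see_extra_data'))
        if (not user.has_perm('users.can_see_name') or
                (self.action in self.write_actions and not may_manage)):
            self.permission_denied(request)

    def get_serializer_class(self):
        """
        Returns UserFullSerializer for create, update and partial_update
        requests and for users with the permission to see extra user data;
        UserShortSerializer otherwise.
        """
        # partial_update is only reachable with 'users.can_see_extra_data'
        # (see check_permissions), so listing it here keeps the write
        # actions uniform without widening what a reader can see.
        if (self.action in ('create', 'update', 'partial_update') or
                self.request.user.has_perm('users.can_see_extra_data')):
            return UserFullSerializer
        return UserShortSerializer

    @detail_route(methods=['post'])
    def reset_password(self, request, pk=None):
        """
        View to reset the password (using the default password).

        Requires the permission 'users.can_manage'. The password is set to
        the user's stored default_password; the response only confirms the
        reset and does not echo the password.
        """
        if not request.user.has_perm('users.can_manage'):
            self.permission_denied(request)
        user = self.get_object()
        user.set_password(user.default_password)
        user.save()
        return Response({'detail': _('Password successfully reset.')})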
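class GroupViewSet(ModelViewSet):
    """
    API endpoint to list, retrieve, create, update and delete groups.
    """
    queryset = Group.objects.all()
    serializer_class = GroupSerializer

    # Primary keys of the builtin groups 'Anonymous' (1) and 'Registered'
    # (2), which must never be deleted.
    protected_group_pks = (1, 2)

    def check_permissions(self, request):
        """
        Calls self.permission_denied() unless the request is allowed.

        Reading groups ('retrieve', 'list') is allowed for every logged in
        user and, if anonymous access is enabled in the config, for the
        anonymous user as well. Modifying groups ('create', 'update',
        'partial_update', 'destroy') requires the permissions
        'users.can_see_name', 'users.can_manage' and
        'users.can_see_extra_data'. Every other case is denied.
        """
        user = request.user
        if self.action in ('retrieve', 'list'):
            if (config['general_system_enable_anonymous'] or
                    user.is_authenticated()):
                return
        elif self.action in ('create', 'update', 'destroy', 'partial_update'):
            if (user.has_perm('users.can_see_name') and
                    user.has_perm('users.can_manage') and
                    user.has_perm('users.can_see_extra_data')):
                return
        # Raise permission_denied in any other case.
        self.permission_denied(request)

    def destroy(self, request, *args, **kwargs):
        """
        Deletes a group, but protects the builtin groups 'Anonymous' (pk=1)
        and 'Registered' (pk=2) by calling self.permission_denied() for
        them instead.

        Returns an empty 204 response.
        """
        instance = self.get_object()
        if instance.pk in self.protected_group_pks:
            self.permission_denied(request)
        else:
            self.perform_destroy(instance)
        return Response(status=status.HTTP_204_NO_CONTENT)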
# API Views
class UserLoginView(APIView):
    """
    Log a user in via an AJAX POST.

    The posted credentials are validated with Django's AuthenticationForm.
    On success the session is bound to that user and the response context
    carries ``success`` and ``user_id``; otherwise only ``success``
    (False) is reported.
    """
    http_method_names = ['post']

    def post(self, *args, **kwargs):
        """
        Validate the credentials and log the user in if they are valid.
        Records the outcome in self.success (and self.user on success) for
        get_context_data(), then hands over to APIView.post().
        """
        request = self.request
        form = AuthenticationForm(request, data=request.data)
        self.success = form.is_valid()
        if self.success:
            self.user = form.get_user()
            auth_login(request, self.user)
        return super().post(*args, **kwargs)

    def get_context_data(self, **context):
        """
        Add ``success`` and, after a successful login, ``user_id`` to the
        response context.
        """
        context['success'] = self.success
        if self.success:
            context['user_id'] = self.user.pk
        return super().get_context_data(**context)
class UserLogoutView(APIView):
    """
    Log the current user out via an AJAX POST.
    """
    http_method_names = ['post']

    def post(self, *args, **kwargs):
        """
        End the session with django.contrib.auth.logout() and then defer
        to APIView.post() for the response.
        """
        auth_logout(self.request)
        return super().post(*args, **kwargs)
class WhoAmIView(APIView):
    """
    Report the id of the user bound to the current session.
    """
    http_method_names = ['get']

    def get_context_data(self, **context):
        """
        Add ``user_id`` to the context.

        The value is the primary key of the requesting user and None for
        the anonymous user.
        """
        current_user = self.request.user
        return super().get_context_data(user_id=current_user.pk, **context)