OpenSlides/openslides/users/serializers.py

from django.contrib.auth.hashers import make_password
from django.contrib.auth.models import Permission

from ..utils.autoupdate import inform_changed_data
from ..utils.rest_api import (
    IdPrimaryKeyRelatedField,
    JSONField,
    ModelSerializer,
    RelatedField,
    ValidationError,
)
from ..utils.validate import validate_html
from .models import Group, PersonalNote, User


USERCANSEESERIALIZER_FIELDS = (
    "id",
    "username",
    "title",
    "first_name",
    "last_name",
    "structure_level",
    "number",
    "about_me",
    "groups",
    "is_present",
    "is_committee",
)


USERCANSEEEXTRASERIALIZER_FIELDS = USERCANSEESERIALIZER_FIELDS + (
    "gender",
    "email",
    "last_email_send",
    "comment",
    "is_active",
    "auth_type",
)


class UserFullSerializer(ModelSerializer):
    """
    Serializer for users.models.User objects.

    Serializes all relevant fields for manager.
    """

    groups = IdPrimaryKeyRelatedField(
        many=True,
        required=False,
        queryset=Group.objects.exclude(pk=1),
        help_text=(
            "The groups this user belongs to. A user will "
            "get all permissions granted to each of "
            "his/her groups."
        ),
    )

    class Meta:
        model = User
        fields = USERCANSEEEXTRASERIALIZER_FIELDS + (
            "default_password",
            "session_auth_hash",
        )
        read_only_fields = ("last_email_send", "auth_type")

    def validate(self, data):
        """
        Checks if the given data is empty. Generates the
        username if it is empty.
        """

        try:
            action = self.context["view"].action
        except (KeyError, AttributeError):
            action = None

        # Check if we are in Patch context, if not, check if we have the mandatory fields
        if action != "partial_update":
            if not (
                data.get("username") or data.get("first_name") or data.get("last_name")
            ):
                raise ValidationError(
                    {"detail": "Username, given name and surname can not all be empty."}
                )

        # Generate username. But only if it is not set and the serializer is not
        # called in a PATCH context (partial_update).

        if not data.get("username") and action != "partial_update":
            data["username"] = User.objects.generate_username(
                data.get("first_name", ""), data.get("last_name", "")
            )

        # check the about_me html
        if "about_me" in data:
            data["about_me"] = validate_html(data["about_me"])

        return data

    def prepare_password(self, validated_data):
        """
        Sets the default password.
        """
        # Prepare setup password.
        if not validated_data.get("default_password"):
            validated_data["default_password"] = User.objects.make_random_password()
        validated_data["password"] = make_password(validated_data["default_password"])
        return validated_data

    def create(self, validated_data):
        """
        Creates the user.
        """
        # Perform creation in the database and return new user.
        user = super().create(self.prepare_password(validated_data))
        # TODO: This autoupdate call is redundant (required by issue #2727). See #2736.
        inform_changed_data(user)
        return user


class PermissionRelatedField(RelatedField):
    """
    A custom field to use for the permission relationship.
    """

    default_error_messages = {
        "incorrect_value": 'Incorrect value "{value}". Expected app_label.codename string.',
        "does_not_exist": 'Invalid permission "{value}". Object does not exist.',
    }

    def to_representation(self, value):
        """
        Returns the permission code string (app_label.codename).
        """
        return ".".join((value.content_type.app_label, value.codename))

    def to_internal_value(self, data):
        """
        Returns the permission object represented by data. The argument data is
        what is sent by the client. This method expects permission code strings
        (app_label.codename) like to_representation() returns.
        """
        try:
            app_label, codename = data.split(".")
        except ValueError:
            self.fail("incorrect_value", value=data)
        try:
            permission = Permission.objects.get(
                content_type__app_label=app_label, codename=codename
            )
        except Permission.DoesNotExist:
            self.fail("does_not_exist", value=data)
        return permission


class GroupSerializer(ModelSerializer):
    """
    Serializer for django.contrib.auth.models.Group objects.
    """

    permissions = PermissionRelatedField(
        many=True, queryset=Permission.objects.all(), required=False
    )

    class Meta:
        model = Group
        fields = ("id", "name", "permissions")

    def update(self, *args, **kwargs):
        """
        Customized update method. We just refresh the instance from the
        database because of an unknown bug in Django REST framework.
        """
        instance = super().update(*args, **kwargs)
        return Group.objects.get(pk=instance.pk)


class PersonalNoteSerializer(ModelSerializer):
    """
    Serializer for users.models.PersonalNote objects.
    """

    notes = JSONField()

    class Meta:
        model = PersonalNote
        fields = ("id", "user", "notes")
        read_only_fields = ("user",)
Refactored parts of users app. Refactored user creation and update via REST API. Used new serializer. Cleaned up management commands, signals and imports. Moved code from 'api.py' to 'models.py'. Changed usage of group 'Registered'. Now the users don't have to be members to gain its permissions. Used customized auth backend for this. Added and changed some tests. 2015-02-12 20:57:05 +01:00			`from django.contrib.auth.hashers import make_password`
Cleaned up users app. 2015-09-16 00:55:27 +02:00			`from django.contrib.auth.models import Permission`
Remove old thinks not needed for the 2.0 release: * django templates * widgets * views * mppt * main_menu * projector 1.x api Sorted all imports Add a ending slash to each url with a redirect view 2015-06-16 10:37:23 +02:00
Hot fix for cache update while user import (Fixes #2727). 2016-12-04 20:04:00 +01:00			`from ..utils.autoupdate import inform_changed_data`
Cleaned up users app. 2015-09-16 00:55:27 +02:00			`from ..utils.rest_api import (`
Use always user.groups_id (Fixes #2081) - Fix rest api: send always groups_id (instead of groups). - Fix JS-Data-Store: Add hasMany relations for user.groups. - Fix templates: use field 'groups_id' instead of 'groups'. 2016-04-14 21:29:28 +02:00			`IdPrimaryKeyRelatedField,`
Rework on personal notes. Fixed #3262. 2017-05-23 14:07:06 +02:00			`JSONField,`
Remove old thinks not needed for the 2.0 release: * django templates * widgets * views * mppt * main_menu * projector 1.x api Sorted all imports Add a ending slash to each url with a redirect view 2015-06-16 10:37:23 +02:00			`ModelSerializer,`
			`RelatedField,`
			`ValidationError,`
			`)`
Added html validation for users and personal notes 2019-11-06 15:55:03 +01:00			`from ..utils.validate import validate_html`
Resort python import for isort 4.3.11 (fixes #4467) One dot imports are again behind two dot imports since this new isort release. 2019-03-06 14:53:24 +01:00			`from .models import Group, PersonalNote, User`
Added api viewset for users. 2015-01-06 00:11:22 +01:00
Update to channels 2 * geis does not work with channels2 and never will be (it has to be python now) * pytest * rewrote cache system * use username instead of pk for admin user in tests 2018-07-09 23:22:26 +02:00
Refactored user serializers for different client permissions. See #1871. 2016-08-31 16:53:02 +02:00			`USERCANSEESERIALIZER_FIELDS = (`
Run black 2019-01-06 16:22:33 +01:00			`"id",`
			`"username",`
			`"title",`
			`"first_name",`
			`"last_name",`
			`"structure_level",`
			`"number",`
			`"about_me",`
			`"groups",`
			`"is_present",`
			`"is_committee",`
Adds a cache system to the CollectionElement and add a Collection class that can be used to call a collection used this for the list and receive rest api. 2016-09-18 16:00:31 +02:00			`)`
Added api for assignments. Also small changes in agenda REST api. 2015-01-17 14:25:05 +01:00
Refactored parts of users app. Refactored user creation and update via REST API. Used new serializer. Cleaned up management commands, signals and imports. Moved code from 'api.py' to 'models.py'. Changed usage of group 'Registered'. Now the users don't have to be members to gain its permissions. Used customized auth backend for this. Added and changed some tests. 2015-02-12 20:57:05 +01:00
Adds a cache system to the CollectionElement and add a Collection class that can be used to call a collection used this for the list and receive rest api. 2016-09-18 16:00:31 +02:00			`USERCANSEEEXTRASERIALIZER_FIELDS = USERCANSEESERIALIZER_FIELDS + (`
Added gender field for users. 2019-01-18 17:58:45 +01:00			`"gender",`
Run black 2019-01-06 16:22:33 +01:00			`"email",`
			`"last_email_send",`
			`"comment",`
			`"is_active",`
saml 2019-08-20 12:00:54 +02:00			`"auth_type",`
Adds a cache system to the CollectionElement and add a Collection class that can be used to call a collection used this for the list and receive rest api. 2016-09-18 16:00:31 +02:00			`)`
Refactored parts of users app. Refactored user creation and update via REST API. Used new serializer. Cleaned up management commands, signals and imports. Moved code from 'api.py' to 'models.py'. Changed usage of group 'Registered'. Now the users don't have to be members to gain its permissions. Used customized auth backend for this. Added and changed some tests. 2015-02-12 20:57:05 +01:00
Refactored user serializers for different client permissions. See #1871. 2016-08-31 16:53:02 +02:00
			`class UserFullSerializer(ModelSerializer):`
			`"""`
			`Serializer for users.models.User objects.`

			`Serializes all relevant fields for manager.`
			`"""`
Run black 2019-01-06 16:22:33 +01:00
Refactored user serializers for different client permissions. See #1871. 2016-08-31 16:53:02 +02:00			`groups = IdPrimaryKeyRelatedField(`
			`many=True,`
Removed restricted fields from PUT request where a users wants to update himself. Fixed #2986 and #2984. 2017-02-24 15:04:12 +01:00			`required=False,`
Refactored user serializers for different client permissions. See #1871. 2016-08-31 16:53:02 +02:00			`queryset=Group.objects.exclude(pk=1),`
use f-string syntax for strings 2019-01-12 23:01:42 +01:00			`help_text=(`
Run black 2019-01-06 16:22:33 +01:00			`"The groups this user belongs to. A user will "`
			`"get all permissions granted to each of "`
			`"his/her groups."`
			`),`
			`)`
Refactored user serializers for different client permissions. See #1871. 2016-08-31 16:53:02 +02:00
			`class Meta:`
			`model = User`
Run black 2019-01-06 16:22:33 +01:00			`fields = USERCANSEEEXTRASERIALIZER_FIELDS + (`
			`"default_password",`
			`"session_auth_hash",`
			`)`
saml 2019-08-20 12:00:54 +02:00			`read_only_fields = ("last_email_send", "auth_type")`
Refactored user serializers for different client permissions. See #1871. 2016-08-31 16:53:02 +02:00
Refactored parts of users app. Refactored user creation and update via REST API. Used new serializer. Cleaned up management commands, signals and imports. Moved code from 'api.py' to 'models.py'. Changed usage of group 'Registered'. Now the users don't have to be members to gain its permissions. Used customized auth backend for this. Added and changed some tests. 2015-02-12 20:57:05 +01:00			`def validate(self, data):`
			`"""`
patch userdetails without unnecessary double verification 2018-02-14 12:18:48 +01:00			`Checks if the given data is empty. Generates the`
Refactored user serializers for different client permissions. See #1871. 2016-08-31 16:53:02 +02:00			`username if it is empty.`
Refactored parts of users app. Refactored user creation and update via REST API. Used new serializer. Cleaned up management commands, signals and imports. Moved code from 'api.py' to 'models.py'. Changed usage of group 'Registered'. Now the users don't have to be members to gain its permissions. Used customized auth backend for this. Added and changed some tests. 2015-02-12 20:57:05 +01:00			`"""`
Fix anonymous user for rest requests 2015-05-05 10:42:31 +02:00
			`try:`
Run black 2019-01-06 16:22:33 +01:00			`action = self.context["view"].action`
Fix anonymous user for rest requests 2015-05-05 10:42:31 +02:00			`except (KeyError, AttributeError):`
			`action = None`

patch userdetails without unnecessary double verification 2018-02-14 12:18:48 +01:00			`# Check if we are in Patch context, if not, check if we have the mandatory fields`
Run black 2019-01-06 16:22:33 +01:00			`if action != "partial_update":`
			`if not (`
			`data.get("username") or data.get("first_name") or data.get("last_name")`
			`):`
			`raise ValidationError(`
use f-string syntax for strings 2019-01-12 23:01:42 +01:00			`{"detail": "Username, given name and surname can not all be empty."}`
Run black 2019-01-06 16:22:33 +01:00			`)`
patch userdetails without unnecessary double verification 2018-02-14 12:18:48 +01:00
			`# Generate username. But only if it is not set and the serializer is not`
			`# called in a PATCH context (partial_update).`

Run black 2019-01-06 16:22:33 +01:00			`if not data.get("username") and action != "partial_update":`
			`data["username"] = User.objects.generate_username(`
			`data.get("first_name", ""), data.get("last_name", "")`
			`)`
Added html validation for users and personal notes 2019-11-06 15:55:03 +01:00
			`# check the about_me html`
			`if "about_me" in data:`
			`data["about_me"] = validate_html(data["about_me"])`

Refactored parts of users app. Refactored user creation and update via REST API. Used new serializer. Cleaned up management commands, signals and imports. Moved code from 'api.py' to 'models.py'. Changed usage of group 'Registered'. Now the users don't have to be members to gain its permissions. Used customized auth backend for this. Added and changed some tests. 2015-02-12 20:57:05 +01:00			`return data`

Massimport for users 2017-04-19 09:28:21 +02:00			`def prepare_password(self, validated_data):`
Refactored parts of users app. Refactored user creation and update via REST API. Used new serializer. Cleaned up management commands, signals and imports. Moved code from 'api.py' to 'models.py'. Changed usage of group 'Registered'. Now the users don't have to be members to gain its permissions. Used customized auth backend for this. Added and changed some tests. 2015-02-12 20:57:05 +01:00			`"""`
Massimport for users 2017-04-19 09:28:21 +02:00			`Sets the default password.`
Refactored parts of users app. Refactored user creation and update via REST API. Used new serializer. Cleaned up management commands, signals and imports. Moved code from 'api.py' to 'models.py'. Changed usage of group 'Registered'. Now the users don't have to be members to gain its permissions. Used customized auth backend for this. Added and changed some tests. 2015-02-12 20:57:05 +01:00			`"""`
			`# Prepare setup password.`
Run black 2019-01-06 16:22:33 +01:00			`if not validated_data.get("default_password"):`
Bulk views for users: state, password and delete 2019-07-17 11:24:01 +02:00			`validated_data["default_password"] = User.objects.make_random_password()`
Run black 2019-01-06 16:22:33 +01:00			`validated_data["password"] = make_password(validated_data["default_password"])`
Massimport for users 2017-04-19 09:28:21 +02:00			`return validated_data`

			`def create(self, validated_data):`
			`"""`
			`Creates the user.`
			`"""`
Refactored parts of users app. Refactored user creation and update via REST API. Used new serializer. Cleaned up management commands, signals and imports. Moved code from 'api.py' to 'models.py'. Changed usage of group 'Registered'. Now the users don't have to be members to gain its permissions. Used customized auth backend for this. Added and changed some tests. 2015-02-12 20:57:05 +01:00			`# Perform creation in the database and return new user.`
Massimport for users 2017-04-19 09:28:21 +02:00			`user = super().create(self.prepare_password(validated_data))`
Hot fix for cache update while user import (Fixes #2727). 2016-12-04 20:04:00 +01:00			`# TODO: This autoupdate call is redundant (required by issue #2727). See #2736.`
			`inform_changed_data(user)`
			`return user`
Refactored parts of users app. Refactored user creation and update via REST API. Used new serializer. Cleaned up management commands, signals and imports. Moved code from 'api.py' to 'models.py'. Changed usage of group 'Registered'. Now the users don't have to be members to gain its permissions. Used customized auth backend for this. Added and changed some tests. 2015-02-12 20:57:05 +01:00

Updated ViewSets to Django REST Framework 3.0.5. Refactored imports from openslides/utils/rest_api.py for better overriding them later. Fixed #1450. Updated requirements. 2015-02-12 18:48:14 +01:00			`class PermissionRelatedField(RelatedField):`
Refactored serializers and autoupdate. Added api for groups. Refactored serializers now using 'id' instead of 'url'. Rework of tornado autoupdate functionality. Implemented extra data in SockJS messages. 2015-02-04 00:08:38 +01:00			`"""`
			`A custom field to use for the permission relationship.`
			`"""`
Run black 2019-01-06 16:22:33 +01:00
Updated REST API for group create, update and delete. 2015-02-17 00:45:53 +01:00			`default_error_messages = {`
use f-string syntax for strings 2019-01-12 23:01:42 +01:00			`"incorrect_value": 'Incorrect value "{value}". Expected app_label.codename string.',`
			`"does_not_exist": 'Invalid permission "{value}". Object does not exist.',`
Run black 2019-01-06 16:22:33 +01:00			`}`
Updated REST API for group create, update and delete. 2015-02-17 00:45:53 +01:00
Refactored serializers and autoupdate. Added api for groups. Refactored serializers now using 'id' instead of 'url'. Rework of tornado autoupdate functionality. Implemented extra data in SockJS messages. 2015-02-04 00:08:38 +01:00			`def to_representation(self, value):`
			`"""`
Updated REST API for group create, update and delete. 2015-02-17 00:45:53 +01:00			`Returns the permission code string (app_label.codename).`
Refactored serializers and autoupdate. Added api for groups. Refactored serializers now using 'id' instead of 'url'. Rework of tornado autoupdate functionality. Implemented extra data in SockJS messages. 2015-02-04 00:08:38 +01:00			`"""`
Run black 2019-01-06 16:22:33 +01:00			`return ".".join((value.content_type.app_label, value.codename))`
Refactored serializers and autoupdate. Added api for groups. Refactored serializers now using 'id' instead of 'url'. Rework of tornado autoupdate functionality. Implemented extra data in SockJS messages. 2015-02-04 00:08:38 +01:00
Updated REST API for group create, update and delete. 2015-02-17 00:45:53 +01:00			`def to_internal_value(self, data):`
			`"""`
			`Returns the permission object represented by data. The argument data is`
			`what is sent by the client. This method expects permission code strings`
			`(app_label.codename) like to_representation() returns.`
			`"""`
			`try:`
Run black 2019-01-06 16:22:33 +01:00			`app_label, codename = data.split(".")`
Updated REST API for group create, update and delete. 2015-02-17 00:45:53 +01:00			`except ValueError:`
Run black 2019-01-06 16:22:33 +01:00			`self.fail("incorrect_value", value=data)`
Updated REST API for group create, update and delete. 2015-02-17 00:45:53 +01:00			`try:`
Run black 2019-01-06 16:22:33 +01:00			`permission = Permission.objects.get(`
			`content_type__app_label=app_label, codename=codename`
			`)`
Updated REST API for group create, update and delete. 2015-02-17 00:45:53 +01:00			`except Permission.DoesNotExist:`
Run black 2019-01-06 16:22:33 +01:00			`self.fail("does_not_exist", value=data)`
Updated REST API for group create, update and delete. 2015-02-17 00:45:53 +01:00			`return permission`

Refactored serializers and autoupdate. Added api for groups. Refactored serializers now using 'id' instead of 'url'. Rework of tornado autoupdate functionality. Implemented extra data in SockJS messages. 2015-02-04 00:08:38 +01:00
Updated ViewSets to Django REST Framework 3.0.5. Refactored imports from openslides/utils/rest_api.py for better overriding them later. Fixed #1450. Updated requirements. 2015-02-12 18:48:14 +01:00			`class GroupSerializer(ModelSerializer):`
Refactored serializers and autoupdate. Added api for groups. Refactored serializers now using 'id' instead of 'url'. Rework of tornado autoupdate functionality. Implemented extra data in SockJS messages. 2015-02-04 00:08:38 +01:00			`"""`
			`Serializer for django.contrib.auth.models.Group objects.`
			`"""`
Run black 2019-01-06 16:22:33 +01:00
Fix group creation Fixes an error that was preventing groups from being created. Groups did require a list of permissions which is now optional 2020-01-08 10:46:11 +01:00			`permissions = PermissionRelatedField(`
			`many=True, queryset=Permission.objects.all(), required=False`
			`)`
Refactored serializers and autoupdate. Added api for groups. Refactored serializers now using 'id' instead of 'url'. Rework of tornado autoupdate functionality. Implemented extra data in SockJS messages. 2015-02-04 00:08:38 +01:00
			`class Meta:`
			`model = Group`
Run black 2019-01-06 16:22:33 +01:00			`fields = ("id", "name", "permissions")`
Fixed group update method. Fixed #2541. 2016-11-08 22:36:57 +01:00
			`def update(self, args, *kwargs):`
			`"""`
			`Customized update method. We just refresh the instance from the`
			`database because of an unknown bug in Django REST framework.`
			`"""`
			`instance = super().update(args, *kwargs)`
			`return Group.objects.get(pk=instance.pk)`
Rework on personal notes. Fixed #3262. 2017-05-23 14:07:06 +02:00

			`class PersonalNoteSerializer(ModelSerializer):`
			`"""`
			`Serializer for users.models.PersonalNote objects.`
			`"""`
Run black 2019-01-06 16:22:33 +01:00
Rework on personal notes. Fixed #3262. 2017-05-23 14:07:06 +02:00			`notes = JSONField()`

			`class Meta:`
			`model = PersonalNote`
Run black 2019-01-06 16:22:33 +01:00			`fields = ("id", "user", "notes")`
			`read_only_fields = ("user",)`