123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230 |
- from django.conf import settings
- from django.contrib import admin, messages
- from django.contrib.admin.options import IS_POPUP_VAR
- from django.contrib.admin.utils import unquote
- from django.contrib.auth import update_session_auth_hash
- from django.contrib.auth.forms import (
- AdminPasswordChangeForm,
- UserChangeForm,
- UserCreationForm,
- )
- from django.contrib.auth.models import Group, User
- from django.core.exceptions import PermissionDenied
- from django.db import router, transaction
- from django.http import Http404, HttpResponseRedirect
- from django.template.response import TemplateResponse
- from django.urls import path, reverse
- from django.utils.decorators import method_decorator
- from django.utils.html import escape
- from django.utils.translation import gettext
- from django.utils.translation import gettext_lazy as _
- from django.views.decorators.csrf import csrf_protect
- from django.views.decorators.debug import sensitive_post_parameters
-
- csrf_protect_m = method_decorator(csrf_protect)
- sensitive_post_parameters_m = method_decorator(sensitive_post_parameters())
-
-
- @admin.register(Group)
- class GroupAdmin(admin.ModelAdmin):
- search_fields = ("name",)
- ordering = ("name",)
- filter_horizontal = ("permissions",)
-
- def formfield_for_manytomany(self, db_field, request=None, **kwargs):
- if db_field.name == "permissions":
- qs = kwargs.get("queryset", db_field.remote_field.model.objects)
- # Avoid a major performance hit resolving permission names which
- # triggers a content_type load:
- kwargs["queryset"] = qs.select_related("content_type")
- return super().formfield_for_manytomany(db_field, request=request, **kwargs)
-
-
- @admin.register(User)
- class UserAdmin(admin.ModelAdmin):
- add_form_template = "admin/auth/user/add_form.html"
- change_user_password_template = None
- fieldsets = (
- (None, {"fields": ("username", "password")}),
- (_("Personal info"), {"fields": ("first_name", "last_name", "email")}),
- (
- _("Permissions"),
- {
- "fields": (
- "is_active",
- "is_staff",
- "is_superuser",
- "groups",
- "user_permissions",
- ),
- },
- ),
- (_("Important dates"), {"fields": ("last_login", "date_joined")}),
- )
- add_fieldsets = (
- (
- None,
- {
- "classes": ("wide",),
- "fields": ("username", "password1", "password2"),
- },
- ),
- )
- form = UserChangeForm
- add_form = UserCreationForm
- change_password_form = AdminPasswordChangeForm
- list_display = ("username", "email", "first_name", "last_name", "is_staff")
- list_filter = ("is_staff", "is_superuser", "is_active", "groups")
- search_fields = ("username", "first_name", "last_name", "email")
- ordering = ("username",)
- filter_horizontal = (
- "groups",
- "user_permissions",
- )
-
- def get_fieldsets(self, request, obj=None):
- if not obj:
- return self.add_fieldsets
- return super().get_fieldsets(request, obj)
-
- def get_form(self, request, obj=None, **kwargs):
- """
- Use special form during user creation
- """
- defaults = {}
- if obj is None:
- defaults["form"] = self.add_form
- defaults.update(kwargs)
- return super().get_form(request, obj, **defaults)
-
- def get_urls(self):
- return [
- path(
- "<id>/password/",
- self.admin_site.admin_view(self.user_change_password),
- name="auth_user_password_change",
- ),
- ] + super().get_urls()
-
- def lookup_allowed(self, lookup, value):
- # Don't allow lookups involving passwords.
- return not lookup.startswith("password") and super().lookup_allowed(
- lookup, value
- )
-
- @sensitive_post_parameters_m
- @csrf_protect_m
- def add_view(self, request, form_url="", extra_context=None):
- with transaction.atomic(using=router.db_for_write(self.model)):
- return self._add_view(request, form_url, extra_context)
-
- def _add_view(self, request, form_url="", extra_context=None):
- # It's an error for a user to have add permission but NOT change
- # permission for users. If we allowed such users to add users, they
- # could create superusers, which would mean they would essentially have
- # the permission to change users. To avoid the problem entirely, we
- # disallow users from adding users if they don't have change
- # permission.
- if not self.has_change_permission(request):
- if self.has_add_permission(request) and settings.DEBUG:
- # Raise Http404 in debug mode so that the user gets a helpful
- # error message.
- raise Http404(
- 'Your user does not have the "Change user" permission. In '
- "order to add users, Django requires that your user "
- 'account have both the "Add user" and "Change user" '
- "permissions set."
- )
- raise PermissionDenied
- if extra_context is None:
- extra_context = {}
- username_field = self.model._meta.get_field(self.model.USERNAME_FIELD)
- defaults = {
- "auto_populated_fields": (),
- "username_help_text": username_field.help_text,
- }
- extra_context.update(defaults)
- return super().add_view(request, form_url, extra_context)
-
- @sensitive_post_parameters_m
- def user_change_password(self, request, id, form_url=""):
- user = self.get_object(request, unquote(id))
- if not self.has_change_permission(request, user):
- raise PermissionDenied
- if user is None:
- raise Http404(
- _("%(name)s object with primary key %(key)r does not exist.")
- % {
- "name": self.model._meta.verbose_name,
- "key": escape(id),
- }
- )
- if request.method == "POST":
- form = self.change_password_form(user, request.POST)
- if form.is_valid():
- form.save()
- change_message = self.construct_change_message(request, form, None)
- self.log_change(request, user, change_message)
- msg = gettext("Password changed successfully.")
- messages.success(request, msg)
- update_session_auth_hash(request, form.user)
- return HttpResponseRedirect(
- reverse(
- "%s:%s_%s_change"
- % (
- self.admin_site.name,
- user._meta.app_label,
- user._meta.model_name,
- ),
- args=(user.pk,),
- )
- )
- else:
- form = self.change_password_form(user)
-
- fieldsets = [(None, {"fields": list(form.base_fields)})]
- adminForm = admin.helpers.AdminForm(form, fieldsets, {})
-
- context = {
- "title": _("Change password: %s") % escape(user.get_username()),
- "adminForm": adminForm,
- "form_url": form_url,
- "form": form,
- "is_popup": (IS_POPUP_VAR in request.POST or IS_POPUP_VAR in request.GET),
- "is_popup_var": IS_POPUP_VAR,
- "add": True,
- "change": False,
- "has_delete_permission": False,
- "has_change_permission": True,
- "has_absolute_url": False,
- "opts": self.model._meta,
- "original": user,
- "save_as": False,
- "show_save": True,
- **self.admin_site.each_context(request),
- }
-
- request.current_app = self.admin_site.name
-
- return TemplateResponse(
- request,
- self.change_user_password_template
- or "admin/auth/user/change_password.html",
- context,
- )
-
- def response_add(self, request, obj, post_url_continue=None):
- """
- Determine the HttpResponse for the add_view stage. It mostly defers to
- its superclass implementation but is customized because the User model
- has a slightly different workflow.
- """
- # We should allow further modification of the user just added i.e. the
- # 'Save' button should behave like the 'Save and continue editing'
- # button except in two scenarios:
- # * The user has pressed the 'Save and add another' button
- # * We are adding a user in a popup
- if "_addanother" not in request.POST and IS_POPUP_VAR not in request.POST:
- request.POST = request.POST.copy()
- request.POST["_continue"] = 1
- return super().response_add(request, obj, post_url_continue)
|