netbox-community-netbox/netbox/users/views.py

from django.contrib import messages
from django.contrib.auth import login as auth_login, logout as auth_logout, update_session_auth_hash
from django.contrib.auth.decorators import login_required
from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin
from django.http import HttpResponseForbidden, HttpResponseRedirect
from django.shortcuts import get_object_or_404, redirect, render
from django.urls import reverse
from django.utils.decorators import method_decorator
from django.utils.http import is_safe_url
from django.views.decorators.debug import sensitive_post_parameters
from django.views.generic import View

from secrets.forms import UserKeyForm
from secrets.models import SessionKey, UserKey
from utilities.forms import ConfirmationForm
from .forms import LoginForm, PasswordChangeForm, TokenForm
from .models import Token


#
# Login/logout
#

class LoginView(View):
    template_name = 'login.html'

    @method_decorator(sensitive_post_parameters('password'))
    def dispatch(self, *args, **kwargs):
        return super().dispatch(*args, **kwargs)

    def get(self, request):
        form = LoginForm(request)

        return render(request, self.template_name, {
            'form': form,
        })

    def post(self, request):
        form = LoginForm(request, data=request.POST)
        if form.is_valid():

            # Determine where to direct user after successful login
            redirect_to = request.POST.get('next', '')
            if not is_safe_url(url=redirect_to, allowed_hosts=request.get_host()):
                redirect_to = reverse('home')

            # Authenticate user
            auth_login(request, form.get_user())
            messages.info(request, "Logged in as {}.".format(request.user))

            return HttpResponseRedirect(redirect_to)

        return render(request, self.template_name, {
            'form': form,
        })


class LogoutView(View):

    def get(self, request):

        # Log out the user
        auth_logout(request)
        messages.info(request, "You have logged out.")

        # Delete session key cookie (if set) upon logout
        response = HttpResponseRedirect(reverse('home'))
        response.delete_cookie('session_key')

        return response


#
# User profiles
#

@method_decorator(login_required, name='dispatch')
class ProfileView(View):
    template_name = 'users/profile.html'

    def get(self, request):

        return render(request, self.template_name, {
            'active_tab': 'profile',
        })


@method_decorator(login_required, name='dispatch')
class ChangePasswordView(View):
    template_name = 'users/change_password.html'

    def get(self, request):
        form = PasswordChangeForm(user=request.user)

        return render(request, self.template_name, {
            'form': form,
            'active_tab': 'change_password',
        })

    def post(self, request):
        form = PasswordChangeForm(user=request.user, data=request.POST)
        if form.is_valid():
            form.save()
            update_session_auth_hash(request, form.user)
            messages.success(request, "Your password has been changed successfully.")
            return redirect('user:profile')

        return render(request, self.template_name, {
            'form': form,
            'active_tab': 'change_password',
        })


@method_decorator(login_required, name='dispatch')
class UserKeyView(View):
    template_name = 'users/userkey.html'

    def get(self, request):
        try:
            userkey = UserKey.objects.get(user=request.user)
        except UserKey.DoesNotExist:
            userkey = None

        return render(request, self.template_name, {
            'userkey': userkey,
            'active_tab': 'userkey',
        })


class UserKeyEditView(View):
    template_name = 'users/userkey_edit.html'

    @method_decorator(login_required)
    def dispatch(self, request, *args, **kwargs):
        try:
            self.userkey = UserKey.objects.get(user=request.user)
        except UserKey.DoesNotExist:
            self.userkey = UserKey(user=request.user)

        return super().dispatch(request, *args, **kwargs)

    def get(self, request):
        form = UserKeyForm(instance=self.userkey)

        return render(request, self.template_name, {
            'userkey': self.userkey,
            'form': form,
            'active_tab': 'userkey',
        })

    def post(self, request):
        form = UserKeyForm(data=request.POST, instance=self.userkey)
        if form.is_valid():
            uk = form.save(commit=False)
            uk.user = request.user
            uk.save()
            messages.success(request, "Your user key has been saved.")
            return redirect('user:userkey')

        return render(request, self.template_name, {
            'userkey': self.userkey,
            'form': form,
            'active_tab': 'userkey',
        })


@method_decorator(login_required, name='dispatch')
class SessionKeyDeleteView(LoginRequiredMixin, View):

    def get(self, request):

        sessionkey = get_object_or_404(SessionKey, userkey__user=request.user)
        form = ConfirmationForm()

        return render(request, 'users/sessionkey_delete.html', {
            'obj_type': sessionkey._meta.verbose_name,
            'form': form,
            'return_url': reverse('user:userkey'),
        })

    def post(self, request):

        sessionkey = get_object_or_404(SessionKey, userkey__user=request.user)
        form = ConfirmationForm(request.POST)
        if form.is_valid():

            # Delete session key
            sessionkey.delete()
            messages.success(request, "Session key deleted")

            # Delete cookie
            response = redirect('user:userkey')
            response.delete_cookie('session_key')

            return response

        return render(request, 'users/sessionkey_delete.html', {
            'obj_type': sessionkey._meta.verbose_name,
            'form': form,
            'return_url': reverse('user:userkey'),
        })


#
# API tokens
#

class TokenListView(LoginRequiredMixin, View):

    def get(self, request):

        tokens = Token.objects.filter(user=request.user)

        return render(request, 'users/api_tokens.html', {
            'tokens': tokens,
            'active_tab': 'api_tokens',
        })


class TokenEditView(LoginRequiredMixin, View):

    def get(self, request, pk=None):

        if pk is not None:
            if not request.user.has_perm('users.change_token'):
                return HttpResponseForbidden()
            token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)
        else:
            if not request.user.has_perm('users.add_token'):
                return HttpResponseForbidden()
            token = Token(user=request.user)

        form = TokenForm(instance=token)

        return render(request, 'utilities/obj_edit.html', {
            'obj': token,
            'obj_type': token._meta.verbose_name,
            'form': form,
            'return_url': reverse('user:token_list'),
        })

    def post(self, request, pk=None):

        if pk is not None:
            token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)
            form = TokenForm(request.POST, instance=token)
        else:
            token = Token()
            form = TokenForm(request.POST)

        if form.is_valid():
            token = form.save(commit=False)
            token.user = request.user
            token.save()

            msg = "Modified token {}".format(token) if pk else "Created token {}".format(token)
            messages.success(request, msg)

            if '_addanother' in request.POST:
                return redirect(request.path)
            else:
                return redirect('user:token_list')

        return render(request, 'utilities/obj_edit.html', {
            'obj': token,
            'obj_type': token._meta.verbose_name,
            'form': form,
            'return_url': reverse('user:token_list'),
        })


class TokenDeleteView(PermissionRequiredMixin, View):
    permission_required = 'users.delete_token'

    def get(self, request, pk):

        token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)
        initial_data = {
            'return_url': reverse('user:token_list'),
        }
        form = ConfirmationForm(initial=initial_data)

        return render(request, 'utilities/obj_delete.html', {
            'obj': token,
            'obj_type': token._meta.verbose_name,
            'form': form,
            'return_url': reverse('user:token_list'),
        })

    def post(self, request, pk):

        token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)
        form = ConfirmationForm(request.POST)
        if form.is_valid():
            token.delete()
            messages.success(request, "Token deleted")
            return redirect('user:token_list')

        return render(request, 'utilities/obj_delete.html', {
            'obj': token,
            'obj_type': token._meta.verbose_name,
            'form': form,
            'return_url': reverse('user:token_list'),
        })
Initial push to public repo 2016-03-01 11:23:03 -05:00			`from django.contrib import messages`
			`from django.contrib.auth import login as auth_login, logout as auth_logout, update_session_auth_hash`
			`from django.contrib.auth.decorators import login_required`
Closes #2479: Add user permissions for creating/modifying API tokens 2018-10-05 11:06:59 -04:00			`from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin`
			`from django.http import HttpResponseForbidden, HttpResponseRedirect`
Finished user control panel for tokens 2017-03-08 11:34:47 -05:00			`from django.shortcuts import get_object_or_404, redirect, render`
Resolved RemovedInDjango20Warning deprecation warnings 2017-04-05 14:40:25 -04:00			`from django.urls import reverse`
Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`from django.utils.decorators import method_decorator`
Initial push to public repo 2016-03-01 11:23:03 -05:00			`from django.utils.http import is_safe_url`
Fixes #2880: Sanitize user password if an exception is raised during login 2019-02-13 11:34:16 -05:00			`from django.views.decorators.debug import sensitive_post_parameters`
Initial work on user control panel for tokens 2017-03-07 23:30:53 -05:00			`from django.views.generic import View`
Initial push to public repo 2016-03-01 11:23:03 -05:00
			`from secrets.forms import UserKeyForm`
Allow user to delete session key 2017-03-14 14:01:06 -04:00			`from secrets.models import SessionKey, UserKey`
Finished user control panel for tokens 2017-03-08 11:34:47 -05:00			`from utilities.forms import ConfirmationForm`
			`from .forms import LoginForm, PasswordChangeForm, TokenForm`
Initial work on user control panel for tokens 2017-03-07 23:30:53 -05:00			`from .models import Token`
Initial push to public repo 2016-03-01 11:23:03 -05:00

			`#`
			`# Login/logout`
			`#`

Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`class LoginView(View):`
			`template_name = 'login.html'`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Fixes #2880: Sanitize user password if an exception is raised during login 2019-02-13 11:34:16 -05:00			`@method_decorator(sensitive_post_parameters('password'))`
			`def dispatch(self, args, *kwargs):`
			`return super().dispatch(args, *kwargs)`

Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`def get(self, request):`
			`form = LoginForm(request)`

			`return render(request, self.template_name, {`
			`'form': form,`
			`})`

			`def post(self, request):`
Initial push to public repo 2016-03-01 11:23:03 -05:00			`form = LoginForm(request, data=request.POST)`
			`if form.is_valid():`

			`# Determine where to direct user after successful login`
			`redirect_to = request.POST.get('next', '')`
Update django is_safe_url calls to new API (#2546) 2018-11-05 15:52:00 +02:00			`if not is_safe_url(url=redirect_to, allowed_hosts=request.get_host()):`
Fixes #615: Account for BASE_PATH in static URLs and during login 2016-10-13 16:27:09 -04:00			`redirect_to = reverse('home')`
Initial push to public repo 2016-03-01 11:23:03 -05:00
			`# Authenticate user`
			`auth_login(request, form.get_user())`
Import unicode_literals 2017-05-24 11:33:11 -04:00			`messages.info(request, "Logged in as {}.".format(request.user))`
Initial push to public repo 2016-03-01 11:23:03 -05:00
			`return HttpResponseRedirect(redirect_to)`

Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`return render(request, self.template_name, {`
			`'form': form,`
			`})`
Initial push to public repo 2016-03-01 11:23:03 -05:00

Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`class LogoutView(View):`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`def get(self, request):`
Fixes #1740: Delete session_key cookie on logout 2017-12-05 14:19:24 -05:00
			`# Log out the user`
Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`auth_logout(request)`
Import unicode_literals 2017-05-24 11:33:11 -04:00			`messages.info(request, "You have logged out.")`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Fixes #1740: Delete session_key cookie on logout 2017-12-05 14:19:24 -05:00			`# Delete session key cookie (if set) upon logout`
			`response = HttpResponseRedirect(reverse('home'))`
			`response.delete_cookie('session_key')`

			`return response`
Initial push to public repo 2016-03-01 11:23:03 -05:00

			`#`
			`# User profiles`
			`#`

Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`@method_decorator(login_required, name='dispatch')`
			`class ProfileView(View):`
			`template_name = 'users/profile.html'`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`def get(self, request):`

			`return render(request, self.template_name, {`
			`'active_tab': 'profile',`
			`})`
Initial push to public repo 2016-03-01 11:23:03 -05:00

Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`@method_decorator(login_required, name='dispatch')`
			`class ChangePasswordView(View):`
			`template_name = 'users/change_password.html'`

			`def get(self, request):`
			`form = PasswordChangeForm(user=request.user)`

			`return render(request, self.template_name, {`
			`'form': form,`
			`'active_tab': 'change_password',`
			`})`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`def post(self, request):`
Initial push to public repo 2016-03-01 11:23:03 -05:00			`form = PasswordChangeForm(user=request.user, data=request.POST)`
			`if form.is_valid():`
			`form.save()`
			`update_session_auth_hash(request, form.user)`
Import unicode_literals 2017-05-24 11:33:11 -04:00			`messages.success(request, "Your password has been changed successfully.")`
Renamed user URL namespace 2017-03-14 12:36:44 -04:00			`return redirect('user:profile')`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`return render(request, self.template_name, {`
			`'form': form,`
			`'active_tab': 'change_password',`
			`})`
Initial push to public repo 2016-03-01 11:23:03 -05:00

Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`@method_decorator(login_required, name='dispatch')`
			`class UserKeyView(View):`
			`template_name = 'users/userkey.html'`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`def get(self, request):`
			`try:`
			`userkey = UserKey.objects.get(user=request.user)`
			`except UserKey.DoesNotExist:`
			`userkey = None`

			`return render(request, self.template_name, {`
			`'userkey': userkey,`
			`'active_tab': 'userkey',`
			`})`
Initial push to public repo 2016-03-01 11:23:03 -05:00

Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`class UserKeyEditView(View):`
			`template_name = 'users/userkey_edit.html'`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`@method_decorator(login_required)`
			`def dispatch(self, request, args, *kwargs):`
			`try:`
			`self.userkey = UserKey.objects.get(user=request.user)`
			`except UserKey.DoesNotExist:`
			`self.userkey = UserKey(user=request.user)`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Closes #2614: Simplify calls of super() for Python 3 2018-11-27 10:52:24 -05:00			`return super().dispatch(request, args, *kwargs)`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`def get(self, request):`
			`form = UserKeyForm(instance=self.userkey)`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`return render(request, self.template_name, {`
			`'userkey': self.userkey,`
			`'form': form,`
			`'active_tab': 'userkey',`
			`})`

			`def post(self, request):`
			`form = UserKeyForm(data=request.POST, instance=self.userkey)`
Initial push to public repo 2016-03-01 11:23:03 -05:00			`if form.is_valid():`
			`uk = form.save(commit=False)`
			`uk.user = request.user`
			`uk.save()`
Import unicode_literals 2017-05-24 11:33:11 -04:00			`messages.success(request, "Your user key has been saved.")`
Renamed user URL namespace 2017-03-14 12:36:44 -04:00			`return redirect('user:userkey')`
Initial push to public repo 2016-03-01 11:23:03 -05:00
Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`return render(request, self.template_name, {`
			`'userkey': self.userkey,`
			`'form': form,`
			`'active_tab': 'userkey',`
			`})`
Improved UserAction display 2016-05-24 09:45:40 -04:00

Converted all user views to CBVs 2017-05-19 15:47:19 -04:00			`@method_decorator(login_required, name='dispatch')`
Allow user to delete session key 2017-03-14 14:01:06 -04:00			`class SessionKeyDeleteView(LoginRequiredMixin, View):`

			`def get(self, request):`

			`sessionkey = get_object_or_404(SessionKey, userkey__user=request.user)`
			`form = ConfirmationForm()`

			`return render(request, 'users/sessionkey_delete.html', {`
			`'obj_type': sessionkey._meta.verbose_name,`
			`'form': form,`
			`'return_url': reverse('user:userkey'),`
			`})`

			`def post(self, request):`

			`sessionkey = get_object_or_404(SessionKey, userkey__user=request.user)`
			`form = ConfirmationForm(request.POST)`
			`if form.is_valid():`

			`# Delete session key`
			`sessionkey.delete()`
			`messages.success(request, "Session key deleted")`

			`# Delete cookie`
			`response = redirect('user:userkey')`
Finished work on secrets views; removed path from cookie assignment 2017-03-21 15:30:36 -04:00			`response.delete_cookie('session_key')`
Allow user to delete session key 2017-03-14 14:01:06 -04:00
			`return response`

			`return render(request, 'users/sessionkey_delete.html', {`
			`'obj_type': sessionkey._meta.verbose_name,`
			`'form': form,`
			`'return_url': reverse('user:userkey'),`
			`})`


Initial work on user control panel for tokens 2017-03-07 23:30:53 -05:00			`#`
			`# API tokens`
			`#`

Finished user control panel for tokens 2017-03-08 11:34:47 -05:00			`class TokenListView(LoginRequiredMixin, View):`
Initial work on user control panel for tokens 2017-03-07 23:30:53 -05:00
			`def get(self, request):`

			`tokens = Token.objects.filter(user=request.user)`

			`return render(request, 'users/api_tokens.html', {`
			`'tokens': tokens,`
			`'active_tab': 'api_tokens',`
			`})`
Finished user control panel for tokens 2017-03-08 11:34:47 -05:00

			`class TokenEditView(LoginRequiredMixin, View):`

			`def get(self, request, pk=None):`

			`if pk is not None:`
Closes #2479: Add user permissions for creating/modifying API tokens 2018-10-05 11:06:59 -04:00			`if not request.user.has_perm('users.change_token'):`
			`return HttpResponseForbidden()`
Finished user control panel for tokens 2017-03-08 11:34:47 -05:00			`token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)`
			`else:`
Closes #2479: Add user permissions for creating/modifying API tokens 2018-10-05 11:06:59 -04:00			`if not request.user.has_perm('users.add_token'):`
			`return HttpResponseForbidden()`
Finished user control panel for tokens 2017-03-08 11:34:47 -05:00			`token = Token(user=request.user)`

			`form = TokenForm(instance=token)`

			`return render(request, 'utilities/obj_edit.html', {`
			`'obj': token,`
			`'obj_type': token._meta.verbose_name,`
			`'form': form,`
Updated user URLs 2017-03-14 12:59:10 -04:00			`'return_url': reverse('user:token_list'),`
Finished user control panel for tokens 2017-03-08 11:34:47 -05:00			`})`

			`def post(self, request, pk=None):`

			`if pk is not None:`
			`token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)`
			`form = TokenForm(request.POST, instance=token)`
			`else:`
Fixes #1362: Raise validation error when attempting to create an API key that's too short 2017-07-19 11:03:13 -04:00			`token = Token()`
Finished user control panel for tokens 2017-03-08 11:34:47 -05:00			`form = TokenForm(request.POST)`

			`if form.is_valid():`
			`token = form.save(commit=False)`
			`token.user = request.user`
			`token.save()`

Fixes #1161: Fix "add another" behavior when creating an API token 2017-05-10 22:22:49 -04:00			`msg = "Modified token {}".format(token) if pk else "Created token {}".format(token)`
Finished user control panel for tokens 2017-03-08 11:34:47 -05:00			`messages.success(request, msg)`

Fixes #1161: Fix "add another" behavior when creating an API token 2017-05-10 22:22:49 -04:00			`if '_addanother' in request.POST:`
			`return redirect(request.path)`
			`else:`
			`return redirect('user:token_list')`
Finished user control panel for tokens 2017-03-08 11:34:47 -05:00
Fixes #1362: Raise validation error when attempting to create an API key that's too short 2017-07-19 11:03:13 -04:00			`return render(request, 'utilities/obj_edit.html', {`
			`'obj': token,`
			`'obj_type': token._meta.verbose_name,`
			`'form': form,`
			`'return_url': reverse('user:token_list'),`
			`})`

Finished user control panel for tokens 2017-03-08 11:34:47 -05:00
Closes #2479: Add user permissions for creating/modifying API tokens 2018-10-05 11:06:59 -04:00			`class TokenDeleteView(PermissionRequiredMixin, View):`
			`permission_required = 'users.delete_token'`
Finished user control panel for tokens 2017-03-08 11:34:47 -05:00
			`def get(self, request, pk):`

			`token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)`
			`initial_data = {`
Updated user URLs 2017-03-14 12:59:10 -04:00			`'return_url': reverse('user:token_list'),`
Finished user control panel for tokens 2017-03-08 11:34:47 -05:00			`}`
			`form = ConfirmationForm(initial=initial_data)`

			`return render(request, 'utilities/obj_delete.html', {`
			`'obj': token,`
			`'obj_type': token._meta.verbose_name,`
			`'form': form,`
Updated user URLs 2017-03-14 12:59:10 -04:00			`'return_url': reverse('user:token_list'),`
Finished user control panel for tokens 2017-03-08 11:34:47 -05:00			`})`

			`def post(self, request, pk):`

			`token = get_object_or_404(Token.objects.filter(user=request.user), pk=pk)`
			`form = ConfirmationForm(request.POST)`
			`if form.is_valid():`
			`token.delete()`
			`messages.success(request, "Token deleted")`
Updated user URLs 2017-03-14 12:59:10 -04:00			`return redirect('user:token_list')`
Finished user control panel for tokens 2017-03-08 11:34:47 -05:00
			`return render(request, 'utilities/obj_delete.html', {`
			`'obj': token,`
			`'obj_type': token._meta.verbose_name,`
			`'form': form,`
Updated user URLs 2017-03-14 12:59:10 -04:00			`'return_url': reverse('user:token_list'),`
Finished user control panel for tokens 2017-03-08 11:34:47 -05:00			`})`