from django.core.exceptions import PermissionDenied
from django.core.urlresolvers import reverse, NoReverseMatch
-# this block of stuff is needed for UserAdmin
-from django.db import transaction
-from django.utils.decorators import method_decorator
-from django.views.decorators.csrf import csrf_protect
-from django.views.decorators.debug import sensitive_post_parameters
-csrf_protect_m = method_decorator(csrf_protect)
-sensitive_post_parameters_m = method_decorator(sensitive_post_parameters())
-
import django_evolution
def backend_icon(obj): # backend_status, enacted, updated):
value = ''
return mark_safe(str(value) + super(PlainTextWidget, self).render(name, value, attrs))
-class PermissionCheckingAdmin(admin.ModelAdmin):
+class PermissionCheckingAdminMixin(object):
# call save_by_user and delete_by_user instead of save and delete
def has_add_permission(self, request, obj=None):
formset.save_m2m()
def get_actions(self,request):
- actions = super(PermissionCheckingAdmin,self).get_actions(request)
+ actions = super(PermissionCheckingAdminMixin,self).get_actions(request)
if self.__user_is_readonly(request):
if 'delete_selected' in actions:
self.inlines = self.inlines_save
try:
- return super(PermissionCheckingAdmin, self).change_view(request, object_id, extra_context=extra_context)
+ return super(PermissionCheckingAdminMixin, self).change_view(request, object_id, extra_context=extra_context)
except PermissionDenied:
pass
if request.method == 'POST':
raise PermissionDenied
request.readonly = True
- return super(PermissionCheckingAdmin, self).change_view(request, object_id, extra_context=extra_context)
+ return super(PermissionCheckingAdminMixin, self).change_view(request, object_id, extra_context=extra_context)
def __user_is_readonly(self, request):
return request.user.isReadOnlyUser()
return mark_safe(backend_icon(obj))
backend_status_icon.short_description = ""
-class ReadOnlyAwareAdmin(PermissionCheckingAdmin):
+class ReadOnlyAwareAdmin(PermissionCheckingAdminMixin, admin.ModelAdmin):
+ # Note: Make sure PermissionCheckingAdminMixin is listed before
+ # admin.ModelAdmin in the class declaration.
+
pass
class PlanetStackBaseAdmin(ReadOnlyAwareAdmin):
suit_classes = 'suit-tab suit-tab-dashboards'
fields = ['user', 'dashboardView', 'order']
-class UserAdmin(PlanetStackBaseAdmin):
+class UserAdmin(PermissionCheckingAdminMixin, UserAdmin):
+ # Note: Make sure PermissionCheckingAdminMixin is listed before
+ # admin.ModelAdmin in the class declaration.
+
class Meta:
app_label = "core"
- add_form_template = 'admin/auth/user/add_form.html'
- change_user_password_template = None
-
# The forms to add and change user instances
form = UserChangeForm
add_form = UserCreationForm
- change_password_form = AdminPasswordChangeForm
# The fields to be used in displaying the User model.
# These override the definitions on the base UserAdmin
def queryset(self, request):
return User.select_by_user(request.user)
- # ------------------------------------------------------------------------
- # stuff copied from ModelAdmin.UserAdmin
- # ------------------------------------------------------------------------
- def get_fieldsets(self, request, obj=None):
- if not obj:\r
- return self.add_fieldsets\r
- return super(UserAdmin, self).get_fieldsets(request, obj)
-
- def get_form(self, request, obj=None, **kwargs):
- """\r
- Use special form during user creation\r
- """\r
- defaults = {}\r
- if obj is None:\r
- defaults['form'] = self.add_form\r
- defaults.update(kwargs)\r
- return super(UserAdmin, self).get_form(request, obj, **defaults)\r
-\r
- def get_urls(self):\r
- from django.conf.urls import patterns\r
- return patterns('',\r
- (r'^(\d+)/password/$',\r
- self.admin_site.admin_view(self.user_change_password))\r
- ) + super(UserAdmin, self).get_urls()\r
-\r
- def lookup_allowed(self, lookup, value):\r
- # See #20078: we don't want to allow any lookups involving passwords.\r
- if lookup.startswith('password'):\r
- return False\r
- return super(UserAdmin, self).lookup_allowed(lookup, value)\r
-\r
- @sensitive_post_parameters_m\r
- @csrf_protect_m\r
- @transaction.atomic\r
- def add_view(self, request, form_url='', extra_context=None):\r
- # It's an error for a user to have add permission but NOT change\r
- # permission for users. If we allowed such users to add users, they\r
- # could create superusers, which would mean they would essentially have\r
- # the permission to change users. To avoid the problem entirely, we\r
- # disallow users from adding users if they don't have change\r
- # permission.\r
- if not self.has_change_permission(request):\r
- if self.has_add_permission(request) and settings.DEBUG:\r
- # Raise Http404 in debug mode so that the user gets a helpful\r
- # error message.\r
- raise Http404(\r
- 'Your user does not have the "Change user" permission. In '\r
- 'order to add users, Django requires that your user '\r
- 'account have both the "Add user" and "Change user" '\r
- 'permissions set.')\r
- raise PermissionDenied\r
- if extra_context is None:\r
- extra_context = {}\r
- username_field = self.model._meta.get_field(self.model.USERNAME_FIELD)\r
- defaults = {\r
- 'auto_populated_fields': (),\r
- 'username_help_text': username_field.help_text,\r
- }\r
- extra_context.update(defaults)\r
- return super(UserAdmin, self).add_view(request, form_url,\r
- extra_context)\r
-\r
- @sensitive_post_parameters_m\r
- def user_change_password(self, request, id, form_url=''):\r
- if not self.has_change_permission(request):\r
- raise PermissionDenied\r
- user = get_object_or_404(self.get_queryset(request), pk=id)\r
- if request.method == 'POST':\r
- form = self.change_password_form(user, request.POST)\r
- if form.is_valid():\r
- form.save()\r
- change_message = self.construct_change_message(request, form, None)\r
- self.log_change(request, user, change_message)\r
- msg = ugettext('Password changed successfully.')\r
- messages.success(request, msg)\r
- update_session_auth_hash(request, form.user)\r
- return HttpResponseRedirect('..')\r
- else:\r
- form = self.change_password_form(user)\r
-\r
- fieldsets = [(None, {'fields': list(form.base_fields)})]\r
- adminForm = admin.helpers.AdminForm(form, fieldsets, {})\r
-\r
- context = {\r
- 'title': _('Change password: %s') % escape(user.get_username()),\r
- 'adminForm': adminForm,\r
- 'form_url': form_url,\r
- 'form': form,\r
- 'is_popup': (IS_POPUP_VAR in request.POST or\r
- IS_POPUP_VAR in request.GET),\r
- 'add': True,\r
- 'change': False,\r
- 'has_delete_permission': False,\r
- 'has_change_permission': True,\r
- 'has_absolute_url': False,\r
- 'opts': self.model._meta,\r
- 'original': user,\r
- 'save_as': False,\r
- 'show_save': True,\r
- }\r
- context.update(admin.site.each_context())\r
- return TemplateResponse(request,\r
- self.change_user_password_template or\r
- 'admin/auth/user/change_password.html',\r
- context, current_app=self.admin_site.name)\r
-\r
- def response_add(self, request, obj, post_url_continue=None):\r
- """\r
- Determines the HttpResponse for the add_view stage. It mostly defers to\r
- its superclass implementation but is customized because the User model\r
- has a slightly different workflow.\r
- """\r
- # We should allow further modification of the user just added i.e. the\r
- # 'Save' button should behave like the 'Save and continue editing'\r
- # button except in two scenarios:\r
- # * The user has pressed the 'Save and add another' button\r
- # * We are adding a user in a popup\r
- if '_addanother' not in request.POST and IS_POPUP_VAR not in request.POST:\r
- request.POST['_continue'] = 1\r
- return super(UserAdmin, self).response_add(request, obj,\r
- post_url_continue)
-
- # ------------------------------------------------------------------------
- # end stuff copied from ModelAdmin.UserAdmin
- # ------------------------------------------------------------------------
-
-
class DashboardViewAdmin(PlanetStackBaseAdmin):
fieldsets = [('Dashboard View Details',
{'fields': ['backend_status_text', 'name', 'url'],