def __init__(self, created_by, *args, **kwargs):
self.created_by = created_by
super(UserCreationForm, self).__init__(*args, **kwargs)
self.fields.pop('password1')
self.fields.pop('password2')
CommonHelpers.help_text_on_hover(self.fields)
def form_valid(self, form):
user = form.save()
logger.info("Password Reset Done for %s", str(user.username))
CommonHelpers.send_confirmation_mail(user)
return super().form_valid(form)
def create_user(self,
username,
email,
password,
user_type,
first_name='',
last_name='',
phone_number=None,
date_of_birth=None,
validate=True,
is_active=False,
send_password_mail=True,
send_otp_mail=False,
created_by=None):
if not email or not username:
raise ValueError('Users must have an email and a username')
if password is None:
password = self.make_random_password()
validate = False
username = username.lower()
user = self.model(
first_name=first_name,
last_name=last_name,
email=self.normalize_email(email),
username=username,
phone_number=phone_number,
date_of_birth=date_of_birth,
user_type=user_type,
assigned_to=created_by,
)
if validate:
validate_password(password)
user.set_password(password)
# Activate User on email confirmation, bypass for superuser
user.is_active = is_active
user.save(using=self.db)
TOTPDevice.objects.create(name='Phone', user=user, confirmed=False)
if not user.is_internal_user():
account = Account.objects.create(user=user)
Card.objects.create(account=account)
if send_password_mail:
CommonHelpers.send_password_mail(user)
if send_otp_mail:
CommonHelpers.send_confirmation_mail(user)
return user
def clean_user_type(self):
user_type = self.cleaned_data['user_type']
if CommonHelpers.is_int_equal(user_type, MyUser.ADMIN):
self.created_by = None
elif CommonHelpers.is_int_equal(user_type, MyUser.EMPLOYEE):
managers = MyUser.objects.filter(assigned_to=self.created_by,
user_type=MyUser.MANAGER)
if managers:
index = random.randint(0, len(managers) - 1)
manager = managers[index]
self.created_by = manager
else:
raise ValidationError('Managers do not exist')
elif CommonHelpers.is_int_equal(
user_type,
MyUser.INDIVIDUAL_USER) or CommonHelpers.is_int_equal(
user_type, MyUser.MERCHANT):
managers = MyUser.objects.filter(assigned_to=self.created_by,
user_type=MyUser.MANAGER)
temp_managers = []
for manager in managers:
employees = MyUser.objects.filter(
assigned_to=manager, user_type=MyUser.EMPLOYEE).count()
if employees > 0:
temp_managers += [manager]
managers = temp_managers
if managers:
index = random.randint(0, len(managers) - 1)
manager = managers[index]
employees = MyUser.objects.filter(assigned_to=manager,
user_type=MyUser.EMPLOYEE)
if employees:
index = random.randint(0, len(employees) - 1)
employee = employees[index]
self.created_by = employee
else:
raise ValidationError('Employees do not exist')
else:
raise ValidationError('Managers do not exist')
return user_type
def get(self, request, user_id):
user = request.user
if CommonHelpers.is_int_equal(user_id, user.id) or user.is_admin():
if not AccountHelpers.is_user_having_account(user_id):
return render(request, 'error.html', {
'err': 'User has no accounts',
})
links = AccountHelpers.get_user_accounts(user_id)
return render(request, 'list_template.html', {
'title': 'User Accounts',
'links': links,
})
elif user.is_employee() or user.is_manager():
if not AccountHelpers.is_user_having_account(user_id):
return render(request, 'error.html', {
'err': 'User has no accounts',
})
links = AccountHelpers.get_user_assigned_accounts(user_id, user)
return render(request, 'list_template.html', {
'title': 'User Accounts',
'links': links,
})
else:
return render(request, 'error.html', {
'err': 'You do not have permissions to view this.',
})
def post(self, request):
user = request.user
target_user = MyUser.objects.filter(id=user.id, user_type=MyUser.MERCHANT, is_active=True).exclude(username=MyUser.ANON).first()
if not target_user:
return render(request, "error.html", {
'err': "You cannot add client accounts"
})
form = PaymentAccountsForm(request.POST)
if form.is_valid():
acc_number = form.cleaned_data['account_number']
account = get_account_from_number(acc_number)
if check_same_user_account(target_user.id, acc_number):
return render(request, 'error.html', {
'err': 'Please don\'t enter your own accounts.',
})
if check_duplicate(target_user.id, acc_number):
return render(request, 'error.html', {
'err': 'Account exists in your list',
})
form = CreateRequestForm(data={
'request_type': UserRequest.CREATE,
'model_type': UserRequest.ACCOUNT,
})
if form.is_valid():
user_request = form.save(commit=False)
user_request.from_user = target_user
user_request.to_user = account.user
user_request.account_obj = account
if CommonHelpers.is_request_duplicate(user_request):
messages.warning(request, 'Request Already Sent')
return HttpResponseRedirect(reverse('app:HomeView'))
user_request.save()
messages.success(request, 'Request Sent To %s' % user_request.to_user)
logger.info("Request for new adding client account %s sent by %s", str(account.user.username), str(target_user.username))
return HttpResponseRedirect(reverse('app:HomeView'))
else:
return render(request, "error.html", {
'err': "Request could not be sent"
})
return render(request, 'form_template.html', {
'title': 'User Accounts',
'form': form,
})
def post(self, request, user_id):
user = request.user
if CommonHelpers.is_int_equal(user.id,
user_id) and not user.is_internal_user():
form = CreateRequestForm(
data={
'request_type': UserRequest.CREATE,
'model_type': UserRequest.ACCOUNT,
})
if form.is_valid():
user_request = form.save(commit=False)
user_request.from_user = user
user_request.to_user = user.assigned_to
if CommonHelpers.is_request_duplicate(user_request):
messages.warning(request, 'Request Already Sent')
return HttpResponseRedirect(reverse('app:HomeView'))
user_request.save()
messages.success(request,
'Request Sent To %s' % user_request.to_user)
logger.info("Request for new account sent by %s",
str(user.username))
return HttpResponseRedirect(reverse('app:HomeView'))
return render(request, 'form_template.html', {
'title': 'Add Account',
'form': form,
'readonly': True,
})
else:
return render(request, 'error.html', {
'err': 'You do not have permissions to view this',
})
def post(self, request):
user = request.user
if user.is_admin():
form = SignUpForms.PasswordResetRequestForm(request.POST)
if form.is_valid():
target_user = form.cleaned_data['user']
with db_transaction.atomic():
target_user = MyUser.objects.filter(id=target_user.id).select_for_update().first()
if target_user:
target_user.is_active = False
target_user.save()
TOTPDevice.objects.filter(user=target_user).delete()
TOTPDevice.objects.create(name='Phone', user=target_user, confirmed=False)
else:
return render(request, 'error.html', {
'err': 'Action could not be completed',
})
CommonHelpers.send_password_mail(target_user)
messages.success(request, 'Request Initiated')
logger.info("Password Reset Initiated for %s by admin %s", str(target_user.username), str(request.user.username))
return HttpResponseRedirect(reverse('app:HomeView'))
return render(request, 'form_template.html', {
'title': 'Reset User',
'form': form,
})
else:
return render(request, 'error.html', {
'err': 'You do not have permission for this',
})
def post(self, request, user_id):
user = request.user
target_user = MyUser.objects.filter(
id=user_id, is_active=True).exclude(username=MyUser.ANON).exclude(
user_type=MyUser.ADMIN).first()
if not target_user:
return render(request, 'error.html', {
'err': 'You do not have permissions to view this',
})
if user.is_internal_user() and not user.is_admin():
send_request_to = user.assigned_to
form = RequestForm(
data={
'to_user': send_request_to.id,
'request_type': UserRequest.READ,
'model_type': UserRequest.USER,
'for_url': request.build_absolute_uri(),
})
if form.is_valid():
user_request = form.save(commit=False)
user_request.from_user = user
user_request.user_obj = target_user
if CommonHelpers.is_request_duplicate(user_request):
messages.warning(request, 'Request Already Sent')
return HttpResponseRedirect(reverse('app:HomeView'))
user_request.save()
messages.success(request,
'Request Sent To %s' % user_request.to_user)
logger.info("User Profile View Request sent by %s for %s",
str(user.username), str(target_user.username))
return HttpResponseRedirect(reverse('app:HomeView'))
return render(request, 'form_template.html', {
'title': 'Request For Access',
'form': form,
'readonly': True,
})
else:
return render(request, 'error.html', {
'err': 'You do not have permissions for this',
})
def get(self, request):
user = request.user
if user.is_admin():
links = CommonHelpers.get_pii_link()
return render(request, 'list_template.html', {
'title': 'All Users with PII',
'links': links,
})
else:
return render(request, 'error.html', {
'err': 'You do not have permissions to view this',
})
def get(self, request, uidb, token):
INTERNAL_RESET_URL_TOKEN = 'set-otp'
INTERNAL_RESET_SESSION_TOKEN = '_otp_reset_token'
try:
uid = force_text(urlsafe_base64_decode(uidb))
user = MyUser.objects.get(pk=uid)
except (TypeError, ValueError, OverflowError, MyUser.DoesNotExist):
user = None
if user is not None:
if token == INTERNAL_RESET_URL_TOKEN:
session_token = self.request.session.get(INTERNAL_RESET_SESSION_TOKEN)
if otp_token_generator.check_token(user, session_token):
device = SignUpHelpers.get_otp_device(user.id)
user.is_active = True
user.save()
CommonHelpers.login_and_verify_without_otp(request, user, 'django.contrib.auth.backends.ModelBackend')
request.session['_otp_verified'] = True
return render(request, 'qrcode.html', {
'device': device,
'hide_navbar_function_buttons': True,
})
else:
if otp_token_generator.check_token(user, token):
self.request.session[INTERNAL_RESET_SESSION_TOKEN] = token
redirect_url = self.request.path.replace(token, INTERNAL_RESET_URL_TOKEN)
return HttpResponseRedirect(redirect_url)
return render(request, 'error.html', {
'err': 'Invalid Link. You Hacker.'
})
def get(self, request, user_id, account_id):
user = request.user
if CommonHelpers.is_int_equal(user_id, user.id) or user.is_admin():
account = AccountHelpers.get_account(user_id, account_id)
if account:
form = UserAccountForm(instance=account)
return render(
request, 'form_template.html', {
'title': 'Account',
'form': form,
'hide_btn': True,
'readonly': True,
})
else:
return render(request, 'error.html', {
'err': 'Account does not exist.',
})
elif user.is_employee() or user.is_manager():
account = AccountHelpers.get_assigned_account_details(
user_id, account_id, user)
if account:
form = UserAccountForm(instance=account)
return render(
request, 'form_template.html', {
'title': 'Account',
'form': form,
'hide_btn': True,
'readonly': True,
})
else:
return render(
request, 'error.html', {
'err':
'Account does not exist or You do not have permissions to access it.',
})
else:
return render(request, 'error.html', {
'err': 'You do not have permissions to view this.',
})
def get(self, request, user_id):
user = request.user
target_user = MyUser.objects.filter(
id=user_id, is_active=True).exclude(username=MyUser.ANON).exclude(
user_type=MyUser.ADMIN).first()
if not target_user:
return render(request, 'error.html', {
'err': 'You do not have permissions to view this',
})
if user.has_perm('edit_user',
target_user) or CommonHelpers.is_int_equal(
user_id, user.id) or user.is_admin():
form = EditUserProfileForm(instance=target_user, user_id=user_id)
return render(request, 'form_template.html', {
'title': 'Edit User Profile',
'form': form,
})
elif user.is_internal_user() and not target_user.is_internal_user():
send_request_to = user.assigned_to
form = RequestForm(
initial={
'to_user': send_request_to,
'request_type': UserRequest.UPDATE,
'model_type': UserRequest.USER,
'for_url': request.build_absolute_uri(),
})
return render(request, 'form_template.html', {
'title': 'Request For Access',
'form': form,
'readonly': True,
})
else:
return render(request, 'error.html', {
'err': 'You do not have permissions to view this',
})
def get(self, request, user_id):
user = request.user
if CommonHelpers.is_int_equal(user.id,
user_id) and not user.is_internal_user():
form = CreateRequestForm(
initial={
'request_type': UserRequest.CREATE,
'model_type': UserRequest.ACCOUNT,
})
return render(request, 'form_template.html', {
'title': 'Add Account',
'form': form,
'readonly': True,
})
else:
return render(request, 'error.html', {
'err': 'You do not have permissions to view this',
})
def get(self, request):
user = request.user
links = []
balance = None
if user.is_admin():
template = 'dashboard.html'
title = 'Admin'
links = CommonHelpers.get_admin_links()
elif user.is_manager():
template = 'dashboard.html'
title = 'Manager'
links = CommonHelpers.get_manager_links()
elif user.is_employee():
template = 'dashboard.html'
title = 'Employee'
links = CommonHelpers.get_employee_links()
elif user.is_merchant():
template = 'dashboard.html'
title = 'Merchant'
links = CommonHelpers.get_merchant_links(user.id)
balance = CommonHelpers.get_user_total_balance(user.id)
elif user.is_individual_user():
template = 'dashboard.html'
title = 'Individual User'
links = CommonHelpers.get_individual_user_links(user.id)
balance = CommonHelpers.get_user_total_balance(user.id)
else:
template = 'error.html'
title = ''
return render(request, template, {
'title': title,
'links': links,
'balance': balance,
})
def post(self, request, transaction_id):
user = request.user
if user.is_internal_user():
transaction = Transaction.objects.filter(id=transaction_id, is_approved=False).select_for_update().first()
if 'Approve' in request.POST:
approve_transaction = True
elif 'Decline' in request.POST:
approve_transaction = False
else:
transaction = Transaction.objects.filter(id=transaction_id).first()
if transaction is None:
return render(request, 'error.html', {
'err': 'Transaction does not exist.',
})
request_admin = False
if 'Request Admin' in request.POST:
request_admin = True
send_request_to = transaction.created_by
if request_admin and not user.is_admin():
send_request_to = user.get_assigned_admin()
form = RequestForm(data={
'to_user': send_request_to.id,
'request_type': UserRequest.READ,
'model_type': UserRequest.TRANSACTION,
'for_url': request.build_absolute_uri(),
})
if form.is_valid():
user_request = form.save(commit=False)
user_request.from_user = user
user_request.transaction_obj = transaction
if CommonHelpers.is_request_duplicate(user_request):
messages.warning(request, 'Request Already Sent')
return HttpResponseRedirect(reverse('app:HomeView'))
user_request.save()
messages.success(request, 'Request Sent To %s' % user_request.to_user)
logger.info("Request to view transaction created by %s", str(user.username))
return HttpResponseRedirect(reverse('app:HomeView'))
return render(request, 'form_template.html', {
'title': 'Request For Access',
'form': form,
'readonly': True,
'extra_btn_title': 'Request Admin',
})
if transaction is None:
return render(request, 'error.html', {
'err': 'Transaction already resolved.'
})
verified_to_transact = False
if transaction.is_risky():
if transaction.created_by.get_assigned_manager() == user or user.is_admin():
verified_to_transact = True
else:
if transaction.created_by.assigned_to == user or user.is_admin():
verified_to_transact = True
elif transaction.created_by.get_assigned_manager() == user and user.has_perm('read_transaction', transaction):
remove_perm('read_transaction', user, transaction)
verified_to_transact = True
if verified_to_transact:
# PKI Verify
pki_token = request.POST.get('pki_token', None)
internal_pki_token = request.session.get(self.INTERNAL_PKI_TOKEN, None)
if pki_token is None or internal_pki_token is None:
return render(request, 'error.html', {
'err': 'PKI Verification Failed. Try to reset your PKI and try again.'
})
if PKIHelpers.verify_pki(pki_token, internal_pki_token):
print('PKI Verified')
else:
return render(request, 'error.html', {
'err': 'PKI Verification Failed. Try to reset your PKI and try again.'
})
extra_form = TransactionForms.VerifyOTPForm(request, data=request.POST)
if extra_form.is_valid():
pass
else:
messages.error(request, 'Incorrect OTP')
return HttpResponseRedirect(reverse('app:TransactionPending'))
if approve_transaction:
# Perform Transaction
if TransactionHelpers.perform_transaction(transaction):
with db_transaction.atomic():
transaction = Transaction.objects.filter(id=transaction.id, is_approved=False).select_for_update().first()
if transaction:
transaction.approve(user)
transaction.complete()
else:
return render(request, 'error.html', {
'err': 'Action could not be completed',
})
# Remove view permissions from manager when not approved by them
if transaction.created_by.get_assigned_manager().has_perm('read_transaction', transaction):
remove_perm('read_transaction', transaction.created_by.get_assigned_manager(), transaction)
CommonHelpers.send_transaction_complete_mail(transaction)
messages.success(request, 'Transaction Approved')
logger.info("Transaction %s from %s to %s for amount %s approved by %s", str(transaction.id), str(transaction.from_account), str(transaction.to_account), str(transaction.amount), str(user.username))
return HttpResponseRedirect(reverse('app:TransactionPending'))
else:
return render(request, 'error.html', {
'err': 'This transaction cannot be completed because of low balance or is already completed.',
})
else:
# Decline Transaction
if not transaction.is_approved:
if TransactionHelpers.delete_transaction(transaction):
CommonHelpers.send_transaction_declined_mail(transaction)
messages.success(request, 'Transaction Declined')
logger.info("Transaction %s declined by : %s", str(transaction.id), str(user.username))
return HttpResponseRedirect(reverse('app:TransactionPending'))
return render(request, 'error.html', {
'err': 'Transaction cannot be declined because it is already approved.',
})
return render(request, 'error.html', {
'err': 'You do not have permission for this.',
})
def post(self, request, user_request_id):
user = request.user
# Takes care of case that user == user_request.to_user
user_request = UserHelpers.get_user_request_to_user_using_id(
user_request_id, user)
if user_request:
if 'Approve' in request.POST:
approve_request = True
elif 'Decline' in request.POST:
approve_request = False
else:
return render(request, 'error.html',
{'err': 'You did something wrong, bro.'})
if user_request.is_approved:
return render(request, 'error.html', {
'err': 'Request Already Approved',
})
if approve_request:
if UserHelpers.assign_permissions(user_request):
user_request.approve(user)
CommonHelpers.send_request_approval_mail(user_request)
messages.success(request, 'Request Approved')
# Intermediate Delete Request
if user_request.request_type == UserRequest.DELETE and user_request.model_type == UserRequest.USER:
messages.success(
request, 'Request Sent To %s' %
str(user_request.to_user.get_assigned_admin()))
# Delete completed
if user_request.request_type == UserRequest.COMPLETE_DELETE and user_request.model_type == UserRequest.USER:
logger.info('User %s deleted by %s',
str(user_request.user_obj.username),
str(user_request.to_user.username))
logger.info("User request %s approved by %s ",
user_request.__str__(), str(user.username))
return HttpResponseRedirect(
reverse('app:UserRequestsReceivedView'))
return render(request, 'error.html', {
'err': 'Request could not be approved',
})
else:
if not user_request.is_approved:
UserHelpers.delete_request(user_request)
CommonHelpers.send_request_declined_mail(user_request)
messages.success(request, 'Request Declined')
logger.info("User request %s declined by %s",
user_request.__str__(), str(user.username))
return HttpResponseRedirect(
reverse('app:UserRequestsReceivedView'))
else:
return render(
request, 'error.html', {
'err':
'Request cannot be declined because it is already approved.',
})
return render(request, 'error.html', {
'err': 'Does not exist',
})
def post(self, request, user_id):
user = request.user
target_user = MyUser.objects.filter(
id=user_id, is_active=True).exclude(username=MyUser.ANON).exclude(
user_type=MyUser.ADMIN).first()
if not target_user:
return render(request, 'error.html', {
'err': 'You do not have permissions to view this',
})
if user.is_admin():
form = EditUserProfileForm(data=request.POST, user_id=user_id)
if form.is_valid():
edit_user = form.save(commit=False)
edit_user.user = target_user
edit_user.save()
UserHelpers.update_user_from_edited_version(edit_user)
messages.success(request, 'User Successfully Updated')
logger.info("User Profile Edited by %s for %s",
str(user.username), str(target_user.username))
return HttpResponseRedirect(reverse('app:HomeView'))
return render(request, 'form_template.html', {
'title': 'Edit User Profile',
'form': form,
})
elif user.has_perm('edit_user',
target_user) or CommonHelpers.is_int_equal(
user_id, user.id):
remove_perm('edit_user', user, target_user)
form = EditUserProfileForm(data=request.POST, user_id=user_id)
if form.is_valid():
edit_user = form.save(commit=False)
edit_user.user = target_user
edit_user.save()
send_request_to = user.get_assigned_admin()
form = RequestForm(
data={
'to_user': send_request_to.id,
'request_type': UserRequest.COMPLETE_UPDATE,
'model_type': UserRequest.USER,
'for_url': request.build_absolute_uri(),
})
if form.is_valid():
user_request = form.save(commit=False)
user_request.from_user = user
user_request.user_obj = target_user
if CommonHelpers.is_request_duplicate(user_request):
messages.warning(request, 'Request Already Sent')
return HttpResponseRedirect(reverse('app:HomeView'))
user_request.save()
messages.success(
request, 'Request Sent To %s' % user_request.to_user)
logger.info(
"User Profile Edit Request sent by %s for %s to %s",
str(user.username), str(target_user.username),
str(user_request.to_user))
return HttpResponseRedirect(reverse('app:HomeView'))
return render(request, 'form_template.html', {
'title': 'Edit User Profile',
'form': form,
})
elif user.is_internal_user() and not target_user.is_internal_user():
send_request_to = user.assigned_to
form = RequestForm(
data={
'to_user': send_request_to.id,
'request_type': UserRequest.UPDATE,
'model_type': UserRequest.USER,
'for_url': request.build_absolute_uri(),
})
if form.is_valid():
user_request = form.save(commit=False)
user_request.from_user = user
user_request.user_obj = target_user
if CommonHelpers.is_request_duplicate(user_request):
messages.warning(request, 'Request Already Sent')
return HttpResponseRedirect(reverse('app:HomeView'))
user_request.save()
messages.success(request,
'Request Sent To %s' % user_request.to_user)
logger.info(
"User Profile Edit Access Request sent by %s for %s to %s",
str(user.username), str(target_user.username),
str(user_request.to_user))
return HttpResponseRedirect(reverse('app:HomeView'))
return render(request, 'form_template.html', {
'title': 'Request For Access',
'form': form,
'readonly': True,
})
else:
return render(request, 'error.html', {
'err': 'You do not have permissions to view this',
})
def post(self, request):
user = request.user
if user.is_admin():
form = UserDeleteForm(request.POST)
if form.is_valid():
target_user = form.cleaned_data['user']
if UserHelpers.safely_delete_user(target_user):
messages.success(request, 'User Deleted')
logger.info('User %s deleted by %s',
str(target_user.username), str(user.username))
return HttpResponseRedirect(reverse('app:HomeView'))
else:
return render(request, 'error.html', {
'err': 'User could not be deleted',
})
return render(request, 'form_template.html', {
'title': 'Delete User',
'form': form,
})
elif not user.is_internal_user():
form = VerifyOTPForm(request, data=request.POST)
if form.is_valid():
send_request_to = user.assigned_to
form = RequestForm(
data={
'to_user': send_request_to.id,
'request_type': UserRequest.DELETE,
'model_type': UserRequest.USER,
})
if form.is_valid():
user_request = form.save(commit=False)
user_request.from_user = user
user_request.user_obj = user
if CommonHelpers.is_request_duplicate(user_request):
messages.warning(request, 'Request Already Sent')
return HttpResponseRedirect(reverse('app:HomeView'))
user_request.save()
messages.success(
request, 'Request Sent To %s' % user_request.to_user)
logger.info("User Delete Request sent by %s for %s to %s",
str(user.username), str(user.username),
str(user_request.to_user))
return HttpResponseRedirect(reverse('app:HomeView'))
else:
return render(request, 'error.html', {
'err': 'User could not be deleted',
})
else:
messages.error(request, 'Incorrect OTP')
return HttpResponseRedirect(reverse('app:HomeView'))
else:
return render(request, 'error.html', {
'err': 'You do not have permissions for this.',
})
def get(self, request, transaction_id):
user = request.user
transaction = TransactionHelpers.get_transaction(transaction_id)
if user.is_internal_user():
if transaction:
form = TransactionForms.InternalRequestForm(user=user, instance=transaction)
# Not already approved
if not transaction.is_approved:
# PKI
user_encrypted_data, server_encrypted_data = PKIHelpers.get_encrypted_token(user)
if user_encrypted_data is None or server_encrypted_data is None:
return render(request, 'error.html', {
'err': 'PKI has not been configured. Set it up to perform transactions.',
})
request.session[self.INTERNAL_PKI_TOKEN] = server_encrypted_data
use_pki = PKIHelpers.get_pki_dictionary(user_encrypted_data)
extra_form = TransactionForms.VerifyOTPForm()
if transaction.is_risky():
if transaction.created_by.get_assigned_manager() == user or user.is_admin():
return render(request, 'form_template.html', {
'title': 'Approve Transaction',
'form': form,
'readonly': True,
'btn_title': 'Approve',
'extra_btn_title': 'Decline',
'use_pki': use_pki,
'extra_form': extra_form,
'extra_form_virtual_keyboard': True,
'extra_form_readonly': False,
})
elif transaction.created_by.assigned_to == user or user.is_admin():
return render(request, 'form_template.html', {
'title': 'Approve Transaction',
'form': form,
'readonly': True,
'btn_title': 'Approve',
'extra_btn_title': 'Decline',
'use_pki': use_pki,
'extra_form': extra_form,
'extra_form_virtual_keyboard': True,
'extra_form_readonly': False,
})
elif transaction.created_by.get_assigned_manager() == user and user.has_perm('read_transaction', transaction):
return render(request, 'form_template.html', {
'title': 'Approve Transaction',
'form': form,
'readonly': True,
'btn_title': 'Approve',
'extra_btn_title': 'Decline',
'use_pki': use_pki,
'extra_form': extra_form,
'extra_form_virtual_keyboard': True,
'extra_form_readonly': False,
})
elif transaction.created_by == user:
return render(request, 'form_template.html', {
'title': 'Transaction',
'form': form,
'readonly': True,
'hide_btn': True,
})
elif transaction.created_by.get_assigned_manager() == user:
send_request_to = transaction.created_by
form = RequestForm(initial={
'to_user': send_request_to,
'request_type': UserRequest.READ,
'model_type': UserRequest.TRANSACTION,
'for_url': request.build_absolute_uri(),
})
return render(request, 'form_template.html', {
'title': 'Request For Access',
'form': form,
'readonly': True,
'extra_btn_title': 'Request Admin',
})
return render(request, 'error.html', {
'err': 'You do not have permissions to view or approve this transaction.'
})
else:
if user.is_admin():
return render(request, 'form_template.html', {
'title': 'Transaction',
'form': form,
'hide_btn': True,
'readonly': True,
})
elif transaction.created_by == user or transaction.approved_by == user:
return render(request, 'form_template.html', {
'title': 'Transaction',
'form': form,
'hide_btn': True,
'readonly': True,
})
elif user.has_perm('read_transaction', transaction):
remove_perm('read_transaction', user, transaction)
return render(request, 'form_template.html', {
'title': 'Transaction',
'form': form,
'readonly': True,
'hide_btn': True,
})
else:
send_request_to = transaction.created_by
form = RequestForm(initial={
'to_user': send_request_to,
'request_type': UserRequest.READ,
'model_type': UserRequest.TRANSACTION,
'for_url': request.build_absolute_uri(),
})
return render(request, 'form_template.html', {
'title': 'Request For Access',
'form': form,
'readonly': True,
'extra_btn_title': 'Request Admin',
})
else:
if transaction:
from_user_id = -1
to_user_id = -1
if transaction.from_account:
from_user = transaction.from_account.user
from_user_id = from_user.id
if transaction.to_account:
to_user = transaction.to_account.user
to_user_id = to_user.id
if CommonHelpers.is_int_equal(user.id, from_user_id) or CommonHelpers.is_int_equal(user.id, to_user_id):
form = TransactionForms.ExternalRequestForm(user=user, instance=transaction)
return render(request, 'form_template.html', {
'title': 'Transaction',
'form': form,
'hide_btn': True,
'readonly': True,
})
return render(request, 'error.html', {
'err': 'You do not have permission to view this.',
})
# Does not exist
return render(request, 'error.html', {
'err': 'Transaction does not exist.',
})
def post(self, request, uidb1, uidb2, token):
INTERNAL_RESET_URL_TOKEN = 'approve-request'
INTERNAL_RESET_SESSION_TOKEN = '_approve_request_token'
try:
uid = force_text(urlsafe_base64_decode(uidb1))
from_user = MyUser.objects.get(pk=uid)
except (TypeError, ValueError, OverflowError, MyUser.DoesNotExist):
from_user = None
try:
uid = force_text(urlsafe_base64_decode(uidb2))
target_user = MyUser.objects.get(pk=uid)
except (TypeError, ValueError, OverflowError, MyUser.DoesNotExist):
target_user = None
if from_user is not None and target_user is not None:
pii_obj = PII.objects.filter(user=target_user).first()
pii_token_generator = PIITokenGenerator(pii_obj)
if token == INTERNAL_RESET_URL_TOKEN:
session_token = self.request.session.get(
INTERNAL_RESET_SESSION_TOKEN)
if pii_token_generator.check_token(from_user, session_token):
if pii_obj:
user_request = UserRequest(
from_user=from_user,
request_type=UserRequest.READ,
model_type=UserRequest.PII_ACCESS,
pii_obj=pii_obj,
)
if UserHelpers.assign_permissions(user_request):
CommonHelpers.send_request_approval_mail(
user_request)
messages.success(request, 'Request Approved')
logger.info(
"PII request of %s approved by Government for %s",
str(user_request.from_user),
str(target_user.username))
return HttpResponseRedirect(
reverse('app:HomeView'))
else:
return render(
request, 'error.html', {
'err': 'Action could not be completed',
})
else:
return render(request, 'error.html', {
'err': 'User has not entered PII.',
})
else:
if pii_token_generator.check_token(from_user, token):
self.request.session[INTERNAL_RESET_SESSION_TOKEN] = token
redirect_url = self.request.path.replace(
token, INTERNAL_RESET_URL_TOKEN)
return HttpResponseRedirect(redirect_url)
return render(request, 'error.html',
{'err': 'Invalid Link. You Hacker.'})
def get(self, request, user_id):
user = request.user
target_user = MyUser.objects.filter(
id=user_id,
is_active=True).filter(user_type=MyUser.INDIVIDUAL_USER).exclude(
username=MyUser.ANON).first()
if not target_user:
return render(request, 'error.html', {
'err': 'You do not have permissions to view this',
})
value = PII.objects.filter(user=target_user).first()
if CommonHelpers.is_int_equal(user_id, user.id):
if value:
form = TransactionForms.VerifyOTPForm()
return render(
request, 'form_template.html', {
'title': 'Confirm OTP',
'form': form,
'form_virtual_keyboard': True,
})
else:
form = PiiForm()
return render(request, 'form_template.html', {
'title': 'PII',
'form': form,
})
elif user.has_perm('read_pii', value):
remove_perm('read_pii', user, value)
# Update login time to invalidate link
update_last_login(None, user)
if value:
form = PiiForm(instance=value)
return render(
request, 'form_template.html', {
'title': 'PII',
'form': form,
'readonly': True,
'hide_btn': True,
})
else:
return render(request, 'error.html', {
'err': 'User has not entered PII.',
})
elif user.is_admin():
if value:
form = RequestForm(
initial={
'to_user': '******',
'request_type': UserRequest.READ,
'model_type': UserRequest.PII_ACCESS,
'for_url': request.build_absolute_uri(),
})
return render(
request, 'form_template.html', {
'title': 'Request For Access',
'form': form,
'readonly': True,
})
else:
return render(request, 'error.html', {
'err': 'User has not entered PII.',
})
return render(request, 'error.html', {
'err': 'You do not have permissions to view this',
})
def get(self, request, user_id):
user = request.user
target_user = MyUser.objects.filter(
id=user_id, is_active=True).exclude(username=MyUser.ANON).first()
if not target_user:
return render(request, 'error.html', {
'err': 'You do not have permissions to view this',
})
edit_link = ('Edit',
reverse('app:UserProfileEdit',
kwargs={
'user_id': target_user.id,
}))
if CommonHelpers.is_int_equal(
user_id,
user.id) or user.is_admin() and not target_user.is_admin():
form = UserProfileForm(instance=target_user, user_id=user_id)
return render(
request, 'form_template.html', {
'title': 'User Profile',
'form': form,
'hide_btn': True,
'readonly': True,
'link': edit_link,
})
elif user.has_perm('read_user', target_user) or user.has_perm(
'edit_user', target_user):
remove_perm('read_user', user, target_user)
form = UserProfileForm(instance=target_user, user_id=user_id)
return render(
request, 'form_template.html', {
'title': 'User Profile',
'form': form,
'hide_btn': True,
'readonly': True,
'link': edit_link,
})
elif user.is_internal_user() and not target_user.is_internal_user():
send_request_to = user.assigned_to
form = RequestForm(
initial={
'to_user': send_request_to,
'request_type': UserRequest.READ,
'model_type': UserRequest.USER,
'for_url': request.build_absolute_uri(),
})
return render(request, 'form_template.html', {
'title': 'Request For Access',
'form': form,
'readonly': True,
})
else:
return render(request, 'error.html', {
'err': 'You do not have permissions to view this',
})
def post(self, request, user_id):
user = request.user
target_user = MyUser.objects.filter(
id=user_id,
is_active=True).filter(user_type=MyUser.INDIVIDUAL_USER).exclude(
username=MyUser.ANON).first()
if not target_user:
return render(request, 'error.html', {
'err': 'You do not have permissions to view this',
})
value = PII.objects.filter(user=target_user).first()
if CommonHelpers.is_int_equal(user_id, user.id):
if value:
form = TransactionForms.VerifyOTPForm(request,
data=request.POST)
if form.is_valid():
form = PiiForm(instance=value)
return render(
request, 'form_template.html', {
'title': 'PII',
'form': form,
'readonly': True,
'hide_btn': True,
})
messages.error(request, 'Incorrect OTP')
return HttpResponseRedirect(reverse('app:HomeView'))
else:
form = PiiForm(data=request.POST)
if form.is_valid():
instance = form.save(commit=False)
instance.user = user
instance.save()
messages.success(request, 'PII Submitted')
logger.info("PII added by %s", str(target_user.username))
return HttpResponseRedirect(reverse('app:HomeView'))
return render(request, 'form_template.html', {
'title': 'PII',
'form': form,
})
elif user.is_admin():
if value:
CommonHelpers.send_pii_request_mail(user, target_user, value)
messages.success(request, 'Request Sent To Government')
logger.info("PII request for %s sent by %s",
str(target_user.username), str(user.username))
return HttpResponseRedirect(reverse('app:HomeView'))
else:
return render(request, 'error.html', {
'err': 'User has not entered PII.',
})
return render(request, 'error.html', {
'err': 'You do not have permissions to view this',
})
