def __init__(self, created_by, *args, **kwargs): self.created_by = created_by super(UserCreationForm, self).__init__(*args, **kwargs) self.fields.pop('password1') self.fields.pop('password2') CommonHelpers.help_text_on_hover(self.fields)
def form_valid(self, form): user = form.save() logger.info("Password Reset Done for %s", str(user.username)) CommonHelpers.send_confirmation_mail(user) return super().form_valid(form)
def create_user(self, username, email, password, user_type, first_name='', last_name='', phone_number=None, date_of_birth=None, validate=True, is_active=False, send_password_mail=True, send_otp_mail=False, created_by=None): if not email or not username: raise ValueError('Users must have an email and a username') if password is None: password = self.make_random_password() validate = False username = username.lower() user = self.model( first_name=first_name, last_name=last_name, email=self.normalize_email(email), username=username, phone_number=phone_number, date_of_birth=date_of_birth, user_type=user_type, assigned_to=created_by, ) if validate: validate_password(password) user.set_password(password) # Activate User on email confirmation, bypass for superuser user.is_active = is_active user.save(using=self.db) TOTPDevice.objects.create(name='Phone', user=user, confirmed=False) if not user.is_internal_user(): account = Account.objects.create(user=user) Card.objects.create(account=account) if send_password_mail: CommonHelpers.send_password_mail(user) if send_otp_mail: CommonHelpers.send_confirmation_mail(user) return user
def clean_user_type(self): user_type = self.cleaned_data['user_type'] if CommonHelpers.is_int_equal(user_type, MyUser.ADMIN): self.created_by = None elif CommonHelpers.is_int_equal(user_type, MyUser.EMPLOYEE): managers = MyUser.objects.filter(assigned_to=self.created_by, user_type=MyUser.MANAGER) if managers: index = random.randint(0, len(managers) - 1) manager = managers[index] self.created_by = manager else: raise ValidationError('Managers do not exist') elif CommonHelpers.is_int_equal( user_type, MyUser.INDIVIDUAL_USER) or CommonHelpers.is_int_equal( user_type, MyUser.MERCHANT): managers = MyUser.objects.filter(assigned_to=self.created_by, user_type=MyUser.MANAGER) temp_managers = [] for manager in managers: employees = MyUser.objects.filter( assigned_to=manager, user_type=MyUser.EMPLOYEE).count() if employees > 0: temp_managers += [manager] managers = temp_managers if managers: index = random.randint(0, len(managers) - 1) manager = managers[index] employees = MyUser.objects.filter(assigned_to=manager, user_type=MyUser.EMPLOYEE) if employees: index = random.randint(0, len(employees) - 1) employee = employees[index] self.created_by = employee else: raise ValidationError('Employees do not exist') else: raise ValidationError('Managers do not exist') return user_type
def get(self, request, user_id): user = request.user if CommonHelpers.is_int_equal(user_id, user.id) or user.is_admin(): if not AccountHelpers.is_user_having_account(user_id): return render(request, 'error.html', { 'err': 'User has no accounts', }) links = AccountHelpers.get_user_accounts(user_id) return render(request, 'list_template.html', { 'title': 'User Accounts', 'links': links, }) elif user.is_employee() or user.is_manager(): if not AccountHelpers.is_user_having_account(user_id): return render(request, 'error.html', { 'err': 'User has no accounts', }) links = AccountHelpers.get_user_assigned_accounts(user_id, user) return render(request, 'list_template.html', { 'title': 'User Accounts', 'links': links, }) else: return render(request, 'error.html', { 'err': 'You do not have permissions to view this.', })
def post(self, request): user = request.user target_user = MyUser.objects.filter(id=user.id, user_type=MyUser.MERCHANT, is_active=True).exclude(username=MyUser.ANON).first() if not target_user: return render(request, "error.html", { 'err': "You cannot add client accounts" }) form = PaymentAccountsForm(request.POST) if form.is_valid(): acc_number = form.cleaned_data['account_number'] account = get_account_from_number(acc_number) if check_same_user_account(target_user.id, acc_number): return render(request, 'error.html', { 'err': 'Please don\'t enter your own accounts.', }) if check_duplicate(target_user.id, acc_number): return render(request, 'error.html', { 'err': 'Account exists in your list', }) form = CreateRequestForm(data={ 'request_type': UserRequest.CREATE, 'model_type': UserRequest.ACCOUNT, }) if form.is_valid(): user_request = form.save(commit=False) user_request.from_user = target_user user_request.to_user = account.user user_request.account_obj = account if CommonHelpers.is_request_duplicate(user_request): messages.warning(request, 'Request Already Sent') return HttpResponseRedirect(reverse('app:HomeView')) user_request.save() messages.success(request, 'Request Sent To %s' % user_request.to_user) logger.info("Request for new adding client account %s sent by %s", str(account.user.username), str(target_user.username)) return HttpResponseRedirect(reverse('app:HomeView')) else: return render(request, "error.html", { 'err': "Request could not be sent" }) return render(request, 'form_template.html', { 'title': 'User Accounts', 'form': form, })
def post(self, request, user_id): user = request.user if CommonHelpers.is_int_equal(user.id, user_id) and not user.is_internal_user(): form = CreateRequestForm( data={ 'request_type': UserRequest.CREATE, 'model_type': UserRequest.ACCOUNT, }) if form.is_valid(): user_request = form.save(commit=False) user_request.from_user = user user_request.to_user = user.assigned_to if CommonHelpers.is_request_duplicate(user_request): messages.warning(request, 'Request Already Sent') return HttpResponseRedirect(reverse('app:HomeView')) user_request.save() messages.success(request, 'Request Sent To %s' % user_request.to_user) logger.info("Request for new account sent by %s", str(user.username)) return HttpResponseRedirect(reverse('app:HomeView')) return render(request, 'form_template.html', { 'title': 'Add Account', 'form': form, 'readonly': True, }) else: return render(request, 'error.html', { 'err': 'You do not have permissions to view this', })
def post(self, request): user = request.user if user.is_admin(): form = SignUpForms.PasswordResetRequestForm(request.POST) if form.is_valid(): target_user = form.cleaned_data['user'] with db_transaction.atomic(): target_user = MyUser.objects.filter(id=target_user.id).select_for_update().first() if target_user: target_user.is_active = False target_user.save() TOTPDevice.objects.filter(user=target_user).delete() TOTPDevice.objects.create(name='Phone', user=target_user, confirmed=False) else: return render(request, 'error.html', { 'err': 'Action could not be completed', }) CommonHelpers.send_password_mail(target_user) messages.success(request, 'Request Initiated') logger.info("Password Reset Initiated for %s by admin %s", str(target_user.username), str(request.user.username)) return HttpResponseRedirect(reverse('app:HomeView')) return render(request, 'form_template.html', { 'title': 'Reset User', 'form': form, }) else: return render(request, 'error.html', { 'err': 'You do not have permission for this', })
def post(self, request, user_id): user = request.user target_user = MyUser.objects.filter( id=user_id, is_active=True).exclude(username=MyUser.ANON).exclude( user_type=MyUser.ADMIN).first() if not target_user: return render(request, 'error.html', { 'err': 'You do not have permissions to view this', }) if user.is_internal_user() and not user.is_admin(): send_request_to = user.assigned_to form = RequestForm( data={ 'to_user': send_request_to.id, 'request_type': UserRequest.READ, 'model_type': UserRequest.USER, 'for_url': request.build_absolute_uri(), }) if form.is_valid(): user_request = form.save(commit=False) user_request.from_user = user user_request.user_obj = target_user if CommonHelpers.is_request_duplicate(user_request): messages.warning(request, 'Request Already Sent') return HttpResponseRedirect(reverse('app:HomeView')) user_request.save() messages.success(request, 'Request Sent To %s' % user_request.to_user) logger.info("User Profile View Request sent by %s for %s", str(user.username), str(target_user.username)) return HttpResponseRedirect(reverse('app:HomeView')) return render(request, 'form_template.html', { 'title': 'Request For Access', 'form': form, 'readonly': True, }) else: return render(request, 'error.html', { 'err': 'You do not have permissions for this', })
def get(self, request): user = request.user if user.is_admin(): links = CommonHelpers.get_pii_link() return render(request, 'list_template.html', { 'title': 'All Users with PII', 'links': links, }) else: return render(request, 'error.html', { 'err': 'You do not have permissions to view this', })
def get(self, request, uidb, token): INTERNAL_RESET_URL_TOKEN = 'set-otp' INTERNAL_RESET_SESSION_TOKEN = '_otp_reset_token' try: uid = force_text(urlsafe_base64_decode(uidb)) user = MyUser.objects.get(pk=uid) except (TypeError, ValueError, OverflowError, MyUser.DoesNotExist): user = None if user is not None: if token == INTERNAL_RESET_URL_TOKEN: session_token = self.request.session.get(INTERNAL_RESET_SESSION_TOKEN) if otp_token_generator.check_token(user, session_token): device = SignUpHelpers.get_otp_device(user.id) user.is_active = True user.save() CommonHelpers.login_and_verify_without_otp(request, user, 'django.contrib.auth.backends.ModelBackend') request.session['_otp_verified'] = True return render(request, 'qrcode.html', { 'device': device, 'hide_navbar_function_buttons': True, }) else: if otp_token_generator.check_token(user, token): self.request.session[INTERNAL_RESET_SESSION_TOKEN] = token redirect_url = self.request.path.replace(token, INTERNAL_RESET_URL_TOKEN) return HttpResponseRedirect(redirect_url) return render(request, 'error.html', { 'err': 'Invalid Link. You Hacker.' })
def get(self, request, user_id, account_id): user = request.user if CommonHelpers.is_int_equal(user_id, user.id) or user.is_admin(): account = AccountHelpers.get_account(user_id, account_id) if account: form = UserAccountForm(instance=account) return render( request, 'form_template.html', { 'title': 'Account', 'form': form, 'hide_btn': True, 'readonly': True, }) else: return render(request, 'error.html', { 'err': 'Account does not exist.', }) elif user.is_employee() or user.is_manager(): account = AccountHelpers.get_assigned_account_details( user_id, account_id, user) if account: form = UserAccountForm(instance=account) return render( request, 'form_template.html', { 'title': 'Account', 'form': form, 'hide_btn': True, 'readonly': True, }) else: return render( request, 'error.html', { 'err': 'Account does not exist or You do not have permissions to access it.', }) else: return render(request, 'error.html', { 'err': 'You do not have permissions to view this.', })
def get(self, request, user_id): user = request.user target_user = MyUser.objects.filter( id=user_id, is_active=True).exclude(username=MyUser.ANON).exclude( user_type=MyUser.ADMIN).first() if not target_user: return render(request, 'error.html', { 'err': 'You do not have permissions to view this', }) if user.has_perm('edit_user', target_user) or CommonHelpers.is_int_equal( user_id, user.id) or user.is_admin(): form = EditUserProfileForm(instance=target_user, user_id=user_id) return render(request, 'form_template.html', { 'title': 'Edit User Profile', 'form': form, }) elif user.is_internal_user() and not target_user.is_internal_user(): send_request_to = user.assigned_to form = RequestForm( initial={ 'to_user': send_request_to, 'request_type': UserRequest.UPDATE, 'model_type': UserRequest.USER, 'for_url': request.build_absolute_uri(), }) return render(request, 'form_template.html', { 'title': 'Request For Access', 'form': form, 'readonly': True, }) else: return render(request, 'error.html', { 'err': 'You do not have permissions to view this', })
def get(self, request, user_id): user = request.user if CommonHelpers.is_int_equal(user.id, user_id) and not user.is_internal_user(): form = CreateRequestForm( initial={ 'request_type': UserRequest.CREATE, 'model_type': UserRequest.ACCOUNT, }) return render(request, 'form_template.html', { 'title': 'Add Account', 'form': form, 'readonly': True, }) else: return render(request, 'error.html', { 'err': 'You do not have permissions to view this', })
def get(self, request): user = request.user links = [] balance = None if user.is_admin(): template = 'dashboard.html' title = 'Admin' links = CommonHelpers.get_admin_links() elif user.is_manager(): template = 'dashboard.html' title = 'Manager' links = CommonHelpers.get_manager_links() elif user.is_employee(): template = 'dashboard.html' title = 'Employee' links = CommonHelpers.get_employee_links() elif user.is_merchant(): template = 'dashboard.html' title = 'Merchant' links = CommonHelpers.get_merchant_links(user.id) balance = CommonHelpers.get_user_total_balance(user.id) elif user.is_individual_user(): template = 'dashboard.html' title = 'Individual User' links = CommonHelpers.get_individual_user_links(user.id) balance = CommonHelpers.get_user_total_balance(user.id) else: template = 'error.html' title = '' return render(request, template, { 'title': title, 'links': links, 'balance': balance, })
def post(self, request, transaction_id): user = request.user if user.is_internal_user(): transaction = Transaction.objects.filter(id=transaction_id, is_approved=False).select_for_update().first() if 'Approve' in request.POST: approve_transaction = True elif 'Decline' in request.POST: approve_transaction = False else: transaction = Transaction.objects.filter(id=transaction_id).first() if transaction is None: return render(request, 'error.html', { 'err': 'Transaction does not exist.', }) request_admin = False if 'Request Admin' in request.POST: request_admin = True send_request_to = transaction.created_by if request_admin and not user.is_admin(): send_request_to = user.get_assigned_admin() form = RequestForm(data={ 'to_user': send_request_to.id, 'request_type': UserRequest.READ, 'model_type': UserRequest.TRANSACTION, 'for_url': request.build_absolute_uri(), }) if form.is_valid(): user_request = form.save(commit=False) user_request.from_user = user user_request.transaction_obj = transaction if CommonHelpers.is_request_duplicate(user_request): messages.warning(request, 'Request Already Sent') return HttpResponseRedirect(reverse('app:HomeView')) user_request.save() messages.success(request, 'Request Sent To %s' % user_request.to_user) logger.info("Request to view transaction created by %s", str(user.username)) return HttpResponseRedirect(reverse('app:HomeView')) return render(request, 'form_template.html', { 'title': 'Request For Access', 'form': form, 'readonly': True, 'extra_btn_title': 'Request Admin', }) if transaction is None: return render(request, 'error.html', { 'err': 'Transaction already resolved.' }) verified_to_transact = False if transaction.is_risky(): if transaction.created_by.get_assigned_manager() == user or user.is_admin(): verified_to_transact = True else: if transaction.created_by.assigned_to == user or user.is_admin(): verified_to_transact = True elif transaction.created_by.get_assigned_manager() == user and user.has_perm('read_transaction', transaction): remove_perm('read_transaction', user, transaction) verified_to_transact = True if verified_to_transact: # PKI Verify pki_token = request.POST.get('pki_token', None) internal_pki_token = request.session.get(self.INTERNAL_PKI_TOKEN, None) if pki_token is None or internal_pki_token is None: return render(request, 'error.html', { 'err': 'PKI Verification Failed. Try to reset your PKI and try again.' }) if PKIHelpers.verify_pki(pki_token, internal_pki_token): print('PKI Verified') else: return render(request, 'error.html', { 'err': 'PKI Verification Failed. Try to reset your PKI and try again.' }) extra_form = TransactionForms.VerifyOTPForm(request, data=request.POST) if extra_form.is_valid(): pass else: messages.error(request, 'Incorrect OTP') return HttpResponseRedirect(reverse('app:TransactionPending')) if approve_transaction: # Perform Transaction if TransactionHelpers.perform_transaction(transaction): with db_transaction.atomic(): transaction = Transaction.objects.filter(id=transaction.id, is_approved=False).select_for_update().first() if transaction: transaction.approve(user) transaction.complete() else: return render(request, 'error.html', { 'err': 'Action could not be completed', }) # Remove view permissions from manager when not approved by them if transaction.created_by.get_assigned_manager().has_perm('read_transaction', transaction): remove_perm('read_transaction', transaction.created_by.get_assigned_manager(), transaction) CommonHelpers.send_transaction_complete_mail(transaction) messages.success(request, 'Transaction Approved') logger.info("Transaction %s from %s to %s for amount %s approved by %s", str(transaction.id), str(transaction.from_account), str(transaction.to_account), str(transaction.amount), str(user.username)) return HttpResponseRedirect(reverse('app:TransactionPending')) else: return render(request, 'error.html', { 'err': 'This transaction cannot be completed because of low balance or is already completed.', }) else: # Decline Transaction if not transaction.is_approved: if TransactionHelpers.delete_transaction(transaction): CommonHelpers.send_transaction_declined_mail(transaction) messages.success(request, 'Transaction Declined') logger.info("Transaction %s declined by : %s", str(transaction.id), str(user.username)) return HttpResponseRedirect(reverse('app:TransactionPending')) return render(request, 'error.html', { 'err': 'Transaction cannot be declined because it is already approved.', }) return render(request, 'error.html', { 'err': 'You do not have permission for this.', })
def post(self, request, user_request_id): user = request.user # Takes care of case that user == user_request.to_user user_request = UserHelpers.get_user_request_to_user_using_id( user_request_id, user) if user_request: if 'Approve' in request.POST: approve_request = True elif 'Decline' in request.POST: approve_request = False else: return render(request, 'error.html', {'err': 'You did something wrong, bro.'}) if user_request.is_approved: return render(request, 'error.html', { 'err': 'Request Already Approved', }) if approve_request: if UserHelpers.assign_permissions(user_request): user_request.approve(user) CommonHelpers.send_request_approval_mail(user_request) messages.success(request, 'Request Approved') # Intermediate Delete Request if user_request.request_type == UserRequest.DELETE and user_request.model_type == UserRequest.USER: messages.success( request, 'Request Sent To %s' % str(user_request.to_user.get_assigned_admin())) # Delete completed if user_request.request_type == UserRequest.COMPLETE_DELETE and user_request.model_type == UserRequest.USER: logger.info('User %s deleted by %s', str(user_request.user_obj.username), str(user_request.to_user.username)) logger.info("User request %s approved by %s ", user_request.__str__(), str(user.username)) return HttpResponseRedirect( reverse('app:UserRequestsReceivedView')) return render(request, 'error.html', { 'err': 'Request could not be approved', }) else: if not user_request.is_approved: UserHelpers.delete_request(user_request) CommonHelpers.send_request_declined_mail(user_request) messages.success(request, 'Request Declined') logger.info("User request %s declined by %s", user_request.__str__(), str(user.username)) return HttpResponseRedirect( reverse('app:UserRequestsReceivedView')) else: return render( request, 'error.html', { 'err': 'Request cannot be declined because it is already approved.', }) return render(request, 'error.html', { 'err': 'Does not exist', })
def post(self, request, user_id): user = request.user target_user = MyUser.objects.filter( id=user_id, is_active=True).exclude(username=MyUser.ANON).exclude( user_type=MyUser.ADMIN).first() if not target_user: return render(request, 'error.html', { 'err': 'You do not have permissions to view this', }) if user.is_admin(): form = EditUserProfileForm(data=request.POST, user_id=user_id) if form.is_valid(): edit_user = form.save(commit=False) edit_user.user = target_user edit_user.save() UserHelpers.update_user_from_edited_version(edit_user) messages.success(request, 'User Successfully Updated') logger.info("User Profile Edited by %s for %s", str(user.username), str(target_user.username)) return HttpResponseRedirect(reverse('app:HomeView')) return render(request, 'form_template.html', { 'title': 'Edit User Profile', 'form': form, }) elif user.has_perm('edit_user', target_user) or CommonHelpers.is_int_equal( user_id, user.id): remove_perm('edit_user', user, target_user) form = EditUserProfileForm(data=request.POST, user_id=user_id) if form.is_valid(): edit_user = form.save(commit=False) edit_user.user = target_user edit_user.save() send_request_to = user.get_assigned_admin() form = RequestForm( data={ 'to_user': send_request_to.id, 'request_type': UserRequest.COMPLETE_UPDATE, 'model_type': UserRequest.USER, 'for_url': request.build_absolute_uri(), }) if form.is_valid(): user_request = form.save(commit=False) user_request.from_user = user user_request.user_obj = target_user if CommonHelpers.is_request_duplicate(user_request): messages.warning(request, 'Request Already Sent') return HttpResponseRedirect(reverse('app:HomeView')) user_request.save() messages.success( request, 'Request Sent To %s' % user_request.to_user) logger.info( "User Profile Edit Request sent by %s for %s to %s", str(user.username), str(target_user.username), str(user_request.to_user)) return HttpResponseRedirect(reverse('app:HomeView')) return render(request, 'form_template.html', { 'title': 'Edit User Profile', 'form': form, }) elif user.is_internal_user() and not target_user.is_internal_user(): send_request_to = user.assigned_to form = RequestForm( data={ 'to_user': send_request_to.id, 'request_type': UserRequest.UPDATE, 'model_type': UserRequest.USER, 'for_url': request.build_absolute_uri(), }) if form.is_valid(): user_request = form.save(commit=False) user_request.from_user = user user_request.user_obj = target_user if CommonHelpers.is_request_duplicate(user_request): messages.warning(request, 'Request Already Sent') return HttpResponseRedirect(reverse('app:HomeView')) user_request.save() messages.success(request, 'Request Sent To %s' % user_request.to_user) logger.info( "User Profile Edit Access Request sent by %s for %s to %s", str(user.username), str(target_user.username), str(user_request.to_user)) return HttpResponseRedirect(reverse('app:HomeView')) return render(request, 'form_template.html', { 'title': 'Request For Access', 'form': form, 'readonly': True, }) else: return render(request, 'error.html', { 'err': 'You do not have permissions to view this', })
def post(self, request): user = request.user if user.is_admin(): form = UserDeleteForm(request.POST) if form.is_valid(): target_user = form.cleaned_data['user'] if UserHelpers.safely_delete_user(target_user): messages.success(request, 'User Deleted') logger.info('User %s deleted by %s', str(target_user.username), str(user.username)) return HttpResponseRedirect(reverse('app:HomeView')) else: return render(request, 'error.html', { 'err': 'User could not be deleted', }) return render(request, 'form_template.html', { 'title': 'Delete User', 'form': form, }) elif not user.is_internal_user(): form = VerifyOTPForm(request, data=request.POST) if form.is_valid(): send_request_to = user.assigned_to form = RequestForm( data={ 'to_user': send_request_to.id, 'request_type': UserRequest.DELETE, 'model_type': UserRequest.USER, }) if form.is_valid(): user_request = form.save(commit=False) user_request.from_user = user user_request.user_obj = user if CommonHelpers.is_request_duplicate(user_request): messages.warning(request, 'Request Already Sent') return HttpResponseRedirect(reverse('app:HomeView')) user_request.save() messages.success( request, 'Request Sent To %s' % user_request.to_user) logger.info("User Delete Request sent by %s for %s to %s", str(user.username), str(user.username), str(user_request.to_user)) return HttpResponseRedirect(reverse('app:HomeView')) else: return render(request, 'error.html', { 'err': 'User could not be deleted', }) else: messages.error(request, 'Incorrect OTP') return HttpResponseRedirect(reverse('app:HomeView')) else: return render(request, 'error.html', { 'err': 'You do not have permissions for this.', })
def get(self, request, transaction_id): user = request.user transaction = TransactionHelpers.get_transaction(transaction_id) if user.is_internal_user(): if transaction: form = TransactionForms.InternalRequestForm(user=user, instance=transaction) # Not already approved if not transaction.is_approved: # PKI user_encrypted_data, server_encrypted_data = PKIHelpers.get_encrypted_token(user) if user_encrypted_data is None or server_encrypted_data is None: return render(request, 'error.html', { 'err': 'PKI has not been configured. Set it up to perform transactions.', }) request.session[self.INTERNAL_PKI_TOKEN] = server_encrypted_data use_pki = PKIHelpers.get_pki_dictionary(user_encrypted_data) extra_form = TransactionForms.VerifyOTPForm() if transaction.is_risky(): if transaction.created_by.get_assigned_manager() == user or user.is_admin(): return render(request, 'form_template.html', { 'title': 'Approve Transaction', 'form': form, 'readonly': True, 'btn_title': 'Approve', 'extra_btn_title': 'Decline', 'use_pki': use_pki, 'extra_form': extra_form, 'extra_form_virtual_keyboard': True, 'extra_form_readonly': False, }) elif transaction.created_by.assigned_to == user or user.is_admin(): return render(request, 'form_template.html', { 'title': 'Approve Transaction', 'form': form, 'readonly': True, 'btn_title': 'Approve', 'extra_btn_title': 'Decline', 'use_pki': use_pki, 'extra_form': extra_form, 'extra_form_virtual_keyboard': True, 'extra_form_readonly': False, }) elif transaction.created_by.get_assigned_manager() == user and user.has_perm('read_transaction', transaction): return render(request, 'form_template.html', { 'title': 'Approve Transaction', 'form': form, 'readonly': True, 'btn_title': 'Approve', 'extra_btn_title': 'Decline', 'use_pki': use_pki, 'extra_form': extra_form, 'extra_form_virtual_keyboard': True, 'extra_form_readonly': False, }) elif transaction.created_by == user: return render(request, 'form_template.html', { 'title': 'Transaction', 'form': form, 'readonly': True, 'hide_btn': True, }) elif transaction.created_by.get_assigned_manager() == user: send_request_to = transaction.created_by form = RequestForm(initial={ 'to_user': send_request_to, 'request_type': UserRequest.READ, 'model_type': UserRequest.TRANSACTION, 'for_url': request.build_absolute_uri(), }) return render(request, 'form_template.html', { 'title': 'Request For Access', 'form': form, 'readonly': True, 'extra_btn_title': 'Request Admin', }) return render(request, 'error.html', { 'err': 'You do not have permissions to view or approve this transaction.' }) else: if user.is_admin(): return render(request, 'form_template.html', { 'title': 'Transaction', 'form': form, 'hide_btn': True, 'readonly': True, }) elif transaction.created_by == user or transaction.approved_by == user: return render(request, 'form_template.html', { 'title': 'Transaction', 'form': form, 'hide_btn': True, 'readonly': True, }) elif user.has_perm('read_transaction', transaction): remove_perm('read_transaction', user, transaction) return render(request, 'form_template.html', { 'title': 'Transaction', 'form': form, 'readonly': True, 'hide_btn': True, }) else: send_request_to = transaction.created_by form = RequestForm(initial={ 'to_user': send_request_to, 'request_type': UserRequest.READ, 'model_type': UserRequest.TRANSACTION, 'for_url': request.build_absolute_uri(), }) return render(request, 'form_template.html', { 'title': 'Request For Access', 'form': form, 'readonly': True, 'extra_btn_title': 'Request Admin', }) else: if transaction: from_user_id = -1 to_user_id = -1 if transaction.from_account: from_user = transaction.from_account.user from_user_id = from_user.id if transaction.to_account: to_user = transaction.to_account.user to_user_id = to_user.id if CommonHelpers.is_int_equal(user.id, from_user_id) or CommonHelpers.is_int_equal(user.id, to_user_id): form = TransactionForms.ExternalRequestForm(user=user, instance=transaction) return render(request, 'form_template.html', { 'title': 'Transaction', 'form': form, 'hide_btn': True, 'readonly': True, }) return render(request, 'error.html', { 'err': 'You do not have permission to view this.', }) # Does not exist return render(request, 'error.html', { 'err': 'Transaction does not exist.', })
def post(self, request, uidb1, uidb2, token): INTERNAL_RESET_URL_TOKEN = 'approve-request' INTERNAL_RESET_SESSION_TOKEN = '_approve_request_token' try: uid = force_text(urlsafe_base64_decode(uidb1)) from_user = MyUser.objects.get(pk=uid) except (TypeError, ValueError, OverflowError, MyUser.DoesNotExist): from_user = None try: uid = force_text(urlsafe_base64_decode(uidb2)) target_user = MyUser.objects.get(pk=uid) except (TypeError, ValueError, OverflowError, MyUser.DoesNotExist): target_user = None if from_user is not None and target_user is not None: pii_obj = PII.objects.filter(user=target_user).first() pii_token_generator = PIITokenGenerator(pii_obj) if token == INTERNAL_RESET_URL_TOKEN: session_token = self.request.session.get( INTERNAL_RESET_SESSION_TOKEN) if pii_token_generator.check_token(from_user, session_token): if pii_obj: user_request = UserRequest( from_user=from_user, request_type=UserRequest.READ, model_type=UserRequest.PII_ACCESS, pii_obj=pii_obj, ) if UserHelpers.assign_permissions(user_request): CommonHelpers.send_request_approval_mail( user_request) messages.success(request, 'Request Approved') logger.info( "PII request of %s approved by Government for %s", str(user_request.from_user), str(target_user.username)) return HttpResponseRedirect( reverse('app:HomeView')) else: return render( request, 'error.html', { 'err': 'Action could not be completed', }) else: return render(request, 'error.html', { 'err': 'User has not entered PII.', }) else: if pii_token_generator.check_token(from_user, token): self.request.session[INTERNAL_RESET_SESSION_TOKEN] = token redirect_url = self.request.path.replace( token, INTERNAL_RESET_URL_TOKEN) return HttpResponseRedirect(redirect_url) return render(request, 'error.html', {'err': 'Invalid Link. You Hacker.'})
def get(self, request, user_id): user = request.user target_user = MyUser.objects.filter( id=user_id, is_active=True).filter(user_type=MyUser.INDIVIDUAL_USER).exclude( username=MyUser.ANON).first() if not target_user: return render(request, 'error.html', { 'err': 'You do not have permissions to view this', }) value = PII.objects.filter(user=target_user).first() if CommonHelpers.is_int_equal(user_id, user.id): if value: form = TransactionForms.VerifyOTPForm() return render( request, 'form_template.html', { 'title': 'Confirm OTP', 'form': form, 'form_virtual_keyboard': True, }) else: form = PiiForm() return render(request, 'form_template.html', { 'title': 'PII', 'form': form, }) elif user.has_perm('read_pii', value): remove_perm('read_pii', user, value) # Update login time to invalidate link update_last_login(None, user) if value: form = PiiForm(instance=value) return render( request, 'form_template.html', { 'title': 'PII', 'form': form, 'readonly': True, 'hide_btn': True, }) else: return render(request, 'error.html', { 'err': 'User has not entered PII.', }) elif user.is_admin(): if value: form = RequestForm( initial={ 'to_user': '******', 'request_type': UserRequest.READ, 'model_type': UserRequest.PII_ACCESS, 'for_url': request.build_absolute_uri(), }) return render( request, 'form_template.html', { 'title': 'Request For Access', 'form': form, 'readonly': True, }) else: return render(request, 'error.html', { 'err': 'User has not entered PII.', }) return render(request, 'error.html', { 'err': 'You do not have permissions to view this', })
def get(self, request, user_id): user = request.user target_user = MyUser.objects.filter( id=user_id, is_active=True).exclude(username=MyUser.ANON).first() if not target_user: return render(request, 'error.html', { 'err': 'You do not have permissions to view this', }) edit_link = ('Edit', reverse('app:UserProfileEdit', kwargs={ 'user_id': target_user.id, })) if CommonHelpers.is_int_equal( user_id, user.id) or user.is_admin() and not target_user.is_admin(): form = UserProfileForm(instance=target_user, user_id=user_id) return render( request, 'form_template.html', { 'title': 'User Profile', 'form': form, 'hide_btn': True, 'readonly': True, 'link': edit_link, }) elif user.has_perm('read_user', target_user) or user.has_perm( 'edit_user', target_user): remove_perm('read_user', user, target_user) form = UserProfileForm(instance=target_user, user_id=user_id) return render( request, 'form_template.html', { 'title': 'User Profile', 'form': form, 'hide_btn': True, 'readonly': True, 'link': edit_link, }) elif user.is_internal_user() and not target_user.is_internal_user(): send_request_to = user.assigned_to form = RequestForm( initial={ 'to_user': send_request_to, 'request_type': UserRequest.READ, 'model_type': UserRequest.USER, 'for_url': request.build_absolute_uri(), }) return render(request, 'form_template.html', { 'title': 'Request For Access', 'form': form, 'readonly': True, }) else: return render(request, 'error.html', { 'err': 'You do not have permissions to view this', })
def post(self, request, user_id): user = request.user target_user = MyUser.objects.filter( id=user_id, is_active=True).filter(user_type=MyUser.INDIVIDUAL_USER).exclude( username=MyUser.ANON).first() if not target_user: return render(request, 'error.html', { 'err': 'You do not have permissions to view this', }) value = PII.objects.filter(user=target_user).first() if CommonHelpers.is_int_equal(user_id, user.id): if value: form = TransactionForms.VerifyOTPForm(request, data=request.POST) if form.is_valid(): form = PiiForm(instance=value) return render( request, 'form_template.html', { 'title': 'PII', 'form': form, 'readonly': True, 'hide_btn': True, }) messages.error(request, 'Incorrect OTP') return HttpResponseRedirect(reverse('app:HomeView')) else: form = PiiForm(data=request.POST) if form.is_valid(): instance = form.save(commit=False) instance.user = user instance.save() messages.success(request, 'PII Submitted') logger.info("PII added by %s", str(target_user.username)) return HttpResponseRedirect(reverse('app:HomeView')) return render(request, 'form_template.html', { 'title': 'PII', 'form': form, }) elif user.is_admin(): if value: CommonHelpers.send_pii_request_mail(user, target_user, value) messages.success(request, 'Request Sent To Government') logger.info("PII request for %s sent by %s", str(target_user.username), str(user.username)) return HttpResponseRedirect(reverse('app:HomeView')) else: return render(request, 'error.html', { 'err': 'User has not entered PII.', }) return render(request, 'error.html', { 'err': 'You do not have permissions to view this', })