def render_change_form(self, request, context, add=False, change=False, form_url='', obj=None):
opts = self.model._meta
app_label = opts.app_label
preserved_filters = self.get_preserved_filters(request)
form_url = add_preserved_filters({'preserved_filters': preserved_filters, 'opts': opts}, form_url)
view_on_site_url = self.get_view_on_site_url(obj)
context.update({
'add': add,
'change': change,
'has_add_permission': self.has_add_permission(request),
'has_change_permission': self.has_change_permission(request, obj),
'has_delete_permission': self.has_delete_permission(request, obj),
'has_file_field': True, # FIXME - this should check if form or formsets have a FileField,
'has_absolute_url': view_on_site_url is not None,
'absolute_url': view_on_site_url,
'form_url': form_url,
'opts': opts,
'content_type_id': get_content_type_for_model(self.model).pk,
'save_as': self.save_as,
'save_on_top': self.save_on_top,
'to_field_var': TO_FIELD_VAR,
'is_popup_var': IS_POPUP_VAR,
'app_label': app_label,
})
if add and self.add_form_template is not None:
form_template = self.add_form_template
else:
form_template = self.change_form_template
return TemplateResponse(request, form_template or [
"keops/%s/%s/change_form.html" % (app_label, opts.model_name),
"keops/%s/change_form.html" % app_label,
"keops/change_form.html"
], context, current_app=self.admin_site.name)
def get_template_values(request, organization_pk):
org = get_object_or_404(Organization.query(request, readonly=True), pk=organization_pk)
assert isinstance(org, Organization)
# noinspection PyProtectedMember
model_admin = admin.site._registry[Organization]
assert isinstance(model_admin, OrganizationAdmin)
# noinspection PyProtectedMember
opts = model_admin.model._meta
app_label = opts.app_label
preserved_filters = model_admin.get_preserved_filters(request)
form_url = add_preserved_filters({'preserved_filters': preserved_filters, 'opts': opts}, '?')
view_on_site_url = model_admin.get_view_on_site_url(org)
template_values = {
'is_popup': 0,
'add': False,
'change': True,
'has_change_permission': model_admin.has_change_permission(request, org),
'has_delete_permission': False,
'has_add_permission': False,
'has_file_field': False,
'has_absolute_url': view_on_site_url is not None,
'absolute_url': view_on_site_url,
'form_url': form_url,
'opts': opts,
'content_type_id': get_content_type_for_model(Task).pk,
'save_as': True,
'save_on_top': False,
'media': model_admin.media,
'to_field_var': TO_FIELD_VAR,
'is_popup_var': IS_POPUP_VAR,
'app_label': app_label,
'show_save': False,
}
return template_values
def process_response(self, request, response):
if response.status_code != 404:
return response
if not self.is_post_detail_view(request):
return response
if request.user.is_staff:
try:
log_entry = LogEntry.objects.filter(user=request.user).order_by("-pk")[0]
except IndexError:
log_entry = None
if (
log_entry
and log_entry.action_flag == DELETION
and log_entry.content_type_id == get_content_type_for_model(self.model).pk
):
try:
redirect_url = reverse("blog:posts_list")
except NoReverseMatch:
redirect_url = "/"
msg = _('The %(name)s "%(obj)s" was deleted.') % {
"name": force_text(self.model._meta.verbose_name),
"obj": log_entry.object_repr,
}
messages.error(request, msg)
return HttpResponseRedirect(redirect_url)
return response
def test_log_actions(self):
ma = ModelAdmin(Band, self.site)
mock_request = MockRequest()
mock_request.user = User.objects.create(username='******')
content_type = get_content_type_for_model(self.band)
tests = (
(ma.log_addition, ADDITION, {'added': {}}),
(ma.log_change, CHANGE, {'changed': {'fields': ['name', 'bio']}}),
(ma.log_deletion, DELETION, str(self.band)),
)
for method, flag, message in tests:
with self.subTest(name=method.__name__):
created = method(mock_request, self.band, message)
fetched = LogEntry.objects.filter(action_flag=flag).latest('id')
self.assertEqual(created, fetched)
self.assertEqual(fetched.action_flag, flag)
self.assertEqual(fetched.content_type, content_type)
self.assertEqual(fetched.object_id, str(self.band.pk))
self.assertEqual(fetched.user, mock_request.user)
if flag == DELETION:
self.assertEqual(fetched.change_message, '')
self.assertEqual(fetched.object_repr, message)
else:
self.assertEqual(fetched.change_message, str(message))
self.assertEqual(fetched.object_repr, str(self.band))
def history_view(self, request, object_id, extra_context=None):
"The 'history' admin view for this model."
from django.contrib.admin.models import LogEntry
# First check if the user can see this history.
model = self.model
obj = get_object_or_404(self.get_queryset(request),
pk=unquote(object_id))
if not self.has_change_permission(request, obj):
raise PermissionDenied
# Then get the history for this object.
opts = model._meta
app_label = opts.app_label
action_list = LogEntry.objects.filter(
object_id=unquote(str(obj.identity)),
# this is the change for our override;
content_type=get_content_type_for_model(model)
).select_related().order_by('action_time')
ctx = self.admin_site.each_context(request)
context = dict(ctx,
title=('Change history: %s') % force_text(obj),
action_list=action_list,
module_name=capfirst(
force_text(opts.verbose_name_plural)),
object=obj,
opts=opts,
preserved_filters=self.get_preserved_filters(request),
)
context.update(extra_context or {})
return TemplateResponse(request, self.object_history_template or [
"admin/%s/%s/object_history.html" % (app_label, opts.model_name),
"admin/%s/object_history.html" % app_label,
"admin/object_history.html"
], context)
def get_context_data(self, **kwargs):
"""
Gets context data required for the admin view
:param kwargs: Default keyword args
:type kwargs: {}
:return: Dict of data for the admin template
"""
context_data = super(AdminView, self).get_context_data(**kwargs)
opts = self.admin_site.model._meta
context_data.update({
'add': False,
'change': False,
'has_add_permission': self.admin_site.has_add_permission(self.request),
'has_change_permission': self.admin_site.has_change_permission(self.request),
'has_delete_permission': self.admin_site.has_delete_permission(self.request),
'has_absolute_url': False,
'absolute_url': None,
'opts': opts,
'content_type_id': get_content_type_for_model(self.admin_site.model).pk,
'save_as': self.admin_site.save_as,
'save_on_top': self.admin_site.save_on_top,
'to_field_var': TO_FIELD_VAR,
'is_popup_var': IS_POPUP_VAR,
'is_popup': False,
'app_label': opts.app_label,
})
return context_data
def log_create(self, request, new_object):
LogEntry.objects.log_action(
user_id=request.user.pk,
content_type_id=get_content_type_for_model(new_object).pk,
object_id=new_object.pk,
object_repr=force_text(new_object),
action_flag=ADDITION
)
def log_deletion(request, obj):
LogEntry.objects.log_action(
user_id=request.user.pk,
content_type_id=get_content_type_for_model(obj).pk,
object_id=obj.pk,
object_repr=force_text(obj),
action_flag=DELETION,
)
def log_unlinking(request, main_object, linking_object):
LogEntry.objects.log_action(
user_id=request.user.pk,
content_type_id=get_content_type_for_model(main_object).pk,
object_id=main_object.pk,
object_repr=force_text(main_object),
action_flag=CHANGE,
change_message="Unlinked \"%s\"" % force_text(linking_object),
)
def _create_log_entry(self, request, object, action_flag):
from django.contrib.admin.models import LogEntry
LogEntry.objects.log_action(
user_id=request.user.pk,
content_type_id=get_content_type_for_model(object).pk,
object_id=object.pk,
object_repr=force_text(object),
action_flag=action_flag,
)
def form_valid(self, form, *args, **kwargs):
self.object = form.save()
LogEntry.objects.log_action(
user_id=self.pk,
content_type_id=get_content_type_for_model(self.object).pk,
object_id=self.object.pk,
object_repr=force_text(self.object),
action_flag=ADDITION
)
return self.produce_response()
def _log_change(self, request):
object = self.get_object()
LogEntry.objects.log_action(
user_id=request.user.pk,
content_type_id=get_content_type_for_model(object).pk,
object_id=object.pk,
object_repr=force_text(object),
action_flag=CHANGE,
change_message="Changed fields",
)
def log_change(request, obj):
message = ""
LogEntry.objects.log_action(
user_id=request.user.pk,
content_type_id=get_content_type_for_model(obj).pk,
object_id=obj.pk,
object_repr=force_text(obj),
action_flag=CHANGE,
change_message=message,
)
def test_get_actions_requires_change_perm(self):
user = User.objects.create_user(username='******', email='*****@*****.**', password='******')
mock_request = MockRequest()
mock_request.user = user
mock_request.GET = {}
ma = ModelAdmin(Band, self.site)
self.assertEqual(list(ma.get_actions(mock_request).keys()), [])
p = Permission.objects.get(codename='change_band', content_type=get_content_type_for_model(Band()))
user.user_permissions.add(p)
mock_request.user = User.objects.get(pk=user.pk)
self.assertEqual(list(ma.get_actions(mock_request).keys()), ['delete_selected'])
def log(self, request, message, action, instance=None):
from django.contrib.admin.models import LogEntry
instance = instance or self.get_object()
LogEntry.objects.log_action(
user_id=request.user.pk,
content_type_id=get_content_type_for_model(instance).pk,
object_id=instance.pk,
object_repr=force_text(instance),
action_flag=action,
change_message=message,
)
def get_view_on_site_url(self, obj=None):
if obj is None or not self.view_on_site:
return None
if callable(self.view_on_site):
return self.view_on_site(obj)
elif self.view_on_site and obj.active and obj.close_date >= timezone.now().date():
return reverse('admin:view_on_site', kwargs={
'content_type_id': get_content_type_for_model(obj).pk,
'object_id': obj.pk
})
else:
return None
def log_deletion(self, request, object, object_repr):
"""
Log that an object will be logical deleted. Note that this method must be
called before the logical deletion.
The default implementation creates an admin LogEntry object.
"""
from django.contrib.admin.models import LogEntry
return LogEntry.objects.log_action(
user_id=request.user.pk,
content_type_id=get_content_type_for_model(object).pk,
object_id=object.pk,
object_repr=object_repr,
action_flag=LOGICAL_DELETION,
)
def process_scan(filepath: str):
with open(filepath, "rb") as fd:
sha512 = hashlib.sha512()
for data in iter(lambda: fd.read(4096), b""):
sha512.update(data)
sha512_str = sha512.hexdigest()
if ScannedDocument.objects.filter(sha512=sha512_str).count() > 0:
return False
obj = ScannedDocument(
filepath=filepath, sha512=sha512_str, page_count=1, deleted=False, step=ScannedDocument.ANALYZING
)
obj.save()
original = Image.open(filepath)
original.show()
width, height = original.size # Get dimensions
corner_size = width // 3
qr_image = original.crop((width - corner_size, height - corner_size, width, height))
with tempfile.NamedTemporaryFile(
dir=settings.FILE_UPLOAD_TEMP_DIR, suffix=".png", prefix="pigi1300-copy-barcode-", delete=True
) as fd:
name = fd.name
qr_image.save(name, "PNG")
output_bytes = subprocess.check_output(["zbarimg", name, "-q"], stderr=subprocess.PIPE)
os.remove(name)
# noinspection PyUnresolvedReferences
output_str = output_bytes.decode("utf-8")
document = None
for line in output_str.splitlines():
if not line.startswith("QR-Code:"):
continue
line = line[len("QR-Code:") :]
if not registry.is_2d(line):
continue
cls, value = registry.parse_2d(line)
document = cls.from_2d(value)
break
if document:
obj.content_type_id = (get_content_type_for_model(document).pk,)
obj.object_id = document.pk
obj.object_repr = force_text(document)
document.scans.add(obj)
obj.step = ScannedDocument.READY
obj.save()
return obj
def remove_account_lockouts(self, request, instances):
accounts = []
for instance in instances:
attempts = FailedLoginAttempt.objects.filter(user=instance)
if attempts.count():
attempts.delete()
LogEntry.objects.log_action(
user_id=request.user.pk,
content_type_id=get_content_type_for_model(instance).pk, object_id=instance.pk,
object_repr=_('Remove lockouts'),
action_flag=CHANGE_LOG_ENTRY,
)
accounts.append(instance)
if accounts:
messages.info(request, 'Removed account lockout for %s' %
', '.join(map(str, accounts)))
else:
messages.info(request, 'No account lockouts to remove')
def render_change_form(self, request, context, add=False, change=False, form_url="", obj=None):
opts = self.model._meta
app_label = opts.app_label
preserved_filters = self.get_preserved_filters(request)
form_url = add_preserved_filters({"preserved_filters": preserved_filters, "opts": opts}, form_url)
view_on_site_url = self.get_view_on_site_url(obj)
context.update(
{
"add": add,
"change": change,
"publish": getattr(obj, "published", False),
"has_add_permission": self.has_add_permission(request),
"has_change_permission": self.has_change_permission(request, obj),
"has_delete_permission": self.has_delete_permission(request, obj),
"has_file_field": True, # FIXME - this should check if form or formsets have a FileField,
"has_absolute_url": view_on_site_url is not None,
"absolute_url": view_on_site_url,
"form_url": form_url,
"opts": opts,
"content_type_id": get_content_type_for_model(self.model).pk,
"save_as": self.save_as,
"save_on_top": self.save_on_top,
"to_field_var": TO_FIELD_VAR,
"is_popup_var": IS_POPUP_VAR,
"app_label": app_label,
}
)
if add and self.add_form_template is not None:
form_template = self.add_form_template
else:
form_template = self.change_form_template
request.current_app = self.admin_site.name
return TemplateResponse(
request,
form_template
or [
"admin/%s/%s/change_form.html" % (app_label, opts.model_name),
"admin/%s/change_form.html" % app_label,
"admin/change_form.html",
],
context,
)
def log_bulk_addition(self, request, objects):
# noinspection PyProtectedMember
change_message = json.dumps([{
'added': {
'name': force_text(added_object._meta.verbose_name),
'object': force_text(added_object),
}
} for added_object in objects])
from .util import shorten_text
object_repr = ", ".join([shorten_text(force_text(added_object), 5) for added_object in objects])
return LogEntry.objects.create(
user_id=request.user.pk,
content_type_id=get_content_type_for_model(objects[0]).pk,
object_repr=object_repr[:200],
action_flag=ADDITION,
change_message=change_message,
)
def history_view(self, request, object_id, extra_context=None):
"The 'history' admin view for this model."
# First check if the object exists and the user can see its history.
model = self.model
obj = self.get_object(request, unquote(object_id))
if obj is None:
raise Http404(_('%(name)s object with primary key %(key)r does not exist.') % {
'name': force_text(model._meta.verbose_name),
'key': escape(object_id),
})
if not self.has_change_permission(request, obj):
raise PermissionDenied
# Then get the history for this object.
opts = model._meta
app_label = opts.app_label
action_list = LogEntry.objects.using(request.database).filter(
object_id=unquote(object_id),
content_type=get_content_type_for_model(model)
).select_related().order_by('action_time')
context = dict(self.admin_site.each_context(request),
title=capfirst(force_text(opts.verbose_name) + " " + unquote(object_id)),
action_list=action_list,
module_name=capfirst(force_text(opts.verbose_name_plural)),
object=obj,
app_label=app_label,
opts=opts,
active_tab='history',
object_id=object_id,
model=ContentType.objects.get_for_model(model).model,
)
context.update(extra_context or {})
request.current_app = self.admin_site.name
return TemplateResponse(request, self.object_history_template or [
"admin/%s/%s/object_history.html" % (app_label, opts.model_name),
"admin/%s/object_history.html" % app_label,
"admin/object_history.html"
], context)
def history_view(self, request, object_id, extra_context=None):
"The 'history' admin view for this model."
# First check if the user can see this history.
model = self.model
obj = self.get_object(request, unquote(object_id))
if obj is None:
return self._get_obj_does_not_exist_redirect(request, model._meta, object_id)
if not self.has_change_permission(request, obj):
raise PermissionDenied
# Then get the history for this object.
opts = model._meta
app_label = opts.app_label
action_list = LogEntry.objects.using(request.database).filter(
object_id=unquote(object_id),
content_type=get_content_type_for_model(model)
).select_related().order_by('action_time')
context = dict(
self.admin_site.each_context(request),
# Translators: Translation included with Django
title=force_text(opts.verbose_name) + " " + unquote(object_id),
post_title=_('Change history'),
action_list=action_list,
module_name=capfirst(force_text(opts.verbose_name_plural)),
object=obj,
object_id=object_id,
opts=opts,
active_tab='history',
preserved_filters=self.get_preserved_filters(request),
)
context.update(extra_context or {})
request.current_app = self.admin_site.name
return TemplateResponse(request, self.object_history_template or [
"admin/%s/%s/object_history.html" % (app_label, opts.model_name),
"admin/%s/object_history.html" % app_label,
"admin/object_history.html"
], context)
def perform_destroy(self, instance):
context = {
'service_name': instance.role.application.name.lower(),
}
send_email(
instance.email, 'mtp_auth/account_request_denied.txt',
capfirst(gettext('Account access for %(service_name)s was denied') % context),
context=context,
html_template='mtp_auth/account_request_denied.html',
anymail_tags=['account-request-denied'],
)
LogEntry.objects.log_action(
user_id=self.request.user.pk,
content_type_id=get_content_type_for_model(instance).pk,
object_id=instance.pk,
object_repr=gettext('Declined account request from %(username)s') % {
'username': instance.username,
},
action_flag=DELETION_LOG_ENTRY,
)
super().perform_destroy(instance)
def log_access_key_move(self, request, unbound, target):
# noinspection PyProtectedMember
change_message = [{
'changed': {
'name': force_text(target._meta.verbose_name),
'object': force_text(target),
'fields': ["access_key"],
},
'deleted': {
'name': force_text(unbound._meta.verbose_name),
'object': force_text(unbound)
}
}]
return LogEntry.objects.log_action(
user_id=request.user.pk,
content_type_id=get_content_type_for_model(target).pk,
object_id=target.pk,
object_repr=force_text(target),
action_flag=CHANGE,
change_message=change_message,
)
def form_valid(self, form):
with transaction.atomic():
old_value = self.object.value
changed_data = self.keys_changed(old_value, form.cleaned_data)
self.object.raw_value = registry.serialize(data=form.cleaned_data)
self.object.full_clean()
self.object.save()
LogEntry.objects.log_action(
user_id=self.request.user.pk,
content_type_id=get_content_type_for_model(self.object).pk,
object_id=self.object.pk,
object_repr=force_text(self.object),
action_flag=CHANGE,
change_message="Changed %(changed)s" % {
'old': force_text(old_value),
'new': force_text(self.object.raw_value),
'changed': force_text(registry.serialize(changed_data))
}
)
msg_dict = {'name': force_text(self.object._meta.verbose_name),
'obj': force_text(self.object.pretty_key())}
msg = _('The %(name)s "%(obj)s" was changed successfully.') % msg_dict
messages.success(self.request, msg)
return super(UpdateSetting, self).form_valid(form=form)
def activity_handler_new_upload(sender, instance, created, **kwargs):
if created and instance.content_type in [get_content_type_for_model(Channel), get_content_type_for_model(Task)]:
action.send(instance.user, verb=verbs.UPLOAD, action_object=instance, target=instance.content_object)
def create_action(sender, instance, created, **kwargs):
if created:
if sender == Summary:
user = instance.proposed_by
elif sender == Paper or sender == PaperSubmission:
user = instance.uploaded_by
else:
if sender == Thread:
thread = instance
if thread.is_removed:
content_id = f"{type(thread).__name__}_{thread.id}"
decisions_api.apply_bad_content_decision(
thread.created_by, content_id)
events_api.track_flag_content(
thread.created_by,
content_id,
1,
)
user = instance.created_by
"""
If we're creating an action for the first time,
check if we've been referred
"""
referral_content_types = [
get_content_type_for_model(Thread),
get_content_type_for_model(Reply),
get_content_type_for_model(Comment),
get_content_type_for_model(Paper),
get_content_type_for_model(ResearchhubPost),
get_content_type_for_model(Hypothesis),
]
if (user is not None and user.invited_by and not Action.objects.filter(
user=user, content_type__in=referral_content_types).exists()
and sender in [
Thread, Reply, Comment, Paper, ResearchhubPost, Hypothesis
]):
timestamp = time()
if calculate_show_referral(user.invited_by):
referred = Distributor(
distributions.Referral,
user,
user.invited_by,
timestamp,
None,
)
referred.distribute()
referrer = Distributor(
distributions.Referral,
user.invited_by,
user.invited_by,
timestamp,
None,
)
referrer.distribute()
vote_types = [PaperVote, ReactionVote, BulletPointVote, SummaryVote]
display = (False if
(sender in vote_types or sender == PaperSubmission
or sender != ReactionVote and
(hasattr(instance, "is_removed") and instance.is_removed))
else True)
action = Action.objects.create(item=instance,
user=user,
display=display)
hubs = []
if sender == Paper:
hubs = instance.hubs.all()
elif sender != BulletPointVote and sender != SummaryVote:
hubs = get_related_hubs(instance)
if hubs:
action.hubs.add(*hubs)
create_notification(sender, instance, created, action, **kwargs)
return action
def get_info(vuln_raw):
data = json.loads(vuln_raw)
now = datetime.now(utc)
tdelta = now - timedelta(days=365)
liste = StringIO.StringIO()
db = StringIO.StringIO()
debug = StringIO.StringIO()
# get my user
try:
user = User.objects.get(username='******')
except User.DoesNotExist:
# We have to make this customer
print "Making user cisco_import.."
user = User.objects.create(username='******')
# get Cisco vendor ID
try:
cisco = Vendor.objects.get(vendor_name='Cisco')
except Vendor.DoesNotExist:
# We have to make this customer
print "Making customer Cisco.."
cisco = Vendor.objects.create(vendor_name='Cisco')
for vuln in sorted(data, reverse=True, key=getdate):
print "Starting on %s" % (vuln['advisory_id'])
products = []
for product in vuln['product_names']:
product = product.strip(' \t\n\r')
#print "Check if the product \"%s\" is a part of the database" % (product)
#Check if product is part of database
try:
p = Product.objects.get(product_vendor=cisco,
product_name=product)
except Product.DoesNotExist:
print "Product \"%s\" is NOT a part of the database, adding" % (
product)
p = Product.objects.create(product_vendor=cisco,
product_name=product)
change_message = construct_change_message(None, None, True)
log_addition(user, p, change_message)
products.append(p)
cves = []
for cve in vuln['cves']:
cve = cve.strip(' \t\n\r')
#Check if cve is part of database
try:
p = CVE.objects.get(cve_id=cve)
except CVE.DoesNotExist:
print "Creating new CVE signature %s" % (cve)
p = CVE.objects.create(cve_id=cve)
change_message = construct_change_message(None, None, True)
log_addition(user, p, change_message)
cves.append(p)
bugs = []
for bug in vuln['bug_ids']:
bug = bug.strip(' \t\n\r')
#Check if bug is part of database
try:
p = Bug.objects.get(bug_id=bug, bug_vendor=cisco)
except Bug.DoesNotExist:
print "Creating new BUG id %s" % (bug)
p = Bug.objects.create(bug_id=bug, bug_vendor=cisco)
change_message = construct_change_message(None, None, True)
log_addition(user, p, change_message)
bugs.append(p)
cwes = []
for cwe in vuln['cwe']:
cwe = cwe.strip(' \t\n\r')
#Check if cwe is part of database
try:
p = CWE.objects.get(cwe_id=cwe)
except CWE.DoesNotExist:
print "Creating new CWE %s" % (cwe)
p = CWE.objects.create(cwe_id=cwe)
change_message = construct_change_message(None, None, True)
log_addition(user, p, change_message)
cwes.append(p)
ipssigs = []
for ipssig in vuln['ips_signatures']:
#print "Check if the IPS signature \"%s\" is a part of the database" % (ipssig)
if type(ipssig) is dict:
legacy_ips_id = ipssig['legacy_ips_id'].strip(' \t\n\r')
elif type(ipssig) is str:
legacy_ips_id = ipssig.strip(' \t\n\r')
ipssig = {
"legacy_ips_id": legacy_ips_id,
"legacy_ips_url": "",
"release_version": "",
"software_version": "",
}
else:
legacy_ips_id = "NA"
ipssig = {
"legacy_ips_id": legacy_ips_id,
"legacy_ips_url": "",
"release_version": "",
"software_version": "",
}
#Check if ipssig is part of database
try:
p = Ips_signature.objects.get(legacy_ips_id=legacy_ips_id)
except Ips_signature.DoesNotExist:
print "Creating new IPS signature %s" % (legacy_ips_id)
p = Ips_signature.objects.create(
legacy_ips_id=legacy_ips_id,
legacy_ips_url=ipssig['legacy_ips_url'],
release_version=ipssig['release_version'],
software_version=ipssig['software_version'])
change_message = construct_change_message(None, None, True)
log_addition(user, p, change_message)
ipssigs.append(p)
first_published = parse(vuln['first_published'])
last_updated = parse(vuln['last_updated'])
# Check if this advisory exists, if not, make it
advisory_id = vuln['advisory_id'].strip(' \t\n\r')
try:
advisory = Ciscoadvisory.objects.get(advisory_id=advisory_id)
except Ciscoadvisory.DoesNotExist:
print "Creating new Advisory ID %s" % (advisory_id)
advisory = Ciscoadvisory.objects.create(
advisory_id=advisory_id,
advisory_vendor=cisco,
advisory_title=vuln['advisory_title'],
cvrf_url=vuln['cvrf_url'],
cvss_base_score=vuln['cvss_base_score'],
first_published=first_published,
last_updated=last_updated,
publication_url=vuln['publication_url'],
sir=vuln['sir'],
summary=vuln['summary'])
for bug in bugs:
advisory.bug_ids.add(bug)
for cve in cves:
advisory.cves.add(cve)
for cwe in cwes:
advisory.cwe.add(cwe)
for ips in ipssigs:
advisory.ips_signatures.add(ips)
for product in products:
advisory.product_names.add(product)
advisory.save()
change_message = construct_change_message(None, None, True)
log_addition(user, advisory, change_message)
# Check if the advisory has been updated
if advisory.last_updated < last_updated:
change_message = []
print "Updating advisory ID %s" % (advisory_id)
if vuln['advisory_title'] != advisory.advisory_title:
advisory.advisory_title = vuln['advisory_title']
change_message.append(
{'changed': {
'fields': 'advisory_title',
}})
if advisory.cvrf_url != vuln['cvrf_url']:
advisory.cvrf_url = vuln['cvrf_url']
change_message.append({'changed': {
'fields': 'cvrf_url',
}})
if advisory.cvss_base_score != vuln['cvss_base_score']:
advisory.cvss_base_score = vuln['cvss_base_score']
change_message.append(
{'changed': {
'fields': 'cvss_base_score',
}})
if list(advisory.bug_ids.all()) != list(bugs):
advisory.bug_ids.set(bugs)
change_message.append({'changed': {
'fields': 'bug_ids',
}})
if list(advisory.cves.all()) != list(cves):
advisory.cves.set(cves)
change_message.append({'changed': {
'fields': 'cves',
}})
if list(advisory.cwe.all()) != list(cwes):
advisory.cwe.set(cwes)
change_message.append({'changed': {
'fields': 'cwe',
}})
if advisory.first_published != first_published:
advisory.first_published = first_published
change_message.append(
{'changed': {
'fields': 'first_published',
}})
if advisory.ips_signatures != ipssigs:
advisory.ips_signatures = ipssigs
change_message.append(
{'changed': {
'fields': 'ips_signatures',
}})
if advisory.last_updated != last_updated:
advisory.last_updated = last_updated
change_message.append(
{'changed': {
'fields': 'last_updated',
}})
if list(advisory.product_names.all()) != list(products):
advisory.product_names.set(products)
change_message.append(
{'changed': {
'fields': 'product_names',
}})
if advisory.publication_url != vuln['publication_url']:
advisory.publication_url = vuln['publication_url']
change_message.append(
{'changed': {
'fields': 'publication_url',
}})
if advisory.sir != vuln['sir']:
advisory.sir = vuln['sir']
change_message.append({'changed': {
'fields': 'sir',
}})
if advisory.summary != vuln['summary']:
advisory.summary = vuln['summary']
change_message.append({'changed': {
'fields': 'summary',
}})
advisory.save()
log_change(user, advisory, change_message)
#now we'll have to make all assessments of this advisory invalid
a = Advisory.objects.get(
object_id=advisory.pk,
content_type=get_content_type_for_model(Ciscoadvisory))
assessments = a.assessment_set.all()
for assessment in assessments:
print "Invalidating assessment %s" % (assessment)
assessment.valid = Assessment.NO
assessment.save()
def partial_update(self, request, *args, **kwargs):
instance = self.get_object()
user_admin = request.data.get('user_admin', '').lower() == 'true'
try:
user = User.objects.get_by_natural_key(instance.username)
if request.user.pk == user.pk:
raise RestValidationError({
api_settings.NON_FIELD_ERRORS_KEY:
_('You cannot confirm changes to yourself')
})
if user.is_superuser:
raise RestValidationError({
api_settings.NON_FIELD_ERRORS_KEY:
_('Super users cannot be edited')
})
serializer_kwargs = {'instance': user}
user.is_active = True
user.save()
user_existed = True
except User.DoesNotExist:
serializer_kwargs = {}
user_existed = False
if instance.prison:
prisons = [instance.prison]
else:
prisons = None
user_serializer = UserSerializer(data=dict(
first_name=instance.first_name,
last_name=instance.last_name,
email=instance.email,
username=instance.username,
role=instance.role.name,
prisons=prisons,
user_admin=user_admin,
),
context={
'request': request,
'from_account_request': True
},
**serializer_kwargs)
user_serializer.is_valid()
user = user_serializer.save()
context = {
'username': user.username,
'service_name': instance.role.application.name.lower(),
'login_url': instance.role.login_url,
}
if user_existed:
send_email(
user.email,
'mtp_auth/user_moved.txt',
capfirst(
gettext(
'Your new %(service_name)s account is ready to use') %
context),
context=context,
html_template='mtp_auth/user_moved.html',
anymail_tags=['user-moved'],
)
LogEntry.objects.log_action(
user_id=request.user.pk,
content_type_id=get_content_type_for_model(user).pk,
object_id=user.pk,
object_repr=gettext('Accepted account request for %(username)s') %
{
'username': user.username,
},
action_flag=CHANGE_LOG_ENTRY,
)
instance.delete()
return Response({})
def render_change_form(self,
request,
context,
add=False,
change=False,
form_url='',
obj=None):
""" Overridden to consider instances with view permissions """
opts = self.model._meta
app_label = opts.app_label
preserved_filters = self.get_preserved_filters(request)
form_url = add_preserved_filters(
{
'preserved_filters': preserved_filters,
'opts': opts
}, form_url)
view_on_site_url = self.get_view_on_site_url(obj)
context.update({
'add':
add,
'change':
change,
'has_add_permission':
self.has_add_permission(request),
'has_change_permission':
self.has_change_permission(request, obj),
'has_delete_permission':
self.has_delete_permission(request, obj),
'has_view_permission':
self.has_view_permission(request, obj),
'has_file_field':
True, # FIXME - this should check if form or formsets have a FileField,
'has_absolute_url':
view_on_site_url is not None,
'absolute_url':
view_on_site_url,
'form_url':
form_url,
'opts':
opts,
'content_type_id':
get_content_type_for_model(self.model).pk,
'save_as':
self.save_as,
'save_on_top':
self.save_on_top,
'to_field_var':
TO_FIELD_VAR,
'is_popup_var':
IS_POPUP_VAR,
'app_label':
app_label,
})
if add and self.add_form_template is not None:
form_template = self.add_form_template
else:
form_template = self.change_form_template
request.current_app = self.admin_site.name
return TemplateResponse(
request, form_template or [
"admin/%s/%s/change_form.html" % (app_label, opts.model_name),
"admin/%s/change_form.html" % app_label,
"admin/change_form.html"
], context)
def content_type(self):
return get_content_type_for_model(self.model)
def create_materialized_view( # noqa
self, user_id, old_obj, new_obj, change_message: str):
new_obj: MaterializedQuery = next(serializers.deserialize("json",
new_obj)).object
self.update_state(
state=states.STARTED,
meta=f"Processing Materialized Query {new_obj.matviewname}.",
)
with cache.lock("updating:materialized_view:worker:lock:" +
new_obj.matviewname):
worker_var = "updating:materialized_view:worker:" + new_obj.matviewname
cache.get(worker_var)
cache.set(worker_var, self.request.id)
with cache.lock("updating:materialized_view:lock:" + new_obj.matviewname):
if cache.get(worker_var) != self.request.id:
self.update_state(
state=states.IGNORED,
meta=
f"There is another worker with more recent changes for the Materialized Query {new_obj.matviewname}.",
)
raise Ignore()
add = old_obj is None
with transaction.atomic(using=router.db_for_write(MaterializedQuery)
), connections["achilles"].cursor() as cursor:
if not add:
if (old_obj["matviewname"] != new_obj.matviewname
and old_obj["definition"] == new_obj.definition):
cursor.execute(
f"ALTER MATERIALIZED VIEW {old_obj['matviewname']} RENAME TO {new_obj.matviewname}"
)
elif old_obj["definition"] != new_obj.definition:
# don't drop the old view yet. rename the view to a random name
# just as a backup if there is something wrong with the new
# query or name
allowed_characters = string.ascii_letters + "_"
tmp_name = "".join(
random.choice(allowed_characters) for _ in range(30))
cursor.execute(
f"ALTER MATERIALIZED VIEW {old_obj['matviewname']} RENAME TO {tmp_name}"
)
try:
cursor.execute(
f"CREATE MATERIALIZED VIEW {new_obj.matviewname} AS {new_obj.definition}"
)
except ProgrammingError as e:
# no need to rename back the materialized view since the transaction will rollback
self.update_state(
state=states.FAILURE,
meta={
"exc_type":
type(e).__name__,
"exc_message":
f"Error while changing the materialized view {new_obj.matviewname} in the underlying database.",
},
traceback=e,
)
raise Ignore()
cursor.execute(f"DROP MATERIALIZED VIEW {tmp_name}")
else:
raise Ignore()
else:
try:
cursor.execute(
f"CREATE MATERIALIZED VIEW {new_obj.matviewname} AS {new_obj.definition}"
)
except ProgrammingError as e:
self.update_state(
state=states.FAILURE,
meta={
"exc_type":
type(e).__name__,
"exc_message":
f"Error while creating the materialized view {new_obj.matviewname} in the underlying database.",
},
traceback=e,
)
raise Ignore()
if add:
self.update_state(
state=states.SUCCESS,
meta=
f"Materialized view {new_obj.matviewname} successfully created.",
)
LogEntry.objects.log_action(
user_id=user_id,
content_type_id=get_content_type_for_model(new_obj).pk,
object_id=new_obj.pk,
object_repr=str(new_obj),
action_flag=ADDITION,
change_message=change_message,
)
else:
self.update_state(
state=states.SUCCESS,
meta=
f"Materialized view {new_obj.matviewname} successfully change.",
)
LogEntry.objects.log_action(
user_id=user_id,
content_type_id=get_content_type_for_model(new_obj).pk,
object_id=new_obj.pk,
object_repr=str(new_obj),
action_flag=CHANGE,
change_message=change_message,
)
raise Ignore()
def render_change_form(self,
request,
context,
add=False,
change=False,
form_url='',
obj=None):
opts = self.model._meta
app_label = opts.app_label
preserved_filters = self.get_preserved_filters(request)
form_url = add_preserved_filters(
{
'preserved_filters': preserved_filters,
'opts': opts
}, form_url)
view_on_site_url = self.get_view_on_site_url(obj)
context.update({
'add':
add,
'change':
change,
'has_add_permission':
self.has_add_permission(request),
'has_change_permission':
self.has_change_permission(request, obj),
'has_delete_permission':
self.has_delete_permission(request, obj),
'has_file_field':
True, # FIXME - this should check if form or formsets have a FileField,
'has_absolute_url':
view_on_site_url is not None,
'absolute_url':
view_on_site_url,
'form_url':
form_url,
'opts':
opts,
'content_type_id':
get_content_type_for_model(self.model).pk,
'save_as':
self.save_as,
'save_on_top':
self.save_on_top,
'to_field_var':
TO_FIELD_VAR,
'is_popup_var':
IS_POPUP_VAR,
'app_label':
app_label,
})
if add and self.add_form_template is not None:
form_template = self.add_form_template
else:
form_template = self.change_form_template
request.current_app = self.admin_site.name
###### add to context some information to show pictures
request_url = request.path
request_url = request_url.split('/')
if (request_url[len(request_url) - 2] == 'change'):
row_pk = request_url[4]
result_blob = self.model.objects.get(pk=row_pk).blob_value(
width=500, height=300)
context['manual_file_field'] = result_blob
else:
context['manual_file_field'] = ''
return TemplateResponse(
request, form_template or [
"admin/%s/%s/change_form.html" % (app_label, opts.model_name),
"admin/%s/change_form.html" % app_label,
"admin/change_form.html"
], context)
from django.test import TestCase
from django.contrib.admin.models import LogEntry, CHANGE
from django.contrib.admin.options import get_content_type_for_model
from typeidea.blog.models import Post
post = Post.objects.get(id=1)
log_entries = LogEntry.objects.filter(
content_type_id = get_content_type_for_model(post).pk,
object_id = post.id
)
print(log_entries)
def view_view(self, request, object_id, form_url='', extra_context=None):
extra_context = extra_context or {}
extra_context['has_add_permission'] = self.has_add_permission(request)
'''
Code copied from ChangeForm
'''
to_field = request.POST.get(TO_FIELD_VAR,
request.GET.get(TO_FIELD_VAR))
if to_field and not self.to_field_allowed(request, to_field):
raise DisallowedModelAdminToField(
"The field %s cannot be referenced." % to_field)
model = self.model
opts = model._meta
add = object_id is None
if add:
if not self.has_add_permission(request):
raise PermissionDenied
obj = None
else:
obj = self.get_object(request, unquote(object_id), to_field)
if not self.has_view_permission(request, obj):
raise PermissionDenied
if obj is None:
raise Http404(
_('%(name)s object with primary key %(key)r does not exist.'
) % {
'name': force_text(opts.verbose_name),
'key': escape(object_id)
})
# if request.method == 'POST' and "_saveasnew" in request.POST:
# return self.add_view(request, form_url=reverse('admin:%s_%s_add' % (
# opts.app_label, opts.model_name), current_app=self.admin_site.name))
context = dict(
self.admin_site.each_context(request),
title=obj,
app_label=opts.app_label,
object_id=object_id,
original=obj,
is_popup=(IS_POPUP_VAR in request.POST
or IS_POPUP_VAR in request.GET),
to_field=to_field,
# media=media,
preserved_filters=self.get_preserved_filters(request),
)
context.update(extra_context or {})
opts = self.model._meta
app_label = opts.app_label
preserved_filters = self.get_preserved_filters(request)
form_url = add_preserved_filters(
{
'preserved_filters': preserved_filters,
'opts': opts
}, form_url)
view_on_site_url = self.get_view_on_site_url(obj)
context.update({
'add':
add,
'change':
not add,
'has_add_permission':
self.has_add_permission(request),
'has_change_permission':
self.has_change_permission(request, obj),
'has_delete_permission':
self.has_delete_permission(request, obj),
'has_file_field':
True,
'has_absolute_url':
view_on_site_url is not None,
'absolute_url':
view_on_site_url,
'form_url':
form_url,
'opts':
opts,
'content_type_id':
get_content_type_for_model(self.model).pk,
'save_as':
self.save_as,
'save_on_top':
self.save_on_top,
'to_field_var':
TO_FIELD_VAR,
'is_popup_var':
IS_POPUP_VAR,
'app_label':
app_label,
})
request.current_app = self.admin_site.name
return TemplateResponse(
request, self.view_template or [
"ra/%s/%s/view.html" % (opts.app_label, opts.model_name),
"ra/%s/view.html" % opts.app_label,
'ra/view.html',
f"{app_settings.RA_THEME}/view.html",
], context)
def cb_changeform_view(self, request, *args, **kwargs):
"""
Like a change view in the admin.
"""
view_class = kwargs.get('view_class')
add = kwargs.get('add', True)
obj = kwargs.get('original', None)
object_id = kwargs.get('object_id', None)
title = kwargs.get('title', None)
if hasattr(view_class, 'form_class'):
form = view_class.form_class()
else:
form = None
formsets = []
opts = self.model._meta
TO_FIELD_VAR = False
IS_POPUP_VAR = False
change = not True
view_on_site_url = None
form_url = ''
app_label = opts.app_label
if form is not None:
adminForm = helpers.AdminForm(form,
formsets, {},
None,
model_admin=self)
media = self.media + adminForm.media
admin_error_list = helpers.AdminErrorList(form, formsets)
else:
adminForm = None
media = self.media
admin_error_list = None
to_field = request.POST.get(TO_FIELD_VAR,
request.GET.get(TO_FIELD_VAR))
inline_formsets = None
# From ``changeform_view``
if title is None:
title = (_('Bulk add %s') if add else _('Bulk change %s')
) % force_text(opts.verbose_name_plural)
context = dict(
self.admin_site.each_context(request),
title=title,
adminform=adminForm,
object_id=object_id,
original=obj,
is_popup=(IS_POPUP_VAR in request.POST
or IS_POPUP_VAR in request.GET),
to_field=to_field,
media=media,
inline_admin_formsets=inline_formsets,
errors=admin_error_list,
preserved_filters=self.get_preserved_filters(request),
)
# From ``render_change_form``
context.update({
'add':
add,
'change':
change,
'has_add_permission':
self.has_add_permission(request),
'has_change_permission':
self.has_change_permission(request, obj),
'has_delete_permission':
self.has_delete_permission(request, obj),
'has_file_field':
True, # FIXME - this should check if form or formsets have a FileField,
'has_absolute_url':
view_on_site_url is not None,
'absolute_url':
view_on_site_url,
'form_url':
form_url,
'opts':
opts,
'content_type_id':
get_content_type_for_model(self.model).pk,
'save_as':
self.save_as,
'save_on_top':
self.save_on_top,
'to_field_var':
TO_FIELD_VAR,
'is_popup_var':
IS_POPUP_VAR,
'app_label':
app_label,
'media':
self.media,
})
original_get_context_data = view_class.get_context_data
def _monkey_patch_get_context_data(instance, *args, **kwargs):
data = original_get_context_data(instance, *args, **kwargs)
data.update(context)
return data
view_class.get_context_data = _monkey_patch_get_context_data
return view_class.as_view()(request)
def retrieve_endorsement(user, item):
return Endorsement.objects.get(
object_id=item.id,
content_type=get_content_type_for_model(item),
created_by=user.id,
)
def partial_update(self, request, *args, **kwargs):
instance = self.get_object()
user_admin = request.data.get('user_admin', '').lower() == 'true'
try:
user = User.objects.get_by_natural_key(instance.username)
if request.user.pk == user.pk:
raise RestValidationError({'username': _('You cannot confirm changes to yourself')})
if user.is_superuser:
raise RestValidationError({'username': _('Super users cannot be edited')})
# inactive users get re-activated
user.is_active = True
user.save()
# existing non-superadmins have their prisons, applications and groups replaced
user.groups.clear()
PrisonUserMapping.objects.filter(user=user).delete()
ApplicationUserMapping.objects.filter(user=user).delete()
user_existed = True
password = None
except User.DoesNotExist:
user = User.objects.create(
first_name=instance.first_name,
last_name=instance.last_name,
email=instance.email,
username=instance.username,
)
password = generate_new_password()
user.set_password(password)
user.save()
user_existed = False
role = instance.role
role.assign_to_user(user)
if user_admin:
user.groups.add(Group.objects.get(name='UserAdmin'))
PrisonUserMapping.objects.assign_prisons_from_user(request.user, user)
context = {
'username': user.username,
'password': password,
'service_name': role.application.name.lower(),
'login_url': role.login_url,
}
if user_existed:
context.pop('password')
send_email(
user.email, 'mtp_auth/user_moved.txt',
capfirst(gettext('Your new %(service_name)s account is ready to use') % context),
context=context, html_template='mtp_auth/user_moved.html',
anymail_tags=['user-moved'],
)
else:
send_email(
user.email, 'mtp_auth/new_user.txt',
capfirst(gettext('Your new %(service_name)s account is ready to use') % context),
context=context, html_template='mtp_auth/new_user.html',
anymail_tags=['new-user'],
)
LogEntry.objects.log_action(
user_id=request.user.pk,
content_type_id=get_content_type_for_model(user).pk,
object_id=user.pk,
object_repr=gettext('Accepted account request for %(username)s') % {
'username': user.username,
},
action_flag=CHANGE_LOG_ENTRY,
)
instance.delete()
return Response({})
def retrieve_flag(user, item):
return Flag.objects.get(
object_id=item.id,
content_type=get_content_type_for_model(item),
created_by=user.id,
)
def dummy_for(obj, name: str) -> "RatingDummy":
content_type = get_content_type_for_model(obj)
return RatingDummy.objects.get_or_create(content_type=content_type, object_id=obj.id, name=name)[0]
def get_change_form_context(self, context):
"""
This methods attempts to gather the same context the admin site
gathers when it renders a changeform. The Django admin
doesn't have a pretty way of getting this data since it is
so tightly coupled with template rendering.
"""
form = context['form']
request = self.request
model = self.admin.model
opts = model._meta
app_label = opts.app_label
obj = context.get('object', None)
form_url = self.get_form_url(context)
view_on_site_url = self.admin.get_view_on_site_url(obj)
fieldsets = self.get_fieldsets()
formsets, inline_instances = self.admin._create_formsets(
request, obj, change=not self.hide_inline_formsets)
readonly_fields = self.get_readonly_fields()
admin_form = admin_helpers.AdminForm(
form,
list(fieldsets),
self.admin.get_prepopulated_fields(request, obj),
readonly_fields,
model_admin=self.admin,
)
media = self.admin.media + admin_form.media
# The inline formset code is copied from django's code. It has
# not been used in practice yet and has no tests
inline_formsets = self.admin.get_inline_formsets(
request, formsets, inline_instances, obj)
for inline_formset in inline_formsets: # pragma: no cover
media = media + inline_formset.media
has_editable_inline_admin_formsets = True if inline_formsets else False
has_file_field = admin_form.form.is_multipart() or any(
admin_formset.formset.is_multipart()
for admin_formset in inline_formsets)
# The admin admin also sets this variable
request.current_app = self.admin.admin_site.name
return {
**self.admin.admin_site.each_context(request),
'title':
self.display_name,
'adminform':
admin_form,
'original':
obj,
'is_popup':
False,
'to_field':
None,
'media':
media,
'inline_admin_formsets':
inline_formsets,
'errors':
admin_helpers.AdminErrorList(form, formsets),
'preserved_filters':
self.admin.get_preserved_filters(request),
'add':
False,
'change':
bool(obj),
'has_view_permission':
self.admin.has_view_permission(request, obj),
'has_add_permission':
self.admin.has_add_permission(request),
'has_change_permission':
self.admin.has_change_permission(request, obj),
'has_delete_permission':
self.admin.has_delete_permission(request, obj),
'has_editable_inline_admin_formsets':
(has_editable_inline_admin_formsets),
'has_file_field':
has_file_field,
'has_absolute_url':
view_on_site_url is not None,
'absolute_url':
view_on_site_url,
'form_url':
form_url,
'opts':
opts,
'content_type_id':
(admin_options.get_content_type_for_model(self.admin.model).pk),
'save_as':
self.save_as,
'save_on_top':
self.save_on_top,
'to_field_var':
admin_options.TO_FIELD_VAR,
'is_popup_var':
admin_options.IS_POPUP_VAR,
'app_label':
app_label,
'hide_object_tools':
self.hide_object_tools,
}
