示例#1
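        def test_check_custom_user_model(self):
            """The custom-user-model check reports nothing once HijackUserAdmin is registered."""
            # Django doesn't re-register admins when using `override_settings`,
            # so we have to do it manually in this test case.
            user_model = get_user_model()
            admin.site.register(user_model, HijackUserAdmin)
            try:
                warnings = checks.check_custom_user_model(HijackAdminConfig)
                self.assertFalse(warnings)
            finally:
                # Undo the registration even when the assertion fails; otherwise
                # the shared admin site keeps the entry and later tests that
                # register the same model break for an unrelated reason.
                admin.site.unregister(user_model)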
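        def test_check_custom_user_model(self):
            """With HijackUserAdmin registered for the user model, the check must stay silent."""
            # Django doesn't re-register admins when using `override_settings`,
            # so we have to do it manually in this test case.
            registered_model = get_user_model()
            admin.site.register(registered_model, HijackUserAdmin)
            try:
                warnings = checks.check_custom_user_model(HijackAdminConfig)
                self.assertFalse(warnings)
            finally:
                # Runs on failure too, so a failed assertion cannot leave the
                # user model registered on the process-wide admin site.
                admin.site.unregister(registered_model)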
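        def test_check_custom_user_model_custom_admin(self):
            """The check also passes when ``admin.site`` has been swapped for a custom AdminSite."""
            class CustomAdminSite(admin.AdminSite):
                pass

            _default_site = admin.site
            admin.site = CustomAdminSite()
            try:
                admin.autodiscover()

                user_model = get_user_model()
                admin.site.register(user_model, HijackUserAdmin)
                try:
                    warnings = checks.check_custom_user_model(HijackAdminConfig)
                    self.assertFalse(warnings)
                finally:
                    admin.site.unregister(user_model)
            finally:
                # `admin.site` is module-global state: restore it even if
                # autodiscover, registration or the assertion raised, so the
                # rest of the suite never runs against the throwaway site.
                admin.site = _default_site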
示例#4
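def release_hijack(request):
    """End the current hijack and log the previous user back in.

    The session key ``hijack_history`` holds a stack of user primary keys.
    The most recent one is popped and that user is logged in again. While
    entries remain, the session stays marked as hijacked; once the stack is
    empty, the hijack markers are removed.

    Raises:
        PermissionDenied: the session has no (or an empty) hijack history.
        Http404: the popped primary key no longer matches a user.

    Returns:
        An ``HttpResponseRedirect`` to a same-host ``next`` query parameter,
        or to ``REVERSE_HIJACK_LOGIN_REDIRECT_URL`` / ``LOGIN_REDIRECT_URL`` /
        ``'/'`` when ``next`` is absent or points elsewhere.
    """
    # Django's redirect-target validator was renamed in Django 3.0; import
    # whichever name this installation provides.
    try:
        from django.utils.http import (
            url_has_allowed_host_and_scheme as is_safe_target)
    except ImportError:
        from django.utils.http import is_safe_url as is_safe_target

    hijack_history = request.session.get('hijack_history', False)

    if not hijack_history:
        raise PermissionDenied

    # The guard above guarantees at least one entry on the stack.
    user_pk = hijack_history.pop()
    user = get_object_or_404(get_user_model(), pk=user_pk)
    # NOTE(review): this always takes the first configured backend, which is
    # not necessarily the one the user originally authenticated with.
    backend = get_backends()[0]
    user.backend = "%s.%s" % (backend.__module__,
                              backend.__class__.__name__)
    login(request, user)

    if hijack_history:
        request.session['hijack_history'] = hijack_history
        request.session['is_hijacked_user'] = True
    else:
        # Remove each marker independently so that one missing key cannot
        # leave the other behind.
        request.session.pop('hijack_history', None)
        request.session.pop('is_hijacked_user', None)
    request.session.modified = True

    default_url = getattr(settings,
                          'REVERSE_HIJACK_LOGIN_REDIRECT_URL',
                          getattr(settings, 'LOGIN_REDIRECT_URL', '/'))
    # `next` comes straight from the query string. Follow it only when it
    # stays on this host; otherwise this view is an open redirect.
    redirect_to = request.GET.get('next')
    if not redirect_to or not is_safe_target(redirect_to, request.get_host()):
        redirect_to = default_url
    return HttpResponseRedirect(resolve_url(redirect_to))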
示例#5
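def release_hijack(request):
    """Release the current hijack by logging the previous user back in.

    Pops the newest primary key from the ``hijack_history`` session stack and
    logs that user in. If older entries remain, the session keeps its hijack
    markers; otherwise they are removed.

    Raises:
        PermissionDenied: there is no hijack history in the session.
        Http404: the stored primary key does not match any user.

    Returns:
        An ``HttpResponseRedirect`` to the ``next`` query parameter when it
        targets this host, else to ``REVERSE_HIJACK_LOGIN_REDIRECT_URL``,
        ``LOGIN_REDIRECT_URL`` or ``'/'``.
    """
    # The validator is called `url_has_allowed_host_and_scheme` from Django
    # 3.0 on and `is_safe_url` before that.
    try:
        from django.utils.http import (
            url_has_allowed_host_and_scheme as is_safe_target)
    except ImportError:
        from django.utils.http import is_safe_url as is_safe_target

    hijack_history = request.session.get('hijack_history', False)

    if not hijack_history:
        raise PermissionDenied

    # Non-empty by the guard above, so pop() cannot fail here.
    user_pk = hijack_history.pop()
    user = get_object_or_404(get_user_model(), pk=user_pk)
    # NOTE(review): the first configured backend is assumed; confirm this is
    # acceptable when several authentication backends are installed.
    backend = get_backends()[0]
    user.backend = "%s.%s" % (backend.__module__,
                              backend.__class__.__name__)
    login(request, user)

    if hijack_history:
        request.session['hijack_history'] = hijack_history
        request.session['is_hijacked_user'] = True
    else:
        # pop() with a default removes each key on its own; a missing first
        # key can no longer skip the removal of the second.
        request.session.pop('hijack_history', None)
        request.session.pop('is_hijacked_user', None)
    request.session.modified = True

    fallback = getattr(settings,
                       'REVERSE_HIJACK_LOGIN_REDIRECT_URL',
                       getattr(settings, 'LOGIN_REDIRECT_URL', '/'))
    # The `next` parameter is caller-controlled. Redirecting to it unchecked
    # would let any link through this view send users to a foreign site.
    redirect_to = request.GET.get('next')
    if not redirect_to or not is_safe_target(redirect_to, request.get_host()):
        redirect_to = fallback
    return HttpResponseRedirect(redirect_to)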
示例#6
def release_hijack(request):
    """Hand the session back to the user who started the hijack.

    Pops the newest primary key from the ``hijack_history`` session stack,
    logs that user in inside ``no_update_last_login()``, updates the hijack
    markers in the session and sends ``hijack_ended``.

    Raises:
        PermissionDenied: the session has no hijack history.
        Http404: the stored primary key matches no user.
    """
    history = request.session.get('hijack_history', False)
    if not history:
        raise PermissionDenied

    # From here on the stack is known to hold at least one entry.
    hijacked = request.user
    hijacker = get_object_or_404(get_user_model(), pk=history.pop())
    used_backend = get_used_backend(request)
    hijacker.backend = "%s.%s" % (used_backend.__module__,
                                  used_backend.__class__.__name__)
    with no_update_last_login():
        login(request, hijacker)

    if history:
        # Still inside a nested hijack: keep the remaining stack and markers.
        request.session['hijack_history'] = history
        request.session['is_hijacked_user'] = True
        request.session['display_hijack_warning'] = True
    else:
        for marker in ('hijack_history', 'is_hijacked_user',
                       'display_hijack_warning'):
            request.session.pop(marker, None)
    request.session.modified = True

    hijack_ended.send(
        sender=None,
        request=request,
        hijacker=hijacker,
        hijacked=hijacked,
        # send IDs for backward compatibility
        hijacker_id=hijacker.pk,
        hijacked_id=hijacked.pk,
    )
    # NOTE(review): redirect_to_next is defined elsewhere; confirm it rejects
    # off-host redirect targets before following a request-supplied URL.
    return redirect_to_next(
        request, default_url=hijack_settings.HIJACK_LOGOUT_REDIRECT_URL)
示例#7
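def release_hijack(request):
    """Release the current hijack and log the hijacker back in.

    Pops the newest primary key from the ``hijack_history`` session stack,
    logs that user in, updates the hijack markers in the session and sends
    ``hijack_ended`` with both users' primary keys.

    Raises:
        PermissionDenied: the session has no hijack history.
        Http404: the stored primary key matches no user.
    """
    hijack_history = request.session.get('hijack_history', False)

    if not hijack_history:
        raise PermissionDenied

    # The guard above guarantees a non-empty stack, so both users are always
    # bound before the signal is sent.
    hijacked = request.user
    user_pk = hijack_history.pop()
    hijacker = get_object_or_404(get_user_model(), pk=user_pk)
    backend = get_used_backend(request)
    hijacker.backend = "%s.%s" % (backend.__module__,
                                  backend.__class__.__name__)
    login(request, hijacker)

    if hijack_history:
        request.session['hijack_history'] = hijack_history
        request.session['is_hijacked_user'] = True
        request.session['display_hijack_warning'] = True
    else:
        # Remove every marker independently. A chain of `del` statements
        # under one `except KeyError` stops at the first missing key and can
        # leave later markers (e.g. the hijack warning) set.
        for key in ('hijack_history', 'is_hijacked_user',
                    'display_hijack_warning'):
            request.session.pop(key, None)
    request.session.modified = True

    # Use `pk` rather than `id`: a user model with a differently named
    # primary key has no `id` attribute.
    hijack_ended.send(sender=None, hijacker_id=hijacker.pk, hijacked_id=hijacked.pk)
    # NOTE(review): redirect_to_next is defined elsewhere; confirm it only
    # follows same-host redirect targets.
    return redirect_to_next(request, default_url=hijack_settings.HIJACK_LOGOUT_REDIRECT_URL)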
示例#8
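def release_hijack(request):
    """Undo the most recent hijack and restore the hijacker's login.

    The newest primary key is popped from the ``hijack_history`` session
    stack and that user is logged in. The session's hijack markers are kept
    while entries remain and removed otherwise; ``hijack_ended`` is then sent
    with both primary keys.

    Raises:
        PermissionDenied: the session has no hijack history.
        Http404: the stored primary key matches no user.
    """
    hijack_history = request.session.get('hijack_history', False)

    if not hijack_history:
        raise PermissionDenied

    # Non-empty stack guaranteed by the guard above.
    hijacked = request.user
    user_pk = hijack_history.pop()
    hijacker = get_object_or_404(get_user_model(), pk=user_pk)
    backend = get_used_backend(request)
    hijacker.backend = "%s.%s" % (backend.__module__,
                                  backend.__class__.__name__)
    login(request, hijacker)

    if hijack_history:
        request.session['hijack_history'] = hijack_history
        request.session['is_hijacked_user'] = True
        request.session['display_hijack_warning'] = True
    else:
        # One pop per key: with a single try/except around several `del`
        # statements, the first missing key aborts the cleanup and the
        # remaining hijack markers stay in the session.
        request.session.pop('hijack_history', None)
        request.session.pop('is_hijacked_user', None)
        request.session.pop('display_hijack_warning', None)
    request.session.modified = True

    hijack_ended.send(sender=None,
                      hijacker_id=hijacker.pk,
                      hijacked_id=hijacked.pk)
    # NOTE(review): redirect_to_next is not shown here; verify that it
    # validates any request-supplied redirect target.
    return redirect_to_next(
        request, default_url=hijack_settings.HIJACK_LOGOUT_REDIRECT_URL)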
示例#9
def login_with_id(request, user_id):
    """Hijack the user whose primary key is ``user_id``.

    Returns a 400 response when ``user_id`` is not an integer literal, raises
    ``Http404`` when no such user exists, and otherwise returns whatever
    ``login_user`` returns.
    """
    # The captured URL segment arrives as text, so convert before the lookup.
    try:
        pk = int(user_id)
    except ValueError:
        return HttpResponseBadRequest('user_id must be an integer value.')
    # NOTE(review): no permission check is visible in this view; confirm that
    # login_user (or a decorator outside this snippet) authorizes the caller.
    target = get_object_or_404(get_user_model(), pk=pk)
    return login_user(request, target)
示例#10
 def hijack_field(self, obj):
     """Render the hijack column for an object that is related to a user.

     Uses ``obj.user`` when that attribute is truthy. Otherwise it scans the
     model's one-to-one and many-to-one fields for one that points at the
     active user model and uses that field's value.
     """
     target = getattr(obj, 'user', '')
     if not target:
         for candidate in obj._meta.get_fields():
             single_relation = candidate.one_to_one or candidate.many_to_one
             if not single_relation:
                 continue
             if candidate.related_model == get_user_model():
                 # No break: if several fields reference the user model, the
                 # last one wins.
                 target = getattr(obj, candidate.name)
     return super(HijackRelatedAdminMixin, self).hijack_field(target)
示例#11
def setup():
    """Connect the forum's signal receivers.

    Slug receivers run before Category, Forum and Topic are saved; Post gets
    save and delete receivers. The user-model receiver is connected only when
    ``defaults.PYBB_AUTO_USER_PERMISSIONS`` is truthy.
    """
    slug_receivers = (
        (pre_save_category_slug, Category),
        (pre_save_forum_slug, Forum),
        (pre_save_topic_slug, Topic),
    )
    for receiver, model in slug_receivers:
        pre_save.connect(receiver, sender=model)

    post_save.connect(post_saved, sender=Post)
    post_delete.connect(post_deleted, sender=Post)

    if not defaults.PYBB_AUTO_USER_PERMISSIONS:
        return
    post_save.connect(user_saved, sender=compat.get_user_model())
示例#12
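        def test_check_custom_user_model_default_admin(self):
            """With the stock UserAdmin registered, the check must emit warning W001."""
            # Django doesn't re-register admins when using `override_settings`,
            # so we have to do it manually in this test case.
            user_model = get_user_model()
            admin.site.register(user_model, UserAdmin)
            try:
                warnings = checks.check_custom_user_model(HijackAdminConfig)
                expected_warnings = [
                    Warning(
                        'django-hijack-admin does not work out the box with a custom user model.',
                        hint='Please mix HijackUserAdminMixin into your custom UserAdmin.',
                        obj=settings.AUTH_USER_MODEL,
                        id='hijack_admin.W001',
                    )
                ]
                self.assertEqual(warnings, expected_warnings)
            finally:
                # Unregister on failure as well, so a failed assertion does
                # not leave the model registered for the following tests.
                admin.site.unregister(user_model)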
示例#13
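        def test_check_custom_user_model_default_admin(self):
            """The check warns (hijack_admin.W001) when only the default UserAdmin is registered."""
            # Django doesn't re-register admins when using `override_settings`,
            # so we have to do it manually in this test case.
            registered_model = get_user_model()
            admin.site.register(registered_model, UserAdmin)
            try:
                warnings = checks.check_custom_user_model(HijackAdminConfig)
                expected_warnings = [
                    Warning(
                        'django-hijack-admin does not work out the box with a custom user model.',
                        hint='Please mix HijackUserAdminMixin into your custom UserAdmin.',
                        obj=settings.AUTH_USER_MODEL,
                        id='hijack_admin.W001',
                    )
                ]
                self.assertEqual(warnings, expected_warnings)
            finally:
                # The admin site is shared across the test run; always remove
                # the registration, even when the comparison above fails.
                admin.site.unregister(registered_model)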
示例#14
def login_with_id(request, user_id):
    """Hijack the user with primary key ``user_id`` unless superusers are protected.

    Returns a 400 response for a non-integer ``user_id`` and raises
    ``Http404`` for an unknown one. A superuser target is refused unless
    ``HIJACK_AUTHORIZE_SUPERUSER_TO_HIJACK_SUPERUSER`` is truthy.
    """
    # The URL capture arrives as text.
    try:
        pk = int(user_id)
    except ValueError:
        return HttpResponseBadRequest('user_id must be an integer value.')

    target = get_object_or_404(get_user_model(), pk=pk)
    superuser_protected = (
        target.is_superuser
        and not hijack_settings.HIJACK_AUTHORIZE_SUPERUSER_TO_HIJACK_SUPERUSER)
    if superuser_protected:
        # NOTE(review): the refusal is a plain HttpResponse, i.e. status 200;
        # clients and log-based monitoring cannot tell it from success by
        # status code. The check also looks only at the target's flag; who is
        # asking is presumably verified in login_user; confirm.
        return HttpResponse('Cannot hijack superuser.')
    return login_user(request, target)
示例#15
def post_deleted(instance, **kwargs):
    """Recount the author's posts after one of their posts has been deleted.

    Does nothing when the author's profile or user row is already gone.
    """
    profile_model = util.get_pybb_profile_model()
    user_model = compat.get_user_model()
    try:
        author_profile = util.get_pybb_profile(instance.user)
    except (profile_model.DoesNotExist, user_model.DoesNotExist):
        # When a user is cascade-deleted, the profile and posts are deleted
        # too, so there is no counter left to update.
        return
    author_profile.post_count = instance.user.posts.count()
    author_profile.save()
示例#16
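def get_session_user(request):
    '''
    Extracts user from POST request.

    Returns None if the method is not POST, if no ``session_key`` was posted,
    if the session is unknown or expired, if the session carries no
    authenticated user id, or if that user no longer exists.
    '''
    if request.method != 'POST' or 'session_key' not in request.POST:
        return None

    # Local import: the module's import block is outside this snippet.
    from django.utils import timezone

    # The posted session key acts as a bearer credential for the user it
    # belongs to. Expired rows can stay in the table until they are purged,
    # so the expiry date is checked explicitly; otherwise a key that is past
    # its expiry would still be accepted here.
    try:
        session = Session.objects.get(
            session_key=request.POST['session_key'],
            expire_date__gt=timezone.now())
    except Session.DoesNotExist:
        return None

    uid = session.get_decoded().get('_auth_user_id')
    if uid is None:
        # Anonymous session: nothing to look up.
        return None

    user_model = get_user_model()
    try:
        return user_model.objects.get(pk=uid)
    except user_model.DoesNotExist:
        # The user was deleted after the session was created.
        return None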
示例#17
def login_with_username(request, username):
    """Hijack the user named ``username``; raises ``Http404`` if there is none."""
    # NOTE(review): no permission check is visible here; confirm login_user
    # (or a decorator outside this snippet) authorizes the caller.
    return login_user(
        request, get_object_or_404(get_user_model(), username=username))
示例#18
def login_with_username(request, username):
    """Hijack the user named ``username`` unless superusers are protected.

    Raises ``Http404`` for an unknown username. A superuser target is refused
    unless ``HIJACK_AUTHORIZE_SUPERUSER_TO_HIJACK_SUPERUSER`` is truthy.
    """
    target = get_object_or_404(get_user_model(), username=username)
    superuser_protected = (
        target.is_superuser
        and not hijack_settings.HIJACK_AUTHORIZE_SUPERUSER_TO_HIJACK_SUPERUSER)
    if superuser_protected:
        # NOTE(review): this refusal is sent with status 200, so it cannot be
        # told apart from success by status code.
        return HttpResponse('Cannot hijack superuser.')
    return login_user(request, target)
示例#19
# -*- coding: utf-8 -*-
import django.core.validators
from compat import get_user_model

# Resolve the active user model once, at import time; the authentication
# backend below queries it through `User.objects`.
# NOTE(review): because this runs on import, the module must only be imported
# once the user model can be resolved; confirm against the project's setup.
User = get_user_model()


class XAuthAuthenticationBackend(object):
    """Custom Authentication Backend. Supports both username and email as
     identification
    """
    supports_anonymous_user = False

    def authenticate(self, x_auth_username=None, x_auth_password=None,
                     x_auth_mode=None):
        """Authenticates a user through the combination
        email/username with password. Returns signed ``User`` instance

        x_auth_username -- a string containing the username or e-mail of
            the user that is trying to authenticate.

        x_auth_password -- string containing the password for the user.
        """
        if x_auth_mode != 'client_auth':
            return None
        try:
            django.core.validators.validate_email(x_auth_username)
            try:
                user = User.objects.get(email__iexact=x_auth_username)
            except User.DoesNotExist:
                return None
示例#20
        return button_template.render(button_context)

    # `allow_tags` makes the Django admin output this column's return value
    # without HTML-escaping it (the attribute was deprecated in Django 1.9 and
    # removed in 2.0). Escaping of anything user-controlled therefore has to
    # happen inside the rendered button template.
    hijack_field.allow_tags = True
    # Column header shown in the admin change list.
    hijack_field.short_description = _('Hijack user')


class HijackUserAdmin(HijackUserAdminMixin, UserAdmin):
    """UserAdmin whose change list carries an extra ``hijack_field`` column."""

    # `hijack_field` is supplied by HijackUserAdminMixin.
    list_display = ('username', 'email', 'first_name', 'last_name',
                    'last_login', 'date_joined', 'is_staff', 'hijack_field')
    list_filter = ('is_staff', 'is_superuser')
    search_fields = ('username', 'first_name', 'last_name', 'email')


# When enabled, swap the admin registered for the user model for the
# hijack-aware one. This runs as an import-time side effect of this module.
if hijack_admin_settings.HIJACK_REGISTER_ADMIN:
    UserModel = get_user_model()
    # unregister() requires that an admin is already registered for the model.
    # NOTE(review): presumably the stock UserAdmin; confirm for custom user
    # models that may have no admin registered at this point.
    admin.site.unregister(UserModel)
    admin.site.register(UserModel, HijackUserAdmin)
示例#21
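def login_with_id(request, userId):
    """Hijack the user whose primary key is ``userId``.

    Returns a 400 response when ``userId`` cannot be read as an integer,
    raises ``Http404`` when no such user exists, and otherwise returns
    whatever ``login_user`` returns.
    """
    # The previous `isinstance(userId, int)` test was inverted: it rejected
    # genuine integers and let every other value through to the query.
    # Convert instead, which also handles the text form a URL capture has.
    try:
        userId = int(userId)
    except (TypeError, ValueError):
        return HttpResponseBadRequest('userId must be an integer value.')
    # NOTE(review): no permission check is visible in this view; confirm that
    # login_user (or a decorator outside this snippet) authorizes the caller.
    user = get_object_or_404(get_user_model(), pk=userId)
    return login_user(request, user)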
示例#22
 def setUp(self):
     """Fetch or create the fixture user and keep it on ``self.user``."""
     # get_or_create returns (object, created); the flag is not needed.
     self.user, _ = get_user_model().objects.get_or_create(username='******')
示例#23
# -*- coding: utf-8 -*-
import django.core.validators
from compat import get_user_model

# Active user model, resolved once when this module is imported; the backend
# class below looks users up through `User.objects`.
# NOTE(review): import-time resolution assumes the user model is available
# when this module is first imported; confirm for this project.
User = get_user_model()


class XAuthAuthenticationBackend(object):
    """Custom Authentication Backend. Supports both username and email as
     identification
    """
    supports_anonymous_user = False

    def authenticate(self,
                     x_auth_username=None,
                     x_auth_password=None,
                     x_auth_mode=None):
        """Authenticates a user through the combination
        email/username with password. Returns signed ``User`` instance

        x_auth_username -- a string containing the username or e-mail of
            the user that is trying to authenticate.

        x_auth_password -- string containing the password for the user.
        """
        if x_auth_mode != 'client_auth':
            return None
        try:
            django.core.validators.validate_email(x_auth_username)
            try:
                user = User.objects.get(email__iexact=x_auth_username)
示例#24
def login_with_id(request, user_id):
    """Hijack the user whose primary key is ``user_id``; ``Http404`` if unknown."""
    # NOTE(review): `user_id` goes into the lookup exactly as received and no
    # permission check is visible here; confirm login_user (or the URL
    # pattern or a decorator outside this snippet) constrains both.
    return login_user(
        request, get_object_or_404(get_user_model(), pk=user_id))
示例#25
        elif 'email' in hijack_attributes:
            hijack_url = reverse('login_with_email', args=(obj.email, ))
        else:
            hijack_url = reverse('login_with_username', args=(obj.username, ))

        button_template = get_template('hijack/admin_button.html')
        button_context = {
            'hijack_url': hijack_url,
            'username': str(obj),
        }
        if VERSION < (1, 8):
            button_context = Context(button_context)

        return button_template.render(button_context)

    # `allow_tags` stops the Django admin from HTML-escaping the value this
    # column returns (deprecated in Django 1.9, removed in 2.0). The button
    # template receives `str(obj)` as `username`, so escaping of that value
    # relies on the template.
    hijack_field.allow_tags = True
    # Column header shown in the admin change list.
    hijack_field.short_description = _('Hijack user')


class HijackUserAdmin(HijackUserAdminMixin, UserAdmin):
    """UserAdmin variant that adds the ``hijack_field`` column to the change list."""

    # `hijack_field` comes from HijackUserAdminMixin.
    list_display = (
        'username',
        'email',
        'first_name',
        'last_name',
        'last_login',
        'date_joined',
        'is_staff',
        'hijack_field',
    )
    list_filter = ('is_staff', 'is_superuser')
    search_fields = (
        'username',
        'first_name',
        'last_name',
        'email',
    )

# By default show a Hijack button in the admin panel for the User model.
# This is an import-time side effect: the admin currently registered for the
# user model is replaced with HijackUserAdmin.
if hijack_settings.HIJACK_DISPLAY_ADMIN_BUTTON:
    UserModel = get_user_model()
    # unregister() requires that an admin is already registered for the model.
    # NOTE(review): confirm this holds for custom user models.
    admin.site.unregister(UserModel)
    admin.site.register(UserModel, HijackUserAdmin)
示例#26
def login_with_email(request, email):
    """Hijack the user whose e-mail address equals ``email``; ``Http404`` if none."""
    # NOTE(review): the lookup expects exactly one match. If the user model
    # does not enforce unique e-mail addresses, a shared address raises
    # MultipleObjectsReturned instead of selecting an account. No permission
    # check is visible here either; confirm login_user performs it.
    return login_user(
        request, get_object_or_404(get_user_model(), email=email))
示例#27
def login_with_username(request, username):
    """Hijack the account with the given ``username``; ``Http404`` if it does not exist."""
    # NOTE(review): authorization of the caller is not visible in this view;
    # confirm login_user or a decorator outside this snippet enforces it.
    target = get_object_or_404(get_user_model(), username=username)
    return login_user(request, target)
示例#28
def login_with_email(request, email):
    """Hijack the account registered under ``email``; ``Http404`` if there is none."""
    # NOTE(review): get_object_or_404 needs a single match; with non-unique
    # e-mail addresses it raises MultipleObjectsReturned. Caller authorization
    # is not visible here; confirm it happens in login_user.
    target = get_object_or_404(get_user_model(), email=email)
    return login_user(request, target)
示例#29
def login_with_id(request, user_id):
    """Hijack the user identified by primary key ``user_id``; ``Http404`` if unknown."""
    # `user_id` is the text captured from the URL and is passed to the lookup
    # without conversion.
    # NOTE(review): caller authorization is not visible in this view; confirm
    # login_user or a decorator outside this snippet enforces it.
    return login_user(
        request, get_object_or_404(get_user_model(), pk=user_id))
示例#30
import re
import inspect

from django import forms
from django.core.exceptions import FieldError
from django.forms.models import inlineformset_factory, BaseInlineFormSet
from django.utils.translation import ugettext, ugettext_lazy
from django.utils.timezone import now as tznow
from django.utils.translation import ugettext_lazy as _
from tendenci.apps.perms.forms import TendenciBaseForm

import compat, defaults, util
from .models import Topic, Post, Attachment, PollAnswer, Category


# Module-level handles obtained from the project's compat layer at import
# time: the active user model and (presumably) the name of its username field.
User = compat.get_user_model()
username_field = compat.get_username_field()


class CategoryAdminForm(TendenciBaseForm):
    status_detail = forms.ChoiceField(
        choices=(('active',_('Active')),('inactive',_('Inactive')),))
    class Meta:
        model = Category
        fields = (
        'name',
        'position',
        'hidden',
        'slug',
        'status_detail',
        'allow_anonymous_view',