2008-12-25 14:17:42 +08:00
|
|
|
from django.conf import settings
|
2014-04-02 08:46:34 +08:00
|
|
|
from django.conf.urls import url
|
2015-01-28 20:35:27 +08:00
|
|
|
from django.contrib import admin, messages
|
2013-06-20 04:09:40 +08:00
|
|
|
from django.contrib.admin.options import IS_POPUP_VAR
|
2015-02-13 01:14:19 +08:00
|
|
|
from django.contrib.admin.utils import unquote
|
2014-04-01 08:16:09 +08:00
|
|
|
from django.contrib.auth import update_session_auth_hash
|
2015-01-28 20:35:27 +08:00
|
|
|
from django.contrib.auth.forms import (
|
|
|
|
AdminPasswordChangeForm, UserChangeForm, UserCreationForm,
|
|
|
|
)
|
|
|
|
from django.contrib.auth.models import Group, User
|
2008-07-19 07:54:34 +08:00
|
|
|
from django.core.exceptions import PermissionDenied
|
2015-01-28 20:35:27 +08:00
|
|
|
from django.db import transaction
|
|
|
|
from django.http import Http404, HttpResponseRedirect
|
2011-04-23 02:17:16 +08:00
|
|
|
from django.template.response import TemplateResponse
|
2015-12-30 23:51:16 +08:00
|
|
|
from django.urls import reverse
|
2010-02-09 23:02:39 +08:00
|
|
|
from django.utils.decorators import method_decorator
|
2015-02-13 01:14:19 +08:00
|
|
|
from django.utils.encoding import force_text
|
2015-01-28 20:35:27 +08:00
|
|
|
from django.utils.html import escape
|
2008-07-19 07:54:34 +08:00
|
|
|
from django.utils.translation import ugettext, ugettext_lazy as _
|
2010-01-13 07:35:29 +08:00
|
|
|
from django.views.decorators.csrf import csrf_protect
|
2011-06-09 06:18:46 +08:00
|
|
|
from django.views.decorators.debug import sensitive_post_parameters
|
2008-07-19 07:54:34 +08:00
|
|
|
|
2010-02-09 23:02:39 +08:00
|
|
|
csrf_protect_m = method_decorator(csrf_protect)
|
2013-08-03 02:46:17 +08:00
|
|
|
sensitive_post_parameters_m = method_decorator(sensitive_post_parameters())
|
2010-02-09 23:02:39 +08:00
|
|
|
|
2012-10-13 11:44:50 +08:00
|
|
|
|
2015-08-31 08:00:39 +08:00
|
|
|
@admin.register(Group)
|
2008-07-19 07:54:34 +08:00
|
|
|
class GroupAdmin(admin.ModelAdmin):
|
|
|
|
search_fields = ('name',)
|
|
|
|
ordering = ('name',)
|
|
|
|
filter_horizontal = ('permissions',)
|
|
|
|
|
2011-08-15 17:01:12 +08:00
|
|
|
def formfield_for_manytomany(self, db_field, request=None, **kwargs):
|
|
|
|
if db_field.name == 'permissions':
|
2015-02-26 22:19:17 +08:00
|
|
|
qs = kwargs.get('queryset', db_field.remote_field.model.objects)
|
2011-08-15 17:01:12 +08:00
|
|
|
# Avoid a major performance hit resolving permission names which
|
|
|
|
# triggers a content_type load:
|
|
|
|
kwargs['queryset'] = qs.select_related('content_type')
|
2012-01-02 22:21:50 +08:00
|
|
|
return super(GroupAdmin, self).formfield_for_manytomany(
|
|
|
|
db_field, request=request, **kwargs)
|
2011-08-15 17:01:12 +08:00
|
|
|
|
|
|
|
|
2015-08-31 08:00:39 +08:00
|
|
|
@admin.register(User)
|
2008-07-19 07:54:34 +08:00
|
|
|
class UserAdmin(admin.ModelAdmin):
|
2010-01-13 07:35:29 +08:00
|
|
|
add_form_template = 'admin/auth/user/add_form.html'
|
|
|
|
change_user_password_template = None
|
2008-07-19 07:54:34 +08:00
|
|
|
fieldsets = (
|
|
|
|
(None, {'fields': ('username', 'password')}),
|
|
|
|
(_('Personal info'), {'fields': ('first_name', 'last_name', 'email')}),
|
2012-01-02 22:21:50 +08:00
|
|
|
(_('Permissions'), {'fields': ('is_active', 'is_staff', 'is_superuser',
|
|
|
|
'groups', 'user_permissions')}),
|
2008-07-19 07:54:34 +08:00
|
|
|
(_('Important dates'), {'fields': ('last_login', 'date_joined')}),
|
|
|
|
)
|
2010-01-13 07:35:29 +08:00
|
|
|
add_fieldsets = (
|
|
|
|
(None, {
|
|
|
|
'classes': ('wide',),
|
2013-12-09 01:20:06 +08:00
|
|
|
'fields': ('username', 'password1', 'password2'),
|
|
|
|
}),
|
2010-01-13 07:35:29 +08:00
|
|
|
)
|
2008-08-26 01:10:20 +08:00
|
|
|
form = UserChangeForm
|
2008-08-10 12:22:21 +08:00
|
|
|
add_form = UserCreationForm
|
2008-08-10 17:43:48 +08:00
|
|
|
change_password_form = AdminPasswordChangeForm
|
2008-07-19 07:54:34 +08:00
|
|
|
list_display = ('username', 'email', 'first_name', 'last_name', 'is_staff')
|
2012-09-08 00:42:06 +08:00
|
|
|
list_filter = ('is_staff', 'is_superuser', 'is_active', 'groups')
|
2008-07-19 07:54:34 +08:00
|
|
|
search_fields = ('username', 'first_name', 'last_name', 'email')
|
|
|
|
ordering = ('username',)
|
2012-10-10 23:49:26 +08:00
|
|
|
filter_horizontal = ('groups', 'user_permissions',)
|
2008-08-24 05:45:36 +08:00
|
|
|
|
2010-01-13 07:35:29 +08:00
|
|
|
def get_fieldsets(self, request, obj=None):
|
|
|
|
if not obj:
|
|
|
|
return self.add_fieldsets
|
|
|
|
return super(UserAdmin, self).get_fieldsets(request, obj)
|
|
|
|
|
|
|
|
def get_form(self, request, obj=None, **kwargs):
|
|
|
|
"""
|
|
|
|
Use special form during user creation
|
|
|
|
"""
|
|
|
|
defaults = {}
|
2010-01-20 06:19:26 +08:00
|
|
|
if obj is None:
|
2013-07-19 00:59:45 +08:00
|
|
|
defaults['form'] = self.add_form
|
2010-01-13 07:35:29 +08:00
|
|
|
defaults.update(kwargs)
|
|
|
|
return super(UserAdmin, self).get_form(request, obj, **defaults)
|
|
|
|
|
2009-01-15 04:22:25 +08:00
|
|
|
def get_urls(self):
|
2014-04-02 08:46:34 +08:00
|
|
|
return [
|
2015-09-12 07:33:12 +08:00
|
|
|
url(
|
|
|
|
r'^(.+)/password/$',
|
|
|
|
self.admin_site.admin_view(self.user_change_password),
|
|
|
|
name='auth_user_password_change',
|
|
|
|
),
|
2014-04-02 08:46:34 +08:00
|
|
|
] + super(UserAdmin, self).get_urls()
|
2008-08-24 05:45:36 +08:00
|
|
|
|
2013-03-28 00:23:59 +08:00
|
|
|
def lookup_allowed(self, lookup, value):
|
|
|
|
# See #20078: we don't want to allow any lookups involving passwords.
|
|
|
|
if lookup.startswith('password'):
|
|
|
|
return False
|
|
|
|
return super(UserAdmin, self).lookup_allowed(lookup, value)
|
|
|
|
|
2013-08-03 02:46:17 +08:00
|
|
|
@sensitive_post_parameters_m
|
2010-02-09 23:02:39 +08:00
|
|
|
@csrf_protect_m
|
2013-03-12 02:58:08 +08:00
|
|
|
@transaction.atomic
|
2010-01-13 07:35:29 +08:00
|
|
|
def add_view(self, request, form_url='', extra_context=None):
|
2008-12-25 14:04:11 +08:00
|
|
|
# It's an error for a user to have add permission but NOT change
|
|
|
|
# permission for users. If we allowed such users to add users, they
|
|
|
|
# could create superusers, which would mean they would essentially have
|
|
|
|
# the permission to change users. To avoid the problem entirely, we
|
|
|
|
# disallow users from adding users if they don't have change
|
|
|
|
# permission.
|
2008-07-19 07:54:34 +08:00
|
|
|
if not self.has_change_permission(request):
|
2008-12-25 14:17:42 +08:00
|
|
|
if self.has_add_permission(request) and settings.DEBUG:
|
|
|
|
# Raise Http404 in debug mode so that the user gets a helpful
|
|
|
|
# error message.
|
2012-01-02 22:21:50 +08:00
|
|
|
raise Http404(
|
|
|
|
'Your user does not have the "Change user" permission. In '
|
|
|
|
'order to add users, Django requires that your user '
|
|
|
|
'account have both the "Add user" and "Change user" '
|
|
|
|
'permissions set.')
|
2008-07-19 07:54:34 +08:00
|
|
|
raise PermissionDenied
|
2010-01-13 07:35:29 +08:00
|
|
|
if extra_context is None:
|
|
|
|
extra_context = {}
|
2012-10-13 11:44:50 +08:00
|
|
|
username_field = self.model._meta.get_field(self.model.USERNAME_FIELD)
|
2010-01-13 07:35:29 +08:00
|
|
|
defaults = {
|
2008-07-19 07:54:34 +08:00
|
|
|
'auto_populated_fields': (),
|
2012-10-13 11:44:50 +08:00
|
|
|
'username_help_text': username_field.help_text,
|
2010-01-13 07:35:29 +08:00
|
|
|
}
|
|
|
|
extra_context.update(defaults)
|
2012-01-02 22:21:50 +08:00
|
|
|
return super(UserAdmin, self).add_view(request, form_url,
|
|
|
|
extra_context)
|
2008-08-24 05:45:36 +08:00
|
|
|
|
2013-08-03 02:46:17 +08:00
|
|
|
@sensitive_post_parameters_m
|
2012-02-10 02:56:32 +08:00
|
|
|
def user_change_password(self, request, id, form_url=''):
|
2009-04-19 05:04:40 +08:00
|
|
|
if not self.has_change_permission(request):
|
2008-08-10 17:43:48 +08:00
|
|
|
raise PermissionDenied
|
2015-02-13 01:14:19 +08:00
|
|
|
user = self.get_object(request, unquote(id))
|
|
|
|
if user is None:
|
|
|
|
raise Http404(_('%(name)s object with primary key %(key)r does not exist.') % {
|
|
|
|
'name': force_text(self.model._meta.verbose_name),
|
|
|
|
'key': escape(id),
|
|
|
|
})
|
2008-08-10 17:43:48 +08:00
|
|
|
if request.method == 'POST':
|
|
|
|
form = self.change_password_form(user, request.POST)
|
|
|
|
if form.is_valid():
|
2012-01-02 22:21:50 +08:00
|
|
|
form.save()
|
2012-10-24 23:11:41 +08:00
|
|
|
change_message = self.construct_change_message(request, form, None)
|
2014-04-25 20:20:25 +08:00
|
|
|
self.log_change(request, user, change_message)
|
2008-08-10 17:43:48 +08:00
|
|
|
msg = ugettext('Password changed successfully.')
|
2009-12-10 00:57:23 +08:00
|
|
|
messages.success(request, msg)
|
2014-04-01 08:16:09 +08:00
|
|
|
update_session_auth_hash(request, form.user)
|
2015-02-10 00:28:03 +08:00
|
|
|
return HttpResponseRedirect(
|
2015-02-13 01:14:19 +08:00
|
|
|
reverse(
|
2015-10-27 06:38:30 +08:00
|
|
|
'%s:%s_%s_change' % (
|
2015-02-13 01:14:19 +08:00
|
|
|
self.admin_site.name,
|
2015-10-27 06:38:30 +08:00
|
|
|
user._meta.app_label,
|
2015-02-13 01:14:19 +08:00
|
|
|
user._meta.model_name,
|
|
|
|
),
|
|
|
|
args=(user.pk,),
|
|
|
|
)
|
2015-02-10 00:28:03 +08:00
|
|
|
)
|
2008-08-10 17:43:48 +08:00
|
|
|
else:
|
|
|
|
form = self.change_password_form(user)
|
2010-01-13 07:35:29 +08:00
|
|
|
|
2012-08-08 22:33:15 +08:00
|
|
|
fieldsets = [(None, {'fields': list(form.base_fields)})]
|
2010-01-13 07:35:29 +08:00
|
|
|
adminForm = admin.helpers.AdminForm(form, fieldsets, {})
|
|
|
|
|
2011-04-23 02:17:16 +08:00
|
|
|
context = {
|
2012-11-10 23:48:46 +08:00
|
|
|
'title': _('Change password: %s') % escape(user.get_username()),
|
2010-01-13 07:35:29 +08:00
|
|
|
'adminForm': adminForm,
|
2012-07-03 07:33:44 +08:00
|
|
|
'form_url': form_url,
|
2008-08-10 17:43:48 +08:00
|
|
|
'form': form,
|
2013-10-16 04:36:49 +08:00
|
|
|
'is_popup': (IS_POPUP_VAR in request.POST or
|
|
|
|
IS_POPUP_VAR in request.GET),
|
2008-08-10 17:43:48 +08:00
|
|
|
'add': True,
|
|
|
|
'change': False,
|
|
|
|
'has_delete_permission': False,
|
|
|
|
'has_change_permission': True,
|
|
|
|
'has_absolute_url': False,
|
|
|
|
'opts': self.model._meta,
|
|
|
|
'original': user,
|
|
|
|
'save_as': False,
|
|
|
|
'show_save': True,
|
2011-04-23 02:17:16 +08:00
|
|
|
}
|
2015-10-27 06:38:30 +08:00
|
|
|
context.update(self.admin_site.each_context(request))
|
2014-12-15 00:48:51 +08:00
|
|
|
|
|
|
|
request.current_app = self.admin_site.name
|
|
|
|
|
2016-03-29 06:33:29 +08:00
|
|
|
return TemplateResponse(
|
|
|
|
request,
|
2011-04-23 02:17:16 +08:00
|
|
|
self.change_user_password_template or
|
2012-12-04 07:39:03 +08:00
|
|
|
'admin/auth/user/change_password.html',
|
2016-03-29 06:33:29 +08:00
|
|
|
context,
|
|
|
|
)
|
2008-08-10 17:43:48 +08:00
|
|
|
|
2012-12-23 03:00:08 +08:00
|
|
|
def response_add(self, request, obj, post_url_continue=None):
|
2010-11-20 06:45:51 +08:00
|
|
|
"""
|
|
|
|
Determines the HttpResponse for the add_view stage. It mostly defers to
|
|
|
|
its superclass implementation but is customized because the User model
|
|
|
|
has a slightly different workflow.
|
|
|
|
"""
|
2011-02-24 09:00:57 +08:00
|
|
|
# We should allow further modification of the user just added i.e. the
|
|
|
|
# 'Save' button should behave like the 'Save and continue editing'
|
|
|
|
# button except in two scenarios:
|
|
|
|
# * The user has pressed the 'Save and add another' button
|
|
|
|
# * We are adding a user in a popup
|
2013-06-20 04:09:40 +08:00
|
|
|
if '_addanother' not in request.POST and IS_POPUP_VAR not in request.POST:
|
2010-11-20 06:45:51 +08:00
|
|
|
request.POST['_continue'] = 1
|
2012-12-23 03:00:08 +08:00
|
|
|
return super(UserAdmin, self).response_add(request, obj,
|
|
|
|
post_url_continue)
|