new api secret system, multiple api secrets, limited scopes, etc...

src/c3nav/control/forms.py

@@ -158,6 +158,7 @@ class AccessPermissionForm(Form):
                                      unique_key=unique_key)
 
     def get_signed_data(self, key=None):
+        # todo: yep, we stil need to fix this
         if not self.author.permissions.api_secret:
             raise ValueError('Author has no api secret.')
         data = {

src/c3nav/control/middleware.py

@@ -17,22 +17,24 @@ class UserPermissionsMiddleware:
     def __init__(self, get_response):
         self.get_response = get_response
 
-    def get_user_permissions(self, request):
+    @staticmethod
+    def get_user_permissions(request):
         try:
             return getattr(request, '_user_permissions_cache')
         except AttributeError:
             pass
         result = UserPermissions.get_for_user(request.user)
-        self._user_permissions_cache = result
+        request._user_permissions_cache = result
         return result
 
-    def get_user_space_accesses(self, request):
+    @staticmethod
+    def get_user_space_accesses(request):
         try:
             return getattr(request, '_user_space_accesses_cache')
         except AttributeError:
             pass
         result = UserSpaceAccess.get_for_user(request.user)
-        self._user_space_accesses_cache = result
+        request._user_space_accesses_cache = result
         return result
 
     def __call__(self, request):

src/c3nav/control/templates/control/user.html

@@ -30,36 +30,6 @@
         </p>
     {% endif %}
 
-    {% if request.user_permissions.grant_permissions or request.user == user and user.permissions.api_secret %}
-        <h4>{% trans 'API secret' %}</h4>
-        <p>
-            {% if user.permissions.api_secret %}
-                {% if request.user == user %}
-                    {% trans 'This user has an API secret.' %}
-                {% else %}
-                    {% trans 'You have an API secret.' %}
-                {% endif %}
-                {% trans 'You can not see it, but generate a new one.' %}
-            {% else %}
-                {% trans 'This user has not an API secret.' %}
-                {% trans 'You can create one.' %}
-            {% endif %}
-        </p>
-        <form method="POST">
-            {% csrf_token %}
-            <select name="api_secret" style="width: auto;">
-                <option value="">---</option>
-                {% if user.permissions.api_secret %}
-                    <option value="regenerate">{% trans 'Regenerate API secret' %}</option>
-                    <option value="delete">{% trans 'Delete API secret' %}</option>
-                {% else %}
-                    <option value="generate">{% trans 'Generate API secret' %}</option>
-                {% endif %}
-            </select>
-            <button type="submit">{% trans 'Update API secret' %}</button>
-        </form>
-    {% endif %}
-
     <a name="access"></a>
     <h4>{% trans 'Access Permissions' %}</h4>
     {% if access_restriction %}

src/c3nav/control/views/access.py

@@ -21,6 +21,7 @@ def grant_access(request):  # todo: make class based view
         if form.is_valid():
             token = form.get_token()
             token.save()
+            # todo: this still needs fixing
             if settings.DEBUG and request.user_permissions.api_secret:
                 signed_data = form.get_signed_data()
                 print('/?'+urlencode({'access': signed_data}))

src/c3nav/control/views/users.py

@@ -1,5 +1,3 @@
-import string
-
 from django.contrib import messages
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.models import User
@@ -7,7 +5,6 @@ from django.db import IntegrityError, transaction
 from django.db.models import Prefetch
 from django.shortcuts import get_object_or_404, redirect, render
 from django.utils import timezone
-from django.utils.crypto import get_random_string
 from django.utils.translation import gettext_lazy as _
 from django.views.generic import ListView
 
@@ -60,37 +57,6 @@ def user_detail(request, user):  # todo: make class based view
                         messages.error(request, _('You cannot delete this Access Permission.'))
                 return redirect(request.path_info+'?restriction='+str(permission.pk)+'#access')
 
-        api_secret_action = request.POST.get('api_secret')
-        if (api_secret_action and (request.user_permissions.grant_permissions or
-                                   (request.user == user and user.permissions.api_secret))):
-
-            permissions = user.permissions
-
-            if api_secret_action == 'generate' and permissions.api_secret:
-                messages.error(request, _('This user already has an API secret.'))
-                return redirect(request.path_info)
-
-            if api_secret_action in ('delete', 'regenerate') and not permissions.api_secret:
-                messages.error(request, _('This user does not have an API secret.'))
-                return redirect(request.path_info)
-
-            with transaction.atomic():
-                if api_secret_action in ('generate', 'regenerate'):
-                    api_secret = '%d-%s' % (user.pk, get_random_string(62, string.ascii_letters+string.digits))
-                    permissions.api_secret = api_secret
-                    permissions.save()
-
-                    messages.success(request, _('The new API secret is: %s – '
-                                                'be sure to note it down now, it won\'t be shown again.') % api_secret)
-
-                elif api_secret_action == 'delete':
-                    permissions.api_secret = None
-                    permissions.save()
-
-                    messages.success(request, _('API secret successfully deleted!'))
-
-                return redirect(request.path_info)
-
     ctx = {
         'user': user,
     }