new api secret system, multiple api secrets, limited scopes, etc...

2023-11-30 22:02:40 +01:00 · 2023-11-30 22:02:40 +01:00 · 43791583e0
commit 43791583e0
parent 4307a7fc4d
22 changed files with 404 additions and 156 deletions
--- a/src/c3nav/control/views/access.py
+++ b/src/c3nav/control/views/access.py
@ -21,6 +21,7 @@ def grant_access(request):  # todo: make class based view
        if form.is_valid():
            token = form.get_token()
            token.save()
+            # todo: this still needs fixing
            if settings.DEBUG and request.user_permissions.api_secret:
                signed_data = form.get_signed_data()
                print('/?'+urlencode({'access': signed_data}))
--- a/src/c3nav/control/views/users.py
+++ b/src/c3nav/control/views/users.py
@ -1,5 +1,3 @@
-import string
-
 from django.contrib import messages
 from django.contrib.auth.decorators import login_required
 from django.contrib.auth.models import User
@ -7,7 +5,6 @@ from django.db import IntegrityError, transaction
 from django.db.models import Prefetch
 from django.shortcuts import get_object_or_404, redirect, render
 from django.utils import timezone
-from django.utils.crypto import get_random_string
 from django.utils.translation import gettext_lazy as _
 from django.views.generic import ListView

@ -60,37 +57,6 @@ def user_detail(request, user):  # todo: make class based view
                        messages.error(request, _('You cannot delete this Access Permission.'))
                return redirect(request.path_info+'?restriction='+str(permission.pk)+'#access')

-        api_secret_action = request.POST.get('api_secret')
-        if (api_secret_action and (request.user_permissions.grant_permissions or
-                                   (request.user == user and user.permissions.api_secret))):
-
-            permissions = user.permissions
-
-            if api_secret_action == 'generate' and permissions.api_secret:
-                messages.error(request, _('This user already has an API secret.'))
-                return redirect(request.path_info)
-
-            if api_secret_action in ('delete', 'regenerate') and not permissions.api_secret:
-                messages.error(request, _('This user does not have an API secret.'))
-                return redirect(request.path_info)
-
-            with transaction.atomic():
-                if api_secret_action in ('generate', 'regenerate'):
-                    api_secret = '%d-%s' % (user.pk, get_random_string(62, string.ascii_letters+string.digits))
-                    permissions.api_secret = api_secret
-                    permissions.save()
-
-                    messages.success(request, _('The new API secret is: %s – '
-                                                'be sure to note it down now, it won\'t be shown again.') % api_secret)
-
-                elif api_secret_action == 'delete':
-                    permissions.api_secret = None
-                    permissions.save()
-
-                    messages.success(request, _('API secret successfully deleted!'))
-
-                return redirect(request.path_info)
-
    ctx = {
        'user': user,
    }