manage api secrets

Laura Klünder 2017-12-19 12:58:28 +01:00
parent 1df655ac5a
commit f9124da333
2 changed files with 63 additions and 0 deletions


@ -23,6 +23,36 @@
</p>
{% endif %}
{% if request.user_permissions.grant_permissions or request.user == user %}
<h4>{% trans 'API secret' %}</h4>
<p>
{% if request.user_permissions.api_secret %}
{% if request.user == user %}
{% trans 'This user has an API secret.' %}
{% else %}
{% trans 'You have an API secret.' %}
{% endif %}
{% trans 'You can not see it, but generate a new one.' %}
{% else %}
{% trans 'This user has not an API secret.' %}
{% trans 'You can create one.' %}
{% endif %}
</p>
<form method="POST">
{% csrf_token %}
<select name="api_secret" style="width: auto;">
<option value="">---</option>
{% if request.user_permissions.api_secret %}
<option value="regenerate">{% trans 'Regenerate API secret' %}</option>
<option value="delete">{% trans 'Delete API secret' %}</option>
{% else %}
<option value="generate">{% trans 'Generate API secret' %}</option>
{% endif %}
</select>
<button type="submit">{% trans 'Update API secret' %}</button>
</form>
{% endif %}
<h4>{% trans 'Access Permissions' %}</h4>
{% if user.accesspermissions.all %}
<form method="post">
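Review bot: Both `{% if request.user_permissions.api_secret %}` tests appear to read the viewer's permissions rather than those of the account being displayed, so someone with grant_permissions looking at another user gets status text and select options derived from their own secret. The view in this commit works on `user.permissions.api_secret`, so the template should presumably test `{% if user.permissions.api_secret %}` in both places. The two status strings also look swapped: the `request.user == user` branch prints 'This user has an API secret.' while the else branch prints 'You have an API secret.'.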


@ -1,3 +1,4 @@
import string
from functools import wraps
from django.contrib import messages
@ -9,6 +10,7 @@ from django.db import transaction
from django.db.models import Prefetch
from django.shortcuts import get_object_or_404, redirect, render
from django.urls import reverse
from django.utils.crypto import get_random_string
from django.utils.translation import ugettext_lazy as _
from c3nav.control.forms import AccessPermissionForm, AnnouncementForm, UserPermissionsForm
@ -76,6 +78,37 @@ def user_detail(request, user):
messages.error(request, _('You cannot delete this Access Permission.'))
return redirect(request.path_info)
api_secret_action = request.POST.get('api_secret')
if (api_secret_action and (request.user_permissions.grant_permissions or
request.user == user and user.permissions.api_secret)):
permissions = user.permissions
if api_secret_action == 'generate' and permissions.api_secret:
messages.error(request, _('This user already has an API secret.'))
return redirect(request.path_info)
if api_secret_action in ('delete', 'regenerate') and not permissions.api_secret:
messages.error(request, _('This user does not have an API secret.'))
return redirect(request.path_info)
with transaction.atomic():
if api_secret_action in ('generate', 'regenerate'):
api_secret = get_random_string(64, string.ascii_letters+string.digits)
permissions.api_secret = api_secret
permissions.save()
messages.success(request, _('The new API secret is: %s '
'be sure to note it down now, it won\'t be shown again.') % api_secret)
elif api_secret_action == 'delete':
permissions.api_secret = None
permissions.save()
messages.success(request, _('API secret successfully deleted!'))
return redirect(request.path_info)
ctx = {
'user': user,
}
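Review bot: The generated value is saved to `permissions.api_secret` as-is and then embedded in the `messages.success` text, so the credential sits in plaintext in the database and, depending on the configured message storage, in the session or a signed but readable cookie until the next page render. Consider persisting only a digest of the secret (the code that verifies it is not visible here and would need the matching change) and showing the raw value once without routing it through the messages framework. Separately, the guard `request.user_permissions.grant_permissions or request.user == user and user.permissions.api_secret` relies on `and` binding tighter than `or`; write it as `grant_permissions or (request.user == user and user.permissions.api_secret)` so the intent is explicit. As written it also silently ignores `generate` from a user acting on their own account who has no secret yet, although the template offers that option to them. user_detail starts and ends outside the hunk.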