manage api secrets

2017-12-19 12:58:28 +01:00 · 2017-12-19 12:58:28 +01:00 · f9124da333
commit f9124da333
parent 1df655ac5a
2 changed files with 63 additions and 0 deletions
--- a/src/c3nav/control/views.py
+++ b/src/c3nav/control/views.py
@ -1,3 +1,4 @@
+import string
 from functools import wraps

 from django.contrib import messages
@ -9,6 +10,7 @@ from django.db import transaction
 from django.db.models import Prefetch
 from django.shortcuts import get_object_or_404, redirect, render
 from django.urls import reverse
+from django.utils.crypto import get_random_string
 from django.utils.translation import ugettext_lazy as _

 from c3nav.control.forms import AccessPermissionForm, AnnouncementForm, UserPermissionsForm
@ -76,6 +78,37 @@ def user_detail(request, user):
                        messages.error(request, _('You cannot delete this Access Permission.'))
                return redirect(request.path_info)

+        api_secret_action = request.POST.get('api_secret')
+        if (api_secret_action and (request.user_permissions.grant_permissions or
+                                   request.user == user and user.permissions.api_secret)):
+
+            permissions = user.permissions
+
+            if api_secret_action == 'generate' and permissions.api_secret:
+                messages.error(request, _('This user already has an API secret.'))
+                return redirect(request.path_info)
+
+            if api_secret_action in ('delete', 'regenerate') and not permissions.api_secret:
+                messages.error(request, _('This user does not have an API secret.'))
+                return redirect(request.path_info)
+
+            with transaction.atomic():
+                if api_secret_action in ('generate', 'regenerate'):
+                    api_secret = get_random_string(64, string.ascii_letters+string.digits)
+                    permissions.api_secret = api_secret
+                    permissions.save()
+
+                    messages.success(request, _('The new API secret is: %s – '
+                                                'be sure to note it down now, it won\'t be shown again.') % api_secret)
+
+                elif api_secret_action == 'delete':
+                    permissions.api_secret = None
+                    permissions.save()
+
+                    messages.success(request, _('API secret successfully deleted!'))
+
+                return redirect(request.path_info)
+
    ctx = {
        'user': user,
    }