From 1d26bbc17a119970c2b86072fc68ff0f2581c9d8 Mon Sep 17 00:00:00 2001 From: Benjamin Bach Date: Thu, 8 Aug 2024 08:37:24 +0200 Subject: [PATCH] WIP: View, form and template for invitations, add exceptions for linting rules --- pyproject.toml | 9 ++++-- src/membership/emails.py | 26 +++++++++++++-- src/membership/forms.py | 19 +++++++++++ .../0009_membership_referral_code.py | 32 +++++++++++++++++++ src/membership/models.py | 4 +++ .../emails/{invitation.txt => invite.txt} | 0 .../templates/membership/invite.html | 14 ++++++++ src/membership/views.py | 29 +++++++++++++++-- src/project/settings.py | 4 +++ 9 files changed, 131 insertions(+), 6 deletions(-) create mode 100644 src/membership/forms.py create mode 100644 src/membership/migrations/0009_membership_referral_code.py rename src/membership/templates/membership/emails/{invitation.txt => invite.txt} (100%) create mode 100644 src/membership/templates/membership/invite.html diff --git a/pyproject.toml b/pyproject.toml index 7ebb19b..a5431e3 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -141,14 +141,19 @@ ignore = [ "EM102", # Exception must not use a f-string literal, assign to variable first "COM812", # missing-trailing-comma (https://docs.astral.sh/ruff/formatter/#conflicting-lint-rules) "ISC001", # single-line-implicit-string-concatenation (https://docs.astral.sh/ruff/formatter/#conflicting-lint-rules) + "D100", # Missing docstring in public module + "D101", # Missing docstring in public class + "D102", # Missing docstring in public method "D105", # Missing docstring in magic method "D106", # Missing docstring in public nested class + "D107", # Missing docstring in `__init__` "FIX", # TODO, FIXME, XXX "TD", # TODO, FIXME, XXX "ANN002", # Missing type annotation for `*args` "ANN003", # Missing type annotation for `**kwargs` - "FBT001", # Misbehaves: Complains about positional arguments that are keyworded. - "FBT002", # Misbehaves: Complains about positional arguments that are keyworded. + "FBT001", # Misbehaves: Boolean-typed positional argument in function definition + "FBT002", # Misbehaves: Boolean-typed positional argument in function definition + "TRY003", # Avoid specifying long messages outside the exception class ] [tool.ruff.lint.isort] diff --git a/src/membership/emails.py b/src/membership/emails.py index 20a243a..486108a 100644 --- a/src/membership/emails.py +++ b/src/membership/emails.py @@ -6,6 +6,7 @@ """ from django.contrib import messages +from django.contrib.auth.tokens import default_token_generator from django.contrib.sites.shortcuts import get_current_site from django.core.mail.message import EmailMessage from django.http import HttpRequest @@ -13,11 +14,15 @@ from django.template import loader from django.utils import translation from django.utils.translation import gettext_lazy as _ +from src.membership.models import Membership + class BaseEmail(EmailMessage): """Send emails via templated body and subjects. This base class is extended for all email functionality. + Because all emails are sent to the Member object, we can keep them gathered here, even when they are generated by + other apps (like the accounting app). """ template = "membership/email/base.txt" @@ -25,7 +30,7 @@ class BaseEmail(EmailMessage): template_subject = None default_subject = "SET SUBJECT HERE" - def __init__(self, request: HttpRequest, *args, **kwargs) -> None: # noqa: D107 + def __init__(self, request: HttpRequest, *args, **kwargs) -> None: self.context = kwargs.pop("context", {}) self.user = kwargs.pop("user", None) if self.user: @@ -76,7 +81,7 @@ class BaseEmail(EmailMessage): subject = str(self.default_subject) return subject - def send_with_feedback(self, success_msg: str | None = None, no_message: bool = False) -> None: + def send_with_feedback(self, *, success_msg: str | None = None, no_message: bool = False) -> None: """Send email, possibly adding feedback via django.contrib.messages.""" if not success_msg: success_msg = _("Email successfully sent to {}").format(", ".join(self.to)) @@ -86,3 +91,20 @@ class BaseEmail(EmailMessage): messages.success(self.request, success_msg) except RuntimeError: messages.error(self.request, _("Not sent, something wrong with the mail server.")) + + +class InviteEmail(BaseEmail): + template = "membership/emails/invite.txt" + default_subject = _("Invite to data.coop membership") + + def __init__(self, membership: Membership, request: HttpRequest, *args, **kwargs) -> None: + self.membership = membership + kwargs["user"] = membership.user + super().__init__(request, *args, **kwargs) + + def get_context_data(self) -> dict: + c = super().get_context_data() + c["membership"] = self.membership + c["token"] = default_token_generator.make_token(self.membership.user) + c["referral_code"] = self.membership.referral_code + return c diff --git a/src/membership/forms.py b/src/membership/forms.py new file mode 100644 index 0000000..23b8b2e --- /dev/null +++ b/src/membership/forms.py @@ -0,0 +1,19 @@ +from allauth.account.forms import SetPasswordForm + + +class CreatePasswordForm(SetPasswordForm): + """Create a new password for a user account that is created through an invite.""" + + def __init__(self, *args, **kwargs) -> None: + self.membership = kwargs.pop("membership") + super().__init__(*args, **kwargs) + + def save(self) -> None: + """Save instance to db. + + Note: You can hack a re-activation of a deactivated account + by getting a valid token before deactivation (from the reset password form). + We can block this by also setting Membership.revoked=False when deactivating someone's account. + """ + self.user.is_active = True + super().save() diff --git a/src/membership/migrations/0009_membership_referral_code.py b/src/membership/migrations/0009_membership_referral_code.py new file mode 100644 index 0000000..f8c0e07 --- /dev/null +++ b/src/membership/migrations/0009_membership_referral_code.py @@ -0,0 +1,32 @@ +# Generated by Django 5.1rc1 on 2024-08-07 22:32 + +import uuid +from django.db import migrations, models + + +def create_uuid(apps, schema_editor): + Membership = apps.get_model('membership', 'Membership') + for membership in Membership.objects.all(): + membership.referral_code = uuid.uuid4() + membership.save() + + +class Migration(migrations.Migration): + + dependencies = [ + ('membership', '0008_alter_membership_membership_type'), + ] + + operations = [ + migrations.AddField( + model_name='membership', + name='referral_code', + field=models.UUIDField(blank=True, null=True, unique=True, default=uuid.uuid4, editable=False), + ), + migrations.RunPython(create_uuid), + migrations.AddField( + model_name='membership', + name='referral_code', + field=models.UUIDField(unique=True, default=uuid.uuid4, editable=False), + ), + ] diff --git a/src/membership/models.py b/src/membership/models.py index 9483d0f..fca8c74 100644 --- a/src/membership/models.py +++ b/src/membership/models.py @@ -1,5 +1,6 @@ """Models for the membership app.""" +import uuid from typing import ClassVar from typing import Self @@ -122,6 +123,9 @@ class Membership(CreatedModifiedAbstract): user = models.ForeignKey("auth.User", on_delete=models.PROTECT, related_name="memberships") + # This code is used for inviting a user to create an account for this membership. + referral_code = models.UUIDField(unique=True, default=uuid.uuid4, editable=False) + membership_type = models.ForeignKey( "membership.MembershipType", related_name="memberships", diff --git a/src/membership/templates/membership/emails/invitation.txt b/src/membership/templates/membership/emails/invite.txt similarity index 100% rename from src/membership/templates/membership/emails/invitation.txt rename to src/membership/templates/membership/emails/invite.txt diff --git a/src/membership/templates/membership/invite.html b/src/membership/templates/membership/invite.html new file mode 100644 index 0000000..d9cbce0 --- /dev/null +++ b/src/membership/templates/membership/invite.html @@ -0,0 +1,14 @@ +{% extends "base.html" %} +{% load i18n %} + +{% block head_title %} + {% trans "Membership" %} +{% endblock %} + +{% block content %} + +
+

Membership invite

+ +
+{% endblock %} diff --git a/src/membership/views.py b/src/membership/views.py index 0c5ebf9..3331844 100644 --- a/src/membership/views.py +++ b/src/membership/views.py @@ -4,6 +4,11 @@ from __future__ import annotations from typing import TYPE_CHECKING +from django.contrib import messages +from django.contrib.auth.tokens import default_token_generator +from django.http import HttpResponseNotAllowed +from django.shortcuts import get_object_or_404 +from django.shortcuts import redirect from django.utils.translation import gettext_lazy as _ from django_ratelimit.decorators import ratelimit from django_view_decorator import namespaced_decorator_factory @@ -11,6 +16,8 @@ from utils.view_utils import RenderConfig from utils.view_utils import RowAction from utils.view_utils import render +from .forms import CreatePasswordForm +from .models import Membership from .permissions import ADMINISTRATE_MEMBERS from .selectors import get_member from .selectors import get_members @@ -118,11 +125,11 @@ def members_admin_detail(request: HttpRequest, member_id: int) -> HttpResponse: @ratelimit(group="membership", key="ip", rate="10/d", method="ALL", block=True) @member_view( - paths="invite//", + paths="invite///", name="membership-invite", login_required=False, ) -def invite(request: HttpRequest, token: str) -> HttpResponse: +def invite(request: HttpRequest, referral_code: str, token: str) -> HttpResponse: """View to invite a member to create a membership. The token belongs to a non-active Member object. If the token is valid, @@ -130,8 +137,26 @@ def invite(request: HttpRequest, token: str) -> HttpResponse: We ratelimit this view so it's not possible to brute-force tokens. """ + # Firstly, we get the membership by the referral code. + membership = get_object_or_404(Membership, referral_code=referral_code, user__is_active=False, revoked=False) + + token_valid = default_token_generator.check_token(membership.user, token) + + if not token_valid: + raise HttpResponseNotAllowed("Token not valid - maybe it expired?") + + if request.method == "POST": + form = CreatePasswordForm(membership=membership, user=membership, data=request.POST) + if form.is_valid(): + messages.info(request, _("Password is set for your account and you can now login.")) + return redirect("account_login") + else: + form = CreatePasswordForm(user=membership) + context = { "token": token, + "membership": membership, + "form": form, } return render( request=request, diff --git a/src/project/settings.py b/src/project/settings.py index 4f558a1..d6a800c 100644 --- a/src/project/settings.py +++ b/src/project/settings.py @@ -182,6 +182,10 @@ LOGGING = { STRIPE_API_KEY = env.str("STRIPE_API_KEY") STRIPE_ENDPOINT_SECRET = env.str("STRIPE_ENDPOINT_SECRET") +# The number of seconds a password reset link is valid for (default: 3 days). +# We've extended this to 7 days because invites then last for 1 week. +PASSWORD_RESET_TIMEOUT = 60 * 60 * 24 * 7 + if DEBUG: INSTALLED_APPS += ["debug_toolbar", "django_browser_reload"] MIDDLEWARE += [