Cedar now uses Django's Perms and groups.

You'll have to do some manual editing to give yourself superuser.

- /admin/ now uses perms and groups. So you can fine tune who has access to what model.
- Moved the metadata button to the user sidebar
- Removed metaview lists from showing in user settings and in the metadata page.
This commit is contained in:
some weird guy
2023-09-15 16:03:37 -07:00
parent 4bd55cbed1
commit 61ca96d37d
9 changed files with 155 additions and 179 deletions
+113 -55
View File
@@ -1,71 +1,110 @@
from django.apps import apps
from django.contrib import admin
#from django.contrib.auth.admin import UserAdmin
from django.contrib.auth.models import Group
#from django.forms import ModelForm, PasswordInput
from django.contrib.auth.admin import UserAdmin as BaseUserAdmin
from django.contrib.auth.forms import AdminPasswordChangeForm
from django.contrib.auth.models import Group, Permission
from django.contrib import messages
from django.http import HttpResponseRedirect
from django.conf import settings
from . import models
# Override admin login page
from closedverse_main.views import login_page
admin.autodiscover()
admin.site.login = login_page
"""
class UserForm(ModelForm):
class Meta:
model = models.User
fields = '__all__'
widgets = {
'password': PasswordInput(),
}
"""
@admin.action(description='Void selected Invites')
@admin.action(description='Void selected Invites', permissions=["change"])
def Void_invite(modeladmin, request, queryset):
queryset.update(void = True)
@admin.action(description='Restore selected Invites')
@admin.action(description='Restore selected Invites', permissions=["change"])
def Restore_invite(modeladmin, request, queryset):
queryset.update(void = False, used = False)
@admin.action(description='Hide selected items')
@admin.action(description='Hide selected items', permissions=["change"])
def Hide_content(modeladmin, request, queryset):
queryset.update(is_rm = True)
@admin.action(description='Show selected items')
@admin.action(description='Show selected items', permissions=["change"])
def Show_content(modeladmin, request, queryset):
queryset.update(is_rm = False)
@admin.action(description='Disable comments')
@admin.action(description='Disable comments', permissions=["change"])
def Disable_comments(modeladmin, request, queryset):
queryset.update(lock_comments = 2)
@admin.action(description='Enable comments')
@admin.action(description='Enable comments', permissions=["change"])
def Enable_comments(modeladmin, request, queryset):
queryset.update(lock_comments = 0)
@admin.action(description='Feature selected communities')
@admin.action(description='Feature selected communities', permissions=["change"])
def Feature_community(modeladmin, request, queryset):
queryset.update(is_feature = True)
@admin.action(description='Unfeature selected communities')
@admin.action(description='Unfeature selected communities', permissions=["change"])
def Unfeature_community(modeladmin, request, queryset):
queryset.update(is_feature = False)
@admin.action(description='Force login')
@admin.action(description='Force login', permissions=["change"])
def force_login(modeladmin, request, queryset):
queryset.update(require_auth = True)
@admin.action(description='Unforce login')
@admin.action(description='Unforce login', permissions=["change"])
def unforce_login(modeladmin, request, queryset):
queryset.update(require_auth = False)
@admin.action(description='Disable user')
@admin.action(description='Disable user', permissions=["change"])
def Disable_user(modeladmin, request, queryset):
queryset.update(active = False)
@admin.action(description='Enable user')
queryset.update(is_active = False)
@admin.action(description='Enable user', permissions=["change"])
def Enable_user(modeladmin, request, queryset):
queryset.update(active = True)
queryset.update(is_active = True)
@admin.action(description='Demote user', permissions=["change"])
def Demote_user(modeladmin, request, queryset):
queryset.update(is_superuser = False)
queryset.update(is_staff = False)
queryset.update(level = 0)
class UserAdmin(admin.ModelAdmin):
search_fields = ('id', 'username', 'nickname', 'email', )
list_display = ('id', 'username', 'nickname', 'warned', 'level', 'staff', 'active', )
exclude = ('addr', 'signup_addr', 'password', )
actions = [Disable_user, Enable_user]
#exclude = ('staff', )
# Not yet
#form = UserForm
class UserAdmin(BaseUserAdmin):
search_fields = ('id', 'username', 'nickname', 'email', 'addr', 'signup_addr')
list_display = ('id', 'username', 'nickname', 'level', 'is_active', 'is_staff', 'is_superuser')
actions = [Disable_user, Enable_user, Demote_user]
raw_id_fields = ('role', )
readonly_fields = ('last_login', 'created', )
fieldsets = (
(None, {'fields': ('nickname', 'username', 'password')}),
('Personal info', {'fields': ('email', ('addr', 'signup_addr'))}),
('Cosmetic', {'fields': (('role', 'avatar', 'has_mh'), 'color', 'theme', 'bg_url',)}),
('Data', {'fields': ('last_login', 'created', 'hide_online')}),
('Permissions', {'fields': (('is_active', 'is_staff', 'is_superuser', 'can_invite'), 'level', 'c_tokens', 'groups', 'user_permissions')}),
)
# yes this is stupid...
def get_queryset(self, request):
# Filter the list of users displayed based on the current user's level and superuser status.
qs = super().get_queryset(request)
if request.user.is_superuser:
return qs
return qs.filter(level__lt=request.user.level)
def has_change_permission(self, request, obj=None):
if not obj:
return super().has_change_permission(request, obj)
# Superusers can edit anyone
if request.user.is_superuser:
return True
# Users cannot edit superusers or users with a higher level than themselves
if obj.is_superuser or obj.level >= request.user.level:
return False
return super().has_change_permission(request, obj)
def has_delete_permission(self, request, obj=None):
if not obj:
return super().has_delete_permission(request, obj)
# Superusers can delete anyone
if request.user.is_superuser:
return True
# Users cannot delete superusers or users with a higher level than themselves
if obj.is_superuser or obj.level >= request.user.level:
return False
return super().has_delete_permission(request, obj)
def get_readonly_fields(self, request, obj=None):
# Get the default readonly fields
readonly_fields = super().get_readonly_fields(request, obj)
# If the user is not a superuser, add the fields to the readonly list
if not request.user.is_superuser:
readonly_fields += ('level', 'is_staff', 'is_superuser', 'groups', 'user_permissions', 'password')
return readonly_fields
class ProfileAdmin(admin.ModelAdmin):
search_fields = ('id', 'user__username__icontains', 'comment', 'origin_id',)
raw_id_fields = ('user', 'favorite',)
@@ -142,12 +181,30 @@ class RoleAdmin(admin.ModelAdmin):
exclude = ('is_static', )
class BanAdmin(admin.ModelAdmin):
# Hide that shit for now, Eventually I plan to get rid of the user_tools_meta thing completely and just show IP addresses for staff like any normal site.
exclude = ('ip_address', )
raw_id_fields = ('to', 'by')
list_display = ('by', 'to', 'reason', 'expiry_date', 'active')
#class BlockAdmin(admin.ModelAdmin)
def save_model(self, request, obj, form, change):
# Set the 'by' field to the currently logged-in user
obj.by = request.user
admin.site.unregister(Group)
# Check if the user being banned is a superuser or has a higher level than the user issuing the ban
if obj.to.is_superuser or obj.to.level > request.user.level:
messages.error(request, "You cannot ban a superuser or a user with a higher level.")
return
super().save_model(request, obj, form, change)
def response_add(self, request, obj, post_url_continue=None):
# If there was an error, redirect back to the 'add' page
if messages.get_messages(request):
return HttpResponseRedirect(request.path)
return super().response_add(request, obj, post_url_continue)
class LoginAdmin(admin.ModelAdmin):
raw_id_fields = ('user',)
list_display = ('user', 'addr', 'user_agent', )
search_fields = ('user__username', 'addr', 'user_agent', )
admin.site.register(models.Role, RoleAdmin)
admin.site.register(models.User, UserAdmin)
@@ -158,24 +215,25 @@ admin.site.register(models.Complaint, ComplaintAdmin)
admin.site.register(models.Message, MessageAdmin)
admin.site.register(models.Conversation, ConversationAdmin)
admin.site.register(models.Notification, NotificationAdmin)
#admin.site.register(models.LoginAttempt, LoginAdmin)
admin.site.register(models.LoginAttempt, LoginAdmin)
admin.site.register(models.UserBlock)
admin.site.register(models.AuditLog, AuditAdmin)
admin.site.register(models.ProfileHistory, HistoryAdmin)
admin.site.register(models.Yeah)
admin.site.register(models.Follow)
admin.site.register(models.FriendRequest)
admin.site.register(models.Post, PostAdmin)
admin.site.register(models.Comment, CommentAdmin)
admin.site.register(models.Ads, AdsAdmin)
admin.site.register(models.Ban, BanAdmin)
admin.site.register(models.Warning)
if settings.DEBUG:
admin.site.register(models.Yeah)
admin.site.register(models.Follow)
admin.site.register(models.FriendRequest)
admin.site.register(models.Friendship, ConversationAdmin)
#admin.site.register(models.Notification)
admin.site.register(models.Poll)
admin.site.register(models.PollVote)
admin.site.register(models.Ads, AdsAdmin)
# This will show fucking everything, just don't give other people perms to see content types, sessions, and all that shit.
# This is so the superuser, owner of the site can see everything.
app_models = apps.get_models()
for model in app_models:
try:
admin.site.register(model)
except admin.sites.AlreadyRegistered:
pass