admin user edit page (bug 672821)

Andy McKay · Andy McKay · commit 306f35a9553d · 2011-07-27T11:15:02.000+01:00
diff --git a/apps/amo/decorators.py b/apps/amo/decorators.py
@@ -50,6 +50,19 @@ def wrapper(request, *args, **kw):
     return wrapper
 
 
+def permission_required(app, action):
+    def decorator(f):
+        @functools.wraps(f)
+        def wrapper(request, *args, **kw):
+            from access import acl
+            if acl.action_allowed(request, app, action):
+                return f(request, *args, **kw)
+            else:
+                return http.HttpResponseForbidden()
+        return wrapper
+    return decorator
+
+
 def json_view(f):
     @functools.wraps(f)
     def wrapper(*args, **kw):
@@ -93,6 +106,7 @@ def set_modified_on(f):
     Looks up objects defined in the set_modified_on kwarg.
     """
     from amo.tasks import set_modified_on_object
+
     @functools.wraps(f)
     def wrapper(*args, **kw):
         objs = kw.pop('set_modified_on', None)
diff --git a/apps/amo/tests/test_decorators.py b/apps/amo/tests/test_decorators.py
@@ -82,7 +82,7 @@ def test_decorator_syntax(self):
     def test_no_redirect_success(self):
         func = decorators.login_required(redirect=False)(self.f)
         self.request.user.is_authenticated.return_value = True
-        response = func(self.request)
+        func(self.request)
         assert self.f.called
 
 
@@ -106,3 +106,30 @@ def test_not_set_modified_on(self):
         for user in users:
             date = UserProfile.objects.get(pk=user.pk).modified.date()
             assert date < datetime.today().date()
+
+
+class TestPermissionRequired(test_utils.TestCase):
+
+    def setUp(self):
+        self.f = mock.Mock()
+        self.f.__name__ = 'function'
+        self.request = mock.Mock()
+
+    @mock.patch('access.acl.action_allowed')
+    def test_permission_not_allowed(self, action_allowed):
+        action_allowed.return_value = False
+        func = decorators.permission_required('', '')(self.f)
+        eq_(func(self.request).status_code, 403)
+
+    @mock.patch('access.acl.action_allowed')
+    def test_permission_allowed(self, action_allowed):
+        action_allowed.return_value = True
+        func = decorators.permission_required('', '')(self.f)
+        func(self.request)
+        assert self.f.called
+
+    @mock.patch('access.acl.action_allowed')
+    def test_permission_allowed_correctly(self, action_allowed):
+        func = decorators.permission_required('Admin', '%')(self.f)
+        func(self.request)
+        action_allowed.assert_called_with(self.request, 'Admin', '%')
diff --git a/apps/users/admin.py b/apps/users/admin.py
@@ -11,6 +11,8 @@
 class UserAdmin(admin.ModelAdmin):
     list_display = ('__unicode__', 'email')
     search_fields = ('^email',)
+    # A custom field used in search json in zadmin, not django.admin.
+    search_fields_response = 'email'
     inlines = (GroupUserInline,)
 
     # XXX TODO: Ability to edit the picture
diff --git a/apps/users/forms.py b/apps/users/forms.py
@@ -325,6 +325,30 @@ def save(self):
         return u
 
 
+class AdminUserEditForm(UserEditForm):
+    admin_log = forms.CharField(required=True, label=_('Reason for change'),
+                                widget=forms.Textarea())
+    confirmationcode = forms.CharField(required=False, max_length=255,
+                                       label=_('Confirmation code'))
+    notes = forms.CharField(required=False, widget=forms.Textarea())
+    anonymize = forms.BooleanField(required=False)
+
+    def clean_anonymize(self):
+        if (self.cleaned_data['anonymize'] and
+            set(self.changed_data) !=
+            set(['admin_log', 'notifications', 'anonymize'])):
+            raise forms.ValidationError(_('To anonymize, enter an admin log, '
+                                          'but do not change any other field'))
+        return self.cleaned_data['anonymize']
+
+    def save(self, *args, **kw):
+        profile = super(AdminUserEditForm, self).save()
+        if self.cleaned_data['anonymize']:
+            profile.anonymize()  # this also logs.
+
+        return profile
+
+
 class BlacklistedUsernameAddForm(forms.Form):
     """Form for adding blacklisted username in bulk fashion."""
     usernames = forms.CharField(widget=forms.Textarea(
diff --git a/apps/users/templates/users/edit_impala.html b/apps/users/templates/users/edit_impala.html
@@ -170,6 +170,32 @@ <h2>{{ _('My Account') }}</h2>
             {% endtrans %}
           </p>
         </fieldset>
+
+        {% if 'admin_log' in form.fields %}
+            <fieldset id="acct-admin">
+              <legend>{{ _('Admin') }}</legend>
+              <p>{{ form.admin_log.label }} {{ required() }}</p>
+              {{ form.admin_log.errors }}
+              {{ form.admin_log }}
+
+              <p >{{ form.notes.label }}</p>
+              {{ form.notes.errors }}
+              {{ form.notes }}
+
+              <ul>
+                <li>
+                  <label for="id_confirmationcode">{{ form.confirmationcode.label }}</label>
+                  {{ form.confirmationcode.errors }}
+                  {{ form.confirmationcode }}
+                </li>
+                <li>
+                  <label for="id_anonymize">{{ form.anonymize.label }}</label>
+                  {{ form.anonymize.errors }}
+                  {{ form.anonymize }}
+                </li>
+              </ul>
+            </fieldset>
+        {% endif %}
       </div>{# /#user-profile #}
       <div class="listing-footer">
         <button type="submit" class="button prominent">{{ _('Update') }}</button>
diff --git a/apps/users/templates/users/profile.html b/apps/users/templates/users/profile.html
@@ -29,17 +29,11 @@ <h4>{{ _('In a little more detail...') }}</h4>
           </div>
         {% endif %}
 
-        {% if edit_any_user or own_profile %}
+        {% if own_profile %}
           <p class="editprofile">
             {% if own_profile %}
               <a href="{{ url("users.edit") }}">{{ _('Edit Profile') }}</a>
             {% endif %}
-            {% if edit_any_user %}
-              {# TODO XXX Once zamboni can delete users, uncomment this line.  bug 595035 #}
-              {# <a href="{{ url("admin:users_userprofile_change", profile.id) }}">{{ _('Manage User') }}</a> #}
-              <a href="{{ remora_url("/admin/users/%s" % profile.id) }}">{{ _('Manage User') }}</a>
-
-            {% endif %}
           </p>
         {% endif %}
         {% if abuse_form %}
diff --git a/apps/users/tests/test_views.py b/apps/users/tests/test_views.py
@@ -5,6 +5,7 @@
 from django.core.cache import cache
 from django.contrib.auth.models import User
 from django.contrib.auth.tokens import default_token_generator
+from django.forms.models import model_to_dict
 from django.test.client import Client
 from django.utils.http import int_to_base36
 
@@ -167,6 +168,56 @@ def test_edit_notifications_non_dev(self):
         assert len(res.context['form'].errors['notifications'])
 
 
+class TestEditAdmin(UserViewBase):
+    fixtures = ['base/users']
+
+    def setUp(self):
+        self.client.login(username='admin@mozilla.com', password='password')
+        self.regular = self.get_user()
+        self.url = reverse('users.admin_edit_impala', args=[self.regular.pk])
+
+    def get_data(self):
+        data = model_to_dict(self.regular)
+        data['admin_log'] = 'test'
+        for key in ['password', 'resetcode_expires']:
+            del data[key]
+        return data
+
+    def get_user(self):
+        # Using pk so that we can still get the user after anonymize.
+        return UserProfile.objects.get(pk=999)
+
+    def test_edit(self):
+        res = self.client.get(self.url)
+        eq_(res.status_code, 200)
+
+    def test_edit_forbidden(self):
+        self.client.logout()
+        self.client.login(username='editor@mozilla.com', password='password')
+        res = self.client.get(self.url)
+        eq_(res.status_code, 403)
+
+    def test_edit_forbidden_anon(self):
+        self.client.logout()
+        res = self.client.get(self.url)
+        eq_(res.status_code, 302)
+
+    def test_anonymize(self):
+        data = self.get_data()
+        data['anonymize'] = True
+        res = self.client.post(self.url, data)
+        eq_(res.status_code, 302)
+        eq_(self.get_user().password, "sha512$Anonymous$Password")
+
+    def test_anonymize_fails(self):
+        data = self.get_data()
+        data['anonymize'] = True
+        data['email'] = 'something@else.com'
+        res = self.client.post(self.url, data)
+        eq_(res.status_code, 200)
+        eq_(self.get_user().password, self.regular.password)  # Hasn't changed.
+
+
 class TestPasswordAdmin(UserViewBase):
     fixtures = ['base/users']
 
diff --git a/apps/users/urls.py b/apps/users/urls.py
@@ -22,6 +22,8 @@
 
 impala_users_patterns = patterns('',
     url('^edit$', views.edit_impala, name='users.edit_impala'),
+    url('^edit(?:/(?P<user_id>\d+))?$', views.admin_edit_impala,
+                        name='users.admin_edit_impala'),
 )
 
 users_patterns = patterns('',
diff --git a/apps/users/views.py b/apps/users/views.py
@@ -19,7 +19,8 @@
 
 import amo
 from amo import messages
-from amo.decorators import login_required, json_view, write
+from amo.decorators import (json_view, login_required, permission_required,
+                            write)
 from amo.forms import AbuseForm
 from amo.urlresolvers import reverse
 from amo.utils import send_mail, send_abuse_report
@@ -183,6 +184,25 @@ def edit_impala(request):
                         {'form': form, 'amouser': amouser})
 
 
+@write
+@login_required
+@permission_required('Admin', 'EditAnyUser')
+def admin_edit_impala(request, user_id):
+    amouser = get_object_or_404(UserProfile, pk=user_id)
+
+    if request.method == 'POST':
+        form = forms.AdminUserEditForm(request.POST, request.FILES,
+                                       request=request, instance=amouser)
+        if form.is_valid():
+            form.save()
+            messages.success(request, _('Profile Updated'))
+            return http.HttpResponseRedirect(reverse('zadmin.index'))
+    else:
+        form = forms.AdminUserEditForm(instance=amouser)
+    return jingo.render(request, 'users/edit_impala.html',
+                        {'form': form, 'amouser': amouser})
+
+
 @write
 @login_required
 def edit(request):
@@ -413,7 +433,6 @@ def profile(request, user_id):
     else:
         fav_coll = []
 
-    edit_any_user = acl.action_allowed(request, 'Admin', 'EditAnyUser')
     own_profile = request.user.is_authenticated() and (
         request.amo_user.id == user.id)
 
@@ -434,8 +453,7 @@ def get_addons(reviews):
     reviews = user.reviews.transform(get_addons)
 
     data = {'profile': user, 'own_coll': own_coll, 'reviews': reviews,
-            'fav_coll': fav_coll, 'edit_any_user': edit_any_user,
-            'addons': addons, 'own_profile': own_profile,
+            'fav_coll': fav_coll, 'addons': addons, 'own_profile': own_profile,
             'abuse_form': AbuseForm(request=request)}
 
     return jingo.render(request, 'users/profile.html', data)
diff --git a/apps/zadmin/templates/zadmin/index.html b/apps/zadmin/templates/zadmin/index.html
@@ -24,12 +24,28 @@
 
 
 {% block content %}
-<h2>Admin Pages</h2>
-<dl>
-  {% for title, link, desc in links|sort %}
-    <dt><a href="{{ link }}">{{ title }}</a></dt>
-    <dd>{{ desc }}</dd>
-  {% endfor %}
-</dl>
 
+{% include "messages.html" %}
+
+<div class="content">
+    <section>
+    <h2>Admin Pages</h2>
+    <dl>
+        {% for title, link, desc in links|sort %}
+          <dt><a href="{{ link }}">{{ title }}</a></dt>
+          <dd>{{ desc }}</dd>
+        {% endfor %}
+    </dl>
+    </section>
+    <aside>
+        <h2>Search Users</h2>
+        <form method="get" action="{{ url('users.admin_edit_impala') }}"
+              data-search-url="{{ url('zadmin.search', 'users', 'userprofile') }}">
+            <div>
+                <input class="searchbar" type="text" value="" name="q" size="40">
+                <p class="help">Enter the first four characters and select the user from the dropdown.</p>
+            </div>
+        </form>
+    </aside>
+</div>
 {% endblock %}
diff --git a/apps/zadmin/tests/test_views.py b/apps/zadmin/tests/test_views.py
@@ -1139,3 +1139,24 @@ def test_create_consumer(self):
                                'description': 'Test description',
                                'status': 'accepted'})
         eq_(Consumer.objects.count(), 1)
+
+
+class TestLookup(test_utils.TestCase):
+    fixtures = ['base/users']
+
+    def setUp(self):
+        assert self.client.login(username='admin@mozilla.com',
+                                 password='password')
+        self.url = reverse('zadmin.search', args=['auth', 'user'])
+
+    def test_logged_out(self):
+        self.client.logout()
+        eq_(self.client.get('%s?q=admin' % self.url).status_code, 403)
+
+    def test_search(self):
+        for q, c in [('', 3), ('admin@mozilla.com', 1)]:
+            res = self.client.get('%s?q=%s' % (self.url, q))
+            eq_(res.status_code, 200)
+            content = json.loads(res.content)
+            eq_(len(content), c)
+            eq_(content[0], {u'value': 4043307, u'label': u'admin'})
diff --git a/apps/zadmin/urls.py b/apps/zadmin/urls.py
@@ -52,6 +52,8 @@
 
     # The Django admin.
     url('^models/', include(admin.site.urls)),
+    url('^models/(?P<app_id>.+)/(?P<model_id>.+)/search.json$',
+        views.general_search, name='zadmin.search'),
 )
 
 
diff --git a/apps/zadmin/views.py b/apps/zadmin/views.py
@@ -8,9 +8,11 @@
 # I'm so glad we named a function in here settings...
 from django.conf import settings as site_settings
 from django.contrib import admin
+from django.db.models.loading import cache as app_cache
 from django.shortcuts import redirect, get_object_or_404
 from django.utils.encoding import smart_str
 from django.views import debug
+from django.views.decorators.cache import never_cache
 
 import commonware.log
 import elasticutils
@@ -492,3 +494,29 @@ def oauth_consumer_create(request):
 
     return jingo.render(request, 'zadmin/oauth-consumer-create.html',
                         {'form': form})
+
+
+@never_cache
+@json_view
+def general_search(request, app_id, model_id):
+    if not admin.site.has_permission(request):
+        return http.HttpResponseForbidden()
+
+    model = app_cache.get_model(app_id, model_id)
+    if not model:
+        return http.Http404()
+
+    limit = 10
+    obj = admin.site._registry[model]
+    ChangeList = obj.get_changelist(request)
+    # This is a hideous api, but uses the builtin admin search_fields API.
+    # Expecting this to get replaced by ES so soon, that I'm not going to lose
+    # too much sleep about it.
+    cl = ChangeList(request, obj.model, [], [], [], [],
+                    obj.search_fields, [], limit, [], obj)
+    qs = cl.get_query_set()
+    # Override search_fields_response on the ModelAdmin object
+    # if you'd like to pass something else back to the front end.
+    lookup = getattr(obj, 'search_fields_response', None)
+    return [{'value':o.pk, 'label':getattr(o, lookup) if lookup else str(o)}
+            for o in qs[:limit]]
diff --git a/media/css/zamboni/admin-mozilla.css b/media/css/zamboni/admin-mozilla.css
diff --git a/media/js/zamboni/admin.js b/media/js/zamboni/admin.js

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,8 @@`
`22`	`22`
`23`	`23`	`impala_users_patterns = patterns('',`
`24`	`24`	`url('^edit$', views.edit_impala, name='users.edit_impala'),`
	`25`	`+ url('^edit(?:/(?P<user_id>\d+))?$', views.admin_edit_impala,`
	`26`	`+ name='users.admin_edit_impala'),`
`25`	`27`	`)`
`26`	`28`
`27`	`29`	`users_patterns = patterns('',`