Make binder compatible with django-hijack > 3

Author: Stefan Majoor

binder/plugins/views/userview.py

@@ -38,44 +38,87 @@ def respond_with_user(self, request, user_id):
 class MasqueradeMixin(UserBaseMixin):
 	__metaclass__ = ABCMeta
 
+	def _maquerade_legacy(self, request, user_to_masquerade_as):
+		"""
+		This is to only used for django <=4, django-hijack <= 2
+		"""
+		from hijack.helpers import login_user
+		login_user(request, user_to_masquerade_as)  # Ignore returned redirect response object
+		return self.respond_with_user(request, user_to_masquerade_as.id)
+
 	@detail_route(name='masquerade')
 	@no_scoping_required()
 	def masquerade(self, request, pk=None):
-		from hijack.helpers import login_user
+		self._require_model_perm('masquerade', request)
 
 		if request.method != 'POST':
 			raise BinderMethodNotAllowed()
 
 		try:
-			user = self.model._default_manager.get(pk=pk)
+			user_to_masquerade_as = self.get_queryset(request).get(pk=pk)
 		except self.model.DoesNotExist:
 			raise BinderNotFound()
 
-		self._require_model_perm('masquerade', request)
+		try:
+			from hijack.views import AcquireUserView
+		except ImportError:
+			return self._maquerade_legacy(request, user_to_masquerade_as)
+
+		class AcquireUserViewAdapter(AcquireUserView):
+			"""Simple adapter which makes the django-hijack acquire endpoint compatible with the django-binder-api"""
+			def get_object(self):
+				return user_to_masquerade_as
+
+			def get_redirect_url(self):
+				return ''
+
+		AcquireUserViewAdapter().post(request)
+		return self.respond_with_user(request, user_to_masquerade_as.id)
+
+	def _end_masquerade(self, request) -> bool:
+		"""
+		Ends the masquerade for the user, returns a boolean indicating if this was successfull
+		"""
+		try:
+			from hijack.views import ReleaseUserView
+		except ImportError:
+			# Legacy way to do it in django <=4, django-hijack <= 2
+			from hijack.helpers import release_hijack
+			try:
+				release_hijack(request)
+				return True
+			except PermissionDenied:
+				return False
+
+		class ReleaseUserViewAdapter(ReleaseUserView):
+			def get_redirect_url(self):
+				return ''
+
+		try:
+			ReleaseUserViewAdapter().post(request)
+			return True
+		except IndexError:
+			# Raised by the release user view adapter if you are not hijacked currently.
+			return False
 
-		login_user(request, user)  # Ignore returned redirect response object
-		return self.respond_with_user(request, user.id)
 
 	@list_route(name='endmasquerade')
 	@no_scoping_required()
 	def endmasquerade(self, request):
-		from hijack.helpers import release_hijack
-
 		if request.method != 'POST':
 			raise BinderMethodNotAllowed()
 
 		self._require_model_perm('unmasquerade', request)
 
-		release_hijack(request)  # Ignore returned redirect response object
+		self._end_masquerade(request)
 		return self.respond_with_user(request, request.user.id)
 
 	def _logout(self, request):
-		from hijack.helpers import release_hijack
-		# Release masquerade on logout if masquerading
-		try:
-			release_hijack(request)
-		except PermissionDenied:  # Means we are not hijacked
-			super()._logout(request)
+		if self._end_masquerade(request):
+			# If we were masqueraded -> that counts as our logout.
+			return
+
+		super()._logout(request)
 
 
 

setup.py

@@ -44,7 +44,7 @@
 	],
 	extras_require={
 		'test': [
-			'django-hijack >= 2.1.10, < 3.0.0',
+			'django-hijack >= 2.1.10',
 			(
 				'mysqlclient >= 1.3.12'
 				if os.environ.get('BINDER_TEST_MYSQL', '0') == '1' else