Merge pull request #2560 from IFRCGo/feature/admin-page-to-query-users

Admin page to query users by permissions

Author: szabozoltan69

api/admin_reports.py

@@ -0,0 +1,190 @@
+import io
+from typing import Any, Iterable
+
+from django.contrib import admin
+from django.contrib.admin.views.decorators import staff_member_required
+from django.contrib.auth.models import Group, Permission
+from django.db.models import Q
+from django.http import HttpRequest, HttpResponse
+from django.shortcuts import render
+from django.utils.translation import gettext_lazy as _
+from openpyxl import Workbook
+from rest_framework import permissions, renderers, viewsets
+from rest_framework.response import Response
+
+
+def _user_has_access(user: Any) -> bool:
+    """Allow superusers, regional admins, or users with Pending view permission."""
+    if not user.is_authenticated:
+        return False
+    if user.is_superuser:
+        return True
+    # Pending users permission (model view perm)
+    if user.has_perm("registrations.view_pending"):
+        return True
+    # Regional admin via explicit relation or permission codename
+    try:
+        from api.models import UserRegion  # inline import to avoid cycles
+
+        if UserRegion.objects.filter(user=user).exists():
+            return True
+    except Exception:
+        pass
+    # Fallback check: any perm codename starting with region_admin_
+    region_admin_perms = Permission.objects.filter(codename__startswith="region_admin_")
+    if user.user_permissions.filter(id__in=region_admin_perms).exists():
+        return True
+    if Group.objects.filter(id__in=user.groups.all()).filter(permissions__in=region_admin_perms).exists():
+        return True
+    return False
+
+
+def _build_queryset(selected_group_ids: Iterable[int], include_superusers: bool):
+    from django.contrib.auth import get_user_model
+
+    User = get_user_model()
+
+    qs = User.objects.all()
+
+    # Build a single OR filter instead of union of QuerySets
+    q = Q()
+    if selected_group_ids:
+        q |= Q(groups__in=selected_group_ids)
+    if include_superusers:
+        q |= Q(is_superuser=True)
+
+    if q:
+        qs = qs.filter(q)
+
+    return qs.distinct().order_by("id")
+
+
+def _render_csv(users_qs) -> HttpResponse:
+    import csv
+
+    response = HttpResponse(content_type="text/csv")
+    response["Content-Disposition"] = 'attachment; filename="users_per_permission.csv"'
+    writer = csv.writer(response)
+    writer.writerow(["ID", "Username", "Email", "Name", "Organization", "Active", "Staff"])  # headers
+    for u in users_qs:
+        name = f"{u.first_name} {u.last_name}".strip()
+        org = getattr(getattr(u, "profile", None), "org", "") or ""
+        writer.writerow([u.id, u.username, u.email, name, org, u.is_active, u.is_staff])
+    return response
+
+
+def _render_xlsx(users_qs) -> HttpResponse:
+    from openpyxl.worksheet.worksheet import Worksheet
+
+    wb = Workbook()
+    ws: Worksheet = wb.active  # type: ignore[assignment]
+    # Avoid setting title if type checker is unsure
+    try:
+        ws.title = "Users"
+    except Exception:
+        pass
+    headers = ["ID", "Username", "Email", "Name", "Organization", "Active", "Staff"]
+    ws.append(headers)  # type: ignore[attr-defined]
+    for u in users_qs:
+        name = f"{u.first_name} {u.last_name}".strip()
+        org = getattr(getattr(u, "profile", None), "org", "") or ""
+        row = [u.id, u.username, u.email, name, org, u.is_active, u.is_staff]
+        ws.append(row)  # type: ignore[attr-defined]
+
+    buf = io.BytesIO()
+    wb.save(buf)
+    buf.seek(0)
+    response = HttpResponse(
+        buf.getvalue(),
+        content_type="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+    )
+    response["Content-Disposition"] = 'attachment; filename="users_per_permission.xlsx"'
+    return response
+
+
+REPORT_TITLE = _("Users per permission")
+
+
+@staff_member_required
+def users_per_permission_view(request: HttpRequest):
+    # Gate access for staff who also meet custom criteria
+    if not _user_has_access(request.user):
+        return HttpResponse(status=403)
+
+    context = admin.site.each_context(request)
+    context.update(
+        {
+            "title": REPORT_TITLE,
+        }
+    )
+
+    all_groups = Group.objects.order_by("name")
+
+    selected_group_ids = [int(gid) for gid in request.GET.getlist("groups") if gid.isdigit()]
+    include_superusers = request.GET.get("include_superusers") == "1"
+    export = request.GET.get("export")  # "csv" | "xlsx" | None
+
+    users_qs = _build_queryset(selected_group_ids, include_superusers)
+
+    if export == "csv":
+        return _render_csv(users_qs)
+    if export == "xlsx":
+        return _render_xlsx(users_qs)
+
+    # Regular HTML render
+    context.update(
+        {
+            "groups": all_groups,
+            "selected_group_ids": selected_group_ids,
+            "include_superusers": include_superusers,
+            "users": users_qs[:500],  # safety cap for UI
+            "result_count": users_qs.count() if selected_group_ids or include_superusers else 0,
+        }
+    )
+    return render(request, "admin/users_per_permission.html", context)
+
+
+class UsersPerPermissionAccess(permissions.BasePermission):
+    """DRF permission: allow only authenticated users that pass our custom access gate."""
+
+    def has_permission(self, request, view):  # type: ignore[override]
+        allowed = bool(request.user and request.user.is_authenticated and _user_has_access(request.user))
+        return True if allowed else False
+
+
+class UsersPerPermissionViewSet(viewsets.ViewSet):
+    """Read-only endpoint that renders an admin-like page or exports CSV/XLSX."""
+
+    renderer_classes = [renderers.TemplateHTMLRenderer, renderers.JSONRenderer]
+    permission_classes = [UsersPerPermissionAccess]
+
+    def list(self, request: HttpRequest):
+        all_groups = Group.objects.order_by("name")
+        raw_groups = request.query_params.getlist("groups")
+        try:
+            selected_group_ids = [int(g) for g in raw_groups if g]
+        except ValueError:
+            selected_group_ids = []
+
+        include_superusers = str(request.query_params.get("include_superusers", "")).lower() in ("1", "true", "on", "yes")
+        export = str(request.query_params.get("export", "")).lower()  # <-- define export
+
+        users_qs = _build_queryset(selected_group_ids, include_superusers)
+
+        if export == "csv":
+            return _render_csv(users_qs)
+        if export == "xlsx":
+            return _render_xlsx(users_qs)
+
+        context = admin.site.each_context(request)
+        context.update(
+            {
+                "title": REPORT_TITLE,
+                "groups": all_groups,
+                "selected_group_ids": selected_group_ids,
+                "include_superusers": include_superusers,
+                "users": users_qs[:500],
+                "result_count": users_qs.count() if selected_group_ids or include_superusers else 0,
+            }
+        )
+        return Response(context, template_name="admin/users_per_permission.html")

api/templates/admin/users_per_permission.html

@@ -0,0 +1,73 @@
+{% extends "admin/base_site.html" %}
+{% load i18n %}
+{% block title %}{% trans "Users per permission" %}{% endblock %}
+
+{% block content %}
+<div class="app-admin-report">
+  <form method="get" class="form-inline" style="margin-bottom: 1rem;">
+    <div>
+      <label for="id_groups">{% trans "Groups" %}</label><br/>
+      <select id="id_groups" name="groups" multiple size="12" style="min-width: 360px;">
+        {% for g in groups %}
+          <option value="{{ g.id }}" {% if g.id in selected_group_ids %}selected{% endif %}>{{ g.name }}</option>
+        {% endfor %}
+      </select>
+    </div>
+    <div style="margin-left: 1rem;">
+      <label>&nbsp;</label><br/>
+      <label>
+        <input type="checkbox" name="include_superusers" value="1" {% if include_superusers %}checked{% endif %}>
+        {% trans "Include superusers" %}
+      </label>
+      <div style="margin-top: .5rem;">
+        <button type="submit" class="button">{% trans "Apply filters" %}</button>
+      </div>
+      {% if selected_group_ids or include_superusers %}
+      <div style="margin-top: .5rem;">
+        <a class="button" href="?{% for gid in selected_group_ids %}groups={{ gid }}&{% endfor %}{% if include_superusers %}include_superusers=1&{% endif %}export=csv">CSV</a>
+        <a class="button" href="?{% for gid in selected_group_ids %}groups={{ gid }}&{% endfor %}{% if include_superusers %}include_superusers=1&{% endif %}export=xlsx">XLSX</a>
+      </div>
+      {% endif %}
+    </div>
+  </form>
+
+  {% if selected_group_ids or include_superusers %}
+    <p>
+      {% blocktrans %}Showing {{ result_count }} user(s). First 500 listed below.{% endblocktrans %}
+    </p>
+    <div class="results">
+      <table class="listing">
+        <thead>
+          <tr>
+            <th>ID</th>
+            <th>{% trans "Username" %}</th>
+            <th>{% trans "Email address" %}</th>
+            <th>{% trans "Name" %}</th>
+            <th>{% trans "Organization" %}</th>
+            <th>{% trans "Active" %}</th>
+            <th>{% trans "Staff status" %}</th>
+          </tr>
+        </thead>
+        <tbody>
+          {% for u in users %}
+          <tr>
+            <td>{{ u.id }}</td>
+            <td>{{ u.username }}</td>
+            <td>{{ u.email }}</td>
+            <td>{{ u.get_full_name }}</td>
+            <td>{{ u.profile.org|default_if_none:"" }}</td>
+            <!-- yesno:"+,," -> '+' for True, '' for False/None -->
+            <td class="bool-col">{{ u.is_active|yesno:"+,," }}</td>
+            <td class="bool-col">{{ u.is_staff|yesno:"+,," }}</td>
+          </tr>
+          {% empty %}
+          <tr><td colspan="7">{% trans "No users match the current filters." %}</td></tr>
+          {% endfor %}
+        </tbody>
+      </table>
+    </div>
+  {% else %}
+    <p>{% trans "Select one or more Groups to view users. Optionally include superusers." %}</p>
+  {% endif %}
+</div>
+{% endblock %}

main/urls.py

@@ -22,6 +22,7 @@
 from rest_framework import routers
 
 from api import drf_views as api_views
+from api.admin_reports import UsersPerPermissionViewSet
 from api.views import (
     AddCronJobLog,
     AddSubscription,
@@ -123,7 +124,7 @@
 router.register(r"per-formcomponent", per_views.FormComponentViewset, basename="per-formcomponent")
 router.register(r"per-formquestion", per_views.FormQuestionViewset, basename="per-formquestion")
 router.register(r"per-formquestion-group", per_views.FormQuestionGroupViewset, basename="per-formquestion-group")
-router.register(r"aggregated-per-process-status", per_views.PerAggregatedViewSet, basename="aggregated-per-process-status"),
+router.register(r"aggregated-per-process-status", per_views.PerAggregatedViewSet, basename="aggregated-per-process-status")
 router.register(r"per-file", per_views.PerFileViewSet, basename="per-file")
 router.register(r"per-process-status", per_views.PerProcessStatusViewSet, basename="per-process-status")
 router.register(r"public-per-process-status", per_views.PublicPerProcessStatusViewSet, basename="public-per-process-status")
@@ -171,6 +172,9 @@
 router.register(r"pdf-export", api_views.ExportViewSet, basename="export")
 router.register(r"dref3", dref_views.Dref3ViewSet, basename="dref3")
 
+# Query user lists per permission
+router.register(r"users-per-permission", UsersPerPermissionViewSet, basename="users_per_permission")
+
 # Country Plan apis
 router.register(r"country-plan", country_plan_views.CountryPlanViewset, basename="country_plan")