Improvements to core

- added user_type to User model
- permissions make use of user_type
- admins now have is_staff set to True
- changed url of default admin page to api/test/admin
- authentication views: login, logout, forgot password, password reset
-- added seperate authentication views for admin too
-- extracted logic of admin, staff, students auth views to single place
- login views only accepts login for respective user types
- renamed change password to forgot password everywhere
- added proper client urls to verification and password reset emails
- fixed bug where admin was able to edit profile pic of students, staff
- added success message in response for deleting user
- updated requirements.txt

Author: anchithAcharya

api/api/settings.py

@@ -159,4 +159,9 @@
 EMAIL_HOST_PASSWORD = secrets.EMAIL_HOST_PASSWORD
 
 MEDIA_ROOT = Path(BASE_DIR) / 'media'
-MEDIA_URL = '/media/'
+MEDIA_URL = '/media/'
+
+
+# Client URLs to be sent in verification and password reset emails
+FORGOT_PASSWORD_URL = 'http://localhost:8000/type/forgot-password'
+RESET_PASSWORD_URL = 'http://localhost:8000/type/reset-password'

api/api/urls.py

@@ -16,6 +16,7 @@
 from django.contrib import admin
 from django.urls import path, include
 
+from core.urls import urlpatterns as admin_urls
 from student.urls import router as student_router
 from staff.urls import router as staff_router
 from academics.urls import urlpatterns as academics_urls
@@ -24,7 +25,8 @@
 from django.conf.urls.static import  static
 
 urlpatterns = [
-    path('api/admin/', admin.site.urls),
+    path('api/test/admin/', admin.site.urls),
+    path('api/', include(admin_urls)),
     path('api/', include(student_router.urls)),
     path('api/', include(staff_router.urls)),
     path('api/', include(academics_urls)),

api/core/models.py

@@ -26,8 +26,8 @@ def name_validator(value):
 
 # Custom User model manager
 class UserManager(BaseUserManager):
-	def create_user(self, id, email, name, password=None, **extra_fields):
-		user = self.model(id=id, email=email, name=name, password=password, **extra_fields)
+	def create_user(self, id, email, name, user_type, password=None, **extra_fields):
+		user = self.model(id=id, email=email, name=name, user_type=user_type, password=password, **extra_fields)
 
 		if password: user.set_password(password)
 		else: user.set_unusable_password()
@@ -36,19 +36,19 @@ def create_user(self, id, email, name, password=None, **extra_fields):
 		return user
 
 	def create_superuser(self, id, email, name, password, **extra_fields):
-		# extra_fields.setdefault('is_staff', True)
+		extra_fields.setdefault('is_staff', True)
 		extra_fields.setdefault('is_superuser', True)
 
-		# if extra_fields.get('is_staff') is not True:
-		# 	raise ValueError('Superuser must have is_staff=True.')
+		if extra_fields.get('is_staff') is not True:
+			raise ValueError('Superuser must have is_staff=True.')
 
 		if password is None:
 			raise ValueError("Superuser must have a password.")
 
 		if extra_fields.get('is_superuser') is not True:
 			raise ValueError('Superuser must have is_superuser=True.')
 
-		return self.create_user(id, email, name, password, **extra_fields)
+		return self.create_user(id, email, name, 'Admin', password, **extra_fields)
 
 # Custom User model
 class User(AbstractBaseUser, PermissionsMixin):
@@ -57,6 +57,11 @@ class User(AbstractBaseUser, PermissionsMixin):
 	name = models.CharField(max_length=100, null=False, validators=[name_validator])
 
 	is_staff = models.BooleanField(default=False)
+	user_type = models.CharField(max_length=10, null=False, editable=False, choices=(
+		('Admin', 'Admin'),
+		('Student', 'Student'),
+		('Staff', 'Staff'),
+	))
 
 	objects = UserManager()
 

api/core/permissions.py

@@ -3,17 +3,17 @@
 
 class isStaff(IsAuthenticated):
 	def has_permission(self, request, view):
-		return super().has_permission(request, view) and request.user.is_staff
+		return super().has_permission(request, view) and request.user.user_type == 'Staff'
 
 	def has_object_permission(self, request, view, obj):
-		return super().has_object_permission(request, view, obj) and request.user.is_staff
+		return super().has_object_permission(request, view, obj) and request.user.user_type == 'Staff'
 
 class isAdmin(IsAuthenticated):
 	def has_permission(self, request, view):
-		return super().has_permission(request, view) and request.user.is_superuser
+		return super().has_permission(request, view) and request.user.user_type == 'Admin'
 
 	def has_object_permission(self, request, view, obj):
-		return super().has_object_permission(request, view, obj) and request.user.is_superuser
+		return super().has_object_permission(request, view, obj) and request.user.user_type == 'Admin'
 
 class isCreator(IsAuthenticated):
 	def has_object_permission(self, request, view, obj):

api/core/serializers.py

@@ -5,12 +5,12 @@
 class UserCreationSerializer(serializers.ModelSerializer):
 	class Meta:
 		model = get_user_model()
-		exclude = ('password',)
+		exclude = ('password', 'user_type')
 
 class UserUpdationSerializer(serializers.ModelSerializer):
 	class Meta:
 		model = get_user_model()
-		fields = '__all__'
+		exclude = ('user_type',)
 		extra_kwargs = {
 			'password': {'write_only': True},
 		}

api/core/urls.py

@@ -0,0 +1,9 @@
+from django.urls import path
+from core.views import login, logout, forgot_password, password_reset
+
+urlpatterns = [
+	path('admin/login/', login, name='admin_login'),
+	path('admin/logout/', logout, name='admin_logout'),
+	path('admin/forgot_password/', forgot_password, name='admin_forgot_password'),
+	path('admin/password_reset/', password_reset, name='admin_password_reset'),
+]

api/core/views.py

@@ -1,3 +1,174 @@
-from django.shortcuts import render
+from rest_framework.decorators import api_view
 
-# Create your views here.
+from django.db.models import Q
+from django.conf import settings
+from django.utils import timezone
+from rest_framework import status
+from django.core.mail import send_mail
+from rest_framework.response import Response
+from core.models import PasswordResetRequest
+from django.contrib.auth import get_user_model
+from rest_framework.authtoken.models import Token
+from django.core.exceptions import ValidationError
+from django.contrib.auth import authenticate, login as auth_login
+from core.authentication import ExpiringTokenAuthentication
+from django.contrib.auth.password_validation import validate_password
+
+
+def core_login(request, user_type='Admin'):
+	# get id/email and password
+	id = request.data.get('id')
+	password = request.data.get('password')
+
+	errors = {}
+	if not id: errors['id'] = "User id or email is required."
+	if not password: errors['password'] = "Password is required."
+
+	if errors: return Response(errors, status=status.HTTP_400_BAD_REQUEST)
+
+	# get user
+	try:
+		user = get_user_model().objects.get(Q(id=id) | Q(email=id))
+
+	except get_user_model().DoesNotExist:
+		return Response({'id': "User with the given id/email does not exist."}, status=status.HTTP_404_NOT_FOUND)
+
+	# validate user type
+	if user.user_type != user_type:
+		if user_type == 'Admin':
+			return Response({'id': f"User with id {id} is not an admin."}, status=status.HTTP_400_BAD_REQUEST)
+
+		elif user_type == 'Student':
+			return Response({'id': f"User with id {id} is not a student."}, status=status.HTTP_400_BAD_REQUEST)
+
+		elif user_type == 'Staff':
+			return Response({'id': f"User with id {id} is not a staff member."}, status=status.HTTP_400_BAD_REQUEST)
+
+	# authenticate user
+	user = authenticate(username=user.id, password=password)
+
+	if not user:
+		return Response({'password': "Wrong credentials provided."}, status=status.HTTP_401_UNAUTHORIZED)
+
+	# log user in
+	auth_login(request, user)
+
+	# create token
+	token, created = Token.objects.get_or_create(user=user)
+
+	utc_now = timezone.now()    
+	if not created and token.created < utc_now - ExpiringTokenAuthentication.validity_time:
+		token.delete()
+		token = Token.objects.create(user=user)
+		token.created = timezone.now()
+		token.save()
+
+	# set token as cookie and return response
+	response = Response({'token': token.key}, content_type="application/json")
+	response.set_cookie('token', token.key, expires=utc_now+ExpiringTokenAuthentication.validity_time)
+
+	return response
+
+def core_logout(request):
+	request.user.auth_token.delete()
+	return Response({'success': "Logged out successfully"}, status=status.HTTP_200_OK)
+
+def core_forgot_password(request, user_type='Admin'):
+	# get id or email
+	id = request.data.get('id')
+
+	if not id:
+		return Response({'id': "User id or email is required"}, status=status.HTTP_400_BAD_REQUEST)
+
+	# get user
+	try:
+		user = get_user_model().objects.get(Q(id=id) | Q(email=id))
+
+	except get_user_model().DoesNotExist:
+		return Response({'id': "User with the given id/email does not exist."}, status=status.HTTP_404_NOT_FOUND)
+
+
+	# generate password reset request
+	req, created = PasswordResetRequest.objects.get_or_create(user=user)
+
+	first_time = not user.has_usable_password()
+	time_limit = timezone.timedelta(hours=48) if first_time else timezone.timedelta(minutes=30)
+
+	if not created and req.created < timezone.now() - time_limit:
+		req.delete()
+		req = PasswordResetRequest.objects.create(user=user)
+		req.save()
+
+
+	# send email
+	forgot_password_url = settings.FORGOT_PASSWORD_URL.replace('type', user.user_type.lower())
+	reset_password_url = f"{settings.RESET_PASSWORD_URL.replace('type', user.user_type.lower())}?token={req.key}"
+
+	send_mail(
+		f"BIT Online Portal password account verification" if first_time else f"BIT Online Portal password reset",
+		f'''An account has been created for you in the {user_type} Portal of the BIT website.\n\n
+		Please click on the following link to verify the account by setting your password: {reset_password_url}\n\n
+		This link is only valid for the next 48 hours. In order to issue a password-reset request again, visit {forgot_password_url}
+		If you are not {user.name}, then please ignore this email.'''.replace('\t\t', '') if first_time else
+		f'''We have received a request to reset the password for your account in the {user_type} Portal of the BIT website.
+		Please click on the following link to reset your password: {reset_password_url}\n\n
+		This link is only valid for the next 30 minutes. In order to issue a password-reset request again, visit {forgot_password_url}
+		If you did not request a password reset, please ignore this email.'''.replace('\t\t', ''),
+		"superuser.bit@gmail.com",
+		[user.email]
+	)
+	
+	return Response({'success': f"{'Verification' if first_time else 'Password reset'} email sent to {user.email}."}, status=status.HTTP_200_OK)
+
+def core_password_reset(request):
+	token = request.GET.get('token')
+
+	try:
+		req = PasswordResetRequest.objects.get(key=token)
+				
+	except PasswordResetRequest.DoesNotExist:
+		return Response("Invalid password reset request token.", status=status.HTTP_404_NOT_FOUND)
+
+	user = req.user
+	password = request.data.get('password')
+
+	try:
+		validate_password(password, user=user)
+
+	except ValidationError as e:
+		return Response({'password': e}, status=status.HTTP_400_BAD_REQUEST)
+
+	first_time = not user.has_usable_password()
+
+	if settings.TESTING: time_limit = timezone.timedelta(seconds=15) if first_time else timezone.timedelta(seconds=25)
+	else: time_limit = timezone.timedelta(hours=48) if first_time else timezone.timedelta(minutes=30)
+
+	if req.created < timezone.now() - time_limit:
+		req.delete()
+		return Response({'token': "Password reset token expired."}, status=status.HTTP_400_BAD_REQUEST)
+	
+	else:
+		user = req.user
+
+		user.set_password(password)
+		user.save()
+		req.delete()
+
+		return Response({'success': f"Password for user {user} changed successfully."}, status=status.HTTP_200_OK)
+
+
+@api_view(['POST'])
+def login(request):
+	return core_login(request)
+
+@api_view(['POST'])
+def logout(request):
+	return core_logout(request)
+
+@api_view(['POST'])
+def forgot_password(request):
+	return core_forgot_password(request)
+
+@api_view(['POST'])
+def password_reset(request):
+	return core_password_reset(request)

api/db.sqlite3

@@ -25,7 +25,8 @@ def create(self, validated_data):
 		user = get_user_model().objects.create_user(
 			id=validated_data['user']['id'],
 			email=validated_data['user']['email'],
-			name=validated_data['user']['name']
+			name=validated_data['user']['name'],
+			user_type='Staff'
 		)
 
 		return Staff.objects.create(
@@ -73,8 +74,8 @@ class StaffUpdationSerializer_Admin(StaffDefaultSerializer):
 
 	class Meta:
 		model = Staff
-		fields = ('id', 'image', 'name', 'branch')
-		restricted = ('id', 'email', 'phone', 'password')
+		fields = ('id', 'name', 'branch')
+		restricted = ('id', 'image', 'email', 'phone', 'password')
 
 
 # delete old image when adding new image