fix: CSP-compliant data bridge for Django CMS 5 (#285)

* fix: By default, do not register category creation wizard

* refactor views

* Fix tests

* Potential fix for code scanning alert no. 36: Unused global variable

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* ci: auto fixes from pre-commit hooks

for more information, see https://pre-commit.ci

* feat: Add usage info to changelist

* fix: Improved labels

* Fix typo in labels

* Update tests

* Update djangocms_alias/cms_plugins.py

Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>

* ci: auto fixes from pre-commit hooks

for more information, see https://pre-commit.ci

* Update djangocms_alias/cms_plugins.py

Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>

* remove unused template

---------

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Co-authored-by: sourcery-ai[bot] <58596630+sourcery-ai[bot]@users.noreply.github.com>

Author: 4 people

.gitignore

@@ -15,3 +15,4 @@ htmlcov
 venv*
 node_modules
 .editorconfig
+.vscode/

djangocms_alias/admin.py

@@ -3,6 +3,7 @@
 from cms.utils.urlutils import admin_reverse
 from django import forms
 from django.contrib import admin, messages
+from django.db import models
 from django.http import (
     Http404,
     HttpRequest,
@@ -20,10 +21,8 @@
     LIST_ALIAS_URL_NAME,
     USAGE_ALIAS_URL_NAME,
 )
-from .filters import CategoryFilter, SiteFilter
-from .forms import AliasGrouperAdminForm
+from .filters import CategoryFilter, SiteFilter, UsedFilter
 from .models import Alias, AliasContent, Category
-from .urls import urlpatterns
 from .utils import (
     emit_content_change,
     emit_content_delete,
@@ -36,8 +35,7 @@
     "AliasContentAdmin",
 ]
 
-alias_admin_classes = [GrouperModelAdmin]
-alias_admin_list_display = ["content__name", "category", "admin_list_actions"]
+alias_admin_list_display = ["content__name", "category", "used", "admin_list_actions"]
 djangocms_versioning_enabled = AliasCMSConfig.djangocms_versioning_enabled
 
 if djangocms_versioning_enabled:
@@ -49,6 +47,7 @@
 @admin.register(Category)
 class CategoryAdmin(TranslatableAdmin):
     list_display = ["name"]
+    search_fields = ["translations__name"]
 
     def save_model(self, request, obj, form, change):
         change = not obj._state.adding
@@ -63,26 +62,33 @@ def save_model(self, request, obj, form, change):
 
 
 @admin.register(Alias)
-class AliasAdmin(*alias_admin_classes):
+class AliasAdmin(GrouperModelAdmin):
     list_display = alias_admin_list_display
     list_display_links = None
     list_filter = (
         SiteFilter,
         CategoryFilter,
+        UsedFilter,
     )
     fields = ("content__name", "category", "site", "content__language")
     readonly_fields = ("static_code",)
     search_fields = ["content__name"]
-    form = AliasGrouperAdminForm
+    autocomplete_fields = ["category", "site"]
     extra_grouping_fields = ("language",)
     EMPTY_CONTENT_VALUE = mark_safe(_("<i>Missing language</i>"))
 
-    def get_urls(self) -> list:
-        return urlpatterns + super().get_urls()
-
     def get_actions_list(self) -> list:
         """Add alias usage list actions"""
-        return super().get_actions_list() + [self._get_alias_usage_link]
+        return super().get_actions_list() + [self._get_alias_usage_link, self._get_alias_delete_link]
+
+    def get_queryset(self, request):
+        qs = super().get_queryset(request)
+        # Annotate each Alias with a boolean indicating if related cmsplugins exist
+        return qs.annotate(cmsplugins_count=models.Count("cms_plugins"))
+
+    @admin.display(description=_("Used"), boolean=True, ordering="cmsplugins_count")
+    def used(self, obj: Alias) -> bool:
+        return obj.cmsplugins_count > 0
 
     def has_delete_permission(self, request: HttpRequest, obj: Alias = None) -> bool:
         # Alias can be deleted by users who can add aliases,
@@ -93,7 +99,7 @@ def has_delete_permission(self, request: HttpRequest, obj: Alias = None) -> bool
                     get_model_permission_codename(self.model, "add"),
                 )
             return request.user.is_superuser
-        return False
+        return True
 
     def save_model(self, request: HttpRequest, obj: Alias, form: forms.Form, change: bool) -> None:
         super().save_model(request, obj, form, change)
@@ -129,9 +135,9 @@ def delete_model(self, request: HttpRequest, obj: Alias):
                 sender=self.model,
             )
 
-    def _get_alias_usage_link(self, obj: Alias, request: HttpRequest, disabled: bool = False) -> str:
+    def _get_alias_usage_link(self, obj: Alias, request: HttpRequest) -> str:
         url = admin_reverse(USAGE_ALIAS_URL_NAME, args=[obj.pk])
-        return self.admin_action_button(url, "info", _("View usage"), disabled=disabled)
+        return self.admin_action_button(url, "info", _("View usage"))
 
     def _get_alias_delete_link(self, obj: Alias, request: HttpRequest) -> str:
         url = admin_reverse(DELETE_ALIAS_URL_NAME, args=[obj.pk])

djangocms_alias/cms_config.py

@@ -4,10 +4,7 @@
 from django.conf import settings
 from packaging.version import Version as PackageVersion
 
-from .cms_wizards import (
-    create_alias_category_wizard,
-    create_alias_wizard,
-)
+from .cms_wizards import create_alias_wizard
 from .models import AliasContent, AliasPlugin, copy_alias_content
 from .rendering import add_static_alias_js, render_alias_content
 
@@ -24,7 +21,7 @@ class AliasCMSConfig(CMSAppConfig):
     cms_enabled = True
     cms_toolbar_enabled_models = [(AliasContent, render_alias_content, "alias")]
     moderated_models = [AliasContent]
-    cms_wizards = [create_alias_wizard, create_alias_category_wizard]
+    cms_wizards = [create_alias_wizard]
 
     djangocms_moderation_enabled = getattr(settings, "MODERATING_ALIAS_MODELS_ENABLED", True)
     djangocms_versioning_enabled = getattr(settings, "VERSIONING_ALIAS_MODELS_ENABLED", djangocms_versioning_installed)

djangocms_alias/cms_plugins.py

@@ -1,23 +1,29 @@
-from copy import copy
-
+from cms.models import Page
 from cms.plugin_base import CMSPluginBase, PluginMenuItem
 from cms.plugin_pool import plugin_pool
 from cms.toolbar.utils import get_object_edit_url
+from cms.utils import get_language_from_request
 from cms.utils.permissions import (
     get_model_permission_codename,
     has_plugin_permission,
 )
 from cms.utils.plugins import copy_plugins_to_placeholder
 from cms.utils.urlutils import add_url_parameters, admin_reverse
-from django.utils.translation import (
-    get_language_from_request,
-)
+from django.core.exceptions import PermissionDenied
+from django.http import HttpResponseBadRequest
+from django.shortcuts import get_object_or_404
+from django.template.response import TemplateResponse
+from django.urls import path
 from django.utils.translation import (
     gettext_lazy as _,
 )
 
+from djangocms_alias import constants
+from djangocms_alias.utils import emit_content_change
+
+from . import views
 from .constants import CREATE_ALIAS_URL_NAME, DETACH_ALIAS_PLUGIN_URL_NAME
-from .forms import AliasPluginForm
+from .forms import AliasPluginForm, BaseCreateAliasForm, CreateAliasForm
 from .models import Alias as AliasModel
 from .models import AliasContent, AliasPlugin
 
@@ -40,7 +46,7 @@ def get_render_template(self, context, instance, placeholder):
     @classmethod
     def get_extra_plugin_menu_items(cls, request, plugin):
         if plugin.plugin_type == cls.__name__:
-            alias_content = plugin.alias.get_content()
+            alias_content = plugin.alias.get_content(show_draft_content=True)
             detach_endpoint = admin_reverse(
                 DETACH_ALIAS_PLUGIN_URL_NAME,
                 args=[plugin.pk],
@@ -74,7 +80,7 @@ def get_extra_plugin_menu_items(cls, request, plugin):
 
         data = {
             "plugin": plugin.pk,
-            "language": get_language_from_request(request, check_path=True),
+            "language": get_language_from_request(request),
         }
         endpoint = add_url_parameters(admin_reverse(CREATE_ALIAS_URL_NAME), **data)
         return [
@@ -90,19 +96,20 @@ def get_extra_plugin_menu_items(cls, request, plugin):
     def get_extra_placeholder_menu_items(cls, request, placeholder):
         data = {
             "placeholder": placeholder.pk,
-            "language": get_language_from_request(request, check_path=True),
+            "language": get_language_from_request(request),
         }
         endpoint = add_url_parameters(admin_reverse(CREATE_ALIAS_URL_NAME), **data)
 
-        menu_items = [
-            PluginMenuItem(
-                _("Create Alias"),
-                endpoint,
-                action="modal",
-                attributes={"cms-icon": "alias"},
-            ),
-        ]
-        return menu_items
+        if placeholder.cmsplugin_set.exists():
+            return [
+                PluginMenuItem(
+                    _("Create Alias"),
+                    endpoint,
+                    action="modal",
+                    attributes={"cms-icon": "alias"},
+                ),
+            ]
+        return []
 
     @classmethod
     def can_create_alias(cls, user, plugins=None, replace=False):
@@ -140,26 +147,169 @@ def can_detach(cls, user, target_placeholder, plugins):
 
     @classmethod
     def detach_alias_plugin(cls, plugin, language):
-        source_placeholder = plugin.alias.get_placeholder(language, show_draft_content=True)  # We're in edit mode
+        source_plugins = plugin.alias.get_plugins(language, show_draft_content=True)  # We're in edit mode
         target_placeholder = plugin.placeholder
+        plugin_position = plugin.position
+        target_placeholder.delete_plugin(plugin)
+        if source_plugins:
+            if target_last_plugin := target_placeholder.get_last_plugin(plugin.language):
+                target_placeholder._shift_plugin_positions(
+                    language,
+                    start=plugin_position,
+                    offset=len(source_plugins) + target_last_plugin.position + 1,  # enough space to shift back
+                )
 
-        # Deleting uses a copy of a plugin to preserve pk on existing
-        # ``plugin`` object. This is done due to
-        # plugin.get_plugin_toolbar_info requiring a PK in a passed
-        # instance.
-        target_placeholder.delete_plugin(copy(plugin))
-        target_placeholder._shift_plugin_positions(
-            language,
-            plugin.position,
-            offset=target_placeholder.get_last_plugin_position(language),
-        )
-        if source_placeholder:
-            source_plugins = source_placeholder.get_plugins_list()
-            copied_plugins = copy_plugins_to_placeholder(
+            return copy_plugins_to_placeholder(
                 source_plugins,
                 placeholder=target_placeholder,
                 language=language,
-                start_positions={language: plugin.position},
+                start_positions={language: plugin_position},
             )
-            return copied_plugins
         return []
+
+    def get_plugin_urls(self):
+        return super().get_plugin_urls() + [
+            path(
+                "create-alias/",
+                self.create_alias_view,
+                name=constants.CREATE_ALIAS_URL_NAME,
+            ),
+            path(
+                "aliases/<int:pk>/usage/",
+                self.alias_usage_view,
+                name=constants.USAGE_ALIAS_URL_NAME,
+            ),
+            path(
+                "detach-alias/<int:plugin_pk>/",
+                self.detach_alias_plugin_view,
+                name=constants.DETACH_ALIAS_PLUGIN_URL_NAME,
+            ),
+            path(
+                "select2/",
+                views.AliasSelect2View.as_view(),
+                name=constants.SELECT2_ALIAS_URL_NAME,
+            ),
+            path(
+                "category-select2/",
+                views.CategorySelect2View.as_view(),
+                name=constants.CATEGORY_SELECT2_URL_NAME,
+            ),
+        ]
+
+    def create_alias_view(self, request):
+        if not request.user.is_staff:
+            raise PermissionDenied
+
+        form = BaseCreateAliasForm(request.GET or None)
+
+        initial_data = form.cleaned_data if form.is_valid() else None
+        if request.method == "GET" and not form.is_valid():
+            return HttpResponseBadRequest("Form received unexpected values")
+
+        user = request.user
+
+        create_form = CreateAliasForm(
+            request.POST or None,
+            initial=initial_data,
+            user=user,
+        )
+
+        if not create_form.is_valid():
+            opts = self.model._meta
+            context = {
+                "form": create_form,
+                "has_change_permission": True,
+                "opts": opts,
+                "root_path": admin_reverse("index"),
+                "is_popup": True,
+                "app_label": opts.app_label,
+                "media": (Alias().media + create_form.media),
+            }
+            return TemplateResponse(request, "djangocms_alias/create_alias.html", context)
+
+        plugins = create_form.get_plugins()
+
+        if not plugins:
+            return HttpResponseBadRequest(
+                "Plugins are required to create an alias",
+            )
+
+        replace = create_form.cleaned_data.get("replace")
+        if not Alias.can_create_alias(user, plugins, replace):
+            raise PermissionDenied
+
+        alias, alias_content, alias_plugin = create_form.save()
+        emit_content_change([alias_content])
+
+        if replace:
+            return self.render_close_frame(
+                request,
+                obj=alias_plugin,
+                action="reload",
+            )
+        return TemplateResponse(request, "admin/cms/page/close_frame.html")
+
+    def detach_alias_plugin_view(self, request, plugin_pk):
+        if not request.user.is_staff:
+            raise PermissionDenied
+
+        instance = get_object_or_404(AliasPlugin, pk=plugin_pk)
+
+        if request.method == "GET":
+            opts = self.model._meta
+            context = {
+                "has_change_permission": True,
+                "opts": opts,
+                "root_path": admin_reverse("index"),
+                "is_popup": True,
+                "app_label": opts.app_label,
+                "object_name": _("Alias"),
+                "object": instance.alias,
+            }
+            return TemplateResponse(request, "djangocms_alias/detach_alias.html", context)
+
+        language = get_language_from_request(request)
+
+        plugins = instance.alias.get_plugins(language, show_draft_content=True)
+        can_detach = self.can_detach(request.user, instance.placeholder, plugins)
+
+        if not can_detach:
+            raise PermissionDenied
+
+        self.detach_alias_plugin(
+            plugin=instance,
+            language=language,
+        )
+
+        return self.render_close_frame(
+            request,
+            obj=instance,
+            action="reload",
+        )
+
+    def alias_usage_view(self, request, pk):
+        if not request.user.is_staff:
+            raise PermissionDenied
+
+        alias = get_object_or_404(AliasModel, pk=pk)
+        opts = AliasModel._meta
+        title = _(f"Objects using alias: {alias}")
+        context = {
+            "has_change_permission": True,
+            "opts": opts,
+            "root_path": admin_reverse("index"),
+            "is_popup": True,
+            "app_label": opts.app_label,
+            "object_name": _("Alias"),
+            "object": alias,
+            "title": title,
+            "original": title,
+            "show_back_btn": request.GET.get("back"),
+            "objects_list": sorted(
+                alias.objects_using,
+                # First show Pages on list
+                key=lambda obj: isinstance(obj, Page),
+                reverse=True,
+            ),
+        }
+        return TemplateResponse(request, "djangocms_alias/alias_usage.html", context)