flaskbb/flaskbb/management/views.py

# -*- coding: utf-8 -*-
"""
    flaskbb.management.views
    ~~~~~~~~~~~~~~~~~~~~~~~~

    This module handles the management views.

    :copyright: (c) 2014 by the FlaskBB Team.
    :license: BSD, see LICENSE for more details.
"""
import sys
from datetime import datetime

from flask import (Blueprint, current_app, request, redirect, url_for, flash,
                   jsonify, __version__ as flask_version)
from flask_login import current_user, login_fresh
from flask_plugins import get_all_plugins, get_plugin, get_plugin_from_all
from flask_babelplus import gettext as _
from flask_allows import Permission, Not

from flaskbb import __version__ as flaskbb_version
from flaskbb._compat import iteritems
from flaskbb.forum.forms import UserSearchForm
from flaskbb.utils.settings import flaskbb_config
from flaskbb.utils.requirements import (IsAtleastModerator, IsAdmin,
                                        CanBanUser, CanEditUser,
                                        IsAtleastSuperModerator)
from flaskbb.extensions import db, allows
from flaskbb.utils.helpers import render_template, time_diff, get_online_users
from flaskbb.user.models import Guest, User, Group
from flaskbb.forum.models import Post, Topic, Forum, Category, Report
from flaskbb.management.models import Setting, SettingsGroup
from flaskbb.management.forms import (AddUserForm, EditUserForm, AddGroupForm,
                                      EditGroupForm, EditForumForm,
                                      AddForumForm, CategoryForm)


management = Blueprint("management", __name__)


@management.before_request
def check_fresh_login():
    """Checks if the login is fresh for the current user, otherwise the user
    has to reauthenticate."""
    if not login_fresh():
        return current_app.login_manager.needs_refresh()


@management.route("/")
@allows.requires(IsAtleastModerator)
def overview():
    # user and group stats
    banned_users = User.query.filter(
        Group.banned == True,
        Group.id == User.primary_group_id
    ).count()
    if not current_app.config["REDIS_ENABLED"]:
        online_users = User.query.filter(User.lastseen >= time_diff()).count()
    else:
        online_users = len(get_online_users())

    stats = {
        # user stats
        "all_users": User.query.count(),
        "banned_users": banned_users,
        "online_users": online_users,
        "all_groups": Group.query.count(),
        # forum stats
        "report_count": Report.query.count(),
        "topic_count": Topic.query.count(),
        "post_count": Post.query.count(),
        # misc stats
        "plugins": get_all_plugins(),
        "python_version": "%s.%s" % (sys.version_info[0], sys.version_info[1]),
        "flask_version": flask_version,
        "flaskbb_version": flaskbb_version
    }

    return render_template("management/overview.html", **stats)


@management.route("/settings", methods=["GET", "POST"])
@management.route("/settings/<path:slug>", methods=["GET", "POST"])
@allows.requires(IsAdmin)
def settings(slug=None):
    slug = slug if slug else "general"

    # get the currently active group
    active_group = SettingsGroup.query.filter_by(key=slug).first_or_404()
    # get all groups - used to build the navigation
    all_groups = SettingsGroup.query.all()

    SettingsForm = Setting.get_form(active_group)

    old_settings = Setting.get_settings(active_group)
    new_settings = {}

    form = SettingsForm()

    if form.validate_on_submit():
        for key, values in iteritems(old_settings):
            try:
                # check if the value has changed
                if values['value'] == form[key].data:
                    continue
                else:
                    new_settings[key] = form[key].data
            except KeyError:
                pass
        Setting.update(settings=new_settings, app=current_app)
        flash(_("Settings saved."), "success")
    else:
        for key, values in iteritems(old_settings):
            try:
                form[key].data = values['value']
            except (KeyError, ValueError):
                pass

    return render_template("management/settings.html", form=form,
                           all_groups=all_groups, active_group=active_group)


# Users
@management.route("/users", methods=['GET', 'POST'])
@allows.requires(IsAtleastModerator)
def users():
    page = request.args.get("page", 1, type=int)
    search_form = UserSearchForm()

    if search_form.validate():
        users = search_form.get_results().\
            paginate(page, flaskbb_config['USERS_PER_PAGE'], False)
        return render_template("management/users.html", users=users,
                               search_form=search_form)

    users = User.query. \
        order_by(User.id.asc()).\
        paginate(page, flaskbb_config['USERS_PER_PAGE'], False)

    return render_template("management/users.html", users=users,
                           search_form=search_form)


@management.route("/users/<int:user_id>/edit", methods=["GET", "POST"])
@allows.requires(IsAtleastModerator)
def edit_user(user_id):
    user = User.query.filter_by(id=user_id).first_or_404()

    if not Permission(CanEditUser, identity=current_user):
        flash(_("You are not allowed to edit this user."), "danger")
        return redirect(url_for("management.users"))

    member_group = db.and_(*[db.not_(getattr(Group, p)) for p in
                             ['admin', 'mod', 'super_mod', 'banned', 'guest']])

    filt = db.or_(
        Group.id.in_(g.id for g in current_user.groups), member_group
    )

    if Permission(IsAtleastSuperModerator, identity=current_user):
        filt = db.or_(filt, Group.mod)

    if Permission(IsAdmin, identity=current_user):
        filt = db.or_(filt, Group.admin, Group.super_mod)

    if Permission(CanBanUser, identity=current_user):
        filt = db.or_(filt, Group.banned)

    group_query = Group.query.filter(filt)

    form = EditUserForm(user)
    form.primary_group.query = group_query
    form.secondary_groups.query = group_query
    if form.validate_on_submit():
        form.populate_obj(user)
        user.primary_group_id = form.primary_group.data.id

        # Don't override the password
        if form.password.data:
            user.password = form.password.data

        user.save(groups=form.secondary_groups.data)

        flash(_("User updated."), "success")
        return redirect(url_for("management.edit_user", user_id=user.id))

    return render_template("management/user_form.html", form=form,
                           title=_("Edit User"))


@management.route("/users/delete", methods=["POST"])
@management.route("/users/<int:user_id>/delete", methods=["POST"])
@allows.requires(IsAdmin)
def delete_user(user_id=None):
    # ajax request
    if request.is_xhr:
        ids = request.get_json()["ids"]

        data = []
        for user in User.query.filter(User.id.in_(ids)).all():
            # do not delete current user
            if current_user.id == user.id:
                continue

            if user.delete():
                data.append({
                    "id": user.id,
                    "type": "delete",
                    "reverse": False,
                    "reverse_name": None,
                    "reverse_url": None
                })

        return jsonify(
            message="{} users deleted.".format(len(data)),
            category="success",
            data=data,
            status=200
        )

    user = User.query.filter_by(id=user_id).first_or_404()
    if current_user.id == user.id:
        flash(_("You cannot delete yourself.", "danger"))
        return redirect(url_for("management.users"))

    user.delete()
    flash(_("User deleted."), "success")
    return redirect(url_for("management.users"))


@management.route("/users/add", methods=["GET", "POST"])
@allows.requires(IsAdmin)
def add_user():
    form = AddUserForm()
    if form.validate_on_submit():
        form.save()
        flash(_("User added."), "success")
        return redirect(url_for("management.users"))

    return render_template("management/user_form.html", form=form,
                           title=_("Add User"))


@management.route("/users/banned", methods=["GET", "POST"])
@allows.requires(IsAtleastModerator)
def banned_users():
    page = request.args.get("page", 1, type=int)
    search_form = UserSearchForm()

    users = User.query.filter(
        Group.banned == True,
        Group.id == User.primary_group_id
    ).paginate(page, flaskbb_config['USERS_PER_PAGE'], False)

    if search_form.validate():
        users = search_form.get_results().\
            paginate(page, flaskbb_config['USERS_PER_PAGE'], False)

        return render_template("management/banned_users.html", users=users,
                               search_form=search_form)

    return render_template("management/banned_users.html", users=users,
                           search_form=search_form)


@management.route("/users/ban", methods=["POST"])
@management.route("/users/<int:user_id>/ban", methods=["POST"])
@allows.requires(IsAtleastModerator)
def ban_user(user_id=None):
    if not Permission(CanBanUser, identity=current_user):
        flash(_("You do not have the permissions to ban this user."), "danger")
        return redirect(url_for("management.overview"))

    # ajax request
    if request.is_xhr:
        ids = request.get_json()["ids"]

        data = []
        users = User.query.filter(User.id.in_(ids)).all()
        for user in users:
            # don't let a user ban himself and do not allow a moderator to ban
            # a admin user
            if (
                current_user.id == user.id or
                Permission(IsAdmin, identity=user) and
                Permission(Not(IsAdmin), current_user)
            ):
                continue

            elif user.ban():
                data.append({
                    "id": user.id,
                    "type": "ban",
                    "reverse": "unban",
                    "reverse_name": _("Unban"),
                    "reverse_url": url_for("management.unban_user",
                                           user_id=user.id)
                })

        return jsonify(
            message="{} users banned.".format(len(data)),
            category="success",
            data=data,
            status=200
        )

    user = User.query.filter_by(id=user_id).first_or_404()

    # Do not allow moderators to ban admins
    if Permission(IsAdmin, identity=user) and \
       Permission(Not(IsAdmin), identity=current_user):

        flash(_("A moderator cannot ban an admin user."), "danger")
        return redirect(url_for("management.overview"))

    if not current_user.id == user.id and user.ban():
        flash(_("User is now banned."), "success")
    else:
        flash(_("Could not ban user."), "danger")

    return redirect(url_for("management.banned_users"))


@management.route("/users/unban", methods=["POST"])
@management.route("/users/<int:user_id>/unban", methods=["POST"])
@allows.requires(IsAtleastModerator)
def unban_user(user_id=None):
    if not Permission(CanBanUser, identity=current_user):
        flash(_("You do not have the permissions to unban this user."),
              "danger")
        return redirect(url_for("management.overview"))

    # ajax request
    if request.is_xhr:
        ids = request.get_json()["ids"]

        data = []
        for user in User.query.filter(User.id.in_(ids)).all():
            if user.unban():
                data.append({
                    "id": user.id,
                    "type": "unban",
                    "reverse": "ban",
                    "reverse_name": _("Ban"),
                    "reverse_url": url_for("management.ban_user",
                                           user_id=user.id)
                })

        return jsonify(
            message="{} users unbanned.".format(len(data)),
            category="success",
            data=data,
            status=200
        )

    user = User.query.filter_by(id=user_id).first_or_404()

    if user.unban():
        flash(_("User is now unbanned."), "success")
    else:
        flash(_("Could not unban user."), "danger")

    return redirect(url_for("management.banned_users"))


# Reports
@management.route("/reports")
@allows.requires(IsAtleastModerator)
def reports():
    page = request.args.get("page", 1, type=int)
    reports = Report.query.\
        order_by(Report.id.asc()).\
        paginate(page, flaskbb_config['USERS_PER_PAGE'], False)

    return render_template("management/reports.html", reports=reports)


@management.route("/reports/unread")
@allows.requires(IsAtleastModerator)
def unread_reports():
    page = request.args.get("page", 1, type=int)
    reports = Report.query.\
        filter(Report.zapped == None).\
        order_by(Report.id.desc()).\
        paginate(page, flaskbb_config['USERS_PER_PAGE'], False)

    return render_template("management/unread_reports.html", reports=reports)


@management.route("/reports/<int:report_id>/markread", methods=["POST"])
@management.route("/reports/markread", methods=["POST"])
@allows.requires(IsAtleastModerator)
def report_markread(report_id=None):
    # AJAX request
    if request.is_xhr:
        ids = request.get_json()["ids"]
        data = []

        for report in Report.query.filter(Report.id.in_(ids)).all():
            report.zapped_by = current_user.id
            report.zapped = datetime.utcnow()
            report.save()
            data.append({
                "id": report.id,
                "type": "read",
                "reverse": False,
                "reverse_name": None,
                "reverse_url": None
            })

        return jsonify(
            message="{} reports marked as read.".format(len(data)),
            category="success",
            data=data,
            status=200
        )

    # mark single report as read
    if report_id:
        report = Report.query.filter_by(id=report_id).first_or_404()
        if report.zapped:
            flash(_("Report %(id)s is already marked as read.", id=report.id),
                  "success")
            return redirect(url_for("management.reports"))

        report.zapped_by = current_user.id
        report.zapped = datetime.utcnow()
        report.save()
        flash(_("Report %(id)s marked as read.", id=report.id), "success")
        return redirect(url_for("management.reports"))

    # mark all as read
    reports = Report.query.filter(Report.zapped == None).all()
    report_list = []
    for report in reports:
        report.zapped_by = current_user.id
        report.zapped = datetime.utcnow()
        report_list.append(report)

    db.session.add_all(report_list)
    db.session.commit()

    flash(_("All reports were marked as read."), "success")
    return redirect(url_for("management.reports"))


# Groups
@management.route("/groups")
@allows.requires(IsAdmin)
def groups():
    page = request.args.get("page", 1, type=int)

    groups = Group.query.\
        order_by(Group.id.asc()).\
        paginate(page, flaskbb_config['USERS_PER_PAGE'], False)

    return render_template("management/groups.html", groups=groups)


@management.route("/groups/<int:group_id>/edit", methods=["GET", "POST"])
@allows.requires(IsAdmin)
def edit_group(group_id):
    group = Group.query.filter_by(id=group_id).first_or_404()

    form = EditGroupForm(group)

    if form.validate_on_submit():
        form.populate_obj(group)
        group.save()

        if group.guest:
            Guest.invalidate_cache()

        flash(_("Group updated."), "success")
        return redirect(url_for("management.groups", group_id=group.id))

    return render_template("management/group_form.html", form=form,
                           title=_("Edit Group"))


@management.route("/groups/<int:group_id>/delete", methods=["POST"])
@management.route("/groups/delete", methods=["POST"])
@allows.requires(IsAdmin)
def delete_group(group_id=None):
    if request.is_xhr:
        ids = request.get_json()["ids"]
        if not (set(ids) & set(["1", "2", "3", "4", "5"])):
            data = []
            for group in Group.query.filter(Group.id.in_(ids)).all():
                group.delete()
                data.append({
                    "id": group.id,
                    "type": "delete",
                    "reverse": False,
                    "reverse_name": None,
                    "reverse_url": None
                })

            return jsonify(
                message="{} groups deleted.".format(len(data)),
                category="success",
                data=data,
                status=200
            )
        return jsonify(
            message=_("You cannot delete one of the standard groups."),
            category="danger",
            data=None,
            status=404
        )

    if group_id is not None:
        if group_id <= 5:  # there are 5 standard groups
            flash(_("You cannot delete the standard groups. "
                    "Try renaming it instead.", "danger"))
            return redirect(url_for("management.groups"))

        group = Group.query.filter_by(id=group_id).first_or_404()
        group.delete()
        flash(_("Group deleted."), "success")
        return redirect(url_for("management.groups"))

    flash(_("No group chosen."), "danger")
    return redirect(url_for("management.groups"))


@management.route("/groups/add", methods=["GET", "POST"])
@allows.requires(IsAdmin)
def add_group():
    form = AddGroupForm()
    if form.validate_on_submit():
        form.save()
        flash(_("Group added."), "success")
        return redirect(url_for("management.groups"))

    return render_template("management/group_form.html", form=form,
                           title=_("Add Group"))


# Forums and Categories
@management.route("/forums")
@allows.requires(IsAdmin)
def forums():
    categories = Category.query.order_by(Category.position.asc()).all()
    return render_template("management/forums.html", categories=categories)


@management.route("/forums/<int:forum_id>/edit", methods=["GET", "POST"])
@allows.requires(IsAdmin)
def edit_forum(forum_id):
    forum = Forum.query.filter_by(id=forum_id).first_or_404()

    form = EditForumForm(forum)
    if form.validate_on_submit():
        form.save()
        flash(_("Forum updated."), "success")
        return redirect(url_for("management.edit_forum", forum_id=forum.id))
    else:
        if forum.moderators:
            form.moderators.data = ",".join([
                user.username for user in forum.moderators
            ])
        else:
            form.moderators.data = None

    return render_template("management/forum_form.html", form=form,
                           title=_("Edit Forum"))


@management.route("/forums/<int:forum_id>/delete", methods=["POST"])
@allows.requires(IsAdmin)
def delete_forum(forum_id):
    forum = Forum.query.filter_by(id=forum_id).first_or_404()

    involved_users = User.query.filter(Topic.forum_id == forum.id,
                                       Post.user_id == User.id).all()

    forum.delete(involved_users)

    flash(_("Forum deleted."), "success")
    return redirect(url_for("management.forums"))


@management.route("/forums/add", methods=["GET", "POST"])
@management.route("/forums/<int:category_id>/add", methods=["GET", "POST"])
@allows.requires(IsAdmin)
def add_forum(category_id=None):
    form = AddForumForm()

    if form.validate_on_submit():
        form.save()
        flash(_("Forum added."), "success")
        return redirect(url_for("management.forums"))
    else:
        form.groups.data = Group.query.order_by(Group.id.asc()).all()
        if category_id:
            category = Category.query.filter_by(id=category_id).first()
            form.category.data = category

    return render_template("management/forum_form.html", form=form,
                           title=_("Add Forum"))


@management.route("/category/add", methods=["GET", "POST"])
@allows.requires(IsAdmin)
def add_category():
    form = CategoryForm()

    if form.validate_on_submit():
        form.save()
        flash(_("Category added."), "success")
        return redirect(url_for("management.forums"))

    return render_template("management/category_form.html", form=form,
                           title=_("Add Category"))


@management.route("/category/<int:category_id>/edit", methods=["GET", "POST"])
@allows.requires(IsAdmin)
def edit_category(category_id):
    category = Category.query.filter_by(id=category_id).first_or_404()

    form = CategoryForm(obj=category)

    if form.validate_on_submit():
        form.populate_obj(category)
        flash(_("Category updated."), "success")
        category.save()

    return render_template("management/category_form.html", form=form,
                           title=_("Edit Category"))


@management.route("/category/<int:category_id>/delete", methods=["POST"])
@allows.requires(IsAdmin)
def delete_category(category_id):
    category = Category.query.filter_by(id=category_id).first_or_404()

    involved_users = User.query.filter(Forum.category_id == category.id,
                                       Topic.forum_id == Forum.id,
                                       Post.user_id == User.id).all()

    category.delete(involved_users)
    flash(_("Category with all associated forums deleted."), "success")
    return redirect(url_for("management.forums"))


# Plugins
@management.route("/plugins")
@allows.requires(IsAdmin)
def plugins():
    plugins = get_all_plugins()
    return render_template("management/plugins.html", plugins=plugins)


@management.route("/plugins/<path:plugin>/enable", methods=["POST"])
@allows.requires(IsAdmin)
def enable_plugin(plugin):
    plugin = get_plugin_from_all(plugin)

    if plugin.enabled:
        flash(_("Plugin %(plugin)s is already enabled.", plugin=plugin.name),
              "info")
        return redirect(url_for("management.plugins"))

    try:
        plugin.enable()
        flash(_("Plugin %(plugin)s enabled. Please restart FlaskBB now.",
                plugin=plugin.name), "success")
    except OSError:
        flash(_("It seems that FlaskBB does not have enough filesystem "
                "permissions. Try removing the 'DISABLED' file by "
                "yourself instead."), "danger")

    return redirect(url_for("management.plugins"))


@management.route("/plugins/<path:plugin>/disable", methods=["POST"])
@allows.requires(IsAdmin)
def disable_plugin(plugin):
    try:
        plugin = get_plugin(plugin)
    except KeyError:
        flash(_("Plugin %(plugin)s not found.", plugin=plugin.name), "danger")
        return redirect(url_for("management.plugins"))

    try:
        plugin.disable()
        flash(_("Plugin %(plugin)s disabled. Please restart FlaskBB now.",
                plugin=plugin.name), "success")
    except OSError:
        flash(_("It seems that FlaskBB does not have enough filesystem "
                "permissions. Try creating the 'DISABLED' file by "
                "yourself instead."), "danger")

    return redirect(url_for("management.plugins"))


@management.route("/plugins/<path:plugin>/uninstall", methods=["POST"])
@allows.requires(IsAdmin)
def uninstall_plugin(plugin):
    plugin = get_plugin_from_all(plugin)
    if plugin.uninstallable:
        plugin.uninstall()
        Setting.invalidate_cache()

        flash(_("Plugin has been uninstalled."), "success")
    else:
        flash(_("Cannot uninstall plugin."), "danger")

    return redirect(url_for("management.plugins"))


@management.route("/plugins/<path:plugin>/install", methods=["POST"])
@allows.requires(IsAdmin)
def install_plugin(plugin):
    plugin = get_plugin_from_all(plugin)
    if plugin.installable and not plugin.uninstallable:
        plugin.install()
        Setting.invalidate_cache()

        flash(_("Plugin has been installed."), "success")
    else:
        flash(_("Cannot install plugin."), "danger")

    return redirect(url_for("management.plugins"))