# -*- coding: utf-8 -*- """ Accounts Views This module contains all views for the accounts application, including authentication, user management, role and permission management, and security monitoring. Views included: - Authentication views (login, logout, password management) - User management views (profile, settings, user list) - Role and permission management views - Security monitoring views - API views for AJAX requests Author: Adtlas Development Team Version: 1.0.0 Created: 2024 """ import json import logging from datetime import datetime, timedelta from typing import Dict, Any, Optional, List from django.shortcuts import render, redirect, get_object_or_404 from django.contrib.auth import authenticate, login, logout from django.contrib.auth.models import User from django.contrib.auth.decorators import login_required, user_passes_test from django.contrib.auth.forms import PasswordChangeForm from django.contrib import messages from django.http import JsonResponse, HttpResponse, HttpRequest from django.views.decorators.http import require_http_methods, require_POST from django.views.decorators.csrf import csrf_exempt from django.utils import timezone from django.utils.translation import gettext as _ from django.core.paginator import Paginator, EmptyPage, PageNotAnInteger from django.db.models import Q, Count, Avg from django.db import transaction from django.conf import settings from django.urls import reverse from django.template.loader import render_to_string from django.core.mail import send_mail from django.contrib.auth.tokens import default_token_generator from django.utils.http import urlsafe_base64_encode, urlsafe_base64_decode from django.utils.encoding import force_bytes, force_str from django.core.exceptions import ValidationError from django.views.generic import ListView, DetailView, CreateView, UpdateView, DeleteView from django.contrib.auth.mixins import LoginRequiredMixin, PermissionRequiredMixin from .models import ( UserProfile, Role, Permission, UserRole, RolePermission, UserSession, SecurityLog, APIKey, UserAccess ) from .forms import ( LoginForm, UserProfileForm, RoleForm, PermissionForm, UserRoleForm, APIKeyForm, UserAccessForm, PasswordResetForm ) from .utils import ( get_client_ip, get_user_agent_info, log_security_event, check_rate_limit, generate_api_key, encrypt_password ) from .decorators import permission_required, role_required # Configure logging logger = logging.getLogger(__name__) # ============================================================================ # Authentication Views # ============================================================================ def login_view(request: HttpRequest) -> HttpResponse: """ Handle user login with security features. This view handles user authentication with additional security features including rate limiting, account lockout, and security logging. Args: request (HttpRequest): The HTTP request object Returns: HttpResponse: Login page or redirect to dashboard """ # Redirect if user is already authenticated if request.user.is_authenticated: return redirect('core:dashboard') # Get client information for security logging ip_address = get_client_ip(request) user_agent = request.META.get('HTTP_USER_AGENT', '') # Check rate limiting for this IP address if not check_rate_limit(ip_address, 'login', limit=5, window=300): # 5 attempts per 5 minutes log_security_event( event_type='login_blocked', severity='medium', description=f'Login rate limit exceeded for IP: {ip_address}', ip_address=ip_address, user_agent=user_agent, request_path=request.path ) messages.error(request, _('Too many login attempts. Please try again later.')) return render(request, 'accounts/login.html', {'form': LoginForm()}) if request.method == 'POST': form = LoginForm(request.POST) if form.is_valid(): username = form.cleaned_data['username'] password = form.cleaned_data['password'] remember_me = form.cleaned_data.get('remember_me', False) # Attempt authentication user = authenticate(request, username=username, password=password) if user is not None: # Check if user account is active if not user.is_active: log_security_event( user=user, event_type='login_failed', severity='medium', description='Login attempt on inactive account', ip_address=ip_address, user_agent=user_agent ) messages.error(request, _('Your account has been deactivated.')) return render(request, 'accounts/login.html', {'form': form}) # Check if account is locked try: profile = user.userprofile if profile.is_account_locked(): log_security_event( user=user, event_type='login_blocked', severity='medium', description='Login attempt on locked account', ip_address=ip_address, user_agent=user_agent ) messages.error(request, _('Your account is temporarily locked due to multiple failed login attempts.')) return render(request, 'accounts/login.html', {'form': form}) except UserProfile.DoesNotExist: # Create profile if it doesn't exist UserProfile.objects.create(user=user) profile = user.userprofile # Successful login login(request, user) # Reset failed login attempts profile.failed_login_attempts = 0 profile.account_locked_until = None profile.last_login_ip = ip_address profile.save(update_fields=['failed_login_attempts', 'account_locked_until', 'last_login_ip']) # Set session expiry based on remember_me if not remember_me: request.session.set_expiry(0) # Session expires when browser closes else: request.session.set_expiry(settings.SESSION_COOKIE_AGE) # Create user session record user_agent_info = get_user_agent_info(user_agent) UserSession.objects.create( user=user, session_key=request.session.session_key, ip_address=ip_address, user_agent=user_agent, device_type=user_agent_info.get('device_type', 'unknown'), browser=user_agent_info.get('browser', ''), operating_system=user_agent_info.get('os', ''), expires_at=timezone.now() + timedelta(seconds=request.session.get_expiry_age()) ) # Log successful login log_security_event( user=user, event_type='login_success', severity='low', description='Successful user login', ip_address=ip_address, user_agent=user_agent, session_key=request.session.session_key ) # Redirect to next page or dashboard next_url = request.GET.get('next', reverse('core:dashboard')) messages.success(request, _(f'Welcome back, {user.get_full_name() or user.username}!')) return redirect(next_url) else: # Failed login attempt try: user = User.objects.get(username=username) profile = user.userprofile profile.failed_login_attempts += 1 # Lock account after 5 failed attempts if profile.failed_login_attempts >= 5: profile.account_locked_until = timezone.now() + timedelta(minutes=30) log_security_event( user=user, event_type='account_locked', severity='high', description='Account locked due to multiple failed login attempts', ip_address=ip_address, user_agent=user_agent ) messages.error(request, _('Account locked due to multiple failed login attempts. Please try again in 30 minutes.')) else: remaining_attempts = 5 - profile.failed_login_attempts messages.error(request, _(f'Invalid credentials. {remaining_attempts} attempts remaining.')) profile.save(update_fields=['failed_login_attempts', 'account_locked_until']) log_security_event( user=user, event_type='login_failed', severity='medium', description='Failed login attempt', ip_address=ip_address, user_agent=user_agent ) except User.DoesNotExist: # Log failed login for non-existent user log_security_event( event_type='login_failed', severity='medium', description=f'Login attempt with non-existent username: {username}', ip_address=ip_address, user_agent=user_agent ) messages.error(request, _('Invalid credentials.')) else: messages.error(request, _('Please correct the errors below.')) else: form = LoginForm() return render(request, 'accounts/login.html', {'form': form}) @login_required def logout_view(request: HttpRequest) -> HttpResponse: """ Handle user logout with session cleanup. Args: request (HttpRequest): The HTTP request object Returns: HttpResponse: Redirect to login page """ # Get session information before logout session_key = request.session.session_key ip_address = get_client_ip(request) # Update user session record try: user_session = UserSession.objects.get( user=request.user, session_key=session_key, is_active=True ) user_session.terminate(reason='user') except UserSession.DoesNotExist: pass # Log logout event log_security_event( user=request.user, event_type='logout', severity='low', description='User logout', ip_address=ip_address, session_key=session_key ) # Perform logout user_name = request.user.get_full_name() or request.user.username logout(request) messages.success(request, _(f'Goodbye, {user_name}! You have been logged out successfully.')) return redirect('accounts:login') @login_required def change_password(request: HttpRequest) -> HttpResponse: """ Handle password change with security logging. Args: request (HttpRequest): The HTTP request object Returns: HttpResponse: Password change form or redirect """ if request.method == 'POST': form = PasswordChangeForm(request.user, request.POST) if form.is_valid(): user = form.save() # Log password change log_security_event( user=user, event_type='password_change', severity='medium', description='User changed password', ip_address=get_client_ip(request) ) # Update password change timestamp try: profile = user.userprofile profile.password_changed_at = timezone.now() profile.save(update_fields=['password_changed_at']) except UserProfile.DoesNotExist: pass messages.success(request, _('Your password has been changed successfully.')) return redirect('accounts:profile') else: messages.error(request, _('Please correct the errors below.')) else: form = PasswordChangeForm(request.user) return render(request, 'accounts/change_password.html', {'form': form}) def password_reset_request(request: HttpRequest) -> HttpResponse: """ Handle password reset request. Args: request (HttpRequest): The HTTP request object Returns: HttpResponse: Password reset form or confirmation """ if request.method == 'POST': form = PasswordResetForm(request.POST) if form.is_valid(): email = form.cleaned_data['email'] try: user = User.objects.get(email=email, is_active=True) # Generate password reset token token = default_token_generator.make_token(user) uid = urlsafe_base64_encode(force_bytes(user.pk)) # Create reset URL reset_url = request.build_absolute_uri( reverse('accounts:password_reset_confirm', kwargs={'uidb64': uid, 'token': token}) ) # Send password reset email subject = _('Password Reset Request') message = render_to_string('accounts/emails/password_reset.html', { 'user': user, 'reset_url': reset_url, 'site_name': settings.SITE_NAME, }) send_mail( subject=subject, message=message, from_email=settings.DEFAULT_FROM_EMAIL, recipient_list=[email], html_message=message ) # Log password reset request log_security_event( user=user, event_type='password_reset', severity='medium', description='Password reset requested', ip_address=get_client_ip(request) ) messages.success(request, _('Password reset instructions have been sent to your email.')) return redirect('accounts:login') except User.DoesNotExist: # Don't reveal if email exists or not messages.success(request, _('If the email exists, password reset instructions have been sent.')) return redirect('accounts:login') else: form = PasswordResetForm() return render(request, 'accounts/password_reset.html', {'form': form}) # ============================================================================ # User Management Views # ============================================================================ @login_required def profile_view(request: HttpRequest) -> HttpResponse: """ Display and edit user profile. Args: request (HttpRequest): The HTTP request object Returns: HttpResponse: User profile page """ try: profile = request.user.userprofile except UserProfile.DoesNotExist: profile = UserProfile.objects.create(user=request.user) if request.method == 'POST': form = UserProfileForm(request.POST, request.FILES, instance=profile) if form.is_valid(): form.save() # Log profile update log_security_event( user=request.user, event_type='data_modification', severity='low', description='User profile updated', ip_address=get_client_ip(request) ) messages.success(request, _('Your profile has been updated successfully.')) return redirect('accounts:profile') else: messages.error(request, _('Please correct the errors below.')) else: form = UserProfileForm(instance=profile) # Get user's recent sessions recent_sessions = UserSession.objects.filter( user=request.user ).order_by('-last_activity')[:5] # Get user's API keys api_keys = APIKey.objects.filter( user=request.user, is_active=True ).order_by('-created_at') context = { 'form': form, 'profile': profile, 'recent_sessions': recent_sessions, 'api_keys': api_keys, } return render(request, 'accounts/profile.html', context) @login_required @permission_required('accounts.view_user') def user_list(request: HttpRequest) -> HttpResponse: """ Display list of users with filtering and pagination. Args: request (HttpRequest): The HTTP request object Returns: HttpResponse: User list page """ # Get filter parameters search_query = request.GET.get('search', '') user_type_filter = request.GET.get('user_type', '') is_active_filter = request.GET.get('is_active', '') # Build queryset users = User.objects.select_related('userprofile').all() # Apply search filter if search_query: users = users.filter( Q(username__icontains=search_query) | Q(first_name__icontains=search_query) | Q(last_name__icontains=search_query) | Q(email__icontains=search_query) ) # Apply user type filter if user_type_filter: users = users.filter(userprofile__user_type=user_type_filter) # Apply active status filter if is_active_filter: is_active = is_active_filter.lower() == 'true' users = users.filter(is_active=is_active) # Order by last login users = users.order_by('-last_login') # Pagination paginator = Paginator(users, 25) # Show 25 users per page page = request.GET.get('page') try: users_page = paginator.page(page) except PageNotAnInteger: users_page = paginator.page(1) except EmptyPage: users_page = paginator.page(paginator.num_pages) # Get user type choices for filter user_type_choices = UserProfile.USER_TYPES context = { 'users': users_page, 'search_query': search_query, 'user_type_filter': user_type_filter, 'is_active_filter': is_active_filter, 'user_type_choices': user_type_choices, } return render(request, 'accounts/user_list.html', context) @login_required @permission_required('accounts.view_user') def user_detail(request: HttpRequest, user_id: int) -> HttpResponse: """ Display detailed user information. Args: request (HttpRequest): The HTTP request object user_id (int): ID of the user to display Returns: HttpResponse: User detail page """ user = get_object_or_404(User, id=user_id) try: profile = user.userprofile except UserProfile.DoesNotExist: profile = UserProfile.objects.create(user=user) # Get user's roles user_roles = UserRole.objects.filter( user=user, is_active=True ).select_related('role') # Get user's recent sessions recent_sessions = UserSession.objects.filter( user=user ).order_by('-last_activity')[:10] # Get user's security logs security_logs = SecurityLog.objects.filter( user=user ).order_by('-created_at')[:20] # Get user's API keys api_keys = APIKey.objects.filter( user=user ).order_by('-created_at') context = { 'user_obj': user, # Avoid conflict with request.user 'profile': profile, 'user_roles': user_roles, 'recent_sessions': recent_sessions, 'security_logs': security_logs, 'api_keys': api_keys, } return render(request, 'accounts/user_detail.html', context) # ============================================================================ # Role and Permission Management Views # ============================================================================ @login_required @permission_required('accounts.view_role') def role_list(request: HttpRequest) -> HttpResponse: """ Display list of roles with their permissions. Args: request (HttpRequest): The HTTP request object Returns: HttpResponse: Role list page """ roles = Role.objects.filter(is_active=True).prefetch_related('permissions') # Add permission count to each role for role in roles: role.permission_count = role.get_permission_count() role.user_count = role.get_user_count() context = { 'roles': roles, } return render(request, 'accounts/role_list.html', context) @login_required @permission_required('accounts.add_role') def role_create(request: HttpRequest) -> HttpResponse: """ Create a new role. Args: request (HttpRequest): The HTTP request object Returns: HttpResponse: Role creation form or redirect """ if request.method == 'POST': form = RoleForm(request.POST) if form.is_valid(): role = form.save(commit=False) role.created_by = request.user role.save() # Save many-to-many relationships form.save_m2m() # Log role creation log_security_event( user=request.user, event_type='admin_action', severity='medium', description=f'Created role: {role.name}', ip_address=get_client_ip(request), additional_data={'role_id': role.id, 'role_name': role.name} ) messages.success(request, _(f'Role "{role.display_name}" has been created successfully.')) return redirect('accounts:role_list') else: messages.error(request, _('Please correct the errors below.')) else: form = RoleForm() context = { 'form': form, 'title': _('Create Role'), } return render(request, 'accounts/role_form.html', context) @login_required @permission_required('accounts.change_role') def role_edit(request: HttpRequest, role_id: int) -> HttpResponse: """ Edit an existing role. Args: request (HttpRequest): The HTTP request object role_id (int): ID of the role to edit Returns: HttpResponse: Role edit form or redirect """ role = get_object_or_404(Role, id=role_id) if request.method == 'POST': form = RoleForm(request.POST, instance=role) if form.is_valid(): role = form.save() # Log role update log_security_event( user=request.user, event_type='admin_action', severity='medium', description=f'Updated role: {role.name}', ip_address=get_client_ip(request), additional_data={'role_id': role.id, 'role_name': role.name} ) messages.success(request, _(f'Role "{role.display_name}" has been updated successfully.')) return redirect('accounts:role_list') else: messages.error(request, _('Please correct the errors below.')) else: form = RoleForm(instance=role) context = { 'form': form, 'role': role, 'title': _(f'Edit Role: {role.display_name}'), } return render(request, 'accounts/role_form.html', context) @login_required @permission_required('accounts.view_permission') def permission_list(request: HttpRequest) -> HttpResponse: """ Display list of permissions grouped by resource. Args: request (HttpRequest): The HTTP request object Returns: HttpResponse: Permission list page """ permissions = Permission.objects.filter(is_active=True).order_by('resource', 'action') # Group permissions by resource grouped_permissions = {} for permission in permissions: resource = permission.resource if resource not in grouped_permissions: grouped_permissions[resource] = [] grouped_permissions[resource].append(permission) context = { 'grouped_permissions': grouped_permissions, } return render(request, 'accounts/permission_list.html', context) # ============================================================================ # Security Monitoring Views # ============================================================================ @login_required @permission_required('accounts.view_securitylog') def security_logs(request: HttpRequest) -> HttpResponse: """ Display security logs with filtering. Args: request (HttpRequest): The HTTP request object Returns: HttpResponse: Security logs page """ # Get filter parameters event_type_filter = request.GET.get('event_type', '') severity_filter = request.GET.get('severity', '') user_filter = request.GET.get('user', '') date_from = request.GET.get('date_from', '') date_to = request.GET.get('date_to', '') # Build queryset logs = SecurityLog.objects.select_related('user').all() # Apply filters if event_type_filter: logs = logs.filter(event_type=event_type_filter) if severity_filter: logs = logs.filter(severity=severity_filter) if user_filter: logs = logs.filter(user__username__icontains=user_filter) if date_from: try: date_from_obj = datetime.strptime(date_from, '%Y-%m-%d').date() logs = logs.filter(created_at__date__gte=date_from_obj) except ValueError: pass if date_to: try: date_to_obj = datetime.strptime(date_to, '%Y-%m-%d').date() logs = logs.filter(created_at__date__lte=date_to_obj) except ValueError: pass # Order by creation date (newest first) logs = logs.order_by('-created_at') # Pagination paginator = Paginator(logs, 50) # Show 50 logs per page page = request.GET.get('page') try: logs_page = paginator.page(page) except PageNotAnInteger: logs_page = paginator.page(1) except EmptyPage: logs_page = paginator.page(paginator.num_pages) # Get filter choices event_type_choices = SecurityLog.EVENT_TYPES severity_choices = SecurityLog.SEVERITY_LEVELS context = { 'logs': logs_page, 'event_type_filter': event_type_filter, 'severity_filter': severity_filter, 'user_filter': user_filter, 'date_from': date_from, 'date_to': date_to, 'event_type_choices': event_type_choices, 'severity_choices': severity_choices, } return render(request, 'accounts/security_logs.html', context) @login_required @permission_required('accounts.view_usersession') def active_sessions(request: HttpRequest) -> HttpResponse: """ Display active user sessions. Args: request (HttpRequest): The HTTP request object Returns: HttpResponse: Active sessions page """ # Get active sessions sessions = UserSession.objects.filter( is_active=True, expires_at__gt=timezone.now() ).select_related('user').order_by('-last_activity') # Add session duration to each session for session in sessions: session.duration_minutes = int(session.duration.total_seconds() / 60) context = { 'sessions': sessions, } return render(request, 'accounts/active_sessions.html', context) # ============================================================================ # API Views # ============================================================================ @login_required @require_POST def terminate_session(request: HttpRequest) -> JsonResponse: """ Terminate a user session via AJAX. Args: request (HttpRequest): The HTTP request object Returns: JsonResponse: Success or error response """ try: session_id = request.POST.get('session_id') session = get_object_or_404(UserSession, id=session_id) # Check permissions if not (request.user.has_perm('accounts.change_usersession') or session.user == request.user): return JsonResponse({ 'success': False, 'error': _('Permission denied') }, status=403) # Terminate session session.terminate(reason='admin' if session.user != request.user else 'user') # Log session termination log_security_event( user=request.user, event_type='admin_action' if session.user != request.user else 'logout', severity='medium' if session.user != request.user else 'low', description=f'Session terminated for user: {session.user.username}', ip_address=get_client_ip(request), additional_data={ 'terminated_session_id': session.id, 'terminated_user': session.user.username } ) return JsonResponse({ 'success': True, 'message': _('Session terminated successfully') }) except Exception as e: logger.error(f'Error terminating session: {str(e)}') return JsonResponse({ 'success': False, 'error': _('An error occurred while terminating the session') }, status=500) @login_required @require_POST def generate_api_key_view(request: HttpRequest) -> JsonResponse: """ Generate a new API key for the user. Args: request (HttpRequest): The HTTP request object Returns: JsonResponse: API key data or error response """ try: name = request.POST.get('name', '').strip() description = request.POST.get('description', '').strip() if not name: return JsonResponse({ 'success': False, 'error': _('API key name is required') }, status=400) # Generate API key api_key_data = generate_api_key() # Create API key record api_key = APIKey.objects.create( user=request.user, name=name, key=api_key_data['hashed_key'], key_prefix=api_key_data['prefix'], description=description ) # Log API key creation log_security_event( user=request.user, event_type='admin_action', severity='medium', description=f'Generated API key: {name}', ip_address=get_client_ip(request), additional_data={ 'api_key_id': api_key.id, 'api_key_name': name } ) return JsonResponse({ 'success': True, 'api_key': api_key_data['raw_key'], 'key_prefix': api_key_data['prefix'], 'message': _('API key generated successfully. Please save it securely as it will not be shown again.') }) except Exception as e: logger.error(f'Error generating API key: {str(e)}') return JsonResponse({ 'success': False, 'error': _('An error occurred while generating the API key') }, status=500) @login_required @require_POST def revoke_api_key(request: HttpRequest) -> JsonResponse: """ Revoke an API key. Args: request (HttpRequest): The HTTP request object Returns: JsonResponse: Success or error response """ try: api_key_id = request.POST.get('api_key_id') api_key = get_object_or_404(APIKey, id=api_key_id) # Check permissions if not (request.user.has_perm('accounts.delete_apikey') or api_key.user == request.user): return JsonResponse({ 'success': False, 'error': _('Permission denied') }, status=403) # Revoke API key api_key.is_active = False api_key.save(update_fields=['is_active']) # Log API key revocation log_security_event( user=request.user, event_type='admin_action', severity='medium', description=f'Revoked API key: {api_key.name}', ip_address=get_client_ip(request), additional_data={ 'api_key_id': api_key.id, 'api_key_name': api_key.name, 'api_key_owner': api_key.user.username } ) return JsonResponse({ 'success': True, 'message': _('API key revoked successfully') }) except Exception as e: logger.error(f'Error revoking API key: {str(e)}') return JsonResponse({ 'success': False, 'error': _('An error occurred while revoking the API key') }, status=500) @login_required def user_stats_api(request: HttpRequest) -> JsonResponse: """ Get user statistics for dashboard widgets. Args: request (HttpRequest): The HTTP request object Returns: JsonResponse: User statistics data """ try: # Check permissions if not request.user.has_perm('accounts.view_user'): return JsonResponse({ 'success': False, 'error': _('Permission denied') }, status=403) # Calculate statistics total_users = User.objects.count() active_users = User.objects.filter(is_active=True).count() inactive_users = total_users - active_users # Users by type user_types = UserProfile.objects.values('user_type').annotate( count=Count('user_type') ) # Recent registrations (last 30 days) thirty_days_ago = timezone.now() - timedelta(days=30) recent_registrations = User.objects.filter( date_joined__gte=thirty_days_ago ).count() # Active sessions active_sessions_count = UserSession.objects.filter( is_active=True, expires_at__gt=timezone.now() ).count() # Security events (last 24 hours) twenty_four_hours_ago = timezone.now() - timedelta(hours=24) recent_security_events = SecurityLog.objects.filter( created_at__gte=twenty_four_hours_ago ).count() return JsonResponse({ 'success': True, 'data': { 'total_users': total_users, 'active_users': active_users, 'inactive_users': inactive_users, 'user_types': list(user_types), 'recent_registrations': recent_registrations, 'active_sessions': active_sessions_count, 'recent_security_events': recent_security_events, } }) except Exception as e: logger.error(f'Error getting user statistics: {str(e)}') return JsonResponse({ 'success': False, 'error': _('An error occurred while retrieving statistics') }, status=500)