from django.shortcuts import render, redirect, get_object_or_404 from django.contrib.auth import authenticate, login, logout, update_session_auth_hash from django.contrib.auth.decorators import login_required, user_passes_test from django.contrib.auth.forms import AuthenticationForm, SetPasswordForm from django.contrib.auth.tokens import default_token_generator from django.contrib.sites.shortcuts import get_current_site from django.template.loader import render_to_string from django.utils.http import urlsafe_base64_encode, urlsafe_base64_decode from django.utils.encoding import force_bytes, force_str from django.contrib import messages from django.http import JsonResponse, HttpResponse from django.contrib.auth import get_user_model from django.core.exceptions import ValidationError from django.db import IntegrityError from django.conf import settings from django.contrib.auth.hashers import make_password from django.utils.crypto import get_random_string from django.middleware.csrf import get_token from .models import CustomUser, UserActivityLog from .forms import CustomPasswordResetForm, CustomSetPasswordForm, ProfileUpdateForm from hr.models import Employee from customers.models import Customer import logging from django.contrib.auth.views import PasswordResetView, PasswordResetConfirmView from django.urls import reverse_lazy from settings.utils import send_password_reset_email import json # Import json for handling JSON data from django.db import models # Import models for search functionality # Get the user model User = get_user_model() logger = logging.getLogger('accounts.login') def superuser_login(request): if request.method == 'POST': username = request.POST['username'] password = request.POST['password'] # Log the attempt logger.info(f"Superuser login attempt for username: {username} from IP: {request.META.get('REMOTE_ADDR')}") user = authenticate(request, username=username, password=password) if user is not None and user.is_superuser: login(request, user) logger.info(f"Successful superuser login for: {username}") # Log user activity UserActivityLog.objects.create( user=user, activity_type='login', description=f'Superuser login from {request.META.get("REMOTE_ADDR")}', ip_address=request.META.get('REMOTE_ADDR'), user_agent=request.META.get('HTTP_USER_AGENT', '') ) return redirect('customers:dashboard') else: logger.warning(f"Failed superuser login attempt for: {username} from IP: {request.META.get('REMOTE_ADDR')}") messages.error(request, 'Invalid superuser credentials.') return render(request, 'accounts/superuser_login.html') def employee_login(request): """Employee login view""" if request.method == 'POST': username = request.POST.get('username', '').strip() password = request.POST.get('password', '').strip() # Log the attempt logger.info(f"Employee login attempt for username: {username} from IP: {request.META.get('REMOTE_ADDR')}") if not username or not password: messages.error(request, 'Please provide both username and password.') return render(request, 'accounts/employee_login.html') try: # Check if user exists and is an employee user = User.objects.get(username=username) # Check if user has an employee profile if not hasattr(user, 'employee_profile'): logger.warning(f"Login attempt for non-employee user: {username}") messages.error(request, 'Invalid employee credentials.') return render(request, 'accounts/employee_login.html') # Authenticate user authenticated_user = authenticate(request, username=username, password=password) if authenticated_user is not None: # Check if employee account is active employee = authenticated_user.employee_profile if employee.status != 'active': logger.warning(f"Login attempt for inactive employee: {username}") messages.error(request, 'Your employee account is not active. Please contact HR.') return render(request, 'accounts/employee_login.html') login(request, authenticated_user) logger.info(f"Successful employee login for: {username}") # Log user activity UserActivityLog.objects.create( user=authenticated_user, activity_type='login', description=f'Employee login from {request.META.get("REMOTE_ADDR")}', ip_address=request.META.get('REMOTE_ADDR'), user_agent=request.META.get('HTTP_USER_AGENT', '') ) # Check if this is first login (no last_login before this) if not authenticated_user.last_login: messages.success(request, 'Welcome! This is your first login. Please update your profile.') return redirect('accounts:profile') return redirect('customers:dashboard') else: logger.warning(f"Failed employee login attempt for: {username}") messages.error(request, 'Invalid username or password.') except User.DoesNotExist: logger.warning(f"Login attempt for non-existent user: {username}") messages.error(request, 'Invalid username or password.') except Exception as e: logger.error(f"Error during employee login for {username}: {str(e)}") messages.error(request, 'An error occurred during login. Please try again.') return render(request, 'accounts/employee_login.html') def customer_login(request): """Customer login view""" if request.method == 'POST': username = request.POST.get('username', '').strip() password = request.POST.get('password', '').strip() # Log the attempt logger.info(f"Customer login attempt for username: {username} from IP: {request.META.get('REMOTE_ADDR')}") if not username or not password: messages.error(request, 'Please provide both username and password.') return render(request, 'customers/customer_login.html') try: # Check if user exists and is a customer user = User.objects.get(username=username) # Check if user has a customer profile if not hasattr(user, 'customer_profile'): logger.warning(f"Login attempt for non-customer user: {username}") messages.error(request, 'Invalid customer credentials.') return render(request, 'customers/customer_login.html') # Authenticate user authenticated_user = authenticate(request, username=username, password=password) if authenticated_user is not None: # Check if customer account is active customer = authenticated_user.customer_profile if customer.status != 'active': logger.warning(f"Login attempt for inactive customer: {username}") if customer.status == 'suspended': messages.error(request, 'Your account has been suspended. Please contact support.') else: messages.error(request, 'Your account is not active. Please contact support.') return render(request, 'customers/customer_login.html') login(request, authenticated_user) logger.info(f"Successful customer login for: {username}") # Log user activity UserActivityLog.objects.create( user=authenticated_user, activity_type='login', description=f'Customer login from {request.META.get("REMOTE_ADDR")}', ip_address=request.META.get('REMOTE_ADDR'), user_agent=request.META.get('HTTP_USER_AGENT', '') ) return redirect('customers:customer_dashboard') else: logger.warning(f"Failed customer login attempt for: {username}") messages.error(request, 'Invalid username or password.') except User.DoesNotExist: logger.warning(f"Login attempt for non-existent customer user: {username}") messages.error(request, 'Invalid username or password.') except Exception as e: logger.error(f"Error during customer login for {username}: {str(e)}") messages.error(request, 'An error occurred during login. Please try again.') return render(request, 'customers/customer_login.html') from django.views.decorators.csrf import csrf_protect, ensure_csrf_cookie from django.views.decorators.cache import never_cache @ensure_csrf_cookie @csrf_protect @never_cache def unified_login(request): """Unified login view that handles all user types with first-time password change""" if request.method == 'POST': username = request.POST.get('username', '').strip() password = request.POST.get('password', '').strip() if not username or not password: messages.error(request, 'Please provide both username and password.') return render(request, 'accounts/unified_login.html') # Only log attempts with valid credentials to avoid spam logger.info(f"Login attempt for username: {username} from IP: {request.META.get('REMOTE_ADDR')}") try: # Authenticate user user = authenticate(request, username=username, password=password) if user is not None: # Check if this is first login (password needs to be changed) if user.last_login is None and getattr(user, 'first_login_required', False): # Store user ID in session for password change request.session['first_login_user_id'] = user.id messages.info(request, 'This is your first login. Please change your password.') return redirect('accounts:first_time_password_change') # Check account status based on user type if user.is_superuser: # Superuser login login(request, user) logger.info(f"Successful superuser login for: {username}") # Log user activity UserActivityLog.objects.create( user=user, activity_type='login', description=f'Superuser login from {request.META.get("REMOTE_ADDR")}', ip_address=request.META.get('REMOTE_ADDR'), user_agent=request.META.get('HTTP_USER_AGENT', '') ) return redirect('customers:dashboard') elif hasattr(user, 'employee_profile') and user.employee_profile: # Employee login employee = user.employee_profile if hasattr(employee, 'status') and employee.status != 'active': logger.warning(f"Login attempt for inactive employee: {username}") messages.error(request, 'Your employee account is not active. Please contact HR.') return render(request, 'accounts/unified_login.html') login(request, user) logger.info(f"Successful employee login for: {username}") # Log user activity UserActivityLog.objects.create( user=user, activity_type='login', description=f'Employee login from {request.META.get("REMOTE_ADDR")}', ip_address=request.META.get('REMOTE_ADDR'), user_agent=request.META.get('HTTP_USER_AGENT', '') ) return redirect('customers:dashboard') elif hasattr(user, 'customer_profile') and user.customer_profile: # Customer login customer = user.customer_profile if hasattr(customer, 'status') and customer.status != 'active': logger.warning(f"Login attempt for inactive customer: {username}") if customer.status == 'suspended': messages.error(request, 'Your account has been suspended. Please contact support.') else: messages.error(request, 'Your account is not active. Please contact support.') return render(request, 'accounts/unified_login.html') login(request, user) logger.info(f"Successful customer login for: {username}") # Log user activity UserActivityLog.objects.create( user=user, activity_type='login', description=f'Customer login from {request.META.get("REMOTE_ADDR")}', ip_address=request.META.get('REMOTE_ADDR'), user_agent=request.META.get('HTTP_USER_AGENT', '') ) return redirect('customers:customer_dashboard') else: # Regular user without specific profile - allow login for superusers/staff if user.is_superuser or user.is_staff: login(request, user) logger.info(f"Successful staff/superuser login for: {username}") # Log user activity UserActivityLog.objects.create( user=user, activity_type='login', description=f'Staff login from {request.META.get("REMOTE_ADDR")}', ip_address=request.META.get('REMOTE_ADDR'), user_agent=request.META.get('HTTP_USER_AGENT', '') ) return redirect('customers:dashboard') else: # User exists but has no profile and isn't staff logger.warning(f"Login attempt for user without profile: {username}") messages.error(request, 'Account setup is incomplete. Please contact support.') return render(request, 'accounts/unified_login.html') else: logger.warning(f"Failed login attempt for: {username}") messages.error(request, 'Invalid username or password.') return render(request, 'accounts/unified_login.html') except Exception as e: logger.error(f"Error during login for {username}: {str(e)}") messages.error(request, 'An error occurred during login. Please try again.') return render(request, 'accounts/unified_login.html') # Always render the template with proper context context = { 'csrf_token': get_token(request), } return render(request, 'accounts/login.html', context) from django.contrib import messages from django.shortcuts import render, redirect, get_object_or_404 from django.contrib.auth.decorators import login_required from django.contrib.auth.models import Group, Permission from django.db import transaction from hr.models import Department from .models import GroupPermissionManager, DepartmentPermissionAssignment from .forms import DepartmentPermissionForm, AddPermissionForm from .permissions import has_permission from .permissions import permission_required @login_required @permission_required('manage_settings') def permission_management_dashboard(request): """Dashboard for managing department permissions""" departments = Department.objects.filter(is_active=True) permissions_by_category = {} for category_key, category_name in GroupPermissionManager.PERMISSION_CATEGORIES: permissions_by_category[category_name] = GroupPermissionManager.objects.filter( category=category_key, is_active=True ).count() context = { 'departments': departments, 'permissions_by_category': permissions_by_category, 'total_permissions': GroupPermissionManager.objects.filter(is_active=True).count() } return render(request, 'accounts/permission_management_dashboard.html', context) @login_required @permission_required('manage_settings') def manage_department_permissions(request, department_id): """Manage permissions for a specific department""" department = get_object_or_404(Department, id=department_id, is_active=True) if request.method == 'POST': form = DepartmentPermissionForm(request.POST, department=department) if form.is_valid(): with transaction.atomic(): # Remove all existing permissions for this department DepartmentPermissionAssignment.objects.filter(department=department).delete() # Add selected permissions for field_name, permissions in form.cleaned_data.items(): if field_name.startswith('permissions_') and permissions: for permission in permissions: DepartmentPermissionAssignment.objects.create( department=department, permission=permission, assigned_by=request.user ) # Update Django group permissions _update_django_group_permissions(department) messages.success(request, f'Permissions updated for {department.name} department.') return redirect('accounts:permission_management_dashboard') else: form = DepartmentPermissionForm(department=department) context = { 'department': department, 'form': form } return render(request, 'accounts/manage_department_permissions.html', context) @login_required @permission_required('manage_settings') def add_permission(request): """Add a new system permission""" if request.method == 'POST': form = AddPermissionForm(request.POST) if form.is_valid(): permission = form.save() messages.success(request, f'Permission "{permission.display_name}" added successfully.') return redirect('accounts:permission_management_dashboard') else: form = AddPermissionForm() context = {'form': form} return render(request, 'accounts/add_permission.html', context) @login_required @permission_required('manage_settings') def delete_permission(request, permission_id): """Delete a system permission""" permission = get_object_or_404(GroupPermissionManager, id=permission_id) if request.method == 'POST': permission_name = permission.display_name permission.delete() messages.success(request, f'Permission "{permission_name}" deleted successfully.') return redirect('accounts:permission_management_dashboard') context = {'permission': permission} return render(request, 'accounts/delete_permission.html', context) def _update_django_group_permissions(department): """Update Django group permissions based on department assignments""" # Get or create group for department group, created = Group.objects.get_or_create(name=department.name) # Clear existing permissions group.permissions.clear() # Get assigned permissions for department assigned_permissions = DepartmentPermissionAssignment.objects.filter( department=department ).select_related('permission') # Map custom permissions to Django permissions django_permissions = [] for assignment in assigned_permissions: permission_name = assignment.permission.name # Try to find matching Django permissions matching_perms = Permission.objects.filter(codename=permission_name) django_permissions.extend(matching_perms) # Also try variations (add_, change_, view_, delete_) base_name = permission_name.replace('manage_', '').replace('view_', '').replace('add_', '').replace('change_', '').replace('delete_', '') for prefix in ['add_', 'change_', 'view_', 'delete_']: perm_variation = f"{prefix}{base_name}" matching_perms = Permission.objects.filter(codename=perm_variation) django_permissions.extend(matching_perms) # Add permissions to group for perm in set(django_permissions): group.permissions.add(perm) # Update department's user_group field department.user_group = group department.save() def first_time_password_change(request): """Handle first-time password change""" user_id = request.session.get('first_login_user_id') if not user_id: return redirect('accounts:login') try: user = User.objects.get(id=user_id) except User.DoesNotExist: return redirect('accounts:login') if request.method == 'POST': new_password = request.POST.get('new_password') confirm_password = request.POST.get('confirm_password') if new_password != confirm_password: messages.error(request, 'Passwords do not match.') return render(request, 'accounts/first_time_password_change.html', {'user': user}) if len(new_password) < 8: messages.error(request, 'Password must be at least 8 characters long.') return render(request, 'accounts/first_time_password_change.html', {'user': user}) # Update password and remove first login flag user.set_password(new_password) user.first_login_required = False user.save() # Clear session del request.session['first_login_user_id'] # Determine the appropriate backend for this user backend = None if user.is_superuser: backend = 'accounts.backends.SuperuserAuthBackend' elif hasattr(user, 'employee_profile') and user.employee_profile: backend = 'accounts.backends.EmployeeAuthBackend' elif hasattr(user, 'customer_profile') and user.customer_profile: backend = 'accounts.backends.CustomerAuthBackend' else: backend = 'django.contrib.auth.backends.ModelBackend' # Log them in with the appropriate backend login(request, user, backend=backend) messages.success(request, 'Password changed successfully! Welcome to the system.') # Redirect based on user type if user.is_superuser or (hasattr(user, 'employee_profile') and user.employee_profile): return redirect('customers:dashboard') else: return redirect('customers:dashboard') return render(request, 'accounts/first_time_password_change.html', {'user': user}) def password_reset_request(request): """Enhanced password reset request""" if request.method == 'POST': # Check if it's a JSON request if request.content_type == 'application/json': try: data = json.loads(request.body) email = data.get('email', '').strip() except (json.JSONDecodeError, ValueError): return JsonResponse({'success': False, 'error': 'Invalid JSON data.'}) else: # Handle form data email = request.POST.get('email', '').strip() if not email: if request.content_type == 'application/json': return JsonResponse({'success': False, 'error': 'Please provide an email address.'}) else: messages.error(request, 'Please provide an email address.') return render(request, 'accounts/password_reset_form.html') try: # Find users by email users = User.objects.filter(email=email, is_active=True) email_sent = False for user in users: # Generate reset token token = default_token_generator.make_token(user) uid = urlsafe_base64_encode(force_bytes(user.pk)) # Build reset URL current_site = get_current_site(request) reset_url = request.build_absolute_uri( f'/accounts/password-reset-confirm/{uid}/{token}/' ) # Send password reset email using the notifications app try: from notifications.email_service import EmailService email_service = EmailService() success, error_msg = email_service.send_email( recipient_email=email, subject='Password Reset Request - OptiNet', content=f''' Dear {user.get_full_name() or user.username}, You have requested to reset your password for your OptiNet account. Click the link below to reset your password: {reset_url} This link will expire in 24 hours. If you did not request this password reset, please ignore this email. Best regards, OptiNet Support Team ''', email_type='password_reset', recipient_name=user.get_full_name() or user.username ) if success: logger.info(f"Password reset email sent to {email}") email_sent = True else: logger.error(f"Failed to send password reset email to {email}: {error_msg}") except Exception as email_error: logger.error(f"Error sending password reset email to {email}: {str(email_error)}") if request.content_type == 'application/json': return JsonResponse({ 'success': True, 'message': 'If an account with that email exists, password reset instructions have been sent.' }) else: messages.success(request, 'If an account with that email exists, password reset instructions have been sent.') return render(request, 'accounts/password_reset_form.html') except Exception as e: logger.error(f"Error in password reset for {email}: {str(e)}") if request.content_type == 'application/json': return JsonResponse({ 'success': False, 'error': 'An error occurred while processing your request. Please try again later.' }) else: messages.error(request, 'An error occurred while processing your request. Please try again later.') return render(request, 'accounts/password_reset_form.html') # Handle GET request - show the form return render(request, 'accounts/password_reset_form.html') def password_reset_confirm(request, uidb64, token): """Password reset confirmation""" try: uid = force_str(urlsafe_base64_decode(uidb64)) user = User.objects.get(pk=uid) except (TypeError, ValueError, OverflowError, User.DoesNotExist): user = None if user is not None and default_token_generator.check_token(user, token): if request.method == 'POST': new_password = request.POST.get('new_password') confirm_password = request.POST.get('confirm_password') if new_password != confirm_password: messages.error(request, 'Passwords do not match.') return render(request, 'accounts/password_reset_confirm.html', {'valid_link': True}) if len(new_password) < 8: messages.error(request, 'Password must be at least 8 characters long.') return render(request, 'accounts/password_reset_confirm.html', {'valid_link': True}) user.set_password(new_password) user.save() update_session_auth_hash(request, user) # Update session to keep the user logged in if they were messages.success(request, 'Your password has been reset successfully! Please log in.') return redirect('accounts:login') return render(request, 'accounts/password_reset_confirm.html', {'valid_link': True}) else: return render(request, 'accounts/password_reset_confirm.html', {'valid_link': False}) def create_user_account(username, email, user_type='customer', employee_profile=None, customer_profile=None): """Helper function for admins to create user accounts""" # Generate random password temp_password = get_random_string(12) # Create user user = User.objects.create( username=username, email=email, password=make_password(temp_password), is_active=True ) # Mark as requiring first-time password change user.first_login_required = True user.save() return user, temp_password @login_required def change_password(request): """Change password view""" if request.method == 'POST': old_password = request.POST.get('old_password') new_password = request.POST.get('new_password') confirm_password = request.POST.get('confirm_password') if not request.user.check_password(old_password): messages.error(request, 'Current password is incorrect.') return render(request, 'accounts/change_password.html') if new_password != confirm_password: messages.error(request, 'New passwords do not match.') return render(request, 'accounts/change_password.html') if len(new_password) < 8: messages.error(request, 'Password must be at least 8 characters long.') return render(request, 'accounts/change_password.html') # Update password request.user.set_password(new_password) request.user.save() update_session_auth_hash(request, request.user) # Update session to keep the user logged in # Log the activity UserActivityLog.objects.create( user=request.user, activity_type='password_change', description=f'Password changed from {request.META.get("REMOTE_ADDR")}', ip_address=request.META.get('REMOTE_ADDR'), user_agent=request.META.get('HTTP_USER_AGENT', '') ) messages.success(request, 'Password changed successfully!') return redirect('accounts:profile') return render(request, 'accounts/change_password.html') @login_required def profile_view(request): """User profile view and update""" if request.method == 'POST': form = ProfileUpdateForm(request.POST, instance=request.user) if form.is_valid(): form.save() messages.success(request, 'Profile updated successfully!') return redirect('accounts:profile') else: form = ProfileUpdateForm(instance=request.user) # Get user-specific information user_info = { 'user_type': 'Unknown', 'profile': None, 'additional_info': {} } if request.user.is_superuser: user_info['user_type'] = 'Superuser' elif hasattr(request.user, 'employee_profile'): user_info['user_type'] = 'Employee' user_info['profile'] = request.user.employee_profile user_info['additional_info'] = { 'employee_id': request.user.employee_profile.employee_id, 'department': request.user.employee_profile.department.name if request.user.employee_profile.department else 'Not assigned', 'position': request.user.employee_profile.position, 'status': request.user.employee_profile.get_status_display(), } elif hasattr(request.user, 'customer_profile'): user_info['user_type'] = 'Customer' user_info['profile'] = request.user.customer_profile user_info['additional_info'] = { 'customer_id': request.user.customer_profile.customer_id, 'service': request.user.customer_profile.service.name if request.user.customer_profile.service else 'No service', 'status': request.user.customer_profile.get_status_display(), 'account_balance': request.user.customer_profile.account_balance, } # Get recent activity recent_activity = UserActivityLog.objects.filter(user=request.user).order_by('-timestamp')[:10] context = { 'form': form, 'user_info': user_info, 'recent_activity': recent_activity, } return render(request, 'accounts/profile.html', context) def custom_logout(request): """Custom logout view with activity logging""" if request.user.is_authenticated: # Log the logout UserActivityLog.objects.create( user=request.user, activity_type='logout', description=f'User logout from {request.META.get("REMOTE_ADDR")}', ip_address=request.META.get('REMOTE_ADDR'), user_agent=request.META.get('HTTP_USER_AGENT', '') ) logger.info(f"User logout: {request.user.username}") logout(request) messages.success(request, 'You have been successfully logged out.') return redirect('accounts:login') def admin_logout_redirect(request): """Redirect admin logout to main login""" return redirect('accounts:login') def admin_logout_view(request): """Admin logout view - same as admin_logout_redirect""" return admin_logout_redirect(request) @login_required def test_email_view(request): """Test email functionality for debugging""" if not request.user.is_superuser: return JsonResponse({'success': False, 'error': 'Permission denied'}) try: from notifications.email_service import EmailService email_service = EmailService() # Send test email success, error_msg = email_service.send_test_email( recipient_email=request.user.email, sent_by=request.user ) return JsonResponse({ 'success': success, 'message': 'Test email sent successfully!' if success else f'Failed to send test email: {error_msg}' }) except Exception as e: logger.error(f"Error in test email view: {str(e)}") return JsonResponse({ 'success': False, 'error': f'Error sending test email: {str(e)}' }) def is_superuser(user): """Check if user is superuser""" return user.is_authenticated and user.is_superuser def is_admin_or_management(user): """Check if user is admin or management""" if not user.is_authenticated: return False return (user.is_superuser or user.is_staff or (hasattr(user, 'employee_profile') and user.employee_profile.department and user.employee_profile.department.name == 'Management')) @login_required @user_passes_test(is_admin_or_management) def user_activity_logs(request): """View user activity logs""" logs = UserActivityLog.objects.all().order_by('-timestamp') # Filter by user if specified user_id = request.GET.get('user') if user_id: try: logs = logs.filter(user_id=user_id) except (ValueError, TypeError): pass # Filter by activity type if specified activity_type = request.GET.get('activity_type') if activity_type: logs = logs.filter(activity_type=activity_type) # Search functionality search = request.GET.get('search') if search: logs = logs.filter( models.Q(user__username__icontains=search) | models.Q(description__icontains=search) | models.Q(ip_address__icontains=search) ) # Pagination from django.core.paginator import Paginator paginator = Paginator(logs, 50) page_number = request.GET.get('page') page_logs = paginator.get_page(page_number) # Get available users for filter users = User.objects.filter( useractivitylog__isnull=False ).distinct().order_by('username') context = { 'logs': page_logs, 'users': users, 'activity_types': UserActivityLog.ACTIVITY_TYPES, 'selected_user': user_id, 'selected_activity_type': activity_type, 'search_query': search or '', } return render(request, 'accounts/activity_logs.html', context) # Legacy views for backward compatibility - removed duplicate function definitions # The original superuser_login function above is the correct implementation