Merged to r631.

git-svn-id: http://code.djangoproject.com/svn/django/branches/new-admin@933 bcc190cf-cafb-0310-a4f2-bffc1f526a37

django/conf/urls/admin.py

@@ -2,24 +2,24 @@ from django.conf.urls.defaults import *
 from django.conf.settings import INSTALLED_APPS
 
 urlpatterns = (
-    ('^$', 'django.views.admin.main.index'),
+    ('^$', 'django.contrib.admin.views.main.index'),
     ('^logout/$', 'django.views.auth.login.logout'),
     ('^password_change/$', 'django.views.registration.passwords.password_change'),
     ('^password_change/done/$', 'django.views.registration.passwords.password_change_done'),
-    ('^template_validator/$', 'django.views.admin.template.template_validator'),
+    ('^template_validator/$', 'django.contrib.admin.views.template.template_validator'),
 
     # Documentation
-    ('^doc/$', 'django.views.admin.doc.doc_index'),
+    ('^doc/$', 'django.contrib.admin.views.doc.doc_index'),
-    ('^doc/bookmarklets/$', 'django.views.admin.doc.bookmarklets'),
+    ('^doc/bookmarklets/$', 'django.contrib.admin.views.doc.bookmarklets'),
-    ('^doc/tags/$', 'django.views.admin.doc.template_tag_index'),
+    ('^doc/tags/$', 'django.contrib.admin.views.doc.template_tag_index'),
-    ('^doc/filters/$', 'django.views.admin.doc.template_filter_index'),
+    ('^doc/filters/$', 'django.contrib.admin.views.doc.template_filter_index'),
-    ('^doc/views/$', 'django.views.admin.doc.view_index'),
+    ('^doc/views/$', 'django.contrib.admin.views.doc.view_index'),
-    ('^doc/views/jump/$', 'django.views.admin.doc.jump_to_view'),
+    ('^doc/views/jump/$', 'django.contrib.admin.views.doc.jump_to_view'),
-    ('^doc/views/(?P<view>[^/]+)/$', 'django.views.admin.doc.view_detail'),
+    ('^doc/views/(?P<view>[^/]+)/$', 'django.contrib.admin.views.doc.view_detail'),
-    ('^doc/models/$', 'django.views.admin.doc.model_index'),
+    ('^doc/models/$', 'django.contrib.admin.views.doc.model_index'),
-    ('^doc/models/(?P<model>[^/]+)/$', 'django.views.admin.doc.model_detail'),
+    ('^doc/models/(?P<model>[^/]+)/$', 'django.contrib.admin.views.doc.model_detail'),
 #    ('^doc/templates/$', 'django.views.admin.doc.template_index'),
-    ('^doc/templates/(?P<template>.*)/$', 'django.views.admin.doc.template_detail'),
+    ('^doc/templates/(?P<template>.*)/$', 'django.contrib.admin.views.doc.template_detail'),
 )
 
 if 'ellington.events' in INSTALLED_APPS:
@@ -48,13 +48,12 @@ if 'ellington.media' in INSTALLED_APPS:
 
 urlpatterns += (
     # Metasystem admin pages
-    ('^(?P<app_label>[^/]+)/(?P<module_name>[^/]+)/add_old/$', 'django.views.admin.main.add_stage'),
+    ('^(?P<app_label>[^/]+)/(?P<module_name>[^/]+)/add_old/$', 'django.contrib.admin.views.main.add_stage'),
-    ('^(?P<app_label>[^/]+)/(?P<module_name>[^/]+)/(?P<object_id>.+)_old/$', 'django.views.admin.main.change_stage'),
+    ('^(?P<app_label>[^/]+)/(?P<module_name>[^/]+)/(?P<object_id>.+)_old/$', 'django.contrib.admin.views.main.change_stage'),
-    ('^(?P<app_label>[^/]+)/(?P<module_name>[^/]+)/$', 'django.views.admin.main.change_list'),
+    ('^(?P<app_label>[^/]+)/(?P<module_name>[^/]+)/$', 'django.contrib.admin.views.main.change_list'),
-    ('^(?P<app_label>[^/]+)/(?P<module_name>[^/]+)/add/$', 'django.views.admin.main.add_stage_new'),
+    ('^(?P<app_label>[^/]+)/(?P<module_name>[^/]+)/add/$', 'django.contrib.admin.views.main.add_stage_new'),
-    ('^(?P<app_label>[^/]+)/(?P<module_name>[^/]+)/jsvalidation/$', 'django.views.admin.jsvalidation.jsvalidation'),
+    ('^(?P<app_label>[^/]+)/(?P<module_name>[^/]+)/(?P<object_id>.+)/history/$', 'django.contrib.admin.views.main.history'),
-    ('^(?P<app_label>[^/]+)/(?P<module_name>[^/]+)/(?P<object_id>.+)/history/$', 'django.views.admin.main.history'),
+    ('^(?P<app_label>[^/]+)/(?P<module_name>[^/]+)/(?P<object_id>.+)/delete/$', 'django.contrib.admin.views.main.delete_stage'),
-    ('^(?P<app_label>[^/]+)/(?P<module_name>[^/]+)/(?P<object_id>.+)/delete/$', 'django.views.admin.main.delete_stage'),
+    ('^(?P<app_label>[^/]+)/(?P<module_name>[^/]+)/(?P<object_id>.+)/$', 'django.contrib.admin.views.main.change_stage_new'),
-    ('^(?P<app_label>[^/]+)/(?P<module_name>[^/]+)/(?P<object_id>.+)/$', 'django.views.admin.main.change_stage_new'),
 )
 urlpatterns = patterns('', *urlpatterns)

django/contrib/admin/views/decorators.py

@@ -0,0 +1,100 @@
+from django.core.extensions import DjangoContext, render_to_response
+from django.conf.settings import SECRET_KEY
+from django.models.auth import users
+from django.utils import httpwrappers
+import base64, md5
+import cPickle as pickle
+
+ERROR_MESSAGE = "Please enter a correct username and password. Note that both fields are case-sensitive."
+LOGIN_FORM_KEY = 'this_is_the_login_form'
+
+def _display_login_form(request, error_message=''):
+    request.session.set_test_cookie()
+    if request.POST and request.POST.has_key('post_data'):
+        # User has failed login BUT has previously saved post data.
+        post_data = request.POST['post_data']
+    elif request.POST:
+        # User's session must have expired; save their post data.
+        post_data = _encode_post_data(request.POST)
+    else:
+        post_data = _encode_post_data({})
+    return render_to_response('admin/login', {
+        'title': 'Log in',
+        'app_path': request.path,
+        'post_data': post_data,
+        'error_message': error_message
+    }, context_instance=DjangoContext(request))
+
+def _encode_post_data(post_data):
+    pickled = pickle.dumps(post_data)
+    pickled_md5 = md5.new(pickled + SECRET_KEY).hexdigest()
+    return base64.encodestring(pickled + pickled_md5)
+
+def _decode_post_data(encoded_data):
+    encoded_data = base64.decodestring(encoded_data)
+    pickled, tamper_check = encoded_data[:-32], encoded_data[-32:]
+    if md5.new(pickled + SECRET_KEY).hexdigest() != tamper_check:
+        from django.core.exceptions import SuspiciousOperation
+        raise SuspiciousOperation, "User may have tampered with session cookie."
+    return pickle.loads(pickled)
+
+def staff_member_required(view_func):
+    """
+    Decorator for views that checks that the user is logged in and is a staff
+    member, displaying the login page if necessary.
+    """
+    def _checklogin(request, *args, **kwargs):
+        if not request.user.is_anonymous() and request.user.is_staff:
+            # The user is valid. Continue to the admin page.
+            return view_func(request, *args, **kwargs)
+
+        assert hasattr(request, 'session'), "The Django admin requires session middleware to be installed. Edit your MIDDLEWARE_CLASSES setting to insert 'django.middleware.sessions.SessionMiddleware'."
+
+        # If this isn't already the login page, display it.
+        if not request.POST.has_key(LOGIN_FORM_KEY):
+            if request.POST:
+                message = "Please log in again, because your session has expired. "\
+                          "Don't worry: Your submission has been saved."
+            else:
+                message = ""
+            return _display_login_form(request, message)
+
+        # Check that the user accepts cookies.
+        if not request.session.test_cookie_worked():
+            message = "Looks like your browser isn't configured to accept cookies. Please enable cookies, reload this page, and try again."
+            return _display_login_form(request, message)
+
+        # Check the password.
+        username = request.POST.get('username', '')
+        try:
+            user = users.get_object(username__exact=username, is_staff__exact=True)
+        except users.UserDoesNotExist:
+            message = ERROR_MESSAGE
+            if '@' in username:
+                # Mistakenly entered e-mail address instead of username? Look it up.
+                try:
+                    user = users.get_object(email__exact=username)
+                except users.UserDoesNotExist:
+                    message = "Usernames cannot contain the '@' character."
+                else:
+                    message = "Your e-mail address is not your username. Try '%s' instead." % user.username
+            return _display_login_form(request, message)
+
+        # The user data is correct; log in the user in and continue.
+        else:
+            if user.check_password(request.POST.get('password', '')):
+                request.session[users.SESSION_KEY] = user.id
+                if request.POST.has_key('post_data'):
+                    post_data = _decode_post_data(request.POST['post_data'])
+                    if post_data and not post_data.has_key(LOGIN_FORM_KEY):
+                        # overwrite request.POST with the saved post_data, and continue
+                        request.POST = post_data
+                        request.user = user
+                        return view_func(request, *args, **kwargs)
+                    else:
+                        request.session.delete_test_cookie()
+                        return httpwrappers.HttpResponseRedirect(request.path)
+            else:
+                return _display_login_form(request, ERROR_MESSAGE)
+
+    return _checklogin

django/contrib/admin/views/doc.py

@@ -1,11 +1,12 @@
 from django.core import meta
 from django import templatetags
 from django.conf import settings
+from django.contrib.admin.views.decorators import staff_member_required
 from django.models.core import sites
 from django.core.extensions import DjangoContext, render_to_response
 from django.core.exceptions import Http404, ViewDoesNotExist
-from django.core import template, template_loader, urlresolvers
+from django.core import template, urlresolvers
-from django.core.template import defaulttags, defaultfilters
+from django.core.template import defaulttags, defaultfilters, loader
 try:
     from django.parts.admin import doc
 except ImportError:
@@ -19,11 +20,13 @@ def doc_index(request):
     if not doc:
         return missing_docutils_page(request)
     return render_to_response('doc/index', context_instance=DjangoContext(request))
+doc_index = staff_member_required(doc_index)
 
 def bookmarklets(request):
     return render_to_response('doc/bookmarklets', {
         'admin_url' : "%s://%s" % (os.environ.get('HTTPS') == 'on' and 'https' or 'http', request.META['HTTP_HOST']),
     }, context_instance=DjangoContext(request))
+bookmarklets = staff_member_required(bookmarklets)
 
 def template_tag_index(request):
     import sys
@@ -61,6 +64,7 @@ def template_tag_index(request):
     template.registered_tags, template.registered_filters = saved_tagset
 
     return render_to_response('doc/template_tag_index', {'tags': tags}, context_instance=DjangoContext(request))
+template_tag_index = staff_member_required(template_tag_index)
 
 def template_filter_index(request):
     if not doc:
@@ -93,6 +97,7 @@ def template_filter_index(request):
     template.registered_tags, template.registered_filters = saved_tagset
 
     return render_to_response('doc/template_filter_index', {'filters': filters}, context_instance=DjangoContext(request))
+template_filter_index = staff_member_required(template_filter_index)
 
 def view_index(request):
     if not doc:
@@ -112,6 +117,7 @@ def view_index(request):
                 'url'    : simplify_regex(regex),
             })
     return render_to_response('doc/view_index', {'views': views}, context_instance=DjangoContext(request))
+view_index = staff_member_required(view_index)
 
 def view_detail(request, view):
     if not doc:
@@ -135,6 +141,7 @@ def view_detail(request, view):
         'body': body,
         'meta': metadata,
     }, context_instance=DjangoContext(request))
+view_detail = staff_member_required(view_detail)
 
 def model_index(request):
     if not doc:
@@ -150,6 +157,7 @@ def model_index(request):
                 'class'  : opts.module_name,
             })
     return render_to_response('doc/model_index', {'models': models}, context_instance=DjangoContext(request))
+model_index = staff_member_required(model_index)
 
 def model_detail(request, model):
     if not doc:
@@ -191,6 +199,7 @@ def model_detail(request, model):
         'summary': "Fields on %s objects" % opts.verbose_name,
         'fields': fields,
     }, context_instance=DjangoContext(request))
+model_detail = staff_member_required(model_detail)
 
 def template_detail(request, template):
     templates = []
@@ -210,6 +219,7 @@ def template_detail(request, template):
         'name': template,
         'templates': templates,
     }, context_instance=DjangoContext(request))
+template_detail = staff_member_required(template_detail)
 
 ####################
 # Helper functions #
@@ -223,7 +233,7 @@ def load_all_installed_template_libraries():
     # Clear out and reload default tags
     template.registered_tags.clear()
     reload(defaulttags)
-    reload(template_loader) # template_loader defines the block/extends tags
+    reload(loader) # loader defines the block/extends tags
 
     # Load any template tag libraries from installed apps
     for e in templatetags.__path__:

django/contrib/admin/views/main.py

@@ -1,6 +1,8 @@
-# Generic admin views, with admin templates created dynamically at runtime.
+# Generic admin views.
 
-from django.core import formfields, meta, template_loader, template
+from django.contrib.admin.views.decorators import staff_member_required
+from django.core import formfields, meta, template
+from django.core.template import loader
 from django.core.meta.fields import BoundField, BoundFieldLine, BoundFieldSet
 from django.core.exceptions import Http404, ObjectDoesNotExist, PermissionDenied
 from django.core.extensions import DjangoContext as Context
@@ -49,6 +51,7 @@ def get_query_string(original_params, new_params={}, remove=[]):
 
 def index(request):
     return render_to_response('index', {'title': 'Site administration'}, context_instance=Context(request))
+index = staff_member_required(index)
 
 def change_list(request, app_label, module_name):
     from django.core import paginator
@@ -487,12 +490,13 @@ def change_list(request, app_label, module_name):
 
     raw_template.append('</div>\n</div>')
     raw_template.append('{% endblock %}\n')
-    t = template_loader.get_template_from_string(''.join(raw_template))
+    t = loader.get_template_from_string(''.join(raw_template))
     c = Context(request, {
         'title': (is_popup and 'Select %s' % opts.verbose_name or 'Select %s to change' % opts.verbose_name),
         'is_popup': is_popup,
     })
     return HttpResponse(t.render(c))
+change_list = staff_member_required(change_list)
 
 use_raw_id_admin = lambda field: isinstance(field.rel, (meta.ManyToOne, meta.ManyToMany)) and field.rel.raw_id_admin
 
@@ -721,7 +725,7 @@ def add_stage_new(request, app_label, module_name, show_delete=False, form_url='
     fill_extra_context(opts, app_label, c, add=True)
    
     return render_to_response("admin_change_form", context_instance=c) 
-
+add_stage_new = staff_member_required(add_stage_new)
 
 
 def change_stage_new(request, app_label, module_name, object_id):
@@ -817,10 +821,8 @@ def change_stage_new(request, app_label, module_name, object_id):
 
     fill_extra_context(opts, app_label, c, change=True)
     
-    #t = template_loader.get_template_from_string(raw_template)
-    
     return render_to_response('admin_change_form', context_instance=c);
-
+change_stage_new = staff_member_required(change_stage_new)
 
 def _get_template(opts, app_label, add=False, change=False, show_delete=False, form_url=''):
     admin_field_objs = opts.admin.get_field_objs(opts)
@@ -1144,8 +1146,9 @@ def add_stage(request, app_label, module_name, show_delete=False, form_url='', p
     if object_id_override is not None:
         c['object_id'] = object_id_override
     raw_template = _get_template(opts, app_label, add=True, show_delete=show_delete, form_url=form_url)
-    t = template_loader.get_template_from_string(raw_template)
+    t = loader.get_template_from_string(raw_template)
     return HttpResponse(t.render(c))
+add_stage = staff_member_required(add_stage)
 
 def change_stage(request, app_label, module_name, object_id):
     mod, opts = _get_mod_opts(app_label, module_name)
@@ -1271,8 +1274,9 @@ def change_stage(request, app_label, module_name, object_id):
     })
     raw_template = _get_template(opts, app_label, change=True)
 #     return HttpResponse(raw_template, mimetype='text/plain')
-    t = template_loader.get_template_from_string(raw_template)
+    t = loader.get_template_from_string(raw_template)
     return HttpResponse(t.render(c))
+change_stage = staff_member_required(change_stage)
 
 def _nest_help(obj, depth, val):
     current = obj
@@ -1384,6 +1388,7 @@ def delete_stage(request, app_label, module_name, object_id):
         "deleted_objects": deleted_objects,
         "perms_lacking": perms_needed,
     }, context_instance=Context(request))
+delete_stage = staff_member_required(delete_stage)
 
 def history(request, app_label, module_name, object_id):
     mod, opts = _get_mod_opts(app_label, module_name)
@@ -1397,3 +1402,4 @@ def history(request, app_label, module_name, object_id):
         'module_name': capfirst(opts.verbose_name_plural),
         'object': obj,
     }, context_instance=Context(request))
+history = staff_member_required(history)

django/contrib/admin/views/template.py

@@ -1,3 +1,4 @@
+from django.contrib.admin.views.decorators import staff_member_required
 from django.core import formfields, validators
 from django.core import template
 from django.core.template import loader
@@ -26,6 +27,7 @@ def template_validator(request):
         'title': 'Template validator',
         'form': formfields.FormWrapper(manipulator, new_data, errors),
     }, context_instance=DjangoContext(request))
+template_validator = staff_member_required(template_validator)
 
 class TemplateValidator(formfields.Manipulator):
     def __init__(self, settings_modules):

django/templatetags/admin_modify.py

@@ -7,7 +7,7 @@ from django.utils.functional import curry
 
 from django.core.template.decorators import simple_tag, inclusion_tag
 
-from django.views.admin.main import AdminBoundField
+from django.contrib.admin.views.main import AdminBoundField
 from django.core.meta.fields import BoundField, Field
 import re