notice inserted if ADMIN, not fully implemented

2026-01-19 12:23:01 +00:00 · 2025-05-21 09:40:09 +03:00
parent 06f9de360a
commit 9ae9ca9ec3
2 changed files with 36 additions and 22 deletions
--- a/core/views/user_registration.py
+++ b/core/views/user_registration.py
@@ -136,33 +136,44 @@ def register(request, url_username=None):
    similar to the "expo" user
    (with cavey:beery password) but specific to an individual.
    
-    We should only allow this to be done ONCE for each user-id. But this constraint seems to be broken.
+    We should only allow this to be done ONCE for each user-id. 
    
    """
    warning = ""
+    admin_notice = ""
    initial_values={"visible-passwords": "True"}
    print(f"{url_username=}")
- 
-    logged_in = (identified_login := is_identified_user(request.user))
-    if logged_in:
-        # logged in as a known real person with a User logon
-        print(f"Already logged in as {identified_login=}, redirecting to re_register_email()")
-        return re_register_email(request) # discarding url_username 
-    
-    if not request.user.is_anonymous:    
-        # Anonymous users are not logged in as anybody.
-        print(f"user is logged in as somebody (but not an identified person, so 'expo'), redirecting to expologout()")
-        # logged in as expo or expoadmin, or as a real person, so logout invisibly before we do anything
-        expologout(request) # returns a response, which we discard
-        
+  
+    if request.user.is_anonymous:    
+        # Anonymous users are not logged in as anybody. Which is what we expect
+        pass
+    else:
+        logged_in = (identified_login := is_identified_user(request.user))
+        if logged_in:
+            # logged in as a known real person with a User logon
+            print(f"Already logged in as {identified_login=}, redirecting to re_register_email()")
+            return re_register_email(request) # discarding url_username 
+        else:
+            print(f"user is logged in as somebody (but not an identified person, so must be 'expo')")
+            # logout invisibly before we do anything, 'expo' is irrelevant; but 'expoadmin' is significant!
+            # , redirecting to expologout()
+            pass
+            # expologout(request) # returns a response, which we discard
+            
+    # At this point we know the request user is not logged in at all.
    if url_username: # if provided in URL
-        print(url_username, Person.objects.filter(slug=url_username).count())
-        # This is where we need to check that this url_username has or has not already been registered.
-        # to do..
+        print(url_username, "Person count",Person.objects.filter(slug=url_username).count())
        if Person.objects.filter(slug=url_username).count() != 1:
            # not an old expoer, so redirect to the other form
            return HttpResponseRedirect("/accounts/newregister/")
-
+        # This is where we need to check that this url_username has or has not already been registered.
+        print(url_username, "User count",User.objects.filter(username=url_username).count())            
+        if User.objects.filter(username=url_username).count() == 1:    
+            # Do not allow registration unless superuser is logged in, oops, need to refactor/reorder
+            pass
+            admin_notice = "ADMIN PRIViedge ?!"
+            
+       
        initial_values.update({"username": url_username})
        form = register_form(initial=initial_values)
        form.fields["username"].widget.attrs["readonly"]="readonly"
@@ -177,7 +188,7 @@ def register(request, url_username=None):
            pw= form.cleaned_data["password1"]
            email = form.cleaned_data["email"]
            expoers = User.objects.filter(username=un)
-            # if this is LOGONABLE user and we are not logged on
+            # if this is a LOGONABLE user and we are not logged on
            # NOT just save the data ! Anyone could do  that..
            # we are now in a state where password should only be re-set by email token
            # but rather than redirect (off-putting) we just make the password fields read-only
@@ -191,11 +202,11 @@ def register(request, url_username=None):
            # to do, login automatically, and redirect to control panel ?
            form.fields["username"].widget.attrs["readonly"]="readonly"
            form.fields["email"].widget.attrs["readonly"]="readonly"
-            return render(request, "login/register.html", {"form": form, "email_stored": True}) 
+            return render(request, "login/register.html", {"form": form, "email_stored": True, "admin_notice": admin_notice, "warning": warning}) 
            # return HttpResponseRedirect("/accounts/login/")
    else: # GET
        pass
-    return render(request, "login/register.html", {"form": form})    
+    return render(request, "login/register.html", {"form": form, "admin_notice": admin_notice, "warning": warning})    


 def save_users(request, updated_user, email="troggle@exposerver.expo"):
--- a/templates/login/register.html
+++ b/templates/login/register.html
@@ -4,7 +4,7 @@
 <!-- this overrides the django.contrib.auth default  form
 and it must be placed in 
 troggle/templates/login/register.html
-because magic 
+because magic.

 This is because Django is Opinionated and does lots of Invisible Defaults
 see 
@@ -49,6 +49,9 @@ User Registration - for a personal login to Troggle by a known caver
 ALSO it behaves differently if a username is specified in the URL, when username becomes readonly

 -->
+<span style="color:red; font-weight: bold;">
+{{ admin_notice }}
+</span>
 <h3>Register your email address</h3>

 {% if newuser %}