notice inserted if ADMIN, not fully implemented

core/views/user_registration.py

@@ -136,32 +136,43 @@ def register(request, url_username=None):
     similar to the "expo" user
     (with cavey:beery password) but specific to an individual.
     
-    We should only allow this to be done ONCE for each user-id. But this constraint seems to be broken.
+    We should only allow this to be done ONCE for each user-id. 
     
     """
     warning = ""
+    admin_notice = ""
     initial_values={"visible-passwords": "True"}
     print(f"{url_username=}")
   
-    logged_in = (identified_login := is_identified_user(request.user))
+    if request.user.is_anonymous:    
-    if logged_in:
+        # Anonymous users are not logged in as anybody. Which is what we expect
-        # logged in as a known real person with a User logon
+        pass
-        print(f"Already logged in as {identified_login=}, redirecting to re_register_email()")
+    else:
-        return re_register_email(request) # discarding url_username 
+        logged_in = (identified_login := is_identified_user(request.user))
-    
+        if logged_in:
-    if not request.user.is_anonymous:    
+            # logged in as a known real person with a User logon
-        # Anonymous users are not logged in as anybody.
+            print(f"Already logged in as {identified_login=}, redirecting to re_register_email()")
-        print(f"user is logged in as somebody (but not an identified person, so 'expo'), redirecting to expologout()")
+            return re_register_email(request) # discarding url_username 
-        # logged in as expo or expoadmin, or as a real person, so logout invisibly before we do anything
+        else:
-        expologout(request) # returns a response, which we discard
+            print(f"user is logged in as somebody (but not an identified person, so must be 'expo')")
+            # logout invisibly before we do anything, 'expo' is irrelevant; but 'expoadmin' is significant!
+            # , redirecting to expologout()
+            pass
+            # expologout(request) # returns a response, which we discard
             
+    # At this point we know the request user is not logged in at all.
     if url_username: # if provided in URL
-        print(url_username, Person.objects.filter(slug=url_username).count())
+        print(url_username, "Person count",Person.objects.filter(slug=url_username).count())
-        # This is where we need to check that this url_username has or has not already been registered.
-        # to do..
         if Person.objects.filter(slug=url_username).count() != 1:
             # not an old expoer, so redirect to the other form
             return HttpResponseRedirect("/accounts/newregister/")
+        # This is where we need to check that this url_username has or has not already been registered.
+        print(url_username, "User count",User.objects.filter(username=url_username).count())            
+        if User.objects.filter(username=url_username).count() == 1:    
+            # Do not allow registration unless superuser is logged in, oops, need to refactor/reorder
+            pass
+            admin_notice = "ADMIN PRIViedge ?!"
+            
        
         initial_values.update({"username": url_username})
         form = register_form(initial=initial_values)
@@ -177,7 +188,7 @@ def register(request, url_username=None):
             pw= form.cleaned_data["password1"]
             email = form.cleaned_data["email"]
             expoers = User.objects.filter(username=un)
-            # if this is LOGONABLE user and we are not logged on
+            # if this is a LOGONABLE user and we are not logged on
             # NOT just save the data ! Anyone could do  that..
             # we are now in a state where password should only be re-set by email token
             # but rather than redirect (off-putting) we just make the password fields read-only
@@ -191,11 +202,11 @@ def register(request, url_username=None):
             # to do, login automatically, and redirect to control panel ?
             form.fields["username"].widget.attrs["readonly"]="readonly"
             form.fields["email"].widget.attrs["readonly"]="readonly"
-            return render(request, "login/register.html", {"form": form, "email_stored": True}) 
+            return render(request, "login/register.html", {"form": form, "email_stored": True, "admin_notice": admin_notice, "warning": warning}) 
             # return HttpResponseRedirect("/accounts/login/")
     else: # GET
         pass
-    return render(request, "login/register.html", {"form": form})    
+    return render(request, "login/register.html", {"form": form, "admin_notice": admin_notice, "warning": warning})    
 
 
 def save_users(request, updated_user, email="troggle@exposerver.expo"):

templates/login/register.html

@@ -4,7 +4,7 @@
 <!-- this overrides the django.contrib.auth default  form
 and it must be placed in 
 troggle/templates/login/register.html
-because magic 
+because magic.
 
 This is because Django is Opinionated and does lots of Invisible Defaults
 see 
@@ -49,6 +49,9 @@ User Registration - for a personal login to Troggle by a known caver
 ALSO it behaves differently if a username is specified in the URL, when username becomes readonly
 
 -->
+<span style="color:red; font-weight: bold;">
+{{ admin_notice }}
+</span>
 <h3>Register your email address</h3>
 
 {% if newuser %}