wechange-eg · 2e2a · Oct 22, 2024 · Oct 22, 2024 · Oct 22, 2024
diff --git a/cosinnus/admin.py b/cosinnus/admin.py
@@ -11,6 +11,7 @@
 from django.contrib.auth import get_user_model
 from django.contrib.auth import login as django_login
 from django.contrib.auth.admin import UserAdmin as DjangoUserAdmin
+from django.contrib.auth.models import Group
 from django.contrib.contenttypes.admin import GenericStackedInline
 from django.core.exceptions import ValidationError
 from django.db.models import JSONField, Q
@@ -889,6 +890,9 @@ def queryset(self, request, queryset):
 
 
 class UserAdmin(DjangoUserAdmin):
+    PERMISSION_FIELDS = ('is_active', 'is_staff', 'is_superuser')
+    if settings.COSINNUS_DJANGO_ADMIN_GROUP_PERMISSIONS_ENABLED:
+        PERMISSION_FIELDS += ('groups',)
     fieldsets = (
         (
             _('Personal info'),
@@ -897,11 +901,7 @@ class UserAdmin(DjangoUserAdmin):
         (
             _('Permissions'),
             {
-                'fields': (
-                    'is_active',
-                    'is_staff',
-                    'is_superuser',
-                ),
+                'fields': PERMISSION_FIELDS,
             },
         ),
     )
@@ -1245,6 +1245,11 @@ def make_user_cloud_admin(self, request, queryset):
 admin.site.register(USER_MODEL, UserAdmin)
 
 
+# disable group admin if django permissions are not used.
+if not settings.COSINNUS_DJANGO_ADMIN_GROUP_PERMISSIONS_ENABLED:
+    admin.site.unregister(Group)
+
+
 class CosinnusTopicCategoryAdmin(admin.ModelAdmin):
     list_display = (
         'name',

diff --git a/cosinnus/conf.py b/cosinnus/conf.py
@@ -1528,6 +1528,9 @@ class Meta(object):
     # and are used to configure the frontend server
     V3_PORTAL_SETTINGS = {}
 
+    # enable group permissions in the django admin, including the group admin and the group field in the user admin.
+    DJANGO_ADMIN_GROUP_PERMISSIONS_ENABLED = False
+
 
 class CosinnusDefaultSettings(AppConf):
     """Settings without a prefix namespace to provide default setting values for other apps.

diff --git a/cosinnus/core/middleware/cosinnus_middleware.py b/cosinnus/core/middleware/cosinnus_middleware.py
@@ -176,7 +176,7 @@ def process_request(self, request):
         # check if the user is a superuser and they attempted to access a covered url
         if (
             user
-            and check_user_superuser(user)
+            and (check_user_superuser(user) or user.is_staff)
             and request.path.startswith(filter_path)
             and not any([request.path.startswith(prefix) for prefix in EXEMPTED_URLS_FOR_2FA])
         ):
@@ -195,6 +195,7 @@ def process_request(self, request):
             user
             and user.is_authenticated
             and not check_user_superuser(user)
+            and not user.is_staff
             and request.path.startswith('/admin/')
             and not any([request.path.startswith(prefix) for prefix in EXEMPTED_URLS_FOR_2FA])
         ):

diff --git a/cosinnus/views/authentication.py b/cosinnus/views/authentication.py
@@ -10,6 +10,7 @@
 from two_factor.views import BackupTokensView, DisableView, ProfileView, QRGeneratorView, SetupCompleteView, SetupView
 
 from cosinnus.forms.authentication import DisableFormWithPasswordValidation
+from cosinnus.utils.permissions import check_user_superuser
 from cosinnus.utils.urls import get_non_cms_root_url, safe_redirect
 from cosinnus.views.mixins.group import RequireLoggedInMixin
 
@@ -26,8 +27,12 @@ class AdminOnlyOTPTokenValidationView(auth_views.LoginView):
 
     def dispatch(self, request, *args, **kwargs):
         user = self.request.user
-        if not user.is_authenticated or user.is_verified() or not (user.is_staff or user.is_superuser):
-            return redirect('/admin/')
+        if not user.is_authenticated:
+            return redirect('login')
+        elif user.is_verified():
+            return redirect(self.get_success_url())
+        elif not (user.is_staff or check_user_superuser(user)):
+            return redirect('cosinnus:user-dashboard')
         user.backend = 'cosinnus.backends.EmailAuthBackend'
         return super(AdminOnlyOTPTokenValidationView, self).dispatch(request, *args, **kwargs)
 
@@ -37,7 +42,9 @@ def authentication_form(self):
 
     def get_success_url(self):
         url = self.get_redirect_url()
-        return url or '/admin/'
+        if not url:
+            url = '/admin/' if self.request.user.is_staff else '/administration/'
+        return url
 
 
 admin_only_otp_token_validation = AdminOnlyOTPTokenValidationView.as_view()