deny access to my events for passwordless accounts

locale/de/LC_MESSAGES/django.po

@@ -8,7 +8,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-12-21 19:07+0000\n"
+"POT-Creation-Date: 2022-12-21 21:44+0000\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -89,7 +89,7 @@ msgstr ""
 "Ziehe die Maus über einen Zeitslot, um ihn auszuwählen. Markiere ihn erneut, "
 "um ihn abzuwählen."
 
-#: zitap/helpers.py:22
+#: zitap/helpers.py:24
 #, fuzzy, python-brace-format
 #| msgid "Invalid string length"
 msgid "Invalid string length: {0} (expected: {1})"
@@ -121,15 +121,15 @@ msgstr "Ereignis nicht gefunden"
 msgid "Event"
 msgstr "Ereignis"
 
-#: zitap/templates/zitap/event.html:38
+#: zitap/templates/zitap/event.html:37
 msgid "Update Slots"
 msgstr "Zeitslot aktualisieren"
 
-#: zitap/templates/zitap/event.html:41 zitap/templates/zitap/my-events.html:32
+#: zitap/templates/zitap/event.html:40 zitap/templates/zitap/my-events.html:32
 msgid "Logout"
 msgstr "Abmelden"
 
-#: zitap/templates/zitap/event.html:64 zitap/views.py:87
+#: zitap/templates/zitap/event.html:63 zitap/views.py:95
 msgid "Login to Update Slots"
 msgstr "Anmelden, um Zeitslots zu aktualisieren"
 
@@ -139,8 +139,6 @@ msgstr "Startseite"
 
 #: zitap/templates/zitap/index.html:19 zitap/templates/zitap/my-events.html:5
 #: zitap/templates/zitap/my-events.html:9
-#, fuzzy
-#| msgid "Event"
 msgid "My Events"
 msgstr "Meine Ereignisse"
 
@@ -148,16 +146,22 @@ msgstr "Meine Ereignisse"
 msgid "Login"
 msgstr "Anmelden"
 
-#: zitap/views.py:54
-msgid "Could not create event. Please try again."
-msgstr "Konnte Ereignis nicht erstellen. Bitte versuchen Sie es erneut."
+#: zitap/views.py:24
+msgid "Please enter a password."
+msgstr "Bitte geben Sie ein Passwort ein."
 
-#: zitap/views.py:85
-#, fuzzy
-#| msgid "Event"
+#: zitap/views.py:25 zitap/views.py:93
 msgid "Login to My Events"
 msgstr "Anmelden, um meine Ereignisse anzuzeigen"
 
-#: zitap/views.py:104
+#: zitap/views.py:58
+msgid "Could not create event. Please try again."
+msgstr "Konnte Ereignis nicht erstellen. Bitte versuchen Sie es erneut."
+
+#: zitap/views.py:112
+msgid "Wrong password"
+msgstr "Falsches Passwort"
+
+#: zitap/views.py:115
 msgid "Username already exists"
 msgstr "Benutzername existiert bereits"

zitap/helpers.py

@@ -121,7 +121,7 @@ def slots2grid( event : Event, participants : list[Participant], is_input : bool
                     classes = ""
 
                 slots.append(
-                    f'<div class="slot{classes}" id="grid_slot_{ day_offset + j }" title="{slot_begin} - {slot_end} \n{escape(", ".join([participants[p].user.username for p in ps]))}" style="--color-index:{ len(ps) }">{ time_label }</div>')
+                    f'<div class="slot{classes}" id="grid_slot_{ day_offset + j }" title="{slot_begin} - {slot_end} \n{escape(", ".join([participants[p].name for p in ps]))}" style="--color-index:{ len(ps) }">{ time_label }</div>')
                 max_occupancy = max(max_occupancy, len(ps))
             html.append(''.join(slots))
             html.append('</div>')

zitap/migrations/0002_participant_name_alter_participant_user.py

@@ -0,0 +1,27 @@
+# Generated by Django 4.1.2 on 2022-12-21 20:52
+
+from django.conf import settings
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+        ('zitap', '0001_initial'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='participant',
+            name='name',
+            field=models.CharField(default='', max_length=255),
+            preserve_default=False,
+        ),
+        migrations.AlterField(
+            model_name='participant',
+            name='user',
+            field=models.ForeignKey(blank=True, null=True, on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL),
+        ),
+    ]

zitap/models.py

@@ -22,6 +22,7 @@ class Date(models.Model):
     date = models.DateField()
 
 class Participant(models.Model):
+    name = models.CharField(max_length=255)
     event = models.ForeignKey(Event, on_delete=models.CASCADE)
-    user = models.ForeignKey(User, on_delete=models.CASCADE)
+    user = models.ForeignKey(User, on_delete=models.CASCADE, null=True, blank=True)
     slots = models.BinaryField()

zitap/static/zitap/js/live-updates.js

@@ -15,29 +15,29 @@ window.addEventListener("load", function()
   function setCheckboxes(data)
   {
     let maxParticipants = 0
-    const username = document.getElementById("username")
     for(let i=0; i<gridSlots.length; i++)
     {
       const slot = document.getElementById(`grid_slot_${i}`)
       let participants = []
-      for(let participant in data)
+      for(let j=0; j<data.participants.length; j++)
       {
-        if(data[participant][i] === '1')
+        if(data.slots[j][i] === '1')
         {
-          participants.push(participant)
+          participants.push(data.participants[j])
         }
-      }
-      if(username && data[username.value]) 
-      {
-        if(data[username.value][i] === '1')
+        const inputs = document.getElementsByName(`slot_${i}`)
+        if(inputs && data.participants[j] === data.username) 
         {
-          slot.classList.add("my-slot")
-          document.getElementsByName(`slot_${i}`)[0].checked = true
-        }
-        else
-        {
-          slot.classList.remove("my-slot")
-          document.getElementsByName(`slot_${i}`)[0].checked = false
+          if(data.slots[j][i] === '1')
+          {
+            slot.classList.add("my-slot")
+            inputs[0].checked = true
+          }
+          else
+          {
+            slot.classList.remove("my-slot")
+            inputs[0].checked = false
+          }
         }
       }
       slot.style.setProperty("--color-index", participants.length)
@@ -45,7 +45,7 @@ window.addEventListener("load", function()
       maxParticipants = Math.max(participants.length, maxParticipants)
     }
     occupancyGrid.style.setProperty("--color-count", maxParticipants)
-    
+
     const updateButton = this.document.getElementById("update-button")
     if(updateButton)
       updateButton.style.display = "none"

zitap/templates/zitap/event.html

@@ -34,7 +34,6 @@
             {% endfor %}
             </div>
             {{ form.non_field_errors }}
-            <input type="hidden" id="username" value="{{ user.username }}">
         <input type="submit" value="{% trans 'Update Slots' %}" id="update-button">
     </form>
     <button class="logout" onclick="location.href='{% url 'logout' url=event.url %}'">

zitap/templates/zitap/my-events.html

@@ -21,7 +21,7 @@
           <ul class="event-participants">
             {% for participant in event.participant_set.all %}
             <li class="event-participant">
-              {{ participant.user.username }}
+              {{ participant.name }}
             </li>
             {% endfor %}
           </ul>

zitap/views.py

@@ -1,7 +1,7 @@
 import datetime
 import json
 from django.db import IntegrityError
-from django.http import HttpResponseNotFound, HttpResponseRedirect, JsonResponse, HttpResponseNotAllowed
+from django.http import HttpResponseForbidden, HttpResponseNotFound, HttpResponseRedirect, JsonResponse, HttpResponseNotAllowed
 from django.shortcuts import render
 from django.contrib.auth import authenticate, login as auth_login, logout as auth_logout
 from django.views.decorators.csrf import csrf_exempt
@@ -19,8 +19,12 @@ def index(request):
     return render(request, 'zitap/index.html')
 
 def my_events(request):
-    if not request.user.is_authenticated:
-        return HttpResponseRedirect('/my-events/login')
+    if not request.session.get('user_id'):
+        form = LoginForm({'username': request.session.get('username', '')})
+        form.add_error('password', _('Please enter a password.'))
+        return render(request, 'zitap/login.html', {'form': form, 'url': 'my-events', 'text': _('Login to My Events')})
+
+    print(request.session.get('user_id'))
     events = Event.objects.filter(participant__user=request.user).prefetch_related('date_set', 'participant_set', 'participant_set__user')
     return render(request, 'zitap/my-events.html', {
         'events': events,
@@ -65,9 +69,10 @@ def event(request, url):
         return render(request, 'zitap/event-not-found.html')
     
     # Check if the user is logged in
-    if 'user_id' in request.session:
+    participant = None
+    if 'username' in request.session:
         for participant in participants:
-            if participant.user_id == request.session['user_id']:
+            if participant.name == request.session['username']:
                 break
         else:
             participant = None
@@ -93,29 +98,35 @@ def login(request, url):
 
     if request.method == 'POST':
         form = LoginForm(request.POST)
-    elif request.user.is_authenticated:
+    elif 'username' in request.session:
         return HttpResponseRedirect(f'/{url}')
     else:
         form = LoginForm()
     if form.is_valid():
         data = form.cleaned_data
         user = authenticate(request, username=data['username'], password=data.get('password'))
-        if user is None:
+        if user is None and data.get('password'):
             try:
                 user = User.objects.create_user(data['username'], password=data.get('password'))
             except IntegrityError:
-                form.add_error('username', _('Username already exists'))
+                form.add_error('password', _('Wrong password'))
                 return render(request, 'zitap/login.html', {'form': form, 'url': url, 'text': text})
-
-        auth_login(request, user)
-        request.session['user_id'] = user.id
+        elif user is None and User.objects.filter(username=data['username']).exists():
+            form.add_error('username', _('Username already exists'))
+            return render(request, 'zitap/login.html', {'form': form, 'url': url, 'text': text})
+        if user:
+            auth_login(request, user)
+            request.session['user_id'] = user.id
+        elif 'user_id' in request.session:
+            del request.session['user_id']
+        request.session['username'] = data['username']
         return HttpResponseRedirect(f'/{url}')
     return render(request, 'zitap/login.html', {'form': form, 'url': url, 'text': text})
 
 def logout(request, url):
     auth_logout(request)
     if url == 'my-events':
-        return HttpResponseRedirect(f'/{url}')
+        return HttpResponseRedirect(f'/my-events/login')
     elif Event.objects.filter(url=url).exists():
         return HttpResponseRedirect(f'/{url}')
     else:
@@ -130,16 +141,19 @@ def update_slots(request, url):
 
     if request.method != 'POST':
         return HttpResponseNotAllowed(['POST'])
+    
+    if 'username' not in request.session:
+        return HttpResponseForbidden()
 
     slot_count = get_slot_count(event)
-    participant = event.participant_set.filter(user_id=request.session['user_id'], event=event).first()
+    participant = event.participant_set.filter(name=request.session['username'], event=event).first()
     form = UpdateSlotsForm(request.POST, event=event, n_slots=slot_count, participant=participant)
     if form.is_valid():
         data = form.cleaned_data
         if data['slots'] == '0' * slot_count and participant:
             participant.delete()
         elif not participant:
-            participant = Participant.objects.create(user_id=request.session['user_id'], event=event, slots=string2slots(data['slots'], slot_count))
+            participant = Participant.objects.create(name=request.session['username'], user_id=request.session['user_id'], event=event, slots=string2slots(data['slots'], slot_count))
         else:
             participant.slots = string2slots(data['slots'], slot_count)
             participant.save()
@@ -180,9 +194,9 @@ def slots_api(request, url):
     slot_count = get_slot_count(event)
 
     # Check if the user is logged in and wants to update their slots
-    if 'user_id' in request.session and request.method == 'POST':
+    if 'username' in request.session and request.method == 'POST':
         for participant in participants:
-            if participant.user_id == request.session['user_id']:
+            if participant.name == request.session['username']:
                 break
         else:
             participant = None
@@ -194,15 +208,18 @@ def slots_api(request, url):
             if data['slots'] == '0' * slot_count and participant:
                 participant.delete()
             elif not participant:
-                participant = Participant.objects.create(user_id=request.session['user_id'], event=event, slots=string2slots(data['slots'], slot_count))
+                participant = Participant.objects.create(name=request.session['username'], user_id=request.session.get('user_id'), event=event, slots=string2slots(data['slots'], slot_count))
             else:
                 participant.slots = string2slots(data['slots'], slot_count)
                 participant.save()
 
     # Get the slots of each participant
-    data = {}
-    for participant in participants:
-        data[participant.user.username] = slots2string(participant, slot_count)
+    data = {
+        'username': request.session.get('username'),
+        'n_slots': slot_count,
+        'participants': [participant.name for participant in participants],
+        'slots': [slots2string(participant, slot_count) for participant in participants],
+    }
     
     return JsonResponse(data)