Add Lodging to Map, Sanitize MD, Optional Password Disable

Author: seanmorley15

backend/server/adventures/admin.py

@@ -71,7 +71,7 @@ class CustomUserAdmin(UserAdmin):
     readonly_fields = ('uuid',)
     search_fields = ('username',)
     fieldsets = UserAdmin.fieldsets + (
-        (None, {'fields': ('profile_pic', 'uuid', 'public_profile')}),
+        (None, {'fields': ('profile_pic', 'uuid', 'public_profile', 'disable_password')}),
     )
     def image_display(self, obj):
         if obj.profile_pic:

backend/server/adventures/migrations/0024_alter_attachment_file.py

@@ -0,0 +1,19 @@
+# Generated by Django 5.0.8 on 2025-03-17 01:15
+
+import adventures.models
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('adventures', '0023_lodging_delete_hotel'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='attachment',
+            name='file',
+            field=models.FileField(upload_to=adventures.models.PathAndRename('attachments/'), validators=[adventures.models.validate_file_extension]),
+        ),
+    ]

backend/server/adventures/models.py

@@ -1,4 +1,4 @@
-from collections.abc import Collection
+from django.core.exceptions import ValidationError
 import os
 from typing import Iterable
 import uuid
@@ -10,6 +10,13 @@
 from django.forms import ValidationError
 from django_resized import ResizedImageField
 
+def validate_file_extension(value):
+    import os
+    from django.core.exceptions import ValidationError
+    ext = os.path.splitext(value.name)[1]  # [0] returns path+filename
+    valid_extensions = ['.pdf', '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx', '.txt', '.png', '.jpg', '.jpeg', '.gif', '.webp', '.mp4', '.mov', '.avi', '.mkv', '.mp3', '.wav', '.flac', '.ogg', '.m4a', '.wma', '.aac', '.opus', '.zip', '.rar', '.7z', '.tar', '.gz', '.bz2', '.xz', '.zst', '.lz4', '.lzma', '.lzo', '.z', '.tar.gz', '.tar.bz2', '.tar.xz', '.tar.zst', '.tar.lz4', '.tar.lzma', '.tar.lzo', '.tar.z', 'gpx', 'md', 'pdf']
+    if not ext.lower() in valid_extensions:
+        raise ValidationError('Unsupported file extension.')
 
 ADVENTURE_TYPES = [
     ('general', 'General 🌍'),
@@ -306,7 +313,7 @@ class Attachment(models.Model):
     id = models.UUIDField(default=uuid.uuid4, editable=False, unique=True, primary_key=True)
     user_id = models.ForeignKey(
         User, on_delete=models.CASCADE, default=default_user_id)
-    file = models.FileField(upload_to=PathAndRename('attachments/'))
+    file = models.FileField(upload_to=PathAndRename('attachments/'),validators=[validate_file_extension])
     adventure = models.ForeignKey(Adventure, related_name='attachments', on_delete=models.CASCADE)
     name = models.CharField(max_length=200, null=True, blank=True)
 

backend/server/main/settings.py

@@ -227,6 +227,10 @@
     "socialaccount_login_error": f"{FRONTEND_URL}/account/provider/callback",
 }
 
+AUTHENTICATION_BACKENDS = [
+    'users.backends.NoPasswordAuthBackend',
+]
+
 EMAIL_BACKEND = 'django.core.mail.backends.console.EmailBackend'
 SITE_ID = 1
 ACCOUNT_EMAIL_REQUIRED = True

backend/server/main/urls.py

@@ -1,7 +1,7 @@
 from django.urls import include, re_path, path
 from django.contrib import admin
 from django.views.generic import RedirectView, TemplateView
-from users.views import IsRegistrationDisabled, PublicUserListView, PublicUserDetailView, UserMetadataView, UpdateUserMetadataView, EnabledSocialProvidersView
+from users.views import IsRegistrationDisabled, PublicUserListView, PublicUserDetailView, UserMetadataView, UpdateUserMetadataView, EnabledSocialProvidersView, DisablePasswordAuthenticationView
 from .views import get_csrf_token, get_public_url, serve_protected_media
 from drf_yasg.views import get_schema_view
 from drf_yasg import openapi
@@ -29,6 +29,8 @@
 
     path('auth/social-providers/', EnabledSocialProvidersView.as_view(), name='enabled-social-providers'),
 
+    path('auth/disable-password/', DisablePasswordAuthenticationView.as_view(), name='disable-password-authentication'),
+
     path('csrf/', get_csrf_token, name='get_csrf_token'),
     path('public-url/', get_public_url, name='get_public_url'),
 

backend/server/users/backends.py

@@ -0,0 +1,16 @@
+from django.contrib.auth.backends import ModelBackend
+from allauth.socialaccount.models import SocialAccount
+
+class NoPasswordAuthBackend(ModelBackend):
+    def authenticate(self, request, username=None, password=None, **kwargs):
+        print("NoPasswordAuthBackend")
+        # First, attempt normal authentication
+        user = super().authenticate(request, username=username, password=password, **kwargs)
+        if user is None:
+            return None
+        
+        if SocialAccount.objects.filter(user=user).exists() and user.disable_password:
+            # If yes, disable login via password
+            return None
+        
+        return user

backend/server/users/migrations/0004_customuser_disable_password.py

@@ -0,0 +1,18 @@
+# Generated by Django 5.0.8 on 2025-03-17 01:15
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('users', '0003_alter_customuser_email'),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name='customuser',
+            name='disable_password',
+            field=models.BooleanField(default=False),
+        ),
+    ]

backend/server/users/models.py

@@ -8,6 +8,7 @@ class CustomUser(AbstractUser):
     profile_pic = ResizedImageField(force_format="WEBP", quality=75, null=True, blank=True, upload_to='profile-pics/')
     uuid = models.UUIDField(default=uuid.uuid4, editable=False, unique=True)
     public_profile = models.BooleanField(default=False)
+    disable_password = models.BooleanField(default=False)
 
     def __str__(self):
         return self.username

backend/server/users/serializers.py

@@ -64,9 +64,11 @@ class Meta:
             extra_fields.append('date_joined')
         if hasattr(UserModel, 'is_staff'):
             extra_fields.append('is_staff')
+        if hasattr(UserModel, 'disable_password'):
+            extra_fields.append('disable_password')
 
         fields = ['pk', *extra_fields]
-        read_only_fields = ('email', 'date_joined', 'is_staff', 'is_superuser', 'is_active', 'pk')
+        read_only_fields = ('email', 'date_joined', 'is_staff', 'is_superuser', 'is_active', 'pk', 'disable_password')
 
     def handle_public_profile_change(self, instance, validated_data):
         """
@@ -94,8 +96,8 @@ class CustomUserDetailsSerializer(UserDetailsSerializer):
 
     class Meta(UserDetailsSerializer.Meta):
         model = CustomUser
-        fields = UserDetailsSerializer.Meta.fields + ['profile_pic', 'uuid', 'public_profile', 'has_password']
-        read_only_fields = UserDetailsSerializer.Meta.read_only_fields + ('uuid', 'has_password')
+        fields = UserDetailsSerializer.Meta.fields + ['profile_pic', 'uuid', 'public_profile', 'has_password', 'disable_password']
+        read_only_fields = UserDetailsSerializer.Meta.read_only_fields + ('uuid', 'has_password', 'disable_password')
 
     @staticmethod
     def get_has_password(instance):
@@ -120,5 +122,5 @@ def to_representation(self, instance):
         representation.pop('pk', None)
         # Remove the email field
         representation.pop('email', None)
-
+        
         return representation

backend/server/users/views.py

@@ -13,6 +13,7 @@
 from allauth.socialaccount.models import SocialApp
 from adventures.serializers import AdventureSerializer, CollectionSerializer
 from adventures.models import Adventure, Collection
+from allauth.socialaccount.models import SocialAccount
 
 User = get_user_model()
 
@@ -71,6 +72,7 @@ def get(self, request):
         # for every user, remove the field has_password
         for user in serializer.data:
             user.pop('has_password', None)
+            user.pop('disable_password', None)
         return Response(serializer.data, status=status.HTTP_200_OK)
 
 class PublicUserDetailView(APIView):
@@ -171,4 +173,35 @@ def get(self, request):
                 'url': f"{getenv('PUBLIC_URL')}/accounts/{new_provider}/login/",
                 'name': provider.name
             })
-        return Response(providers, status=status.HTTP_200_OK)
+        return Response(providers, status=status.HTTP_200_OK)
+    
+
+class DisablePasswordAuthenticationView(APIView):
+    """
+    Disable password authentication for a user. This is used when a user signs up with a social provider.
+    """
+
+# Allows the user to set the disable_password field to True if they have a social account linked
+    permission_classes = [IsAuthenticated]
+
+    @swagger_auto_schema(
+        responses={
+            200: openapi.Response('Password authentication disabled'),
+            400: 'Bad Request'
+        },
+        operation_description="Disable password authentication."
+    )
+    def post(self, request):
+        user = request.user
+        if SocialAccount.objects.filter(user=user).exists():
+            user.disable_password = True
+            user.save()
+            return Response({"detail": "Password authentication disabled."}, status=status.HTTP_200_OK)
+        return Response({"detail": "No social account linked."}, status=status.HTTP_400_BAD_REQUEST)
+    
+    def delete(self, request):
+        user = request.user
+        user.disable_password = False
+        user.save()
+        return Response({"detail": "Password authentication enabled."}, status=status.HTTP_200_OK)
+