Merge staging

Dockerfile

@@ -1,4 +1,4 @@
-FROM docker.io/debian:bullseye-slim
+FROM docker.io/debian:bookworm-slim
 
 # Install base system dependencies
 RUN apt update
@@ -7,19 +7,18 @@ RUN mkdir -p /usr/share/man/man1 /app/config
 ENV DEBIAN_FRONTEND=noninteractive
 RUN apt upgrade -y &&\
     apt install -y --no-install-recommends uwsgi uwsgi-plugin-python3 python3 python3-setuptools python3-pip gcc gettext \
-    libldap-2.4-2 libldap2-dev libsasl2-2 libsasl2-dev libgpgme11 libgpgme-dev python3-dev libgraphviz-dev graphviz libmagic-dev libjpeg-dev libjs-mathjax \
-    make nginx supervisor &&\
-    pip3 install --no-cache pipenv &&\
-    update-alternatives --install /usr/bin/python python /usr/bin/python3 99
+    libldap-common libldap2-dev libsasl2-2 libsasl2-dev libgpgme11 libgpgme-dev python3-dev libgraphviz-dev graphviz libmagic-dev libjpeg-dev libjs-mathjax \
+    make nginx supervisor pipenv python-is-python3 git
 
 # add Pipfile seperate from other sources to take advantage of build caching
 ADD Pipfile /app/src/Pipfile
 ADD Pipfile.lock /app/src/Pipfile.lock
 WORKDIR /app/src
-RUN python -m pipenv install --system --deploy --ignore-pipfile
+# delete file that marks root python package path as externally managed
+RUN rm /usr/lib/python3.11/EXTERNALLY-MANAGED
+RUN pipenv install --system --deploy --ignore-pipfile --verbose
 RUN pip3 install sentry-sdk
 
-
 # add remaining sources
 ADD . /app/src
 

Pipfile

@@ -4,7 +4,7 @@ verify_ssl = true
 name = "pypi"
 
 [packages]
-Django = "~=4.1.12"    # can be upgraded once we have postgres >11 deployed
+Django = "~=5.0"
 Pillow = "~=10.0"
 PyPDF2 = "~=1.27"
 bleach = {extras = ["css"], version = "~=6.1"}
@@ -20,7 +20,8 @@ nameparser = "~=1.1"
 networkx = "~=3.1"
 oauthlib = "~=3.2"
 psycopg2-binary = "~=2.9"
-pygpgme = "~=0.3"
+# should be replaced once https://github.com/rshk/pygpgme/pull/12 is merged
+pygpgme = { git = "https://github.com/timonegk/pygpgme.git", ref = "patch-1" }
 pygraphviz = "~=1.11"
 python-Levenshtein = "~=0.22"
 python-creole = "~=1.4"

locale/de_DE/LC_MESSAGES/django.po

@@ -3,7 +3,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Mafiasi\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-01-12 16:48+0100\n"
+"POT-Creation-Date: 2024-02-26 19:24+0100\n"
 "PO-Revision-Date: 2024-01-12 16:56+0100\n"
 "Last-Translator: Timon Engelke <timon.engelke@uni-hamburg.de>\n"
 "Language-Team: \n"
@@ -88,6 +88,15 @@ msgstr "Probleme?"
 msgid "License information"
 msgstr "Lizenzinformationen"
 
+#: mafiasi/base/templates/base/login.html:8
+#, python-format
+msgid ""
+"You are authenticated as %(username)s, but are not authorized to access this "
+"page. Would you like to login to a different account?"
+msgstr ""
+"Sie sind als %(username)s angemeldet, aber nicht autorisiert, auf diese "
+"Seite zuzugreifen. Wollen Sie sich mit einem anderen Account anmelden?"
+
 #: mafiasi/base/templates/base/problems.html:7
 #, python-format
 msgid ""

locale/en_US/LC_MESSAGES/django.po

@@ -2,7 +2,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Mafiasi\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-01-12 17:28+0100\n"
+"POT-Creation-Date: 2024-02-26 19:24+0100\n"
 "PO-Revision-Date: 2024-01-12 17:06+0100\n"
 "Last-Translator: Timon Engelke <timon.engelke@uni-hamburg.de>\n"
 "Language-Team: \n"
@@ -80,6 +80,13 @@ msgstr ""
 msgid "License information"
 msgstr ""
 
+#: mafiasi/base/templates/base/login.html:8
+#, python-format
+msgid ""
+"You are authenticated as %(username)s, but are not authorized to access this "
+"page. Would you like to login to a different account?"
+msgstr ""
+
 #: mafiasi/base/templates/base/problems.html:7
 #, python-format
 msgid ""

locale/fr_FR/LC_MESSAGES/django.po

@@ -2,7 +2,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Mafiasi\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2024-01-12 16:48+0100\n"
+"POT-Creation-Date: 2024-02-26 19:24+0100\n"
 "PO-Revision-Date: 2024-01-15 16:39+0100\n"
 "Last-Translator: Timon Engelke <timon.engelke@uni-hamburg.de>\n"
 "Language-Team: \n"
@@ -88,6 +88,16 @@ msgstr "Problèmes?"
 msgid "License information"
 msgstr "Informations sur la licence"
 
+#: mafiasi/base/templates/base/login.html:8
+#, python-format
+msgid ""
+"You are authenticated as %(username)s, but are not authorized to access this "
+"page. Would you like to login to a different account?"
+msgstr ""
+"Vous êtes authentifié sous le nom %(username)s, mais vous n’êtes pas "
+"autorisé à accéder à cette page. Souhaitez-vous vous connecter avec un autre "
+"compte utilisateur ?"
+
 #: mafiasi/base/templates/base/problems.html:7
 #, python-format
 msgid ""

mafiasi/base/admin.py

@@ -23,3 +23,4 @@ class MafiasiAdmin(UserAdmin):
 
 admin.site.register(Yeargroup)
 admin.site.register(Mafiasi, MafiasiAdmin)
+admin.site.login_template = "base/login.html"

mafiasi/base/models.py

@@ -44,9 +44,6 @@ class Mafiasi(AbstractUser):
     real_email = models.EmailField(unique=True, null=True)
     new_password = None
 
-    # USED in contrib.auth to determine the mail address for thinks like password reset
-    EMAIL_FIELD = "real_email"
-
     REQUIRED_FIELDS = ["email", "real_email"]
 
     @property

mafiasi/base/templates/base/login.html

@@ -0,0 +1,22 @@
+{% extends "admin/login.html" %}
+{% load i18n %}
+{% block content %}
+<div id="content-main">
+
+{% if user.is_authenticated %}
+<p class="errornote">
+{% blocktranslate trimmed %}
+    You are authenticated as {{ username }}, but are not authorized to
+    access this page. Would you like to login to a different account?
+{% endblocktranslate %}
+</p>
+{% endif %}
+
+<form id="login-form" method="get" action="{% url 'simple_openid_connect:login' %}">
+  <div class="submit-row">
+    <input type="submit" value="Log in with Mafiasi">
+  </div>
+</form>
+
+</div>
+{% endblock %}

mafiasi/registration/urls.py

@@ -9,7 +9,6 @@
     path("change_email/<token>", change_email, name="registration_change_email"),
     path("request_successful", request_successful, name="registration_request_successful"),
     path("account", account_settings, name="registration_account"),
-    path("password_reset", password_reset, name="registration_password_reset"),
 ]
 
 if settings.REGISTER_ENABLED:

mafiasi/registration/views.py

@@ -317,7 +317,7 @@ def _finish_account_request(request, info):
 
 def _send_email_exists(request, username):
     email = Mafiasi.objects.get(username=username).real_email
-    password_reset_url = request.build_absolute_uri(reverse("registration_password_reset"))
+    password_reset_url = settings.KEYCLOAK_ACCOUNT_CONSOLE_URL
     email_content = render_to_string(
         "registration/email_exists.txt",
         {
@@ -359,20 +359,3 @@ def _send_mail_or_error_page(subject, content, address, request, email_shown):
             "email": email_shown,
         },
     )
-
-
-def password_reset(request):
-    password_reset_url = settings.PASSWORD_RESET_URL
-    if password_reset_url is None:
-        password_reset_url = (
-            settings.OPENID_ISSUER
-            + "/login-actions/reset-credentials?"
-            + urlencode(
-                {
-                    "response_type": "code",
-                    "client_id": settings.OPENID_CLIENT_ID,
-                    "redirect_uri": request.build_absolute_uri(reverse(settings.LOGIN_URL)),
-                }
-            )
-        )
-    return redirect(password_reset_url)