arthexis 0.1.16__py3-none-any.whl → 0.1.26__py3-none-any.whl

pages/views.py

@@ -1,5 +1,6 @@
 import base64
 import logging
+import mimetypes
 from pathlib import Path
 from types import SimpleNamespace
 import datetime
@@ -15,15 +16,25 @@ from django.contrib import admin
 from django.contrib import messages
 from django.contrib.admin.views.decorators import staff_member_required
 from django.contrib.auth import get_user_model, login
+from django.contrib.auth.decorators import login_required
 from django.contrib.auth.tokens import default_token_generator
 from django.contrib.auth.views import LoginView
 from django import forms
 from django.apps import apps as django_apps
 from utils.decorators import security_group_required
 from utils.sites import get_site
-from django.http import Http404, HttpResponse, JsonResponse
+from django.contrib.staticfiles import finders
+from django.http import (
+    FileResponse,
+    Http404,
+    HttpResponse,
+    HttpResponseForbidden,
+    HttpResponseRedirect,
+    JsonResponse,
+)
 from django.shortcuts import get_object_or_404, redirect, render
 from nodes.models import Node
+from nodes.utils import capture_screenshot, save_screenshot
 from django.template import loader
 from django.template.response import TemplateResponse
 from django.test import RequestFactory, signals as test_signals
@@ -33,14 +44,19 @@ from django.utils.encoding import force_bytes, force_str
 from django.utils.http import urlsafe_base64_decode, urlsafe_base64_encode
 from core import mailer, public_wifi
 from core.backends import TOTP_DEVICE_NAME
-from django.utils.translation import gettext as _
+from django.utils.translation import get_language, gettext as _
+
+try:  # pragma: no cover - compatibility shim for Django versions without constant
+    from django.utils.translation import LANGUAGE_SESSION_KEY
+except ImportError:  # pragma: no cover - fallback when constant is unavailable
+    LANGUAGE_SESSION_KEY = "_language"
 from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie
 from django.views.decorators.http import require_POST
 from django.core.cache import cache
 from django.views.decorators.cache import never_cache
-from django.utils.cache import patch_vary_headers
-from django.core.exceptions import PermissionDenied
-from django.utils.text import slugify
+from django.utils.cache import patch_cache_control, patch_vary_headers
+from django.core.exceptions import PermissionDenied, SuspiciousFileOperation
+from django.utils.text import slugify, Truncator
 from django.core.validators import EmailValidator
 from django.db.models import Q
 from core.models import (
@@ -48,7 +64,10 @@ from core.models import (
     ClientReport,
     ClientReportSchedule,
     SecurityGroup,
+    Todo,
 )
+from ocpp.models import Charger
+from .utils import get_original_referer
 
 try:  # pragma: no cover - optional dependency guard
     from graphviz import Digraph
@@ -58,16 +77,34 @@ except ImportError:  # pragma: no cover - handled gracefully in views
     CalledProcessError = ExecutableNotFound = None
 
 import markdown
+from django.utils._os import safe_join
 
 
 MARKDOWN_EXTENSIONS = ["toc", "tables", "mdx_truly_sane_lists"]
 
+MARKDOWN_IMAGE_PATTERN = re.compile(
+    r"(?P<prefix><img\b[^>]*\bsrc=[\"\'])(?P<scheme>(?:static|work))://(?P<path>[^\"\']+)(?P<suffix>[\"\'])",
+    re.IGNORECASE,
+)
+
+ALLOWED_IMAGE_EXTENSIONS = {
+    ".apng",
+    ".avif",
+    ".gif",
+    ".jpg",
+    ".jpeg",
+    ".png",
+    ".svg",
+    ".webp",
+}
+
 
 def _render_markdown_with_toc(text: str) -> tuple[str, str]:
     """Render ``text`` to HTML and return the HTML and stripped TOC."""
 
     md = markdown.Markdown(extensions=MARKDOWN_EXTENSIONS)
     html = md.convert(text)
+    html = _rewrite_markdown_asset_links(html)
     toc_html = md.toc
     toc_html = _strip_toc_wrapper(toc_html)
     return html, toc_html
@@ -82,6 +119,86 @@ def _strip_toc_wrapper(toc_html: str) -> str:
         if toc_html.endswith("</div>"):
             toc_html = toc_html[: -len("</div>")]
     return toc_html.strip()
+
+
+def _rewrite_markdown_asset_links(html: str) -> str:
+    """Rewrite asset links that reference local asset schemes."""
+
+    def _replace(match: re.Match[str]) -> str:
+        scheme = match.group("scheme").lower()
+        asset_path = match.group("path").lstrip("/")
+        if not asset_path:
+            return match.group(0)
+        extension = Path(asset_path).suffix.lower()
+        if extension not in ALLOWED_IMAGE_EXTENSIONS:
+            return match.group(0)
+        try:
+            asset_url = reverse(
+                "pages:readme-asset",
+                kwargs={"source": scheme, "asset": asset_path},
+            )
+        except NoReverseMatch:
+            return match.group(0)
+        return f"{match.group('prefix')}{escape(asset_url)}{match.group('suffix')}"
+
+    return MARKDOWN_IMAGE_PATTERN.sub(_replace, html)
+
+
+def _resolve_static_asset(path: str) -> Path:
+    normalized = path.lstrip("/")
+    if not normalized:
+        raise Http404("Asset not found")
+    resolved = finders.find(normalized)
+    if not resolved:
+        raise Http404("Asset not found")
+    if isinstance(resolved, (list, tuple)):
+        resolved = resolved[0]
+    file_path = Path(resolved)
+    if file_path.is_dir():
+        raise Http404("Asset not found")
+    return file_path
+
+
+def _resolve_work_asset(user, path: str) -> Path:
+    if not (user and getattr(user, "is_authenticated", False)):
+        raise PermissionDenied
+    normalized = path.lstrip("/")
+    if not normalized:
+        raise Http404("Asset not found")
+    username = getattr(user, "get_username", None)
+    if callable(username):
+        username = username()
+    else:
+        username = getattr(user, "username", "")
+    username_component = Path(str(username or user.pk)).name
+    base_work = Path(settings.BASE_DIR) / "work"
+    try:
+        user_dir = Path(safe_join(str(base_work), username_component))
+        asset_path = Path(safe_join(str(user_dir), normalized))
+    except SuspiciousFileOperation as exc:
+        logger.warning("Rejected suspicious work asset path: %s", normalized, exc_info=exc)
+        raise Http404("Asset not found") from exc
+    try:
+        user_dir_resolved = user_dir.resolve(strict=True)
+    except FileNotFoundError as exc:
+        logger.warning(
+            "Work directory missing for asset request: %s", user_dir, exc_info=exc
+        )
+        raise Http404("Asset not found") from exc
+    try:
+        asset_resolved = asset_path.resolve(strict=True)
+    except FileNotFoundError as exc:
+        raise Http404("Asset not found") from exc
+    try:
+        asset_resolved.relative_to(user_dir_resolved)
+    except ValueError as exc:
+        logger.warning(
+            "Rejected work asset outside directory: %s", asset_resolved, exc_info=exc
+        )
+        raise Http404("Asset not found") from exc
+    if asset_resolved.is_dir():
+        raise Http404("Asset not found")
+    return asset_resolved
 from pages.utils import landing
 from core.liveupdate import live_update
 from django_otp import login as otp_login
@@ -439,43 +556,185 @@ def admin_model_graph(request, app_label: str):
     return response
 
 
-def _render_readme(request, role):
+def _locate_readme_document(role, doc: str | None, lang: str) -> SimpleNamespace:
     app = (
         Module.objects.filter(node_role=role, is_default=True)
         .select_related("application")
         .first()
     )
     app_slug = app.path.strip("/") if app else ""
-    readme_base = (
-        Path(settings.BASE_DIR) / app_slug if app_slug else Path(settings.BASE_DIR)
-    )
-    lang = getattr(request, "LANGUAGE_CODE", "")
-    lang = lang.replace("_", "-").lower()
-    root_base = Path(settings.BASE_DIR)
-    candidates = []
-    if lang:
-        candidates.append(readme_base / f"README.{lang}.md")
-        short = lang.split("-")[0]
-        if short != lang:
-            candidates.append(readme_base / f"README.{short}.md")
-    candidates.append(readme_base / "README.md")
-    if readme_base != root_base:
+    root_base = Path(settings.BASE_DIR).resolve()
+    readme_base = (root_base / app_slug).resolve() if app_slug else root_base
+    candidates: list[Path] = []
+
+    if doc:
+        normalized = doc.strip().replace("\\", "/")
+        while normalized.startswith("./"):
+            normalized = normalized[2:]
+        normalized = normalized.lstrip("/")
+        if not normalized:
+            raise Http404("Document not found")
+        doc_path = Path(normalized)
+        if doc_path.is_absolute() or any(part == ".." for part in doc_path.parts):
+            raise Http404("Document not found")
+
+        relative_candidates: list[Path] = []
+
+        def add_candidate(path: Path) -> None:
+            if path not in relative_candidates:
+                relative_candidates.append(path)
+
+        add_candidate(doc_path)
+        if doc_path.suffix.lower() != ".md" or doc_path.suffix != ".md":
+            add_candidate(doc_path.with_suffix(".md"))
+        if doc_path.suffix.lower() != ".md":
+            add_candidate(doc_path / "README.md")
+
+        search_roots = [readme_base]
+        if readme_base != root_base:
+            search_roots.append(root_base)
+
+        for relative in relative_candidates:
+            for base in search_roots:
+                base_resolved = base.resolve()
+                candidate = (base_resolved / relative).resolve(strict=False)
+                try:
+                    candidate.relative_to(base_resolved)
+                except ValueError:
+                    continue
+                candidates.append(candidate)
+    else:
+        default_readme = readme_base / "README.md"
+        root_default: Path | None = None
         if lang:
-            candidates.append(root_base / f"README.{lang}.md")
+            candidates.append(readme_base / f"README.{lang}.md")
             short = lang.split("-")[0]
             if short != lang:
-                candidates.append(root_base / f"README.{short}.md")
-        candidates.append(root_base / "README.md")
-    readme_file = next((p for p in candidates if p.exists()), root_base / "README.md")
-    text = readme_file.read_text(encoding="utf-8")
-    html, toc_html = _render_markdown_with_toc(text)
+                candidates.append(readme_base / f"README.{short}.md")
+        if readme_base != root_base:
+            candidates.append(default_readme)
+            if lang:
+                candidates.append(root_base / f"README.{lang}.md")
+                short = lang.split("-")[0]
+                if short != lang:
+                    candidates.append(root_base / f"README.{short}.md")
+            root_default = root_base / "README.md"
+        else:
+            root_default = default_readme
+        locale_base = root_base / "locale"
+        if locale_base.exists():
+            if lang:
+                candidates.append(locale_base / f"README.{lang}.md")
+                short = lang.split("-")[0]
+                if short != lang:
+                    candidates.append(locale_base / f"README.{short}.md")
+            candidates.append(locale_base / "README.md")
+        if root_default is not None:
+            candidates.append(root_default)
+
+    readme_file = next((p for p in candidates if p.exists()), None)
+    if readme_file is None:
+        raise Http404("Document not found")
+
     title = "README" if readme_file.name.startswith("README") else readme_file.stem
-    context = {"content": html, "title": title, "toc": toc_html}
+    return SimpleNamespace(
+        file=readme_file,
+        title=title,
+        root_base=root_base,
+    )
+
+
+def _relative_readme_path(readme_file: Path, root_base: Path) -> str | None:
+    try:
+        return readme_file.relative_to(root_base).as_posix()
+    except ValueError:
+        return None
+
+
+def _render_readme(request, role, doc: str | None = None):
+    lang = getattr(request, "LANGUAGE_CODE", "")
+    lang = lang.replace("_", "-").lower()
+    document = _locate_readme_document(role, doc, lang)
+    text = document.file.read_text(encoding="utf-8")
+    html, toc_html = _render_markdown_with_toc(text)
+    relative_path = _relative_readme_path(document.file, document.root_base)
+    user = getattr(request, "user", None)
+    can_edit = bool(
+        relative_path
+        and user
+        and user.is_authenticated
+        and user.is_superuser
+    )
+    edit_url = None
+    if can_edit:
+        try:
+            edit_url = reverse("pages:readme-edit", kwargs={"doc": relative_path})
+        except NoReverseMatch:
+            edit_url = None
+    context = {
+        "content": html,
+        "title": document.title,
+        "toc": toc_html,
+        "page_url": request.build_absolute_uri(),
+        "edit_url": edit_url,
+    }
     response = render(request, "pages/readme.html", context)
     patch_vary_headers(response, ["Accept-Language", "Cookie"])
     return response
 
 
+def readme_asset(request, source: str, asset: str):
+    source_normalized = (source or "").lower()
+    if source_normalized == "static":
+        file_path = _resolve_static_asset(asset)
+    elif source_normalized == "work":
+        file_path = _resolve_work_asset(getattr(request, "user", None), asset)
+    else:
+        raise Http404("Asset not found")
+
+    if not file_path.exists() or not file_path.is_file():
+        raise Http404("Asset not found")
+
+    extension = file_path.suffix.lower()
+    if extension not in ALLOWED_IMAGE_EXTENSIONS:
+        raise Http404("Asset not found")
+
+    try:
+        file_handle = file_path.open("rb")
+    except OSError as exc:  # pragma: no cover - unexpected filesystem error
+        logger.warning("Unable to open asset %s", file_path, exc_info=exc)
+        raise Http404("Asset not found") from exc
+
+    content_type = mimetypes.guess_type(str(file_path))[0] or "application/octet-stream"
+    response = FileResponse(file_handle, content_type=content_type)
+    try:
+        response["Content-Length"] = str(file_path.stat().st_size)
+    except OSError:  # pragma: no cover - filesystem race
+        pass
+
+    if source_normalized == "work":
+        patch_cache_control(response, private=True, no_store=True)
+        patch_vary_headers(response, ["Cookie"])
+    else:
+        patch_cache_control(response, public=True, max_age=3600)
+
+    return response
+
+
+class MarkdownDocumentForm(forms.Form):
+    content = forms.CharField(
+        widget=forms.Textarea(
+            attrs={
+                "class": "form-control",
+                "rows": 24,
+                "spellcheck": "false",
+            }
+        ),
+        required=False,
+        strip=False,
+    )
+
+
 @landing("Home")
 @never_cache
 def index(request):
@@ -525,10 +784,61 @@ def index(request):
 
 
 @never_cache
-def readme(request):
+def readme(request, doc=None):
     node = Node.get_local()
     role = node.role if node else None
-    return _render_readme(request, role)
+    return _render_readme(request, role, doc)
+
+
+def readme_edit(request, doc):
+    user = getattr(request, "user", None)
+    if not (user and user.is_authenticated and user.is_superuser):
+        raise PermissionDenied
+
+    node = Node.get_local()
+    role = node.role if node else None
+    lang = getattr(request, "LANGUAGE_CODE", "")
+    lang = lang.replace("_", "-").lower()
+    document = _locate_readme_document(role, doc, lang)
+    relative_path = _relative_readme_path(document.file, document.root_base)
+    if relative_path:
+        read_url = reverse("pages:readme-document", kwargs={"doc": relative_path})
+    else:
+        read_url = reverse("pages:readme")
+
+    if request.method == "POST":
+        form = MarkdownDocumentForm(request.POST)
+        if form.is_valid():
+            content = form.cleaned_data["content"]
+            try:
+                document.file.write_text(content, encoding="utf-8")
+            except OSError:
+                logger.exception("Failed to update markdown document %s", document.file)
+                messages.error(
+                    request,
+                    _("Unable to save changes. Please try again."),
+                )
+            else:
+                messages.success(request, _("Document saved successfully."))
+                if relative_path:
+                    return redirect("pages:readme-edit", doc=relative_path)
+                return redirect("pages:readme")
+    else:
+        try:
+            initial_text = document.file.read_text(encoding="utf-8")
+        except OSError:
+            logger.exception("Failed to read markdown document %s", document.file)
+            messages.error(request, _("Unable to load the document for editing."))
+            return redirect("pages:readme")
+        form = MarkdownDocumentForm(initial={"content": initial_text})
+
+    context = {
+        "form": form,
+        "title": document.title,
+        "relative_path": relative_path,
+        "read_url": read_url,
+    }
+    return render(request, "pages/readme_edit.html", context)
 
 
 def sitemap(request):
@@ -569,11 +879,6 @@ def release_checklist(request):
     return response
 
 
-@csrf_exempt
-def datasette_auth(request):
-    if request.user.is_authenticated:
-        return HttpResponse("OK")
-    return HttpResponse(status=401)
 
 
 class CustomLoginView(LoginView):
@@ -810,7 +1115,7 @@ def request_invite(request):
                 comment=comment,
                 user=request.user if request.user.is_authenticated else None,
                 path=request.path,
-                referer=request.META.get("HTTP_REFERER", ""),
+                referer=get_original_referer(request),
                 user_agent=request.META.get("HTTP_USER_AGENT", ""),
                 ip_address=ip_address,
                 mac_address=mac_address or "",
@@ -963,31 +1268,51 @@ class ClientReportForm(forms.Form):
         label=_("Month"),
         required=False,
         widget=forms.DateInput(attrs={"type": "month"}),
+        input_formats=["%Y-%m"],
         help_text=_("Generates the report for the calendar month that you select."),
     )
+    language = forms.ChoiceField(
+        label=_("Report language"),
+        choices=settings.LANGUAGES,
+        help_text=_("Choose the language used for the generated report."),
+    )
+    title = forms.CharField(
+        label=_("Report title"),
+        required=False,
+        max_length=200,
+        help_text=_("Optional heading that replaces the default report title."),
+    )
+    chargers = forms.ModelMultipleChoiceField(
+        label=_("Charge points"),
+        queryset=Charger.objects.filter(connector_id__isnull=True)
+        .order_by("display_name", "charger_id"),
+        required=False,
+        widget=forms.CheckboxSelectMultiple,
+        help_text=_("Choose which charge points are included in the report."),
+    )
     owner = forms.ModelChoiceField(
         queryset=get_user_model().objects.all(),
         required=False,
         help_text=_(
-            "Sets who owns the report schedule and is listed as the requestor."
+            "Sets who owns the report schedule and is listed as the requester."
         ),
     )
     destinations = forms.CharField(
         label=_("Email destinations"),
         required=False,
         widget=forms.Textarea(attrs={"rows": 2}),
-        help_text=_("Separate addresses with commas or new lines."),
+        help_text=_("Separate addresses with commas, whitespace, or new lines."),
     )
     recurrence = forms.ChoiceField(
-        label=_("Recurrency"),
+        label=_("Recurrence"),
         choices=RECURRENCE_CHOICES,
         initial=ClientReportSchedule.PERIODICITY_NONE,
         help_text=_("Defines how often the report should be generated automatically."),
     )
-    disable_emails = forms.BooleanField(
-        label=_("Disable email delivery"),
+    enable_emails = forms.BooleanField(
+        label=_("Enable email delivery"),
         required=False,
-        help_text=_("Generate files without sending emails."),
+        help_text=_("Send the report via email to the recipients listed above."),
     )
 
     def __init__(self, *args, request=None, **kwargs):
@@ -995,6 +1320,13 @@ class ClientReportForm(forms.Form):
         super().__init__(*args, **kwargs)
         if request and getattr(request, "user", None) and request.user.is_authenticated:
             self.fields["owner"].initial = request.user.pk
+        self.fields["chargers"].widget.attrs["class"] = "charger-options"
+        language_initial = ClientReport.default_language()
+        if request:
+            language_initial = ClientReport.normalize_language(
+                getattr(request, "LANGUAGE_CODE", language_initial)
+            )
+        self.fields["language"].initial = language_initial
 
     def clean(self):
         cleaned = super().clean()
@@ -1006,8 +1338,13 @@ class ClientReportForm(forms.Form):
             week_str = cleaned.get("week")
             if not week_str:
                 raise forms.ValidationError(_("Please select a week."))
-            year, week_num = week_str.split("-W")
-            start = datetime.date.fromisocalendar(int(year), int(week_num), 1)
+            try:
+                year_str, week_num_str = week_str.split("-W", 1)
+                start = datetime.date.fromisocalendar(
+                    int(year_str), int(week_num_str), 1
+                )
+            except (TypeError, ValueError):
+                raise forms.ValidationError(_("Please select a week."))
             cleaned["start"] = start
             cleaned["end"] = start + datetime.timedelta(days=6)
         elif period == "month":
@@ -1039,6 +1376,10 @@ class ClientReportForm(forms.Form):
             emails.append(candidate)
         return emails
 
+    def clean_title(self):
+        title = self.cleaned_data.get("title")
+        return ClientReport.normalize_title(title)
+
 
 @live_update()
 def client_report(request):
@@ -1049,7 +1390,7 @@ def client_report(request):
         if not request.user.is_authenticated:
             form.is_valid()  # Run validation to surface field errors alongside auth error.
             form.add_error(
-                None, _("You must log in to generate client reports."),
+                None, _("You must log in to generate consumer reports."),
             )
         elif form.is_valid():
             throttle_seconds = getattr(settings, "CLIENT_REPORT_THROTTLE_SECONDS", 60)
@@ -1078,38 +1419,90 @@ def client_report(request):
                 form.add_error(
                     None,
                     _(
-                        "Client reports can only be generated periodically. Please wait before trying again."
+                        "Consumer reports can only be generated periodically. Please wait before trying again."
                     ),
                 )
             else:
                 owner = form.cleaned_data.get("owner")
                 if not owner and request.user.is_authenticated:
                     owner = request.user
+                enable_emails = form.cleaned_data.get("enable_emails", False)
+                disable_emails = not enable_emails
+                recipients = (
+                    form.cleaned_data.get("destinations") if enable_emails else []
+                )
+                chargers = list(form.cleaned_data.get("chargers") or [])
+                language = form.cleaned_data.get("language")
+                title = form.cleaned_data.get("title")
                 report = ClientReport.generate(
                     form.cleaned_data["start"],
                     form.cleaned_data["end"],
                     owner=owner,
-                    recipients=form.cleaned_data.get("destinations"),
-                    disable_emails=form.cleaned_data.get("disable_emails", False),
+                    recipients=recipients,
+                    disable_emails=disable_emails,
+                    chargers=chargers,
+                    language=language,
+                    title=title,
                 )
                 report.store_local_copy()
+                if chargers:
+                    report.chargers.set(chargers)
+                if enable_emails and recipients:
+                    delivered = report.send_delivery(
+                        to=recipients,
+                        cc=[],
+                        outbox=ClientReport.resolve_outbox_for_owner(owner),
+                        reply_to=ClientReport.resolve_reply_to_for_owner(owner),
+                    )
+                    if delivered:
+                        report.recipients = delivered
+                        report.save(update_fields=["recipients"])
+                        messages.success(
+                            request,
+                            _("Consumer report emailed to the selected recipients."),
+                        )
                 recurrence = form.cleaned_data.get("recurrence")
                 if recurrence and recurrence != ClientReportSchedule.PERIODICITY_NONE:
                     schedule = ClientReportSchedule.objects.create(
                         owner=owner,
                         created_by=request.user if request.user.is_authenticated else None,
                         periodicity=recurrence,
-                        email_recipients=form.cleaned_data.get("destinations", []),
-                        disable_emails=form.cleaned_data.get("disable_emails", False),
+                        email_recipients=recipients,
+                        disable_emails=disable_emails,
+                        language=language,
+                        title=title,
                     )
+                    if chargers:
+                        schedule.chargers.set(chargers)
                     report.schedule = schedule
                     report.save(update_fields=["schedule"])
                     messages.success(
                         request,
                         _(
-                            "Client report schedule created; future reports will be generated automatically."
+                            "Consumer report schedule created; future reports will be generated automatically."
                         ),
                     )
+                if disable_emails:
+                    messages.success(
+                        request,
+                        _(
+                            "Consumer report generated. The download will begin automatically."
+                        ),
+                    )
+                    redirect_url = f"{reverse('pages:client-report')}?download={report.pk}"
+                    return HttpResponseRedirect(redirect_url)
+    download_url = None
+    download_param = request.GET.get("download")
+    if download_param and request.user.is_authenticated:
+        try:
+            download_id = int(download_param)
+        except (TypeError, ValueError):
+            download_id = None
+        if download_id:
+            download_url = reverse(
+                "pages:client-report-download", args=[download_id]
+            )
+
     try:
         login_url = reverse("pages:login")
     except NoReverseMatch:
@@ -1123,10 +1516,44 @@ def client_report(request):
         "report": report,
         "schedule": schedule,
         "login_url": login_url,
+        "download_url": download_url,
     }
     return render(request, "pages/client_report.html", context)
 
 
+@login_required
+def client_report_download(request, report_id: int):
+    report = get_object_or_404(ClientReport, pk=report_id)
+    if not request.user.is_staff and report.owner_id != request.user.pk:
+        return HttpResponseForbidden(
+            _("You do not have permission to download this report.")
+        )
+    pdf_path = report.ensure_pdf()
+    if not pdf_path.exists():
+        raise Http404(_("Report file unavailable."))
+    filename = f"consumer-report-{report.start_date}-{report.end_date}.pdf"
+    response = FileResponse(pdf_path.open("rb"), content_type="application/pdf")
+    response["Content-Disposition"] = f'attachment; filename="{filename}"'
+    return response
+def _get_request_language_code(request) -> str:
+    language_code = ""
+    if hasattr(request, "session"):
+        language_code = request.session.get(LANGUAGE_SESSION_KEY, "")
+    if not language_code:
+        cookie_name = getattr(settings, "LANGUAGE_COOKIE_NAME", "django_language")
+        language_code = request.COOKIES.get(cookie_name, "")
+    if not language_code:
+        language_code = getattr(request, "LANGUAGE_CODE", "") or ""
+    if not language_code:
+        language_code = get_language() or ""
+
+    language_code = language_code.strip()
+    if not language_code:
+        return ""
+
+    return language_code.replace("_", "-").lower()[:15]
+
+
 @require_POST
 def submit_user_story(request):
     throttle_seconds = getattr(settings, "USER_STORY_THROTTLE_SECONDS", 300)
@@ -1148,12 +1575,12 @@ def submit_user_story(request):
             )
 
     data = request.POST.copy()
-    if request.user.is_authenticated and not data.get("name"):
+    if request.user.is_authenticated:
         data["name"] = request.user.get_username()[:40]
     if not data.get("path"):
         data["path"] = request.get_full_path()
 
-    form = UserStoryForm(data)
+    form = UserStoryForm(data, user=request.user)
     if request.user.is_authenticated:
         form.instance.user = request.user
 
@@ -1162,16 +1589,92 @@ def submit_user_story(request):
         if request.user.is_authenticated:
             story.user = request.user
             story.owner = request.user
-            if not story.name:
-                story.name = request.user.get_username()[:40]
+            story.name = request.user.get_username()[:40]
         if not story.name:
             story.name = str(_("Anonymous"))[:40]
         story.path = (story.path or request.get_full_path())[:500]
-        story.referer = request.META.get("HTTP_REFERER", "")
+        story.referer = get_original_referer(request)
         story.user_agent = request.META.get("HTTP_USER_AGENT", "")
         story.ip_address = client_ip or None
         story.is_user_data = True
+        language_code = _get_request_language_code(request)
+        if language_code:
+            story.language_code = language_code
         story.save()
+        if request.user.is_authenticated and request.user.is_superuser:
+            comment_text = (story.comments or "").strip()
+            prefix = "Triage "
+            request_field = Todo._meta.get_field("request")
+            available_length = max(request_field.max_length - len(prefix), 0)
+            if available_length > 0 and comment_text:
+                summary = Truncator(comment_text).chars(
+                    available_length, truncate="…"
+                )
+            else:
+                summary = comment_text[:available_length]
+            todo_request = f"{prefix}{summary}".strip()
+            user_is_authenticated = request.user.is_authenticated
+            node = Node.get_local()
+            existing_todo = (
+                Todo.objects.filter(request__iexact=todo_request, is_deleted=False)
+                .order_by("pk")
+                .first()
+            )
+            if existing_todo:
+                update_fields: set[str] = set()
+                if node and existing_todo.origin_node_id != node.pk:
+                    existing_todo.origin_node = node
+                    update_fields.add("origin_node")
+                if existing_todo.original_user_id != request.user.pk:
+                    existing_todo.original_user = request.user
+                    update_fields.add("original_user")
+                if (
+                    existing_todo.original_user_is_authenticated
+                    != user_is_authenticated
+                ):
+                    existing_todo.original_user_is_authenticated = (
+                        user_is_authenticated
+                    )
+                    update_fields.add("original_user_is_authenticated")
+                if not existing_todo.is_user_data:
+                    existing_todo.is_user_data = True
+                    update_fields.add("is_user_data")
+                if update_fields:
+                    existing_todo.save(update_fields=tuple(update_fields))
+            else:
+                Todo.objects.create(
+                    request=todo_request,
+                    origin_node=node,
+                    original_user=request.user,
+                    original_user_is_authenticated=user_is_authenticated,
+                    is_user_data=True,
+                )
+        if story.take_screenshot:
+            screenshot_url = request.META.get("HTTP_REFERER", "")
+            parsed = urlparse(screenshot_url)
+            if not (parsed.scheme and parsed.netloc):
+                target_path = story.path or request.get_full_path() or "/"
+                screenshot_url = request.build_absolute_uri(target_path)
+            try:
+                screenshot_path = capture_screenshot(screenshot_url)
+            except Exception:  # pragma: no cover - best effort capture
+                logger.exception("Failed to capture screenshot for user story %s", story.pk)
+            else:
+                try:
+                    sample = save_screenshot(
+                        screenshot_path,
+                        method="USER_STORY",
+                        user=story.user if story.user_id else None,
+                        link_duplicates=True,
+                    )
+                except Exception:  # pragma: no cover - best effort persistence
+                    logger.exception(
+                        "Failed to persist screenshot for user story %s", story.pk
+                    )
+                else:
+                    if sample is not None:
+                        story.screenshot = sample
+                        story.save(update_fields=["screenshot"])
         return JsonResponse({"success": True})
 
     return JsonResponse({"success": False, "errors": form.errors}, status=400)