arthexis 0.1.21__py3-none-any.whl → 0.1.23__py3-none-any.whl

pages/views.py

@@ -1,5 +1,6 @@
 import base64
 import logging
+import mimetypes
 from pathlib import Path
 from types import SimpleNamespace
 import datetime
@@ -15,15 +16,25 @@ from django.contrib import admin
 from django.contrib import messages
 from django.contrib.admin.views.decorators import staff_member_required
 from django.contrib.auth import get_user_model, login
+from django.contrib.auth.decorators import login_required
 from django.contrib.auth.tokens import default_token_generator
 from django.contrib.auth.views import LoginView
 from django import forms
 from django.apps import apps as django_apps
 from utils.decorators import security_group_required
 from utils.sites import get_site
-from django.http import Http404, HttpResponse, JsonResponse
+from django.contrib.staticfiles import finders
+from django.http import (
+    FileResponse,
+    Http404,
+    HttpResponse,
+    HttpResponseForbidden,
+    HttpResponseRedirect,
+    JsonResponse,
+)
 from django.shortcuts import get_object_or_404, redirect, render
 from nodes.models import Node
+from nodes.utils import capture_screenshot, save_screenshot
 from django.template import loader
 from django.template.response import TemplateResponse
 from django.test import RequestFactory, signals as test_signals
@@ -33,14 +44,19 @@ from django.utils.encoding import force_bytes, force_str
 from django.utils.http import urlsafe_base64_decode, urlsafe_base64_encode
 from core import mailer, public_wifi
 from core.backends import TOTP_DEVICE_NAME
-from django.utils.translation import gettext as _
+from django.utils.translation import get_language, gettext as _
+
+try:  # pragma: no cover - compatibility shim for Django versions without constant
+    from django.utils.translation import LANGUAGE_SESSION_KEY
+except ImportError:  # pragma: no cover - fallback when constant is unavailable
+    LANGUAGE_SESSION_KEY = "_language"
 from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie
 from django.views.decorators.http import require_POST
 from django.core.cache import cache
 from django.views.decorators.cache import never_cache
-from django.utils.cache import patch_vary_headers
-from django.core.exceptions import PermissionDenied
-from django.utils.text import slugify
+from django.utils.cache import patch_cache_control, patch_vary_headers
+from django.core.exceptions import PermissionDenied, SuspiciousFileOperation
+from django.utils.text import slugify, Truncator
 from django.core.validators import EmailValidator
 from django.db.models import Q
 from core.models import (
@@ -48,6 +64,7 @@ from core.models import (
     ClientReport,
     ClientReportSchedule,
     SecurityGroup,
+    Todo,
 )
 
 try:  # pragma: no cover - optional dependency guard
@@ -58,16 +75,34 @@ except ImportError:  # pragma: no cover - handled gracefully in views
     CalledProcessError = ExecutableNotFound = None
 
 import markdown
+from django.utils._os import safe_join
 
 
 MARKDOWN_EXTENSIONS = ["toc", "tables", "mdx_truly_sane_lists"]
 
+MARKDOWN_IMAGE_PATTERN = re.compile(
+    r"(?P<prefix><img\b[^>]*\bsrc=[\"\'])(?P<scheme>(?:static|work))://(?P<path>[^\"\']+)(?P<suffix>[\"\'])",
+    re.IGNORECASE,
+)
+
+ALLOWED_IMAGE_EXTENSIONS = {
+    ".apng",
+    ".avif",
+    ".gif",
+    ".jpg",
+    ".jpeg",
+    ".png",
+    ".svg",
+    ".webp",
+}
+
 
 def _render_markdown_with_toc(text: str) -> tuple[str, str]:
     """Render ``text`` to HTML and return the HTML and stripped TOC."""
 
     md = markdown.Markdown(extensions=MARKDOWN_EXTENSIONS)
     html = md.convert(text)
+    html = _rewrite_markdown_asset_links(html)
     toc_html = md.toc
     toc_html = _strip_toc_wrapper(toc_html)
     return html, toc_html
@@ -82,6 +117,86 @@ def _strip_toc_wrapper(toc_html: str) -> str:
         if toc_html.endswith("</div>"):
             toc_html = toc_html[: -len("</div>")]
     return toc_html.strip()
+
+
+def _rewrite_markdown_asset_links(html: str) -> str:
+    """Rewrite asset links that reference local asset schemes."""
+
+    def _replace(match: re.Match[str]) -> str:
+        scheme = match.group("scheme").lower()
+        asset_path = match.group("path").lstrip("/")
+        if not asset_path:
+            return match.group(0)
+        extension = Path(asset_path).suffix.lower()
+        if extension not in ALLOWED_IMAGE_EXTENSIONS:
+            return match.group(0)
+        try:
+            asset_url = reverse(
+                "pages:readme-asset",
+                kwargs={"source": scheme, "asset": asset_path},
+            )
+        except NoReverseMatch:
+            return match.group(0)
+        return f"{match.group('prefix')}{escape(asset_url)}{match.group('suffix')}"
+
+    return MARKDOWN_IMAGE_PATTERN.sub(_replace, html)
+
+
+def _resolve_static_asset(path: str) -> Path:
+    normalized = path.lstrip("/")
+    if not normalized:
+        raise Http404("Asset not found")
+    resolved = finders.find(normalized)
+    if not resolved:
+        raise Http404("Asset not found")
+    if isinstance(resolved, (list, tuple)):
+        resolved = resolved[0]
+    file_path = Path(resolved)
+    if file_path.is_dir():
+        raise Http404("Asset not found")
+    return file_path
+
+
+def _resolve_work_asset(user, path: str) -> Path:
+    if not (user and getattr(user, "is_authenticated", False)):
+        raise PermissionDenied
+    normalized = path.lstrip("/")
+    if not normalized:
+        raise Http404("Asset not found")
+    username = getattr(user, "get_username", None)
+    if callable(username):
+        username = username()
+    else:
+        username = getattr(user, "username", "")
+    username_component = Path(str(username or user.pk)).name
+    base_work = Path(settings.BASE_DIR) / "work"
+    try:
+        user_dir = Path(safe_join(str(base_work), username_component))
+        asset_path = Path(safe_join(str(user_dir), normalized))
+    except SuspiciousFileOperation as exc:
+        logger.warning("Rejected suspicious work asset path: %s", normalized, exc_info=exc)
+        raise Http404("Asset not found") from exc
+    try:
+        user_dir_resolved = user_dir.resolve(strict=True)
+    except FileNotFoundError as exc:
+        logger.warning(
+            "Work directory missing for asset request: %s", user_dir, exc_info=exc
+        )
+        raise Http404("Asset not found") from exc
+    try:
+        asset_resolved = asset_path.resolve(strict=True)
+    except FileNotFoundError as exc:
+        raise Http404("Asset not found") from exc
+    try:
+        asset_resolved.relative_to(user_dir_resolved)
+    except ValueError as exc:
+        logger.warning(
+            "Rejected work asset outside directory: %s", asset_resolved, exc_info=exc
+        )
+        raise Http404("Asset not found") from exc
+    if asset_resolved.is_dir():
+        raise Http404("Asset not found")
+    return asset_resolved
 from pages.utils import landing
 from core.liveupdate import live_update
 from django_otp import login as otp_login
@@ -487,19 +602,33 @@ def _locate_readme_document(role, doc: str | None, lang: str) -> SimpleNamespace
                     continue
                 candidates.append(candidate)
     else:
+        default_readme = readme_base / "README.md"
+        root_default: Path | None = None
         if lang:
             candidates.append(readme_base / f"README.{lang}.md")
             short = lang.split("-")[0]
             if short != lang:
                 candidates.append(readme_base / f"README.{short}.md")
-        candidates.append(readme_base / "README.md")
         if readme_base != root_base:
+            candidates.append(default_readme)
             if lang:
                 candidates.append(root_base / f"README.{lang}.md")
                 short = lang.split("-")[0]
                 if short != lang:
                     candidates.append(root_base / f"README.{short}.md")
-            candidates.append(root_base / "README.md")
+            root_default = root_base / "README.md"
+        else:
+            root_default = default_readme
+        locale_base = root_base / "locale"
+        if locale_base.exists():
+            if lang:
+                candidates.append(locale_base / f"README.{lang}.md")
+                short = lang.split("-")[0]
+                if short != lang:
+                    candidates.append(locale_base / f"README.{short}.md")
+            candidates.append(locale_base / "README.md")
+        if root_default is not None:
+            candidates.append(root_default)
 
     readme_file = next((p for p in candidates if p.exists()), None)
     if readme_file is None:
@@ -552,6 +681,44 @@ def _render_readme(request, role, doc: str | None = None):
     return response
 
 
+def readme_asset(request, source: str, asset: str):
+    source_normalized = (source or "").lower()
+    if source_normalized == "static":
+        file_path = _resolve_static_asset(asset)
+    elif source_normalized == "work":
+        file_path = _resolve_work_asset(getattr(request, "user", None), asset)
+    else:
+        raise Http404("Asset not found")
+
+    if not file_path.exists() or not file_path.is_file():
+        raise Http404("Asset not found")
+
+    extension = file_path.suffix.lower()
+    if extension not in ALLOWED_IMAGE_EXTENSIONS:
+        raise Http404("Asset not found")
+
+    try:
+        file_handle = file_path.open("rb")
+    except OSError as exc:  # pragma: no cover - unexpected filesystem error
+        logger.warning("Unable to open asset %s", file_path, exc_info=exc)
+        raise Http404("Asset not found") from exc
+
+    content_type = mimetypes.guess_type(str(file_path))[0] or "application/octet-stream"
+    response = FileResponse(file_handle, content_type=content_type)
+    try:
+        response["Content-Length"] = str(file_path.stat().st_size)
+    except OSError:  # pragma: no cover - filesystem race
+        pass
+
+    if source_normalized == "work":
+        patch_cache_control(response, private=True, no_store=True)
+        patch_vary_headers(response, ["Cookie"])
+    else:
+        patch_cache_control(response, public=True, max_age=3600)
+
+    return response
+
+
 class MarkdownDocumentForm(forms.Form):
     content = forms.CharField(
         widget=forms.Textarea(
@@ -1121,10 +1288,10 @@ class ClientReportForm(forms.Form):
         initial=ClientReportSchedule.PERIODICITY_NONE,
         help_text=_("Defines how often the report should be generated automatically."),
     )
-    disable_emails = forms.BooleanField(
-        label=_("Disable email delivery"),
+    enable_emails = forms.BooleanField(
+        label=_("Enable email delivery"),
         required=False,
-        help_text=_("Generate files without sending emails."),
+        help_text=_("Send the report via email to the recipients listed above."),
     )
 
     def __init__(self, *args, request=None, **kwargs):
@@ -1227,12 +1394,17 @@ def client_report(request):
                 owner = form.cleaned_data.get("owner")
                 if not owner and request.user.is_authenticated:
                     owner = request.user
+                enable_emails = form.cleaned_data.get("enable_emails", False)
+                disable_emails = not enable_emails
+                recipients = (
+                    form.cleaned_data.get("destinations") if enable_emails else []
+                )
                 report = ClientReport.generate(
                     form.cleaned_data["start"],
                     form.cleaned_data["end"],
                     owner=owner,
-                    recipients=form.cleaned_data.get("destinations"),
-                    disable_emails=form.cleaned_data.get("disable_emails", False),
+                    recipients=recipients,
+                    disable_emails=disable_emails,
                 )
                 report.store_local_copy()
                 recurrence = form.cleaned_data.get("recurrence")
@@ -1241,8 +1413,8 @@ def client_report(request):
                         owner=owner,
                         created_by=request.user if request.user.is_authenticated else None,
                         periodicity=recurrence,
-                        email_recipients=form.cleaned_data.get("destinations", []),
-                        disable_emails=form.cleaned_data.get("disable_emails", False),
+                        email_recipients=recipients,
+                        disable_emails=disable_emails,
                     )
                     report.schedule = schedule
                     report.save(update_fields=["schedule"])
@@ -1252,6 +1424,27 @@ def client_report(request):
                             "Client report schedule created; future reports will be generated automatically."
                         ),
                     )
+                if disable_emails:
+                    messages.success(
+                        request,
+                        _(
+                            "Consumer report generated. The download will begin automatically."
+                        ),
+                    )
+                    redirect_url = f"{reverse('pages:client-report')}?download={report.pk}"
+                    return HttpResponseRedirect(redirect_url)
+    download_url = None
+    download_param = request.GET.get("download")
+    if download_param and request.user.is_authenticated:
+        try:
+            download_id = int(download_param)
+        except (TypeError, ValueError):
+            download_id = None
+        if download_id:
+            download_url = reverse(
+                "pages:client-report-download", args=[download_id]
+            )
+
     try:
         login_url = reverse("pages:login")
     except NoReverseMatch:
@@ -1265,10 +1458,71 @@ def client_report(request):
         "report": report,
         "schedule": schedule,
         "login_url": login_url,
+        "download_url": download_url,
+        "previous_reports": _client_report_history(request),
     }
     return render(request, "pages/client_report.html", context)
 
 
+@login_required
+def client_report_download(request, report_id: int):
+    report = get_object_or_404(ClientReport, pk=report_id)
+    if not request.user.is_staff and report.owner_id != request.user.pk:
+        return HttpResponseForbidden(
+            _("You do not have permission to download this report.")
+        )
+    pdf_path = report.ensure_pdf()
+    if not pdf_path.exists():
+        raise Http404(_("Report file unavailable."))
+    filename = f"consumer-report-{report.start_date}-{report.end_date}.pdf"
+    response = FileResponse(pdf_path.open("rb"), content_type="application/pdf")
+    response["Content-Disposition"] = f'attachment; filename="{filename}"'
+    return response
+
+
+def _client_report_history(request, limit: int = 20):
+    if not request.user.is_authenticated:
+        return []
+    qs = ClientReport.objects.order_by("-created_on")
+    if not request.user.is_staff:
+        qs = qs.filter(owner=request.user)
+    history = []
+    for report in qs[:limit]:
+        totals = report.rows_for_display.get("totals", {})
+        history.append(
+            {
+                "instance": report,
+                "download_url": reverse("pages:client-report-download", args=[report.pk]),
+                "email_enabled": not report.disable_emails,
+                "recipients": report.recipients or [],
+                "totals": {
+                    "total_kw": totals.get("total_kw", 0.0),
+                    "total_kw_period": totals.get("total_kw_period", 0.0),
+                },
+            }
+        )
+    return history
+
+
+def _get_request_language_code(request) -> str:
+    language_code = ""
+    if hasattr(request, "session"):
+        language_code = request.session.get(LANGUAGE_SESSION_KEY, "")
+    if not language_code:
+        cookie_name = getattr(settings, "LANGUAGE_COOKIE_NAME", "django_language")
+        language_code = request.COOKIES.get(cookie_name, "")
+    if not language_code:
+        language_code = getattr(request, "LANGUAGE_CODE", "") or ""
+    if not language_code:
+        language_code = get_language() or ""
+
+    language_code = language_code.strip()
+    if not language_code:
+        return ""
+
+    return language_code.replace("_", "-").lower()[:15]
+
+
 @require_POST
 def submit_user_story(request):
     throttle_seconds = getattr(settings, "USER_STORY_THROTTLE_SECONDS", 300)
@@ -1290,12 +1544,12 @@ def submit_user_story(request):
             )
 
     data = request.POST.copy()
-    if request.user.is_authenticated and not data.get("name"):
+    if request.user.is_authenticated:
         data["name"] = request.user.get_username()[:40]
     if not data.get("path"):
         data["path"] = request.get_full_path()
 
-    form = UserStoryForm(data)
+    form = UserStoryForm(data, user=request.user)
     if request.user.is_authenticated:
         form.instance.user = request.user
 
@@ -1304,8 +1558,7 @@ def submit_user_story(request):
         if request.user.is_authenticated:
             story.user = request.user
             story.owner = request.user
-            if not story.name:
-                story.name = request.user.get_username()[:40]
+            story.name = request.user.get_username()[:40]
         if not story.name:
             story.name = str(_("Anonymous"))[:40]
         story.path = (story.path or request.get_full_path())[:500]
@@ -1313,7 +1566,83 @@ def submit_user_story(request):
         story.user_agent = request.META.get("HTTP_USER_AGENT", "")
         story.ip_address = client_ip or None
         story.is_user_data = True
+        language_code = _get_request_language_code(request)
+        if language_code:
+            story.language_code = language_code
         story.save()
+        if request.user.is_authenticated and request.user.is_superuser:
+            comment_text = (story.comments or "").strip()
+            prefix = "Triage "
+            request_field = Todo._meta.get_field("request")
+            available_length = max(request_field.max_length - len(prefix), 0)
+            if available_length > 0 and comment_text:
+                summary = Truncator(comment_text).chars(
+                    available_length, truncate="…"
+                )
+            else:
+                summary = comment_text[:available_length]
+            todo_request = f"{prefix}{summary}".strip()
+            user_is_authenticated = request.user.is_authenticated
+            node = Node.get_local()
+            existing_todo = (
+                Todo.objects.filter(request__iexact=todo_request, is_deleted=False)
+                .order_by("pk")
+                .first()
+            )
+            if existing_todo:
+                update_fields: set[str] = set()
+                if node and existing_todo.origin_node_id != node.pk:
+                    existing_todo.origin_node = node
+                    update_fields.add("origin_node")
+                if existing_todo.original_user_id != request.user.pk:
+                    existing_todo.original_user = request.user
+                    update_fields.add("original_user")
+                if (
+                    existing_todo.original_user_is_authenticated
+                    != user_is_authenticated
+                ):
+                    existing_todo.original_user_is_authenticated = (
+                        user_is_authenticated
+                    )
+                    update_fields.add("original_user_is_authenticated")
+                if not existing_todo.is_user_data:
+                    existing_todo.is_user_data = True
+                    update_fields.add("is_user_data")
+                if update_fields:
+                    existing_todo.save(update_fields=tuple(update_fields))
+            else:
+                Todo.objects.create(
+                    request=todo_request,
+                    origin_node=node,
+                    original_user=request.user,
+                    original_user_is_authenticated=user_is_authenticated,
+                    is_user_data=True,
+                )
+        if story.take_screenshot:
+            screenshot_url = request.META.get("HTTP_REFERER", "")
+            parsed = urlparse(screenshot_url)
+            if not (parsed.scheme and parsed.netloc):
+                target_path = story.path or request.get_full_path() or "/"
+                screenshot_url = request.build_absolute_uri(target_path)
+            try:
+                screenshot_path = capture_screenshot(screenshot_url)
+            except Exception:  # pragma: no cover - best effort capture
+                logger.exception("Failed to capture screenshot for user story %s", story.pk)
+            else:
+                try:
+                    sample = save_screenshot(
+                        screenshot_path,
+                        method="USER_STORY",
+                        user=story.user if story.user_id else None,
+                    )
+                except Exception:  # pragma: no cover - best effort persistence
+                    logger.exception(
+                        "Failed to persist screenshot for user story %s", story.pk
+                    )
+                else:
+                    if sample is not None:
+                        story.screenshot = sample
+                        story.save(update_fields=["screenshot"])
         return JsonResponse({"success": True})
 
     return JsonResponse({"success": False, "errors": form.errors}, status=400)