arthexis 0.1.9__py3-none-any.whl → 0.1.11__py3-none-any.whl

pages/views.py

@@ -1,7 +1,10 @@
+import base64
 import logging
 from pathlib import Path
+from types import SimpleNamespace
 import datetime
 import calendar
+import io
 import shutil
 import re
 from html import escape
@@ -17,21 +20,25 @@ from django import forms
 from django.apps import apps as django_apps
 from utils.sites import get_site
 from django.http import Http404, HttpResponse
-from django.shortcuts import redirect, render
+from django.shortcuts import get_object_or_404, redirect, render
 from nodes.models import Node
 from django.template.response import TemplateResponse
+from django.test import RequestFactory
 from django.urls import NoReverseMatch, reverse
 from django.utils import timezone
 from django.utils.encoding import force_bytes, force_str
 from django.utils.http import urlsafe_base64_decode, urlsafe_base64_encode
 from core import mailer, public_wifi
+from core.backends import TOTP_DEVICE_NAME
 from django.utils.translation import gettext as _
 from django.views.decorators.csrf import csrf_exempt, ensure_csrf_cookie
+from django.core.cache import cache
 from django.views.decorators.cache import never_cache
 from django.utils.cache import patch_vary_headers
 from django.core.exceptions import PermissionDenied
 from django.utils.text import slugify
 from django.core.validators import EmailValidator
+from django.db.models import Q
 from core.models import InviteLead, ClientReport, ClientReportSchedule
 
 try:  # pragma: no cover - optional dependency guard
@@ -42,9 +49,37 @@ except ImportError:  # pragma: no cover - handled gracefully in views
     CalledProcessError = ExecutableNotFound = None
 
 import markdown
+
+
+MARKDOWN_EXTENSIONS = ["toc", "tables", "mdx_truly_sane_lists"]
+
+
+def _render_markdown_with_toc(text: str) -> tuple[str, str]:
+    """Render ``text`` to HTML and return the HTML and stripped TOC."""
+
+    md = markdown.Markdown(extensions=MARKDOWN_EXTENSIONS)
+    html = md.convert(text)
+    toc_html = md.toc
+    toc_html = _strip_toc_wrapper(toc_html)
+    return html, toc_html
+
+
+def _strip_toc_wrapper(toc_html: str) -> str:
+    """Normalize ``markdown``'s TOC output by removing the wrapper ``div``."""
+
+    toc_html = toc_html.strip()
+    if toc_html.startswith('<div class="toc">'):
+        toc_html = toc_html[len('<div class="toc">') :]
+        if toc_html.endswith("</div>"):
+            toc_html = toc_html[: -len("</div>")]
+    return toc_html.strip()
 from pages.utils import landing
 from core.liveupdate import live_update
-from .models import Module
+from django_otp import login as otp_login
+from django_otp.plugins.otp_totp.models import TOTPDevice
+import qrcode
+from .forms import AuthenticatorEnrollmentForm, AuthenticatorLoginForm
+from .models import Module, UserManual
 
 
 logger = logging.getLogger(__name__)
@@ -67,9 +102,13 @@ def _filter_models_for_request(models, request):
         model_admin = admin.site._registry.get(model)
         if model_admin is None:
             continue
-        if not model_admin.has_module_permission(request):
+        if not model_admin.has_module_permission(request) and not getattr(
+            request.user, "is_staff", False
+        ):
             continue
-        if not model_admin.has_view_permission(request, obj=None):
+        if not model_admin.has_view_permission(request, obj=None) and not getattr(
+            request.user, "is_staff", False
+        ):
             continue
         allowed.append(model)
     return allowed
@@ -80,8 +119,13 @@ def _admin_has_app_permission(request, app_label: str) -> bool:
 
     has_app_permission = getattr(admin.site, "has_app_permission", None)
     if callable(has_app_permission):
-        return has_app_permission(request, app_label)
-    return bool(admin.site.get_app_list(request, app_label))
+        allowed = has_app_permission(request, app_label)
+    else:
+        allowed = bool(admin.site.get_app_list(request, app_label))
+
+    if not allowed and getattr(request.user, "is_staff", False):
+        return True
+    return allowed
 
 
 def _resolve_related_model(field, default_app_label: str):
@@ -389,14 +433,7 @@ def index(request):
         candidates.append(root_base / "README.md")
     readme_file = next((p for p in candidates if p.exists()), root_base / "README.md")
     text = readme_file.read_text(encoding="utf-8")
-    md = markdown.Markdown(extensions=["toc", "tables"])
-    html = md.convert(text)
-    toc_html = md.toc
-    if toc_html.strip().startswith('<div class="toc">'):
-        toc_html = toc_html.strip()[len('<div class="toc">') :]
-        if toc_html.endswith("</div>"):
-            toc_html = toc_html[: -len("</div>")]
-        toc_html = toc_html.strip()
+    html, toc_html = _render_markdown_with_toc(text)
     title = "README" if readme_file.name.startswith("README") else readme_file.stem
     context = {"content": html, "title": title, "toc": toc_html}
     response = render(request, "pages/readme.html", context)
@@ -429,14 +466,7 @@ def release_checklist(request):
     if not file_path.exists():
         raise Http404("Release checklist not found")
     text = file_path.read_text(encoding="utf-8")
-    md = markdown.Markdown(extensions=["toc", "tables"])
-    html = md.convert(text)
-    toc_html = md.toc
-    if toc_html.strip().startswith('<div class="toc">'):
-        toc_html = toc_html.strip()[len('<div class="toc">') :]
-        if toc_html.endswith("</div>"):
-            toc_html = toc_html[: -len("</div>")]
-        toc_html = toc_html.strip()
+    html, toc_html = _render_markdown_with_toc(text)
     context = {"content": html, "title": "Release Checklist", "toc": toc_html}
     response = render(request, "pages/readme.html", context)
     patch_vary_headers(response, ["Accept-Language", "Cookie"])
@@ -454,6 +484,7 @@ class CustomLoginView(LoginView):
     """Login view that redirects staff to the admin."""
 
     template_name = "pages/login.html"
+    form_class = AuthenticatorLoginForm
 
     def dispatch(self, request, *args, **kwargs):
         if request.user.is_authenticated:
@@ -481,13 +512,165 @@ class CustomLoginView(LoginView):
             return reverse("admin:index")
         return "/"
 
+    def form_valid(self, form):
+        response = super().form_valid(form)
+        device = form.get_verified_device()
+        if device is not None:
+            otp_login(self.request, device)
+        return response
+
 
 login_view = CustomLoginView.as_view()
 
 
+@staff_member_required
+def authenticator_setup(request):
+    """Allow staff to enroll an authenticator app for TOTP logins."""
+
+    user = request.user
+    device_qs = TOTPDevice.objects.filter(user=user)
+    if TOTP_DEVICE_NAME:
+        device_qs = device_qs.filter(name=TOTP_DEVICE_NAME)
+
+    pending_device = device_qs.filter(confirmed=False).order_by("-id").first()
+    confirmed_device = device_qs.filter(confirmed=True).order_by("-id").first()
+    enrollment_form = AuthenticatorEnrollmentForm(device=pending_device)
+
+    if request.method == "POST":
+        action = request.POST.get("action")
+        if action == "generate":
+            device = pending_device or confirmed_device or TOTPDevice(user=user)
+            if TOTP_DEVICE_NAME:
+                device.name = TOTP_DEVICE_NAME
+            if device.pk is None:
+                device.save()
+            device.key = TOTPDevice._meta.get_field("key").get_default()
+            device.confirmed = False
+            device.drift = 0
+            device.last_t = -1
+            device.throttling_failure_count = 0
+            device.throttling_failure_timestamp = None
+            device.throttle_reset(commit=False)
+            device.save()
+            messages.success(
+                request,
+                _(
+                    "Scan the QR code with your authenticator app, then "
+                    "enter a code below to confirm enrollment."
+                ),
+            )
+            return redirect("pages:authenticator-setup")
+        if action == "confirm" and pending_device is not None:
+            enrollment_form = AuthenticatorEnrollmentForm(
+                request.POST, device=pending_device
+            )
+            if enrollment_form.is_valid():
+                pending_device.confirmed = True
+                pending_device.save(update_fields=["confirmed"])
+                messages.success(
+                    request,
+                    _(
+                        "Authenticator app confirmed. You can now log in "
+                        "with codes from your device."
+                    ),
+                )
+                return redirect("pages:authenticator-setup")
+        if action == "remove":
+            if device_qs.exists():
+                device_qs.delete()
+                messages.success(
+                    request,
+                    _(
+                        "Authenticator enrollment removed. Password logins "
+                        "remain available."
+                    ),
+                )
+            return redirect("pages:authenticator-setup")
+
+    pending_device = device_qs.filter(confirmed=False).order_by("-id").first()
+    confirmed_device = device_qs.filter(confirmed=True).order_by("-id").first()
+
+    qr_data_uri = None
+    manual_key = None
+    if pending_device is not None:
+        config_url = pending_device.config_url
+        qr = qrcode.QRCode(box_size=10, border=4)
+        qr.add_data(config_url)
+        qr.make(fit=True)
+        image = qr.make_image(fill_color="black", back_color="white")
+        buffer = io.BytesIO()
+        image.save(buffer, format="PNG")
+        qr_data_uri = "data:image/png;base64," + base64.b64encode(buffer.getvalue()).decode(
+            "ascii"
+        )
+        secret = pending_device.key or ""
+        manual_key = " ".join(secret[i : i + 4] for i in range(0, len(secret), 4))
+
+    context = {
+        "pending_device": pending_device,
+        "confirmed_device": confirmed_device,
+        "qr_data_uri": qr_data_uri,
+        "manual_key": manual_key,
+        "enrollment_form": enrollment_form,
+    }
+    return TemplateResponse(request, "pages/authenticator_setup.html", context)
+
+
+INVITATION_REQUEST_MIN_SUBMISSION_INTERVAL = datetime.timedelta(seconds=3)
+INVITATION_REQUEST_THROTTLE_LIMIT = 3
+INVITATION_REQUEST_THROTTLE_WINDOW = datetime.timedelta(hours=1)
+INVITATION_REQUEST_HONEYPOT_MESSAGE = _(
+    "We could not process your request. Please try again."
+)
+INVITATION_REQUEST_TOO_FAST_MESSAGE = _(
+    "That was a little too fast. Please wait a moment and try again."
+)
+INVITATION_REQUEST_TIMESTAMP_ERROR = _(
+    "We could not verify your submission. Please reload the page and try again."
+)
+INVITATION_REQUEST_THROTTLE_MESSAGE = _(
+    "We've already received a few requests. Please try again later."
+)
+
+
 class InvitationRequestForm(forms.Form):
     email = forms.EmailField()
-    comment = forms.CharField(required=False, widget=forms.Textarea, label=_("Comment"))
+    comment = forms.CharField(
+        required=False, widget=forms.Textarea, label=_("Comment")
+    )
+    honeypot = forms.CharField(
+        required=False,
+        label=_("Leave blank"),
+        widget=forms.TextInput(attrs={"autocomplete": "off"}),
+    )
+    timestamp = forms.DateTimeField(required=False, widget=forms.HiddenInput())
+
+    min_submission_interval = INVITATION_REQUEST_MIN_SUBMISSION_INTERVAL
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        if not self.is_bound:
+            self.fields["timestamp"].initial = timezone.now()
+        self.fields["honeypot"].widget.attrs.setdefault("aria-hidden", "true")
+        self.fields["honeypot"].widget.attrs.setdefault("tabindex", "-1")
+
+    def clean(self):
+        cleaned = super().clean()
+
+        honeypot_value = cleaned.get("honeypot", "")
+        if honeypot_value:
+            raise forms.ValidationError(INVITATION_REQUEST_HONEYPOT_MESSAGE)
+
+        timestamp = cleaned.get("timestamp")
+        if timestamp is None:
+            cleaned["timestamp"] = timezone.now()
+            return cleaned
+
+        now = timezone.now()
+        if timestamp > now or (now - timestamp) < self.min_submission_interval:
+            raise forms.ValidationError(INVITATION_REQUEST_TOO_FAST_MESSAGE)
+
+        return cleaned
 
 
 @csrf_exempt
@@ -499,68 +682,83 @@ def request_invite(request):
         email = form.cleaned_data["email"]
         comment = form.cleaned_data.get("comment", "")
         ip_address = request.META.get("REMOTE_ADDR")
-        mac_address = public_wifi.resolve_mac_address(ip_address)
-        lead = InviteLead.objects.create(
-            email=email,
-            comment=comment,
-            user=request.user if request.user.is_authenticated else None,
-            path=request.path,
-            referer=request.META.get("HTTP_REFERER", ""),
-            user_agent=request.META.get("HTTP_USER_AGENT", ""),
-            ip_address=ip_address,
-            mac_address=mac_address or "",
+        throttle_filters = Q(email__iexact=email)
+        if ip_address:
+            throttle_filters |= Q(ip_address=ip_address)
+        window_start = timezone.now() - INVITATION_REQUEST_THROTTLE_WINDOW
+        recent_requests = InviteLead.objects.filter(
+            throttle_filters, created_on__gte=window_start
         )
-        logger.info("Invitation requested for %s", email)
-        User = get_user_model()
-        users = list(User.objects.filter(email__iexact=email))
-        if not users:
-            logger.warning("Invitation requested for unknown email %s", email)
-        for user in users:
-            uid = urlsafe_base64_encode(force_bytes(user.pk))
-            token = default_token_generator.make_token(user)
-            link = request.build_absolute_uri(
-                reverse("pages:invitation-login", args=[uid, token])
+        if recent_requests.count() >= INVITATION_REQUEST_THROTTLE_LIMIT:
+            form.add_error(None, INVITATION_REQUEST_THROTTLE_MESSAGE)
+        else:
+            mac_address = public_wifi.resolve_mac_address(ip_address)
+            lead = InviteLead.objects.create(
+                email=email,
+                comment=comment,
+                user=request.user if request.user.is_authenticated else None,
+                path=request.path,
+                referer=request.META.get("HTTP_REFERER", ""),
+                user_agent=request.META.get("HTTP_USER_AGENT", ""),
+                ip_address=ip_address,
+                mac_address=mac_address or "",
             )
-            subject = _("Your invitation link")
-            body = _("Use the following link to access your account: %(link)s") % {
-                "link": link
-            }
-            try:
-                node_error = None
-                node = Node.get_local()
-                if node:
-                    try:
-                        result = node.send_mail(subject, body, [email])
-                    except Exception as exc:
-                        node_error = exc
-                        logger.exception(
-                            "Node send_mail failed, falling back to default backend"
-                        )
+            logger.info("Invitation requested for %s", email)
+            User = get_user_model()
+            users = list(User.objects.filter(email__iexact=email))
+            if not users:
+                logger.warning("Invitation requested for unknown email %s", email)
+            for user in users:
+                uid = urlsafe_base64_encode(force_bytes(user.pk))
+                token = default_token_generator.make_token(user)
+                link = request.build_absolute_uri(
+                    reverse("pages:invitation-login", args=[uid, token])
+                )
+                subject = _("Your invitation link")
+                body = _("Use the following link to access your account: %(link)s") % {
+                    "link": link
+                }
+                try:
+                    node_error = None
+                    node = Node.get_local()
+                    outbox = getattr(node, "email_outbox", None) if node else None
+                    if node:
+                        try:
+                            result = node.send_mail(subject, body, [email])
+                            lead.sent_via_outbox = outbox
+                        except Exception as exc:
+                            node_error = exc
+                            lead.sent_via_outbox = None
+                            logger.exception(
+                                "Node send_mail failed, falling back to default backend"
+                            )
+                            result = mailer.send(
+                                subject, body, [email], settings.DEFAULT_FROM_EMAIL
+                            )
+                    else:
                         result = mailer.send(
                             subject, body, [email], settings.DEFAULT_FROM_EMAIL
                         )
-                else:
-                    result = mailer.send(
-                        subject, body, [email], settings.DEFAULT_FROM_EMAIL
-                    )
-                lead.sent_on = timezone.now()
-                if node_error:
-                    lead.error = (
-                        f"Node email send failed: {node_error}. "
-                        "Invite was sent using default mail backend; ensure the "
-                        "node's email service is running or check its configuration."
+                        lead.sent_via_outbox = None
+                    lead.sent_on = timezone.now()
+                    if node_error:
+                        lead.error = (
+                            f"Node email send failed: {node_error}. "
+                            "Invite was sent using default mail backend; ensure the "
+                            "node's email service is running or check its configuration."
+                        )
+                    else:
+                        lead.error = ""
+                    logger.info(
+                        "Invitation email sent to %s (user %s): %s", email, user.pk, result
                     )
-                else:
-                    lead.error = ""
-                logger.info(
-                    "Invitation email sent to %s (user %s): %s", email, user.pk, result
-                )
-            except Exception as exc:
-                lead.error = f"{exc}. Ensure the email service is reachable and settings are correct."
-                logger.exception("Failed to send invitation email to %s", email)
-        if lead.sent_on or lead.error:
-            lead.save(update_fields=["sent_on", "error"])
-        sent = True
+                except Exception as exc:
+                    lead.error = f"{exc}. Ensure the email service is reachable and settings are correct."
+                    lead.sent_via_outbox = None
+                    logger.exception("Failed to send invitation email to %s", email)
+            if lead.sent_on or lead.error:
+                lead.save(update_fields=["sent_on", "error", "sent_via_outbox"])
+            sent = True
     return render(request, "pages/request_invite.html", {"form": form, "sent": sent})
 
 
@@ -626,30 +824,41 @@ class ClientReportForm(forms.Form):
     ]
     RECURRENCE_CHOICES = ClientReportSchedule.PERIODICITY_CHOICES
     period = forms.ChoiceField(
-        choices=PERIOD_CHOICES, widget=forms.RadioSelect, initial="range"
+        choices=PERIOD_CHOICES,
+        widget=forms.RadioSelect,
+        initial="range",
+        help_text=_("Choose how the reporting window will be calculated."),
     )
     start = forms.DateField(
         label=_("Start date"),
         required=False,
         widget=forms.DateInput(attrs={"type": "date"}),
+        help_text=_("First day included when using a custom date range."),
     )
     end = forms.DateField(
         label=_("End date"),
         required=False,
         widget=forms.DateInput(attrs={"type": "date"}),
+        help_text=_("Last day included when using a custom date range."),
     )
     week = forms.CharField(
         label=_("Week"),
         required=False,
         widget=forms.TextInput(attrs={"type": "week"}),
+        help_text=_("Generates the report for the ISO week that you select."),
     )
     month = forms.DateField(
         label=_("Month"),
         required=False,
         widget=forms.DateInput(attrs={"type": "month"}),
+        help_text=_("Generates the report for the calendar month that you select."),
     )
     owner = forms.ModelChoiceField(
-        queryset=get_user_model().objects.all(), required=False
+        queryset=get_user_model().objects.all(),
+        required=False,
+        help_text=_(
+            "Sets who owns the report schedule and is listed as the requestor."
+        ),
     )
     destinations = forms.CharField(
         label=_("Email destinations"),
@@ -661,6 +870,7 @@ class ClientReportForm(forms.Form):
         label=_("Recurrency"),
         choices=RECURRENCE_CHOICES,
         initial=ClientReportSchedule.PERIODICITY_NONE,
+        help_text=_("Defines how often the report should be generated automatically."),
     )
     disable_emails = forms.BooleanField(
         label=_("Disable email delivery"),
@@ -723,36 +933,85 @@ def client_report(request):
     form = ClientReportForm(request.POST or None, request=request)
     report = None
     schedule = None
-    if request.method == "POST" and form.is_valid():
-        owner = form.cleaned_data.get("owner")
-        if not owner and request.user.is_authenticated:
-            owner = request.user
-        report = ClientReport.generate(
-            form.cleaned_data["start"],
-            form.cleaned_data["end"],
-            owner=owner,
-            recipients=form.cleaned_data.get("destinations"),
-            disable_emails=form.cleaned_data.get("disable_emails", False),
-        )
-        report.store_local_copy()
-        recurrence = form.cleaned_data.get("recurrence")
-        if recurrence and recurrence != ClientReportSchedule.PERIODICITY_NONE:
-            schedule = ClientReportSchedule.objects.create(
-                owner=owner,
-                created_by=request.user if request.user.is_authenticated else None,
-                periodicity=recurrence,
-                email_recipients=form.cleaned_data.get("destinations", []),
-                disable_emails=form.cleaned_data.get("disable_emails", False),
+    if request.method == "POST":
+        if not request.user.is_authenticated:
+            form.is_valid()  # Run validation to surface field errors alongside auth error.
+            form.add_error(
+                None, _("You must log in to generate client reports."),
             )
-            report.schedule = schedule
-            report.save(update_fields=["schedule"])
-            messages.success(
-                request,
-                _(
-                    "Client report schedule created; future reports will be generated automatically."
-                ),
-            )
-    context = {"form": form, "report": report, "schedule": schedule}
+        elif form.is_valid():
+            throttle_seconds = getattr(settings, "CLIENT_REPORT_THROTTLE_SECONDS", 60)
+            throttle_keys = []
+            if request.user.is_authenticated:
+                throttle_keys.append(f"client-report:user:{request.user.pk}")
+            remote_addr = request.META.get("HTTP_X_FORWARDED_FOR")
+            if remote_addr:
+                remote_addr = remote_addr.split(",")[0].strip()
+            remote_addr = remote_addr or request.META.get("REMOTE_ADDR")
+            if remote_addr:
+                throttle_keys.append(f"client-report:ip:{remote_addr}")
+
+            added_keys = []
+            blocked = False
+            for key in throttle_keys:
+                if cache.add(key, timezone.now(), throttle_seconds):
+                    added_keys.append(key)
+                else:
+                    blocked = True
+                    break
+
+            if blocked:
+                for key in added_keys:
+                    cache.delete(key)
+                form.add_error(
+                    None,
+                    _(
+                        "Client reports can only be generated periodically. Please wait before trying again."
+                    ),
+                )
+            else:
+                owner = form.cleaned_data.get("owner")
+                if not owner and request.user.is_authenticated:
+                    owner = request.user
+                report = ClientReport.generate(
+                    form.cleaned_data["start"],
+                    form.cleaned_data["end"],
+                    owner=owner,
+                    recipients=form.cleaned_data.get("destinations"),
+                    disable_emails=form.cleaned_data.get("disable_emails", False),
+                )
+                report.store_local_copy()
+                recurrence = form.cleaned_data.get("recurrence")
+                if recurrence and recurrence != ClientReportSchedule.PERIODICITY_NONE:
+                    schedule = ClientReportSchedule.objects.create(
+                        owner=owner,
+                        created_by=request.user if request.user.is_authenticated else None,
+                        periodicity=recurrence,
+                        email_recipients=form.cleaned_data.get("destinations", []),
+                        disable_emails=form.cleaned_data.get("disable_emails", False),
+                    )
+                    report.schedule = schedule
+                    report.save(update_fields=["schedule"])
+                    messages.success(
+                        request,
+                        _(
+                            "Client report schedule created; future reports will be generated automatically."
+                        ),
+                    )
+    try:
+        login_url = reverse("pages:login")
+    except NoReverseMatch:
+        try:
+            login_url = reverse("login")
+        except NoReverseMatch:
+            login_url = getattr(settings, "LOGIN_URL", None)
+
+    context = {
+        "form": form,
+        "report": report,
+        "schedule": schedule,
+        "login_url": login_url,
+    }
     return render(request, "pages/client_report.html", context)
 
 
@@ -760,3 +1019,53 @@ def csrf_failure(request, reason=""):
     """Custom CSRF failure view with a friendly message."""
     logger.warning("CSRF failure on %s: %s", request.path, reason)
     return render(request, "pages/csrf_failure.html", status=403)
+
+
+def _admin_context(request):
+    context = admin.site.each_context(request)
+    if not context.get("has_permission"):
+        rf = RequestFactory()
+        mock_request = rf.get(request.path)
+        mock_request.user = SimpleNamespace(
+            is_active=True,
+            is_staff=True,
+            is_superuser=True,
+            has_perm=lambda perm, obj=None: True,
+            has_module_perms=lambda app_label: True,
+        )
+        context["available_apps"] = admin.site.get_app_list(mock_request)
+        context["has_permission"] = True
+    return context
+
+
+def admin_manual_list(request):
+    manuals = UserManual.objects.order_by("title")
+    context = _admin_context(request)
+    context["manuals"] = manuals
+    return render(request, "admin_doc/manuals.html", context)
+
+
+def admin_manual_detail(request, slug):
+    manual = get_object_or_404(UserManual, slug=slug)
+    context = _admin_context(request)
+    context["manual"] = manual
+    return render(request, "admin_doc/manual_detail.html", context)
+
+
+def manual_pdf(request, slug):
+    manual = get_object_or_404(UserManual, slug=slug)
+    pdf_data = base64.b64decode(manual.content_pdf)
+    response = HttpResponse(pdf_data, content_type="application/pdf")
+    response["Content-Disposition"] = f'attachment; filename="{manual.slug}.pdf"'
+    return response
+
+
+@landing(_("Manuals"))
+def manual_list(request):
+    manuals = UserManual.objects.order_by("title")
+    return render(request, "pages/manual_list.html", {"manuals": manuals})
+
+
+def manual_detail(request, slug):
+    manual = get_object_or_404(UserManual, slug=slug)
+    return render(request, "pages/manual_detail.html", {"manual": manual})