django-nativemojo 0.1.10__py3-none-any.whl → 0.1.16__py3-none-any.whl

mojo/apps/account/models/push/device.py

@@ -0,0 +1,66 @@
+from django.db import models
+from mojo.models import MojoModel
+
+
+class RegisteredDevice(models.Model, MojoModel):
+    """
+    Represents a device explicitly registered for push notifications via REST API.
+    Separate from UserDevice which tracks browser sessions via duid/user-agent.
+    """
+    created = models.DateTimeField(auto_now_add=True, editable=False, db_index=True)
+    modified = models.DateTimeField(auto_now=True, db_index=True)
+
+    user = models.ForeignKey("account.User", on_delete=models.CASCADE, related_name='registered_devices')
+
+    # Device identification
+    device_token = models.TextField(db_index=True, help_text="Push token from platform")
+    device_id = models.CharField(max_length=255, db_index=True, help_text="App-provided device ID")
+    platform = models.CharField(max_length=20, choices=[
+        ('ios', 'iOS'),
+        ('android', 'Android'),
+        ('web', 'Web')
+    ], db_index=True)
+
+    # Device info
+    app_version = models.CharField(max_length=50, blank=True)
+    os_version = models.CharField(max_length=50, blank=True)
+    device_name = models.CharField(max_length=100, blank=True)
+
+    # Push preferences
+    push_enabled = models.BooleanField(default=True, db_index=True)
+    push_preferences = models.JSONField(default=dict, blank=True,
+                                      help_text="Category-based notification preferences")
+
+    # Status tracking
+    is_active = models.BooleanField(default=True, db_index=True)
+    last_seen = models.DateTimeField(auto_now=True)
+
+    class Meta:
+        unique_together = [('user', 'device_id'), ('device_token', 'platform')]
+        ordering = ['-last_seen']
+
+    class RestMeta:
+        VIEW_PERMS = ["view_devices", "manage_devices", "owner", "manage_users"]
+        SAVE_PERMS = ["manage_devices", "owner"]
+        SEARCH_FIELDS = ["device_name", "device_id"]
+        LIST_DEFAULT_FILTERS = {"is_active": True}
+        GRAPHS = {
+            "basic": {
+                "fields": ["id", "device_id", "platform", "device_name", "push_enabled", "last_seen"]
+            },
+            "default": {
+                "fields": ["id", "device_id", "platform", "device_name", "app_version",
+                          "os_version", "push_enabled", "push_preferences", "last_seen"],
+                "graphs": {
+                    "user": "basic"
+                }
+            },
+            "full": {
+                "graphs": {
+                    "user": "default"
+                }
+            }
+        }
+
+    def __str__(self):
+        return f"{self.device_name or self.device_id} ({self.platform}) - {self.user.username}"

mojo/apps/account/models/push/template.py

@@ -0,0 +1,99 @@
+from django.db import models
+from mojo.models import MojoModel
+
+
+class NotificationTemplate(models.Model, MojoModel):
+    """
+    Reusable notification templates with variable substitution support.
+    """
+    created = models.DateTimeField(auto_now_add=True, editable=False, db_index=True)
+    modified = models.DateTimeField(auto_now=True, db_index=True)
+
+    group = models.ForeignKey("account.Group", on_delete=models.CASCADE,
+                             related_name="notification_templates", null=True, blank=True,
+                             help_text="Organization for this template. Null = system template")
+
+    name = models.CharField(max_length=100, db_index=True)
+    title_template = models.CharField(max_length=200, blank=True, null=True)
+    body_template = models.TextField(blank=True, null=True)
+    action_url = models.URLField(blank=True, null=True, help_text="Template URL with variable support")
+    data_template = models.JSONField(default=dict, blank=True,
+                                   help_text="Template data payload with variable support")
+
+    # Delivery preferences
+    category = models.CharField(max_length=50, default="general", db_index=True)
+    priority = models.CharField(max_length=20, choices=[
+        ('low', 'Low'),
+        ('normal', 'Normal'),
+        ('high', 'High')
+    ], default='normal', db_index=True)
+
+    # Template variables documentation
+    variables = models.JSONField(default=dict, blank=True,
+                               help_text="Expected template variables and descriptions for title, body, action_url, and data_template")
+
+    is_active = models.BooleanField(default=True, db_index=True)
+
+    class Meta:
+        ordering = ['group__name', 'name']
+        unique_together = [('group', 'name')]
+
+    class RestMeta:
+        VIEW_PERMS = ["manage_notifications", "manage_groups", "owner", "manage_users"]
+        SAVE_PERMS = ["manage_notifications", "manage_groups"]
+        SEARCH_FIELDS = ["name", "category"]
+        LIST_DEFAULT_FILTERS = {"is_active": True}
+        GRAPHS = {
+            "basic": {
+                "fields": ["id", "name", "category", "priority", "is_active"]
+            },
+            "default": {
+                "fields": ["id", "name", "title_template", "body_template", "action_url",
+                          "data_template", "category", "priority", "variables", "is_active"],
+                "graphs": {
+                    "group": "basic"
+                }
+            },
+            "full": {
+                "graphs": {
+                    "group": "default"
+                }
+            }
+        }
+
+    def __str__(self):
+        org = self.group.name if self.group else "System"
+        return f"{self.name} ({org})"
+
+    def clean(self):
+        """Validate that at least one template field is provided."""
+        from django.core.exceptions import ValidationError
+
+        has_title = self.title_template and self.title_template.strip()
+        has_body = self.body_template and self.body_template.strip()
+        has_data = self.data_template and bool(self.data_template)
+
+        if not (has_title or has_body or has_data):
+            raise ValidationError(
+                "Template must have at least one of: title_template, body_template, or data_template"
+            )
+
+    def render(self, context):
+        """
+        Render template with provided context variables.
+        Returns tuple of (title, body, action_url, data)
+        """
+        title = self.title_template.format(**context) if self.title_template else None
+        body = self.body_template.format(**context) if self.body_template else None
+        action_url = self.action_url.format(**context) if self.action_url else None
+
+        # Render data template with context
+        data = {}
+        if self.data_template:
+            for key, value in self.data_template.items():
+                if isinstance(value, str):
+                    data[key] = value.format(**context)
+                else:
+                    data[key] = value
+
+        return title, body, action_url, data

mojo/apps/account/models/user.py

@@ -5,10 +5,31 @@ from mojo.helpers.settings import settings
 from mojo import errors as merrors
 from mojo.helpers import dates
 from mojo.apps.account.utils.jwtoken import JWToken
+from mojo.apps import metrics
+from .device import UserDevice
 import uuid
 
+SYS_USER_PERMS_PROTECTION = {
+    "manage_users": "manage_users",
+    "manage_groups": "manage_users",
+    "view_logs": "manage_users",
+    "view_incidents": "manage_users",
+    "view_admin": "manage_users",
+    "view_taskqueue": "manage_users",
+    "view_global": "manage_users",
+    "manage_notifications": "manage_users",
+    "manage_files": "manage_users",
+    "force_single_session": "manage_users",
+    "file_vault": "manage_users",
+    "manage_aws": "manage_users"
+}
+
 USER_PERMS_PROTECTION = settings.get("USER_PERMS_PROTECTION", {})
+USER_PERMS_PROTECTION.update(SYS_USER_PERMS_PROTECTION)
+
 USER_LAST_ACTIVITY_FREQ = settings.get("USER_LAST_ACTIVITY_FREQ", 300)
+METRICS_TIMEZONE = settings.get("METRICS_TIMEZONE", "America/Los_Angeles")
+METRICS_TRACK_USER_ACTIVITY = settings.get("METRICS_TRACK_USER_ACTIVITY", False)
 
 class CustomUserManager(BaseUserManager):
     def create_user(self, email, password=None, **extra_fields):
@@ -43,6 +64,11 @@ class User(MojoSecrets, AbstractBaseUser, MojoModel):
     phone_number = models.CharField(max_length=32, blank=True, null=True, default=None)
     is_active = models.BooleanField(default=True, db_index=True)
     display_name = models.CharField(max_length=80, blank=True, null=True, default=None)
+
+    # Organization relationship for push config resolution
+    org = models.ForeignKey("account.Group", on_delete=models.SET_NULL,
+                           null=True, blank=True, related_name="org_users",
+                           help_text="Default organization for this user")
     # key used for sessions and general authentication algs
     auth_key = models.TextField(null=True, default=None)
     onetime_code = models.TextField(null=True, default=None)
@@ -62,10 +88,15 @@ class User(MojoSecrets, AbstractBaseUser, MojoModel):
     is_email_verified = models.BooleanField(default=False)
     is_phone_verified = models.BooleanField(default=False)
 
+    avatar = models.ForeignKey('fileman.File', on_delete=models.SET_NULL,
+        null=True, blank=True, related_name='+')
+
     USERNAME_FIELD = 'username'
     objects = CustomUserManager()
 
     class RestMeta:
+        LOG_CHANGES = True
+        POST_SAVE_ACTIONS = ['send_invite']
         NO_SHOW_FIELDS = ["password", "auth_key", "onetime_code"]
         SEARCH_FIELDS = ["username", "email", "display_name"]
         VIEW_PERMS = ["view_users", "manage_users", "owner"]
@@ -80,12 +111,13 @@ class User(MojoSecrets, AbstractBaseUser, MojoModel):
                     'id',
                     'display_name',
                     'username',
-                    'email',
-                    'phone_number',
                     'last_login',
                     'last_activity',
                     'is_active'
-                ]
+                ],
+                "graphs": {
+                    "avatar": "basic"
+                }
             },
             "default": {
                 "fields": [
@@ -100,7 +132,16 @@ class User(MojoSecrets, AbstractBaseUser, MojoModel):
                     'metadata',
                     'is_active'
                 ],
+                "graphs": {
+                    "avatar": "basic",
+                    "org": "basic"
+                }
             },
+            "full": {
+                "graphs": {
+                    "avatar": "basic"
+                }
+            }
         }
 
     def __str__(self):
@@ -115,9 +156,17 @@ class User(MojoSecrets, AbstractBaseUser, MojoModel):
 
     def touch(self):
         # can't subtract offset-naive and offset-aware datetimes
+        if self.last_activity and not dates.is_today(self.last_activity, METRICS_TIMEZONE):
+            metrics.record("user_activity_day", category="user", min_granularity="days")
         if self.last_activity is None or dates.has_time_elsapsed(self.last_activity, seconds=USER_LAST_ACTIVITY_FREQ):
             self.last_activity = dates.utcnow()
             self.atomic_save()
+        if METRICS_TRACK_USER_ACTIVITY:
+            metrics.record(f"user_activity:{self.pk}", category="user", min_granularity="minutes")
+
+    def track(self, request):
+        self.touch()
+        UserDevice.track(request)
 
     def get_auth_key(self):
         if self.auth_key is None:
@@ -125,19 +174,24 @@ class User(MojoSecrets, AbstractBaseUser, MojoModel):
             self.atomic_save()
         return self.auth_key
 
-    def set_permissions(self, value, request):
+    def set_username(self, value):
+        if not isinstance(value, str):
+            raise ValueError("Username must be a string")
+        self.username = value
+
+    def set_permissions(self, value):
         if not isinstance(value, dict):
             return
         for key in value:
             if key in USER_PERMS_PROTECTION:
-                if not request.user.has_permission(USER_PERMS_PROTECTION[key]):
+                if not self.active_user.has_permission(USER_PERMS_PROTECTION[key]):
                     raise merrors.PermissionDeniedException()
-            elif not request.user.has_permission("manage_users"):
+            elif not self.active_user.has_permission("manage_users"):
                 raise merrors.PermissionDeniedException()
             if bool(value[key]):
-                self.add_permission(key)
+                self.add_permission(key, commit=False)
             else:
-                self.remove_permission(key)
+                self.remove_permission(key, commit=False)
 
     def has_module_perms(self, app_label):
         """Check if user has any permissions in a given app."""
@@ -145,7 +199,7 @@ class User(MojoSecrets, AbstractBaseUser, MojoModel):
 
     def has_permission(self, perm_key):
         """Check if user has a specific permission in JSON field."""
-        if isinstance(perm_key, list):
+        if isinstance(perm_key, (list, set)):
             for pk in perm_key:
                 if self.has_permission(pk):
                     return True
@@ -154,25 +208,39 @@ class User(MojoSecrets, AbstractBaseUser, MojoModel):
             return True
         return self.permissions.get(perm_key, False)
 
-    def add_permission(self, perm_key, value=True):
+    def add_permission(self, perm_key, value=True, commit=True):
         """Dynamically add a permission."""
+        changed = False
         if isinstance(perm_key, (list, set)):
             for pk in perm_key:
-                self.permissions[pk] = value
+                if self.permissions.get(pk) != value:
+                    self.permissions[pk] = value
+                    changed = True
         else:
-            self.permissions[perm_key] = value
-        self.save()
+            if self.permissions.get(perm_key) != value:
+                self.permissions[perm_key] = value
+                changed = True
+        if changed:
+            self.log(f"Added permission {perm_key}", "permission:added")
+        if commit and changed:
+            self.save()
 
-    def remove_permission(self, perm_key):
+    def remove_permission(self, perm_key, commit=True):
         """Remove a permission."""
+        changed = False
         if isinstance(perm_key, (list, set)):
             for pk in perm_key:
                 if pk in self.permissions:
                     del self.permissions[pk]
+                    changed = True
         else:
             if perm_key in self.permissions:
                 del self.permissions[perm_key]
-        self.save()
+                changed = True
+        if changed:
+            self.log(f"Removed permission {perm_key}", "permission:removed")
+        if commit and changed:
+            self.save()
 
     def remove_all_permissions(self):
         self.permissions = {}
@@ -182,18 +250,300 @@ class User(MojoSecrets, AbstractBaseUser, MojoModel):
         self.set_password(value)
         self.save()
 
-    def save(self, *args, **kwargs):
+    def validate_email(self):
+        import re
+        if not self.email:
+            raise merrors.ValueException("Email is required")
+        if not re.match(r"[^@]+@[^@]+\.[^@]+", str(self.email)):
+            raise merrors.ValueException("Invalid email format")
+        return True
+
+    def validate_username(self):
         if not self.username:
-            self.username = self.email.split("@")[0]
+            raise merrors.ValueException("Username is required")
+        if len(str(self.username)) <= 2:
+            raise merrors.ValueException("Username must be more than 2 characters")
+        # Check for special characters (only allow alphanumeric, underscore, dot, and @)
+        import re
+        if not re.match(r'^[a-zA-Z0-9_.@]+$', str(self.username)):
+            raise merrors.ValueException("Username can only contain letters, numbers, underscores, dots, and @")
+        # If username contains @, it must match the email field
+        if '@' in str(self.username) and str(self.username) != str(self.email):
+            raise merrors.ValueException("Username containing @ must match the email address")
+        return True
+
+    def set_new_password(self, new_password):
+        self.debug("SET NEW PASSWORD")
+        # Validate password strength
+        if len(new_password) < 8:
+            raise merrors.ValueException("Password must be at least 8 characters long")
+
+        strength_score = 0
+
+        # Length contributes to strength (longer is better)
+        if len(new_password) >= 12:
+            strength_score += 2
+        elif len(new_password) >= 10:
+            strength_score += 1
+
+        # Check for mixed case
+        has_upper = any(c.isupper() for c in new_password)
+        has_lower = any(c.islower() for c in new_password)
+        if has_upper and has_lower:
+            strength_score += 1
+
+        # Check for numbers
+        has_numbers = any(c.isdigit() for c in new_password)
+        if has_numbers:
+            strength_score += 1
+
+        # Check for special characters
+        import re
+        has_special = bool(re.search(r'[!@#$%^&*(),.?":{}|<>]', new_password))
+        if has_special:
+            strength_score += 1
+
+        # Require minimum strength score
+        if strength_score < 2:
+            raise merrors.ValueException("Password is too weak. Use a longer password or include a mix of uppercase, lowercase, numbers, and special characters")
+
+        self.set_password(new_password)
+        self._set_field_change("new_password", "*", "*********")
+
+    def can_change_password(self):
+        if self.pk == self.active_user.pk:
+            return True
+        if self.active_user.is_superuser:
+            return True
+        if self.active_user.has_permission(["manage_users"]):
+            return True
+        return False
+
+    def generate_username_from_email(self):
+        """Generate a username from email, falling back to email if username exists."""
+        if not self.email:
+            raise merrors.ValueException("Email is required to generate username")
+
+        # Try using the part before @ as username
+        potential_username = self.email.split("@")[0].lower()
+
+        # Check if this username already exists
+        qset = User.objects.filter(username=potential_username)
+        if self.pk is not None:
+            qset = qset.exclude(pk=self.pk)
+
+        # If username doesn't exist, use it
+        if not qset.exists():
+            return potential_username
+
+        # Fall back to using the full email as username
+        return self.email.lower()
+
+    def generate_display_name(self):
+        """Generate a display name from email, falling back to email if username exists."""
+        # Try using the part before @ as display name
+        # generate display name from usernames like "bob.smith", "bob_smith", "bob.smith@example.com"
+        # Extract the base part (before @ if email format)
+        base_username = self.username.split("@")[0] if "@" in self.username else self.username
+        # Replace underscores and dots with spaces, then title case
+        return base_username.replace("_", " ").replace(".", " ").title()
+
+    def on_rest_pre_save(self, changed_fields, created):
+        creds_changed = False
+        if "email" in changed_fields:
+            creds_changed = True
+            self.validate_email()
+            self.email = self.email.lower()
+            if not self.username:
+                self.username = self.generate_username_from_email()
+            elif "@" in self.username and self.username != self.email:
+                self.username = self.email
+            qset = User.objects.filter(email=self.email)
+            if self.pk is not None:
+                qset = qset.exclude(pk=self.pk)
+            if qset.exists():
+                raise merrors.ValueException("Email already exists")
+        if "username" in changed_fields:
+            creds_changed = True
+            self.validate_username()
+            self.username = self.username.lower()
+            qset = User.objects.filter(username=self.username)
+            if self.pk is not None:
+                qset = qset.exclude(pk=self.pk)
+            if qset.exists():
+                raise merrors.ValueException("Username already exists")
         if not self.display_name:
-            self.display_name = self.username
-        super().save(*args, **kwargs)
+            self.display_name = self.generate_display_name()
+        if self.pk is not None:
+            self._handle_new_user_pre_save(creds_changed, changed_fields)
+
+    def _handle_new_user_pre_save(self, creds_changed, changed_fields):
+        # only super user can change email or username
+        if creds_changed and not self.active_user.is_superuser:
+            raise merrors.PermissionDeniedException("You are not allowed to change email or username")
+        if "password" in changed_fields:
+            raise merrors.PermissionDeniedException("You are not allowed to change password")
+        if "new_password" in changed_fields:
+            if not self.can_change_password():
+                raise merrors.PermissionDeniedException("You are not allowed to change password")
+            self.debug("CHANGING PASSWORD")
+            self.log("****", kind="password:changed")
+        if "email" in changed_fields:
+            self.log(kind="email:changed", log=f"{changed_fields['email']} to {self.email}")
+        if "username" in changed_fields:
+            self.log(kind="username:changed", log=f"{changed_fields['username']} to {self.username}")
+        if "is_active" in changed_fields:
+            if not self.is_active:
+                metrics.record("user_deactivated", category="user", min_granularity="hours")
+            metrics.set_value("total_users", User.objects.filter(is_active=True).count(), account="global")
 
     def check_edit_permission(self, perms, request):
         if "owner" in perms and self.is_request_user():
             return True
         return request.user.has_permission(perms)
 
+    def on_action_send_invite(self, value):
+        self.send_invite()
+
+    def push_notification(self, title=None, body=None, data=None,
+                          category="general", action_url=None,
+                          devices=None, user_ids=None, delay=None):
+        from mojo.apps.account.services.push import send_direct_notification
+        send_direct_notification(
+            self, title=title, body=body, data=data, category=category,
+            action_url=action_url,
+            devices=devices, user_ids=user_ids, delay=delay)
+
+    def send_invite(self):
+        self.send_template_email(
+            template_name="invite",
+            context={"user": self.to_dict("basic")}
+        )
+
+    def send_email(
+        self,
+        subject=None,
+        body_text=None,
+        body_html=None,
+        cc=None,
+        bcc=None,
+        reply_to=None,
+        **kwargs
+    ):
+        """Send email to this user using mailbox determined by user's org domain or system default
+
+        Args:
+            subject: Email subject
+            body_text: Optional plain text body
+            body_html: Optional HTML body
+            cc, bcc, reply_to: Optional addressing
+            **kwargs: Additional arguments passed to mailbox.send_email()
+
+        Returns:
+            SentMessage instance
+
+        Raises:
+            ValueError: If no mailbox can be found
+        """
+        from mojo.apps.aws.models import Mailbox
+
+        mailbox = None
+
+        # Try to get mailbox from org domain
+        if self.org and hasattr(self.org, 'metadata'):
+            domain = self.org.metadata.get("domain")
+            if domain:
+                # Try domain default first
+                mailbox = Mailbox.get_domain_default(domain)
+                if not mailbox:
+                    # Try any mailbox from that domain
+                    mailbox = Mailbox.objects.filter(
+                        domain__name__iexact=domain,
+                        allow_outbound=True
+                    ).first()
+
+        # Fall back to system default
+        if not mailbox:
+            mailbox = Mailbox.get_system_default()
+
+        if not mailbox:
+            raise ValueError("No mailbox available for sending email. Please configure a system default mailbox.")
+
+        return mailbox.send_email(
+            to=self.email,
+            subject=subject,
+            body_text=body_text,
+            body_html=body_html,
+            cc=cc,
+            bcc=bcc,
+            reply_to=reply_to,
+            **kwargs
+        )
+
+    def send_template_email(
+        self,
+        template_name,
+        context=None,
+        cc=None,
+        bcc=None,
+        reply_to=None,
+        **kwargs
+    ):
+        """Send template email to this user using mailbox determined by user's org domain or system default
+
+        Args:
+            template_name: Name of the EmailTemplate in database
+            context: Template context variables (user will be added automatically)
+            cc, bcc, reply_to: Optional addressing
+            **kwargs: Additional arguments passed to mailbox.send_template_email()
+
+        Returns:
+            SentMessage instance
+
+        Raises:
+            ValueError: If no mailbox can be found or template not found
+        """
+        from mojo.apps.aws.models import Mailbox
+
+        mailbox = None
+
+        # Try to get mailbox from org domain
+        if self.org and hasattr(self.org, 'metadata'):
+            domain = self.org.metadata.get("domain")
+            if domain:
+                # Try domain default first
+                mailbox = Mailbox.get_domain_default(domain)
+                if not mailbox:
+                    # Try any mailbox from that domain
+                    mailbox = Mailbox.objects.filter(
+                        domain__name__iexact=domain,
+                        allow_outbound=True
+                    ).first()
+
+        # Fall back to system default
+        if not mailbox:
+            mailbox = Mailbox.get_system_default()
+
+        if not mailbox:
+            raise ValueError("No mailbox available for sending email. Please configure a system default mailbox.")
+
+        # Add user to context if not already present
+        if context is None:
+            context = {}
+        if 'user' not in context:
+            context['user'] = self.to_dict("basic")
+
+        return mailbox.send_template_email(
+            to=self.email,
+            template_name=template_name,
+            context=context,
+            cc=cc,
+            bcc=bcc,
+            reply_to=reply_to,
+            allow_unverified=True,
+            **kwargs
+        )
+
     @classmethod
     def validate_jwt(cls, token):
         token_manager = JWToken()

mojo/apps/account/rest/__init__.py

@@ -1,3 +1,5 @@
 APP_NAME = ""
 from .user import *
 from .group import *
+from .device import *
+from .push import *