seperate login level for APDA board (#504)

* add seperate login level for apda board to manage results

Author: JoeyRubas

Pipfile

@@ -36,6 +36,7 @@ six = "==1.17.0"
 exceptiongroup = "==1.3.0"
 wrapt = "==1.17.3"
 pyyaml = "==5.3.1"
+nplusone = "*"
 
 [requires]
 python_version = "3.10.16"

Pipfile.lock

@@ -179,4 +179,6 @@
 ]
 
 # Ignore bad random CI warning
-linkcheck_ignore = [r"https://www\.wikiwand\.com/en/articles/Blossom_algorithm.*"]
+linkcheck_ignore = [
+    r"https://www\.wikiwand\.com/en/articles/Blossom_algorithm",
+]

docs/conf.py

@@ -0,0 +1,18 @@
+from django.contrib.auth.backends import ModelBackend
+
+from mittab.apps.tab.auth_roles import is_apda_board_access_open, is_apda_board_user
+
+
+class TabAuthenticationBackend(ModelBackend):
+    """Enforce APDA board access timing while preserving default auth behavior."""
+
+    def authenticate(self, request, username=None, password=None, **kwargs):
+        user = super().authenticate(
+            request,
+            username=username,
+            password=password,
+            **kwargs,
+        )
+        if user and is_apda_board_user(user) and not is_apda_board_access_open():
+            return None
+        return user

mittab/apps/tab/auth_backends.py

@@ -0,0 +1,23 @@
+from mittab.apps.tab.models import Round, TabSettings
+
+APDA_BOARD_GROUP_NAME = "APDA Board"
+
+
+def is_apda_board_user(user):
+    if not user or not user.is_authenticated:
+        return False
+    if user.is_superuser:
+        return False
+    return user.groups.filter(name=APDA_BOARD_GROUP_NAME).exists()
+
+
+def is_apda_board_access_open():
+    """APDA board access opens once the final inround has been paired."""
+    try:
+        total_inrounds = int(TabSettings.get("tot_rounds"))
+    except (TypeError, ValueError):
+        return False
+
+    if total_inrounds < 1:
+        return False
+    return Round.objects.filter(round_number=total_inrounds).exists()

mittab/apps/tab/auth_roles.py

@@ -33,6 +33,12 @@ class Meta:
         fields = "__all__"
 
 
+class SchoolApdaIdForm(forms.ModelForm):
+    class Meta:
+        model = School
+        fields = ["apda_id"]
+
+
 class RoomForm(forms.ModelForm):
     def __init__(self, *args, **kwargs):
         entry = "first_entry" in kwargs
@@ -240,6 +246,12 @@ class Meta:
         exclude = ["tiebreaker"]
 
 
+class DebaterApdaIdForm(forms.ModelForm):
+    class Meta:
+        model = Debater
+        fields = ["apda_id"]
+
+
 def validate_speaks(value):
     if not (TabSettings.get("min_speak", 0) <= value <= TabSettings.get(
             "max_speak", 50)):

mittab/apps/tab/forms.py

@@ -3,8 +3,10 @@
 
 from django.core.management import call_command
 from django.contrib.auth import get_user_model
+from django.contrib.auth.models import Group
 from django.core.management.base import BaseCommand
 
+from mittab.apps.tab.auth_roles import APDA_BOARD_GROUP_NAME
 from mittab.apps.tab.models import TabSettings
 from mittab.libs.backup import backup_round, BEFORE_NEW_TOURNAMENT, INITIAL
 
@@ -26,6 +28,12 @@ def add_arguments(self, parser):
             help="Password for the entry user",
             nargs="?",
             default=USER_MODEL.objects.make_random_password(length=8))
+        parser.add_argument(
+            "--apda-board-password",
+            dest="apda_board_password",
+            help="Password for the APDA Board user",
+            nargs="?",
+            default=None)
         parser.add_argument(
             "--first-init",
             dest="first_init",
@@ -35,6 +43,12 @@ def add_arguments(self, parser):
             default=False)
 
     def handle(self, *args, **options):
+        apda_board_password = (
+            options.get("apda_board_password")
+            or os.environ.get("BOARD_PASSWORD")
+            or USER_MODEL.objects.make_random_password(length=16)
+        )
+
         if not options["first_init"]:
             self.stdout.write("Backing up the previous tournament data")
             backup_round(btype=BEFORE_NEW_TOURNAMENT)
@@ -48,13 +62,16 @@ def handle(self, *args, **options):
             print(why)
             sys.exit(1)
 
-        self.stdout.write("Creating tab/entry users")
+        self.stdout.write("Creating tab/entry/APDA Board users")
         tab = USER_MODEL.objects.create_user("tab", None, options["tab_password"])
         tab.is_staff = True
         tab.is_admin = True
         tab.is_superuser = True
         tab.save()
         USER_MODEL.objects.create_user("entry", None, options["entry_password"])
+        apda_board = USER_MODEL.objects.create_user("board", None, apda_board_password)
+        apda_board_group, _ = Group.objects.get_or_create(name=APDA_BOARD_GROUP_NAME)
+        apda_board.groups.add(apda_board_group)
 
         self.stdout.write("Setting default tab settings")
         TabSettings.set("tot_rounds", 5)
@@ -73,5 +90,9 @@ def handle(self, *args, **options):
         self.stdout.write(
             f"{'entry'.ljust(10, ' ')} | {options['entry_password'].ljust(10, ' ')}"
         )
+        self.stdout.write(
+            f"{'board'.ljust(10, ' ')} | "
+            f"{apda_board_password.ljust(10, ' ')}"
+        )
         if options["first_init"]:
             backup_round(name="initial-tournament", btype=INITIAL)

mittab/apps/tab/management/commands/initialize_tourney.py

@@ -1,10 +1,12 @@
 import re
 from urllib.parse import urlsplit
 
+from django.contrib.auth import logout
 from django.contrib.auth.views import LoginView
 from django.http import HttpResponse, JsonResponse
 from django.utils.http import url_has_allowed_host_and_scheme
 
+from mittab.apps.tab.auth_roles import is_apda_board_access_open, is_apda_board_user
 from mittab.apps.tab.helpers import redirect_and_flash_info
 from mittab.apps.tab.public_rankings import get_standings_publication_setting
 from mittab.libs.backup import is_backup_active
@@ -40,6 +42,19 @@
     "team": "Team results not published",
     "shared": "Standings data not published",
 }
+APDA_BOARD_ALLOWED_PREFIXES = (
+    "/apda-board/",
+    "/public/",
+    "/accounts/logout/",
+    "/admin/logout/",
+    "/403/",
+    "/404/",
+    "/500/",
+    "/favicon.ico",
+    "/static/",
+    "/dynamic-media/",
+)
+APDA_BOARD_ALLOWED_EXACT_PATHS = ("/", "/archive/black_rod_bundle/")
 
 
 class Login:
@@ -50,6 +65,22 @@ def __init__(self, get_response):
 
     def __call__(self, request):
         path = request.path
+        if request.user.is_authenticated and is_apda_board_user(request.user):
+            if not is_apda_board_access_open():
+                logout(request)
+                return redirect_and_flash_info(
+                    request,
+                    "APDA Board login activates after the final inround is paired.",
+                    path="/public/",
+                )
+            if path not in APDA_BOARD_ALLOWED_EXACT_PATHS and \
+                    not path.startswith(APDA_BOARD_ALLOWED_PREFIXES):
+                return redirect_and_flash_info(
+                    request,
+                    "APDA Board access is limited to APDA tools and public pages.",
+                    path="/403/",
+                )
+
         should_store_return_to = (
             request.method == "GET"
             and not request.path.startswith("/api/")

mittab/apps/tab/middleware.py

@@ -1,6 +1,7 @@
 from django import template
 from django.forms.fields import FileField
 
+from mittab.apps.tab.auth_roles import is_apda_board_user
 from mittab.apps.tab.helpers import get_redirect_target
 from mittab.apps.tab.models import TabSettings
 from mittab.apps.tab.public_rankings import get_public_display_flags
@@ -89,3 +90,8 @@ def public_display_flags():
 def motions_enabled():
     """Returns True if motions feature is enabled."""
     return bool(TabSettings.get("motions_enabled", 0))
+
+
+@register.simple_tag
+def is_apda_board(user):
+    return is_apda_board_user(user)