portal.py 21 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508
  1. # -*- coding: utf-8 -*-
  2. # Part of Odoo. See LICENSE file for full copyright and licensing details.
  3. import base64
  4. import json
  5. import math
  6. import re
  7. from werkzeug import urls
  8. from odoo import http, tools, _, SUPERUSER_ID
  9. from odoo.exceptions import AccessDenied, AccessError, MissingError, UserError, ValidationError
  10. from odoo.http import content_disposition, Controller, request, route
  11. from odoo.tools import consteq
  12. # --------------------------------------------------
  13. # Misc tools
  14. # --------------------------------------------------
  15. def pager(url, total, page=1, step=30, scope=5, url_args=None):
  16. """ Generate a dict with required value to render `website.pager` template.
  17. This method computes url, page range to display, ... in the pager.
  18. :param str url : base url of the page link
  19. :param int total : number total of item to be splitted into pages
  20. :param int page : current page
  21. :param int step : item per page
  22. :param int scope : number of page to display on pager
  23. :param dict url_args : additionnal parameters to add as query params to page url
  24. :returns dict
  25. """
  26. # Compute Pager
  27. page_count = int(math.ceil(float(total) / step))
  28. page = max(1, min(int(page if str(page).isdigit() else 1), page_count))
  29. scope -= 1
  30. pmin = max(page - int(math.floor(scope/2)), 1)
  31. pmax = min(pmin + scope, page_count)
  32. if pmax - pmin < scope:
  33. pmin = pmax - scope if pmax - scope > 0 else 1
  34. def get_url(page):
  35. _url = "%s/page/%s" % (url, page) if page > 1 else url
  36. if url_args:
  37. _url = "%s?%s" % (_url, urls.url_encode(url_args))
  38. return _url
  39. return {
  40. "page_count": page_count,
  41. "offset": (page - 1) * step,
  42. "page": {
  43. 'url': get_url(page),
  44. 'num': page
  45. },
  46. "page_first": {
  47. 'url': get_url(1),
  48. 'num': 1
  49. },
  50. "page_start": {
  51. 'url': get_url(pmin),
  52. 'num': pmin
  53. },
  54. "page_previous": {
  55. 'url': get_url(max(pmin, page - 1)),
  56. 'num': max(pmin, page - 1)
  57. },
  58. "page_next": {
  59. 'url': get_url(min(pmax, page + 1)),
  60. 'num': min(pmax, page + 1)
  61. },
  62. "page_end": {
  63. 'url': get_url(pmax),
  64. 'num': pmax
  65. },
  66. "page_last": {
  67. 'url': get_url(page_count),
  68. 'num': page_count
  69. },
  70. "pages": [
  71. {'url': get_url(page_num), 'num': page_num} for page_num in range(pmin, pmax+1)
  72. ]
  73. }
  74. def get_records_pager(ids, current):
  75. if current.id in ids and (hasattr(current, 'website_url') or hasattr(current, 'access_url')):
  76. attr_name = 'access_url' if hasattr(current, 'access_url') else 'website_url'
  77. idx = ids.index(current.id)
  78. prev_record = idx != 0 and current.browse(ids[idx - 1])
  79. next_record = idx < len(ids) - 1 and current.browse(ids[idx + 1])
  80. if prev_record and prev_record[attr_name] and attr_name == "access_url":
  81. prev_url = '%s?access_token=%s' % (prev_record[attr_name], prev_record._portal_ensure_token())
  82. elif prev_record and prev_record[attr_name]:
  83. prev_url = prev_record[attr_name]
  84. else:
  85. prev_url = prev_record
  86. if next_record and next_record[attr_name] and attr_name == "access_url":
  87. next_url = '%s?access_token=%s' % (next_record[attr_name], next_record._portal_ensure_token())
  88. elif next_record and next_record[attr_name]:
  89. next_url = next_record[attr_name]
  90. else:
  91. next_url = next_record
  92. return {
  93. 'prev_record': prev_url,
  94. 'next_record': next_url,
  95. }
  96. return {}
  97. def _build_url_w_params(url_string, query_params, remove_duplicates=True):
  98. """ Rebuild a string url based on url_string and correctly compute query parameters
  99. using those present in the url and those given by query_params. Having duplicates in
  100. the final url is optional. For example:
  101. * url_string = '/my?foo=bar&error=pay'
  102. * query_params = {'foo': 'bar2', 'alice': 'bob'}
  103. * if remove duplicates: result = '/my?foo=bar2&error=pay&alice=bob'
  104. * else: result = '/my?foo=bar&foo=bar2&error=pay&alice=bob'
  105. """
  106. url = urls.url_parse(url_string)
  107. url_params = url.decode_query()
  108. if remove_duplicates: # convert to standard dict instead of werkzeug multidict to remove duplicates automatically
  109. url_params = url_params.to_dict()
  110. url_params.update(query_params)
  111. return url.replace(query=urls.url_encode(url_params)).to_url()
  112. class CustomerPortal(Controller):
  113. MANDATORY_BILLING_FIELDS = ["name", "phone", "email", "street", "city", "country_id"]
  114. OPTIONAL_BILLING_FIELDS = ["zipcode", "state_id", "vat", "company_name"]
  115. _items_per_page = 80
  116. def _prepare_portal_layout_values(self):
  117. """Values for /my/* templates rendering.
  118. Does not include the record counts.
  119. """
  120. # get customer sales rep
  121. sales_user_sudo = request.env['res.users']
  122. partner_sudo = request.env.user.partner_id
  123. if partner_sudo.user_id and not partner_sudo.user_id._is_public():
  124. sales_user_sudo = partner_sudo.user_id
  125. return {
  126. 'sales_user': sales_user_sudo,
  127. 'page_name': 'home',
  128. }
  129. def _prepare_home_portal_values(self, counters):
  130. """Values for /my & /my/home routes template rendering.
  131. Includes the record count for the displayed badges.
  132. where 'counters' is the list of the displayed badges
  133. and so the list to compute.
  134. """
  135. return {}
  136. @route(['/my/counters'], type='json', auth="user", website=True)
  137. def counters(self, counters, **kw):
  138. return self._prepare_home_portal_values(counters)
  139. @route(['/my', '/my/home'], type='http', auth="user", website=True)
  140. def home(self, **kw):
  141. values = self._prepare_portal_layout_values()
  142. return request.render("portal.portal_my_home", values)
  143. @route(['/my/account'], type='http', auth='user', website=True)
  144. def account(self, redirect=None, **post):
  145. values = self._prepare_portal_layout_values()
  146. partner = request.env.user.partner_id
  147. values.update({
  148. 'error': {},
  149. 'error_message': [],
  150. })
  151. if post and request.httprequest.method == 'POST':
  152. error, error_message = self.details_form_validate(post)
  153. values.update({'error': error, 'error_message': error_message})
  154. values.update(post)
  155. if not error:
  156. values = {key: post[key] for key in self.MANDATORY_BILLING_FIELDS}
  157. values.update({key: post[key] for key in self.OPTIONAL_BILLING_FIELDS if key in post})
  158. for field in set(['country_id', 'state_id']) & set(values.keys()):
  159. try:
  160. values[field] = int(values[field])
  161. except:
  162. values[field] = False
  163. values.update({'zip': values.pop('zipcode', '')})
  164. self.on_account_update(values, partner)
  165. partner.sudo().write(values)
  166. if redirect:
  167. return request.redirect(redirect)
  168. return request.redirect('/my/home')
  169. countries = request.env['res.country'].sudo().search([])
  170. states = request.env['res.country.state'].sudo().search([])
  171. values.update({
  172. 'partner': partner,
  173. 'countries': countries,
  174. 'states': states,
  175. 'has_check_vat': hasattr(request.env['res.partner'], 'check_vat'),
  176. 'partner_can_edit_vat': partner.can_edit_vat(),
  177. 'redirect': redirect,
  178. 'page_name': 'my_details',
  179. })
  180. response = request.render("portal.portal_my_details", values)
  181. response.headers['X-Frame-Options'] = 'SAMEORIGIN'
  182. response.headers['Content-Security-Policy'] = "frame-ancestors 'self'"
  183. return response
  184. def on_account_update(self, values, partner):
  185. pass
  186. @route('/my/security', type='http', auth='user', website=True, methods=['GET', 'POST'])
  187. def security(self, **post):
  188. values = self._prepare_portal_layout_values()
  189. values['get_error'] = get_error
  190. values['allow_api_keys'] = bool(request.env['ir.config_parameter'].sudo().get_param('portal.allow_api_keys'))
  191. values['open_deactivate_modal'] = False
  192. if request.httprequest.method == 'POST':
  193. values.update(self._update_password(
  194. post['old'].strip(),
  195. post['new1'].strip(),
  196. post['new2'].strip()
  197. ))
  198. return request.render('portal.portal_my_security', values, headers={
  199. 'X-Frame-Options': 'SAMEORIGIN',
  200. 'Content-Security-Policy': "frame-ancestors 'self'"
  201. })
  202. def _update_password(self, old, new1, new2):
  203. for k, v in [('old', old), ('new1', new1), ('new2', new2)]:
  204. if not v:
  205. return {'errors': {'password': {k: _("You cannot leave any password empty.")}}}
  206. if new1 != new2:
  207. return {'errors': {'password': {'new2': _("The new password and its confirmation must be identical.")}}}
  208. try:
  209. request.env['res.users'].change_password(old, new1)
  210. except AccessDenied as e:
  211. msg = e.args[0]
  212. if msg == AccessDenied().args[0]:
  213. msg = _('The old password you provided is incorrect, your password was not changed.')
  214. return {'errors': {'password': {'old': msg}}}
  215. except UserError as e:
  216. return {'errors': {'password': e.name}}
  217. # update session token so the user does not get logged out (cache cleared by passwd change)
  218. new_token = request.env.user._compute_session_token(request.session.sid)
  219. request.session.session_token = new_token
  220. return {'success': {'password': True}}
  221. @route('/my/deactivate_account', type='http', auth='user', website=True, methods=['POST'])
  222. def deactivate_account(self, validation, password, **post):
  223. values = self._prepare_portal_layout_values()
  224. values['get_error'] = get_error
  225. values['open_deactivate_modal'] = True
  226. if validation != request.env.user.login:
  227. values['errors'] = {'deactivate': 'validation'}
  228. else:
  229. try:
  230. request.env['res.users']._check_credentials(password, {'interactive': True})
  231. request.env.user.sudo()._deactivate_portal_user(**post)
  232. request.session.logout()
  233. return request.redirect('/web/login?message=%s' % urls.url_quote(_('Account deleted!')))
  234. except AccessDenied:
  235. values['errors'] = {'deactivate': 'password'}
  236. except UserError as e:
  237. values['errors'] = {'deactivate': {'other': str(e)}}
  238. return request.render('portal.portal_my_security', values, headers={
  239. 'X-Frame-Options': 'SAMEORIGIN',
  240. 'Content-Security-Policy': "frame-ancestors 'self'",
  241. })
  242. @http.route('/portal/attachment/add', type='http', auth='public', methods=['POST'], website=True)
  243. def attachment_add(self, name, file, res_model, res_id, access_token=None, **kwargs):
  244. """Process a file uploaded from the portal chatter and create the
  245. corresponding `ir.attachment`.
  246. The attachment will be created "pending" until the associated message
  247. is actually created, and it will be garbage collected otherwise.
  248. :param name: name of the file to save.
  249. :type name: string
  250. :param file: the file to save
  251. :type file: werkzeug.FileStorage
  252. :param res_model: name of the model of the original document.
  253. To check access rights only, it will not be saved here.
  254. :type res_model: string
  255. :param res_id: id of the original document.
  256. To check access rights only, it will not be saved here.
  257. :type res_id: int
  258. :param access_token: access_token of the original document.
  259. To check access rights only, it will not be saved here.
  260. :type access_token: string
  261. :return: attachment data {id, name, mimetype, file_size, access_token}
  262. :rtype: dict
  263. """
  264. try:
  265. self._document_check_access(res_model, int(res_id), access_token=access_token)
  266. except (AccessError, MissingError) as e:
  267. raise UserError(_("The document does not exist or you do not have the rights to access it."))
  268. IrAttachment = request.env['ir.attachment']
  269. access_token = False
  270. # Avoid using sudo or creating access_token when not necessary: internal
  271. # users can create attachments, as opposed to public and portal users.
  272. if not request.env.user._is_internal():
  273. IrAttachment = IrAttachment.sudo().with_context(binary_field_real_user=IrAttachment.env.user)
  274. access_token = IrAttachment._generate_access_token()
  275. # At this point the related message does not exist yet, so we assign
  276. # those specific res_model and res_is. They will be correctly set
  277. # when the message is created: see `portal_chatter_post`,
  278. # or garbage collected otherwise: see `_garbage_collect_attachments`.
  279. attachment = IrAttachment.create({
  280. 'name': name,
  281. 'datas': base64.b64encode(file.read()),
  282. 'res_model': 'mail.compose.message',
  283. 'res_id': 0,
  284. 'access_token': access_token,
  285. })
  286. return request.make_response(
  287. data=json.dumps(attachment.read(['id', 'name', 'mimetype', 'file_size', 'access_token'])[0]),
  288. headers=[('Content-Type', 'application/json')]
  289. )
  290. @http.route('/portal/attachment/remove', type='json', auth='public')
  291. def attachment_remove(self, attachment_id, access_token=None):
  292. """Remove the given `attachment_id`, only if it is in a "pending" state.
  293. The user must have access right on the attachment or provide a valid
  294. `access_token`.
  295. """
  296. try:
  297. attachment_sudo = self._document_check_access('ir.attachment', int(attachment_id), access_token=access_token)
  298. except (AccessError, MissingError) as e:
  299. raise UserError(_("The attachment does not exist or you do not have the rights to access it."))
  300. if attachment_sudo.res_model != 'mail.compose.message' or attachment_sudo.res_id != 0:
  301. raise UserError(_("The attachment %s cannot be removed because it is not in a pending state.", attachment_sudo.name))
  302. if attachment_sudo.env['mail.message'].search([('attachment_ids', 'in', attachment_sudo.ids)]):
  303. raise UserError(_("The attachment %s cannot be removed because it is linked to a message.", attachment_sudo.name))
  304. return attachment_sudo.unlink()
  305. def details_form_validate(self, data, partner_creation=False):
  306. error = dict()
  307. error_message = []
  308. # Validation
  309. for field_name in self.MANDATORY_BILLING_FIELDS:
  310. if not data.get(field_name):
  311. error[field_name] = 'missing'
  312. # email validation
  313. if data.get('email') and not tools.single_email_re.match(data.get('email')):
  314. error["email"] = 'error'
  315. error_message.append(_('Invalid Email! Please enter a valid email address.'))
  316. # vat validation
  317. partner = request.env.user.partner_id
  318. if data.get("vat") and partner and partner.vat != data.get("vat"):
  319. # Check the VAT if it is the public user too.
  320. if partner_creation or partner.can_edit_vat():
  321. if hasattr(partner, "check_vat"):
  322. if data.get("country_id"):
  323. data["vat"] = request.env["res.partner"].fix_eu_vat_number(int(data.get("country_id")), data.get("vat"))
  324. partner_dummy = partner.new({
  325. 'vat': data['vat'],
  326. 'country_id': (int(data['country_id'])
  327. if data.get('country_id') else False),
  328. })
  329. try:
  330. partner_dummy.check_vat()
  331. except ValidationError as e:
  332. error["vat"] = 'error'
  333. error_message.append(e.args[0])
  334. else:
  335. error_message.append(_('Changing VAT number is not allowed once document(s) have been issued for your account. Please contact us directly for this operation.'))
  336. # error message for empty required fields
  337. if [err for err in error.values() if err == 'missing']:
  338. error_message.append(_('Some required fields are empty.'))
  339. unknown = [k for k in data if k not in self.MANDATORY_BILLING_FIELDS + self.OPTIONAL_BILLING_FIELDS]
  340. if unknown:
  341. error['common'] = 'Unknown field'
  342. error_message.append("Unknown field '%s'" % ','.join(unknown))
  343. return error, error_message
  344. def _document_check_access(self, model_name, document_id, access_token=None):
  345. """Check if current user is allowed to access the specified record.
  346. :param str model_name: model of the requested record
  347. :param int document_id: id of the requested record
  348. :param str access_token: record token to check if user isn't allowed to read requested record
  349. :return: expected record, SUDOED, with SUPERUSER context
  350. :raise MissingError: record not found in database, might have been deleted
  351. :raise AccessError: current user isn't allowed to read requested document (and no valid token was given)
  352. """
  353. document = request.env[model_name].browse([document_id])
  354. document_sudo = document.with_user(SUPERUSER_ID).exists()
  355. if not document_sudo:
  356. raise MissingError(_("This document does not exist."))
  357. try:
  358. document.check_access_rights('read')
  359. document.check_access_rule('read')
  360. except AccessError:
  361. if not access_token or not document_sudo.access_token or not consteq(document_sudo.access_token, access_token):
  362. raise
  363. return document_sudo
  364. def _get_page_view_values(self, document, access_token, values, session_history, no_breadcrumbs, **kwargs):
  365. """Include necessary values for portal chatter & pager setup (see template portal.message_thread).
  366. :param document: record to display on portal
  367. :param str access_token: provided document access token
  368. :param dict values: base dict of values where chatter rendering values should be added
  369. :param str session_history: key used to store latest records browsed on the portal in the session
  370. :param bool no_breadcrumbs:
  371. :return: updated values
  372. :rtype: dict
  373. """
  374. values['object'] = document
  375. if access_token:
  376. # if no_breadcrumbs = False -> force breadcrumbs even if access_token to `invite` users to register if they click on it
  377. values['no_breadcrumbs'] = no_breadcrumbs
  378. values['access_token'] = access_token
  379. values['token'] = access_token # for portal chatter
  380. # Those are used notably whenever the payment form is implied in the portal.
  381. if kwargs.get('error'):
  382. values['error'] = kwargs['error']
  383. if kwargs.get('warning'):
  384. values['warning'] = kwargs['warning']
  385. if kwargs.get('success'):
  386. values['success'] = kwargs['success']
  387. # Email token for posting messages in portal view with identified author
  388. if kwargs.get('pid'):
  389. values['pid'] = kwargs['pid']
  390. if kwargs.get('hash'):
  391. values['hash'] = kwargs['hash']
  392. history = request.session.get(session_history, [])
  393. values.update(get_records_pager(history, document))
  394. return values
  395. def _show_report(self, model, report_type, report_ref, download=False):
  396. if report_type not in ('html', 'pdf', 'text'):
  397. raise UserError(_("Invalid report type: %s", report_type))
  398. ReportAction = request.env['ir.actions.report'].sudo()
  399. if hasattr(model, 'company_id'):
  400. if len(model.company_id) > 1:
  401. raise UserError(_('Multi company reports are not supported.'))
  402. ReportAction = ReportAction.with_company(model.company_id)
  403. method_name = '_render_qweb_%s' % (report_type)
  404. report = getattr(ReportAction, method_name)(report_ref, list(model.ids), data={'report_type': report_type})[0]
  405. reporthttpheaders = [
  406. ('Content-Type', 'application/pdf' if report_type == 'pdf' else 'text/html'),
  407. ('Content-Length', len(report)),
  408. ]
  409. if report_type == 'pdf' and download:
  410. filename = "%s.pdf" % (re.sub('\W+', '-', model._get_report_base_filename()))
  411. reporthttpheaders.append(('Content-Disposition', content_disposition(filename)))
  412. return request.make_response(report, headers=reporthttpheaders)
  413. def get_error(e, path=''):
  414. """ Recursively dereferences `path` (a period-separated sequence of dict
  415. keys) in `e` (an error dict or value), returns the final resolution IIF it's
  416. an str, otherwise returns None
  417. """
  418. for k in (path.split('.') if path else []):
  419. if not isinstance(e, dict):
  420. return None
  421. e = e.get(k)
  422. return e if isinstance(e, str) else None