Merge branch 'main' into tour

- we need to do this because of conflicting migrations

bookwyrm/views/__init__.py

@@ -28,7 +28,7 @@ from .admin.user_admin import UserAdmin, UserAdminList
 # user preferences
 from .preferences.change_password import ChangePassword
 from .preferences.edit_user import EditUser
-from .preferences.export import Export, export_user_book_data
+from .preferences.export import Export
 from .preferences.delete_user import DeleteUser
 from .preferences.block import Block, unblock
 

bookwyrm/views/follow.py

@@ -1,7 +1,9 @@
 """ views for actions you can take in the application """
 import urllib.parse
 import re
+
 from django.contrib.auth.decorators import login_required
+from django.http import HttpResponse
 from django.shortcuts import get_object_or_404, redirect
 from django.template.response import TemplateResponse
 from django.views.decorators.http import require_POST
@@ -13,6 +15,7 @@ from .helpers import (
     handle_remote_webfinger,
     subscribe_remote_webfinger,
     WebFingerError,
+    is_api_request,
 )
 
 
@@ -34,6 +37,8 @@ def follow(request):
         # that means we should save to trigger a re-broadcast
         follow_request.save()
 
+    if is_api_request(request):
+        return HttpResponse()
     return redirect(to_follow.local_path)
 
 
@@ -58,8 +63,10 @@ def unfollow(request):
     except models.UserFollowRequest.DoesNotExist:
         clear_cache(request.user, to_unfollow)
 
+    if is_api_request(request):
+        return HttpResponse()
     # this is handled with ajax so it shouldn't really matter
-    return redirect(request.headers.get("Referer", "/"))
+    return redirect("/")
 
 
 @login_required

bookwyrm/views/goal.py

@@ -70,7 +70,7 @@ class Goal(View):
                 privacy=goal.privacy,
             )
 
-        return redirect(request.headers.get("Referer", "/"))
+        return redirect("user-goal", request.user.localname, year)
 
 
 @require_POST
@@ -79,4 +79,4 @@ def hide_goal(request):
     """don't keep bugging people to set a goal"""
     request.user.show_goal = False
     request.user.save(broadcast=False, update_fields=["show_goal"])
-    return redirect(request.headers.get("Referer", "/"))
+    return redirect("/")

bookwyrm/views/interaction.py

@@ -28,7 +28,7 @@ class Favorite(View):
 
         if is_api_request(request):
             return HttpResponse()
-        return redirect(request.headers.get("Referer", "/"))
+        return redirect("/")
 
 
 @method_decorator(login_required, name="dispatch")
@@ -48,7 +48,7 @@ class Unfavorite(View):
         favorite.delete()
         if is_api_request(request):
             return HttpResponse()
-        return redirect(request.headers.get("Referer", "/"))
+        return redirect("/")
 
 
 @method_decorator(login_required, name="dispatch")
@@ -67,7 +67,7 @@ class Boost(View):
             boosted_status=status, user=request.user
         ).exists():
             # you already boosted that.
-            return redirect(request.headers.get("Referer", "/"))
+            return redirect("/")
 
         models.Boost.objects.create(
             boosted_status=status,
@@ -76,7 +76,7 @@ class Boost(View):
         )
         if is_api_request(request):
             return HttpResponse()
-        return redirect(request.headers.get("Referer", "/"))
+        return redirect("/")
 
 
 @method_decorator(login_required, name="dispatch")
@@ -94,4 +94,4 @@ class Unboost(View):
         boost.delete()
         if is_api_request(request):
             return HttpResponse()
-        return redirect(request.headers.get("Referer", "/"))
+        return redirect("/")

bookwyrm/views/landing/login.py

@@ -58,7 +58,7 @@ class Login(View):
             user.update_active_date()
             if request.POST.get("first_login"):
                 return set_language(user, redirect("get-started-profile"))
-            return set_language(user, redirect(request.GET.get("next", "/")))
+            return set_language(user, redirect("/"))
 
         # maybe the user is pending email confirmation
         if models.User.objects.filter(
@@ -77,7 +77,7 @@ class Login(View):
 class Logout(View):
     """log out"""
 
-    def get(self, request):
+    def post(self, request):
         """done with this place! outa here!"""
         logout(request)
         return redirect("/")

bookwyrm/views/landing/password.py

@@ -5,7 +5,7 @@ from django.shortcuts import redirect
 from django.template.response import TemplateResponse
 from django.views import View
 
-from bookwyrm import models
+from bookwyrm import forms, models
 from bookwyrm.emailing import password_reset_email
 
 
@@ -57,7 +57,8 @@ class PasswordReset(View):
         except models.PasswordReset.DoesNotExist:
             raise PermissionDenied()
 
-        return TemplateResponse(request, "landing/password_reset.html", {"code": code})
+        data = {"code": code, "form": forms.PasswordResetForm()}
+        return TemplateResponse(request, "landing/password_reset.html", data)
 
     def post(self, request, code):
         """allow a user to change their password through an emailed token"""
@@ -68,14 +69,12 @@ class PasswordReset(View):
             return TemplateResponse(request, "landing/password_reset.html", data)
 
         user = reset_code.user
-
-        new_password = request.POST.get("password")
-        confirm_password = request.POST.get("confirm-password")
-
-        if new_password != confirm_password:
-            data = {"errors": ["Passwords do not match"]}
+        form = forms.PasswordResetForm(request.POST, instance=user)
+        if not form.is_valid():
+            data = {"code": code, "form": form}
             return TemplateResponse(request, "landing/password_reset.html", data)
 
+        new_password = form.cleaned_data["password"]
         user.set_password(new_password)
         user.save(broadcast=False, update_fields=["password"])
         login(request, user)

bookwyrm/views/landing/register.py

@@ -134,19 +134,19 @@ class ConfirmEmail(View):
 class ResendConfirmEmail(View):
     """you probably didn't get the email because celery is slow but you can try this"""
 
-    def get(self, request, error=False):
+    def get(self, request):
         """resend link landing page"""
-        return TemplateResponse(request, "confirm_email/resend.html", {"error": error})
+        return TemplateResponse(request, "confirm_email/resend.html")
 
     def post(self, request):
         """resend confirmation link"""
         email = request.POST.get("email")
         try:
             user = models.User.objects.get(email=email)
+            emailing.email_confirmation_email(user)
         except models.User.DoesNotExist:
-            return self.get(request, error=True)
+            pass
 
-        emailing.email_confirmation_email(user)
         return TemplateResponse(
             request, "confirm_email/confirm_email.html", {"valid": True}
         )

bookwyrm/views/preferences/change_password.py

@@ -1,10 +1,12 @@
 """ class views for password management """
 from django.contrib.auth import login
 from django.contrib.auth.decorators import login_required
-from django.shortcuts import redirect
 from django.template.response import TemplateResponse
 from django.utils.decorators import method_decorator
 from django.views import View
+from django.views.decorators.debug import sensitive_variables, sensitive_post_parameters
+
+from bookwyrm import forms
 
 
 # pylint: disable= no-self-use
@@ -14,18 +16,24 @@ class ChangePassword(View):
 
     def get(self, request):
         """change password page"""
-        data = {"user": request.user}
+        data = {"form": forms.ChangePasswordForm()}
         return TemplateResponse(request, "preferences/change_password.html", data)
 
+    @method_decorator(sensitive_variables("new_password"))
+    @method_decorator(sensitive_post_parameters("current_password"))
+    @method_decorator(sensitive_post_parameters("password"))
+    @method_decorator(sensitive_post_parameters("confirm_password"))
     def post(self, request):
         """allow a user to change their password"""
-        new_password = request.POST.get("password")
-        confirm_password = request.POST.get("confirm-password")
-
-        if new_password != confirm_password:
-            return redirect("prefs-password")
+        form = forms.ChangePasswordForm(request.POST, instance=request.user)
+        if not form.is_valid():
+            data = {"form": form}
+            return TemplateResponse(request, "preferences/change_password.html", data)
 
+        new_password = form.cleaned_data["password"]
         request.user.set_password(new_password)
         request.user.save(broadcast=False, update_fields=["password"])
+
         login(request, request.user)
-        return redirect("user-feed", request.user.localname)
+        data = {"success": True, "form": forms.ChangePasswordForm()}
+        return TemplateResponse(request, "preferences/change_password.html", data)

bookwyrm/views/preferences/export.py

@@ -7,7 +7,6 @@ from django.http import StreamingHttpResponse
 from django.template.response import TemplateResponse
 from django.views import View
 from django.utils.decorators import method_decorator
-from django.views.decorators.http import require_GET
 
 from bookwyrm import models
 
@@ -20,35 +19,34 @@ class Export(View):
         """Request csv file"""
         return TemplateResponse(request, "preferences/export.html")
 
-
-@login_required
-@require_GET
-def export_user_book_data(request):
-    """Streaming the csv file of a user's book data"""
-    data = (
-        models.Edition.viewer_aware_objects(request.user)
-        .filter(
-            Q(shelves__user=request.user)
-            | Q(readthrough__user=request.user)
-            | Q(review__user=request.user)
-            | Q(comment__user=request.user)
-            | Q(quotation__user=request.user)
+    def post(self, request):
+        """Streaming the csv file of a user's book data"""
+        data = (
+            models.Edition.viewer_aware_objects(request.user)
+            .filter(
+                Q(shelves__user=request.user)
+                | Q(readthrough__user=request.user)
+                | Q(review__user=request.user)
+                | Q(comment__user=request.user)
+                | Q(quotation__user=request.user)
+            )
+            .distinct()
         )
-        .distinct()
-    )
 
-    generator = csv_row_generator(data, request.user)
+        generator = csv_row_generator(data, request.user)
 
-    pseudo_buffer = Echo()
-    writer = csv.writer(pseudo_buffer)
-    # for testing, if you want to see the results in the browser:
-    # from django.http import JsonResponse
-    # return JsonResponse(list(generator), safe=False)
-    return StreamingHttpResponse(
-        (writer.writerow(row) for row in generator),
-        content_type="text/csv",
-        headers={"Content-Disposition": 'attachment; filename="bookwyrm-export.csv"'},
-    )
+        pseudo_buffer = Echo()
+        writer = csv.writer(pseudo_buffer)
+        # for testing, if you want to see the results in the browser:
+        # from django.http import JsonResponse
+        # return JsonResponse(list(generator), safe=False)
+        return StreamingHttpResponse(
+            (writer.writerow(row) for row in generator),
+            content_type="text/csv",
+            headers={
+                "Content-Disposition": 'attachment; filename="bookwyrm-export.csv"'
+            },
+        )
 
 
 def csv_row_generator(books, user):

bookwyrm/views/reading.py

@@ -79,13 +79,11 @@ class ReadingStatus(View):
         current_status_shelfbook = shelves[0] if shelves else None
 
         # checking the referer prevents redirecting back to the modal page
-        referer = request.headers.get("Referer", "/")
-        referer = "/" if "reading-status" in referer else referer
         if current_status_shelfbook is not None:
             if current_status_shelfbook.shelf.identifier != desired_shelf.identifier:
                 current_status_shelfbook.delete()
             else:  # It already was on the shelf
-                return redirect(referer)
+                return redirect("/")
 
         models.ShelfBook.objects.create(
             book=book, shelf=desired_shelf, user=request.user
@@ -123,7 +121,7 @@ class ReadingStatus(View):
         if is_api_request(request):
             return HttpResponse()
 
-        return redirect(referer)
+        return redirect("/")
 
 
 @method_decorator(login_required, name="dispatch")
@@ -205,7 +203,7 @@ def delete_readthrough(request):
     readthrough.raise_not_deletable(request.user)
 
     readthrough.delete()
-    return redirect(request.headers.get("Referer", "/"))
+    return redirect("/")
 
 
 @login_required
@@ -216,4 +214,4 @@ def delete_progressupdate(request):
     update.raise_not_deletable(request.user)
 
     update.delete()
-    return redirect(request.headers.get("Referer", "/"))
+    return redirect("/")

bookwyrm/views/shelf/shelf_actions.py

@@ -13,9 +13,11 @@ def create_shelf(request):
     """user generated shelves"""
     form = forms.ShelfForm(request.POST)
     if not form.is_valid():
-        return redirect(request.headers.get("Referer", "/"))
+        return redirect("user-shelves", request.user.localname)
 
-    shelf = form.save()
+    shelf = form.save(commit=False)
+    shelf.raise_not_editable(request.user)
+    shelf.save()
     return redirect(shelf.local_path)
 
 
@@ -70,7 +72,7 @@ def shelve(request):
             ):
                 current_read_status_shelfbook.delete()
             else:  # It is already on the shelf
-                return redirect(request.headers.get("Referer", "/"))
+                return redirect("/")
 
         # create the new shelf-book entry
         models.ShelfBook.objects.create(
@@ -86,7 +88,7 @@ def shelve(request):
         # Might be good to alert, or reject the action?
         except IntegrityError:
             pass
-    return redirect(request.headers.get("Referer", "/"))
+    return redirect("/")
 
 
 @login_required
@@ -100,4 +102,4 @@ def unshelve(request, book_id=False):
     )
     shelf_book.raise_not_deletable(request.user)
     shelf_book.delete()
-    return redirect(request.headers.get("Referer", "/"))
+    return redirect("/")

bookwyrm/views/status.py

@@ -82,9 +82,10 @@ class CreateStatus(View):
             if is_api_request(request):
                 logger.exception(form.errors)
                 return HttpResponseBadRequest()
-            return redirect(request.headers.get("Referer", "/"))
+            return redirect("/")
 
         status = form.save(commit=False)
+        status.raise_not_editable(request.user)
         # save the plain, unformatted version of the status for future editing
         status.raw_content = status.content
         if hasattr(status, "quote"):
@@ -146,7 +147,7 @@ class DeleteStatus(View):
 
         # perform deletion
         status.delete()
-        return redirect(request.headers.get("Referer", "/"))
+        return redirect("/")
 
 
 @login_required
@@ -195,7 +196,7 @@ def edit_readthrough(request):
 
     if is_api_request(request):
         return HttpResponse()
-    return redirect(request.headers.get("Referer", "/"))
+    return redirect("/")
 
 
 def find_mentions(content):

bookwyrm/views/user.py

@@ -164,7 +164,7 @@ def hide_suggestions(request):
     """not everyone wants user suggestions"""
     request.user.show_suggested_users = False
     request.user.save(broadcast=False, update_fields=["show_suggested_users"])
-    return redirect(request.headers.get("Referer", "/"))
+    return redirect("/")
 
 
 # pylint: disable=unused-argument