-rw-r--r-- | core/views/user_registration.py | 53 | ||||
-rw-r--r-- | templates/login/register.html | 5 |
2 files changed, 36 insertions, 22 deletions
diff --git a/core/views/user_registration.py b/core/views/user_registration.py
index 814eb07..59990a0 100644
--- a/core/views/user_registration.py
+++ b/core/views/user_registration.py
@@ -136,33 +136,44 @@ def register(request, url_username=None):
similar to the "expo" user
(with cavey:beery password) but specific to an individual.
- We should only allow this to be done ONCE for each user-id. But this constraint seems to be broken.
+ We should only allow this to be done ONCE for each user-id.
"""
warning = ""
+ admin_notice = ""
initial_values={"visible-passwords": "True"}
print(f"{url_username=}")
-
- logged_in = (identified_login := is_identified_user(request.user))
- if logged_in:
- # logged in as a known real person with a User logon
- print(f"Already logged in as {identified_login=}, redirecting to re_register_email()")
- return re_register_email(request) # discarding url_username
-
- if not request.user.is_anonymous:
- # Anonymous users are not logged in as anybody.
- print(f"user is logged in as somebody (but not an identified person, so 'expo'), redirecting to expologout()")
- # logged in as expo or expoadmin, or as a real person, so logout invisibly before we do anything
- expologout(request) # returns a response, which we discard
-
+
+ if request.user.is_anonymous:
+ # Anonymous users are not logged in as anybody. Which is what we expect
+ pass
+ else:
+ logged_in = (identified_login := is_identified_user(request.user))
+ if logged_in:
+ # logged in as a known real person with a User logon
+ print(f"Already logged in as {identified_login=}, redirecting to re_register_email()")
+ return re_register_email(request) # discarding url_username
+ else:
+ print(f"user is logged in as somebody (but not an identified person, so must be 'expo')")
+ # logout invisibly before we do anything, 'expo' is irrelevant; but 'expoadmin' is significant!
+ # , redirecting to expologout()
+ pass
+ # expologout(request) # returns a response, which we discard
+
+ # At this point we know the request user is not logged in at all.
if url_username: # if provided in URL
- print(url_username, Person.objects.filter(slug=url_username).count())
- # This is where we need to check that this url_username has or has not already been registered.
- # to do..
+ print(url_username, "Person count",Person.objects.filter(slug=url_username).count())
if Person.objects.filter(slug=url_username).count() != 1:
# not an old expoer, so redirect to the other form
return HttpResponseRedirect("/accounts/newregister/")
-
+ # This is where we need to check that this url_username has or has not already been registered.
+ print(url_username, "User count",User.objects.filter(username=url_username).count())
+ if User.objects.filter(username=url_username).count() == 1:
+ # Do not allow registration unless superuser is logged in, oops, need to refactor/reorder
+ pass
+ admin_notice = "ADMIN PRIViedge ?!"
+
+
initial_values.update({"username": url_username})
form = register_form(initial=initial_values)
form.fields["username"].widget.attrs["readonly"]="readonly"
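Review bot: The new `User.objects.filter(username=url_username).count() == 1` branch only sets `admin_notice` and then falls through, so a username that already has a User account still gets the pre-filled registration form, even though the docstring now states the once-only rule without the old "seems to be broken" caveat. If the intent written in the branch's own comment holds, the gate could sit right there, for example `if not request.user.is_superuser: return HttpResponseRedirect("/accounts/login/")`; whether the POST path further down in `register` already blocks this case is not fully visible from this hunk. Separately, with `expologout(request)` commented out, the added comment `# At this point we know the request user is not logged in at all.` no longer holds, because an 'expo' or 'expoadmin' session reaches that line still logged in. That comment should describe the real state, e.g. `# Here the user is anonymous or logged in as 'expo'/'expoadmin'.`, so that later code does not rely on a guarantee the function no longer gives.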
@@ -177,7 +188,7 @@ def register(request, url_username=None):
pw= form.cleaned_data["password1"]
email = form.cleaned_data["email"]
expoers = User.objects.filter(username=un)
- # if this is LOGONABLE user and we are not logged on
+ # if this is a LOGONABLE user and we are not logged on
# NOT just save the data ! Anyone could do that..
# we are now in a state where password should only be re-set by email token
# but rather than redirect (off-putting) we just make the password fields read-only
@@ -191,11 +202,11 @@ def register(request, url_username=None):
# to do, login automatically, and redirect to control panel ?
form.fields["username"].widget.attrs["readonly"]="readonly"
form.fields["email"].widget.attrs["readonly"]="readonly"
- return render(request, "login/register.html", {"form": form, "email_stored": True})
+ return render(request, "login/register.html", {"form": form, "email_stored": True, "admin_notice": admin_notice, "warning": warning})
# return HttpResponseRedirect("/accounts/login/")
else: # GET
pass
- return render(request, "login/register.html", {"form": form})
+ return render(request, "login/register.html", {"form": form, "admin_notice": admin_notice, "warning": warning})
def save_users(request, updated_user, email="troggle@exposerver.expo"):
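Review bot: `admin_notice` is passed to the template on both render paths regardless of who made the request, so any visitor who opens the URL for an already-registered username is shown the bold red notice and learns that a User account exists for that name. As the text is meant for administrators, it could be filled in only when `request.user.is_superuser` is true and left as the empty string otherwise. The value itself, `"ADMIN PRIViedge ?!"`, is set earlier in `register` outside this hunk and reads as a placeholder that should be replaced before it reaches a template. `warning` is now passed as well, but it is still the empty string wherever this diff shows it.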
diff --git a/templates/login/register.html b/templates/login/register.html index 07ae34b..e025879 100644 --- a/templates/login/register.html +++ b/templates/login/register.html @@ -4,7 +4,7 @@ <!-- this overrides the django.contrib.auth default form and it must be placed in troggle/templates/login/register.html -because magic +because magic. This is because Django is Opinionated and does lots of Invisible Defaults see @@ -49,6 +49,9 @@ User Registration - for a personal login to Troggle by a known caver ALSO it behaves differently if a username is specified in the URL, when username becomes readonly --> +<span style="color:red; font-weight: bold;"> +{{ admin_notice }} +</span> <h3>Register your email address</h3> {% if newuser %} |