From 74dee5121ad0fd8bb151491a63498acc2f829e70 Mon Sep 17 00:00:00 2001
From: Tudor Amariei <tudor.amariei@commitglobal.org>
Date: Tue, 29 Oct 2024 16:02:03 +0200
Subject: [PATCH] Add impersonation on read-only

---
 backend/accounts/admin.py              | 11 +++++-
 backend/civil_society_vote/settings.py |  2 ++
 backend/hub/admin.py                   | 49 --------------------------
 backend/hub/templates/hub/header.html  |  4 +--
 4 files changed, 14 insertions(+), 52 deletions(-)

diff --git a/backend/accounts/admin.py b/backend/accounts/admin.py
index 24add759..c145ff1f 100644
--- a/backend/accounts/admin.py
+++ b/backend/accounts/admin.py
@@ -6,6 +6,7 @@
 from django.urls import reverse_lazy
 from django.utils.safestring import mark_safe
 from django.utils.translation import gettext_lazy as _
+from impersonate.admin import UserAdminImpersonateMixin
 
 from .models import User, GroupProxy
 
@@ -22,7 +23,9 @@
 
 
 @admin.register(User)
-class UserAdmin(ModelAdmin):
+class UserAdmin(UserAdminImpersonateMixin, ModelAdmin):
+    open_new_window = True
+
     list_display = (
         "email",
         "get_organization",
@@ -97,6 +100,12 @@ class UserAdmin(ModelAdmin):
         ),
     )
 
+    def change_view(self, request, object_id, form_url="", extra_context=None):
+        extra_context = extra_context or {}
+        extra_context["user_id"] = object_id
+
+        return super().change_view(request, object_id, form_url, extra_context=extra_context)
+
     def get_organization(self, obj: User):
         if not obj:
             return "-"
diff --git a/backend/civil_society_vote/settings.py b/backend/civil_society_vote/settings.py
index 10eafbb0..5a00e19f 100644
--- a/backend/civil_society_vote/settings.py
+++ b/backend/civil_society_vote/settings.py
@@ -74,6 +74,7 @@
     AUDITLOG_EXPIRY_DAYS=(int, 45),
     DATA_UPLOAD_MAX_MEMORY_SIZE=(int, 3 * MEBIBYTE),
     MAX_DOCUMENT_SIZE=(int, 2 * MEBIBYTE),
+    IMPERSONATE_READ_ONLY=(bool, False),
     # db settings
     # DATABASE_ENGINE=(str, "sqlite3"),
     DATABASE_NAME=(str, "default"),
@@ -511,6 +512,7 @@ def show_toolbar(request):
 ANALYTICS_ENABLED = env("ANALYTICS_ENABLED")
 
 IMPERSONATE = {
+    "READ_ONLY": env.bool("IMPERSONATE_READ_ONLY", default=not DEBUG),
     "REQUIRE_SUPERUSER": True,
 }
 
diff --git a/backend/hub/admin.py b/backend/hub/admin.py
index 15cbc3a0..91e8a62a 100644
--- a/backend/hub/admin.py
+++ b/backend/hub/admin.py
@@ -6,7 +6,6 @@
 from django.contrib import admin, messages
 from django.contrib.admin.filters import AllValuesFieldListFilter
 from django.contrib.admin.helpers import ACTION_CHECKBOX_NAME
-from django.contrib.auth.admin import UserAdmin
 from django.contrib.auth.models import Group
 from django.contrib.sites.shortcuts import get_current_site
 from django.db.models import Count
@@ -14,7 +13,6 @@
 from django.urls import path, reverse
 from django.utils.safestring import mark_safe
 from django.utils.translation import gettext_lazy as _
-from impersonate.admin import UserAdminImpersonateMixin
 from import_export import resources
 from import_export.admin import ImportExportModelAdmin
 from sentry_sdk import capture_message
@@ -41,53 +39,6 @@
 from hub.workers.update_organization import update_organization
 
 
-class NoUsernameUserAdmin(UserAdmin):
-    """
-    UserAdmin without the `username` field
-    """
-
-    fieldsets = (
-        (None, {"fields": ("email", "password")}),
-        (_("Personal info"), {"fields": ("first_name", "last_name")}),
-        (
-            _("Permissions"),
-            {
-                "fields": (
-                    "is_active",
-                    "is_staff",
-                    "is_superuser",
-                    "groups",
-                    "user_permissions",
-                ),
-            },
-        ),
-        (_("Important dates"), {"fields": ("last_login", "date_joined")}),
-    )
-
-
-class ImpersonableUserAdmin(UserAdminImpersonateMixin, NoUsernameUserAdmin):
-    list_display = ("email", "get_groups", "is_active", "is_staff", "is_superuser")
-    open_new_window = True
-    pass
-
-    def change_view(self, request, object_id, form_url="", extra_context=None):
-        extra_context = extra_context or {}
-        extra_context["user_id"] = object_id
-        return super().change_view(request, object_id, form_url, extra_context=extra_context)
-
-    def get_groups(self, obj=None):
-        if obj:
-            groups = obj.groups.all().values_list("name", flat=True)
-            return ", ".join(groups)
-
-    get_groups.short_description = _("groups")
-
-
-# NOTE: This is needed in order for impersonation to work
-# admin.site.unregister(User)
-admin.site.register(User, ImpersonableUserAdmin)
-
-
 class CountyFilter(AllValuesFieldListFilter):
     template = "admin/dropdown_filter.html"
 
diff --git a/backend/hub/templates/hub/header.html b/backend/hub/templates/hub/header.html
index c9c81fdb..a9dcc458 100644
--- a/backend/hub/templates/hub/header.html
+++ b/backend/hub/templates/hub/header.html
@@ -110,10 +110,10 @@
                 <a href="{% url 'impersonate-stop' %}" class="navbar-item" style="color:red; text-align:center;">
                   {% trans "STOP IMPERSONATING" %}<br>{{ request.user.email }}
                 </a>
+              {% else %}
+                <a href="{% url 'account_logout' %}" class="navbar-item">{% trans "Logout" %}</a>
               {% endif %}
 
-              <a href="{% url 'account_logout' %}" class="navbar-item">{% trans "Logout" %}</a>
-
             {% else %}
 
               <a href="{% url 'login_landing' %}" class="navbar-item">