Carry next URL through authentication

src/core/janeway_global_settings.py

@@ -169,6 +169,7 @@
             ],
             'builtins': [
                 'core.templatetags.fqdn',
+                'security.templatetags.securitytags',
                 'django.templatetags.i18n',
             ]
         },

src/core/locales/cy/LC_MESSAGES/django.po

@@ -393,7 +393,7 @@ msgstr ""
 
 #: src/core/views.py:355
 msgid ""
-"Your account has been created, please follow theinstructions in the email "
+"Your account has been created. Please follow theinstructions in the email "
 "that has been sent to you."
 msgstr ""
 

src/core/locales/de/LC_MESSAGES/django.po

@@ -382,7 +382,7 @@ msgstr "Falls Ihr Konto gefunden wurde, wurde Ihnen eine E-Mail geschickt."
 
 #: src/core/views.py:355
 msgid ""
-"Your account has been created, please follow theinstructions in the email "
+"Your account has been created. Please follow the instructions in the email "
 "that has been sent to you."
 msgstr ""
 "Ihr Konto wurde angelegt. Bitte folgen Sie den Anweisungen aus der E-Mail, "

src/core/locales/en_us/LC_MESSAGES/django.po

@@ -373,7 +373,7 @@ msgstr ""
 
 #: src/core/views.py:355
 msgid ""
-"Your account has been created, please follow theinstructions in the email "
+"Your account has been created. Please follow the instructions in the email "
 "that has been sent to you."
 msgstr ""
 

src/core/locales/es/LC_MESSAGES/django.po

@@ -4440,7 +4440,9 @@ msgid "\n"
 msgstr ""
 
 #: src/core/views.py:355
-msgid "Your account has been created, please follow theinstructions in the email that has been sent to you."
+msgid ""
+"Your account has been created. Please follow the instructions in the email "
+"that has been sent to you."
 msgstr ""
 
 #: src/core/views.py:400

src/core/locales/fr/LC_MESSAGES/django.po

@@ -394,7 +394,7 @@ msgstr ""
 
 #: src/core/views.py:355
 msgid ""
-"Your account has been created, please follow theinstructions in the email "
+"Your account has been created. Please follow the instructions in the email "
 "that has been sent to you."
 msgstr ""
 

src/core/locales/it/LC_MESSAGES/django.po

@@ -395,7 +395,7 @@ msgstr ""
 
 #: src/core/views.py:355
 msgid ""
-"Your account has been created, please follow theinstructions in the email "
+"Your account has been created. Please follow the instructions in the email "
 "that has been sent to you."
 msgstr ""
 

src/core/locales/nl/LC_MESSAGES/django.po

@@ -389,7 +389,7 @@ msgstr ""
 
 #: src/core/views.py:355
 msgid ""
-"Your account has been created, please follow theinstructions in the email "
+"Your account has been created. Please follow the instructions in the email "
 "that has been sent to you."
 msgstr ""
 
@@ -2435,13 +2435,15 @@ msgstr ""
 msgid ""
 "All authors must agree to the below statements in order to submit an article "
 "to"
-msgstr ""
+msgstr "Alle auteurs moeten zich akkoord verklaren met onderstaande stellingen "
+"om een artikel te publiceren in"
 
 #: src/templates/admin/submission/start.html:24
 msgid ""
 "If you do not agree with these terms you will be unable to proceed with your "
 "submission."
-msgstr ""
+msgstr "Als je je niet akkoord verklaart met deze voorwaarden "
+"kan je niet verdergaan met deze inzending."
 
 #: src/templates/admin/submission/start.html:29
 msgid "Publication Fees"

src/core/logic.py

@@ -11,13 +11,14 @@
 import operator
 import re
 from functools import reduce
+from urllib.parse import unquote, urlparse
 
 from django.conf import settings
 from django.contrib.auth import logout
 from django.contrib import messages
 from django.template.loader import get_template
 from django.db.models import Q
-from django.http import JsonResponse
+from django.http import JsonResponse, QueryDict
 from django.forms.models import model_to_dict
 from django.shortcuts import reverse
 from django.utils import timezone
@@ -35,81 +36,117 @@
 logger = get_logger(__name__)
 
 
+def get_raw_next_url(next_url, request):
+    """
+    Get the next_url passed in or the 'next' on the request, as raw unicode.
+    :param next_url: an optional string with the path and query parts of
+                     a destination URL -- overrides any 'next' in request data
+    :param request: HttpRequest, optionally containing 'next' in GET or POST
+    """
+    if not next_url:
+        next_url = request.GET.get('next', '') or request.POST.get('next', '')
+    return unquote(next_url)
+
+
+def reverse_with_next(url_name, request, next_url='', args=None, kwargs=None):
+    """
+    Reverse a URL but keep the 'next' parameter that exists on the request
+    or that the caller wants to introduce.
+    The value of 'next' on the request or 'next_url' can be in raw unicode or
+    it can have been percent-encoded one time.
+    :param request: HttpRequest, optionally containing 'next' in GET or POST
+    :param next_url: an optional string with the path and query parts of
+                     a destination URL -- overrides any 'next' in request data
+    :param args: args to pass to django.shortcuts.reverse, if no kwargs
+    :param kwargs: kwargs to pass to django.shortcuts.reverse, if no args
+    """
+    # reverse can only accept either args or kwargs
+    if args:
+        reversed_url = reverse(url_name, args=args)
+    elif kwargs:
+        reversed_url = reverse(url_name, kwargs=kwargs)
+    else:
+        reversed_url = reverse(url_name)
+
+    raw_next_url = get_raw_next_url(next_url, request)
+
+    if not raw_next_url:
+        return reversed_url
+
+    if reversed_url == raw_next_url:
+        # Avoid circular next URLs
+        return reversed_url
+
+    # Parse the reversed URL string enough to safely update the query parameters.
+    # Then re-encode them into a query string and generate the final URL.
+    parsed_url = urlparse(reversed_url) # ParseResult
+    parsed_query = QueryDict(parsed_url.query, mutable=True) # mutable QueryDict
+    parsed_query.update({'next': raw_next_url})
+    # We treat / as safe to match the default behavior
+    # of the |urlencode template filter,
+    # which is where many next URLs are created
+    new_query_string = parsed_query.urlencode(safe="/") # Full percent-encoded query string
+    return parsed_url._replace(query=new_query_string).geturl()
+
+
 def send_reset_token(request, reset_token):
     core_reset_password_url = request.site_type.site_url(
         reverse(
             'core_reset_password',
             kwargs={'token': reset_token.token},
-        )
+        ),
+        query={'next': get_raw_next_url('', request)},
     )
     context = {
         'reset_token': reset_token,
         'core_reset_password_url': core_reset_password_url,
     }
     log_dict = {'level': 'Info', 'types': 'Reset Token', 'target': None}
-    if not request.journal:
-        message = render_template.get_message_content(
-            request,
-            context,
-            request.press.password_reset_text,
-            template_is_setting=True,
-        )
-    else:
-        message = render_template.get_message_content(
-            request,
-            context,
-            'password_reset',
-        )
-
-    subject = 'subject_password_reset'
-
-    notify_helpers.send_email_with_body_from_user(
+    notify_helpers.send_email_with_body_from_setting_template(
         request,
-        subject,
+        'password_reset',
+        'subject_password_reset',
         reset_token.account.email,
-        message,
+        context,
         log_dict=log_dict,
     )
 
 
-def send_confirmation_link(request, new_user):
-    core_confirm_account_url = request.site_type.site_url(
+def get_confirm_account_url(request, user, next_url=''):
+    return request.site_type.site_url(
         reverse(
             'core_confirm_account',
-            kwargs={'token': new_user.confirmation_code},
-        )
+            kwargs={'token': user.confirmation_code},
+        ),
+        query={'next': get_raw_next_url(next_url, request)},
     )
+
+
+def send_confirmation_link(request, new_user):
+    core_confirm_account_url = get_confirm_account_url(request, new_user)
+    if request.journal:
+        site_name = request.journal.name
+    elif request.repository:
+        site_name = request.repository.name
+    else:
+        site_name = request.press.name
     context = {
         'user': new_user,
+        'site_name': site_name,
         'core_confirm_account_url': core_confirm_account_url,
     }
-    if not request.journal:
-        message = render_template.get_message_content(
-            request,
-            context,
-            request.press.registration_text,
-            template_is_setting=True,
-        )
-    else:
-        message = render_template.get_message_content(
-            request,
-            context,
-            'new_user_registration',
-        )
-
-    subject = 'subject_new_user_registration'
-
     notify_helpers.send_slack(
         request,
         'New registration: {0}'.format(new_user.full_name()),
         ['slack_admins'],
     )
     log_dict = {'level': 'Info', 'types': 'Account Confirmation', 'target': None}
-    notify_helpers.send_email_with_body_from_user(
+    notify_helpers.send_email_with_body_from_setting_template(
         request,
-        subject,
+        'new_user_registration',
+        'subject_new_user_registration',
         new_user.email,
-        message,
+        context,
         log_dict=log_dict,
     )
 
@@ -644,20 +681,18 @@ def handle_article_thumb_image_file(uploaded_file, article, request):
         article.save()
 
 
-def handle_email_change(request, email_address):
+def handle_email_change(request, email_address, next_url=''):
     request.user.email = email_address
     request.user.is_active = False
     request.user.confirmation_code = uuid.uuid4()
     request.user.clean()
     request.user.save()
 
-    core_confirm_account_url = request.site_type.site_url(
-        reverse(
-            'core_confirm_account',
-            kwargs={'token': request.user.confirmation_code},
-        )
+    core_confirm_account_url = get_confirm_account_url(
+        request,
+        request.user,
+        next_url=next_url,
     )
-
     context = {
         'user': request.user,
         'core_confirm_account_url': core_confirm_account_url,
@@ -868,7 +903,7 @@ def check_for_bad_login_attempts(request):
     time = timezone.now() - timedelta(minutes=10)
 
     attempts = models.LoginAttempt.objects.filter(user_agent=user_agent, ip_address=ip_address, timestamp__gte=time)
-    print(time, attempts.count())
+    logger.debug(f'Bad login attempt {attempts.count()+1} at {time}')
     return attempts.count()
 
 

src/core/migrations/0096_alter_account_activation_code_and_more.py

@@ -3,6 +3,8 @@
 import core.model_utils
 from django.db import migrations, models
 
+import utils
+
 
 class Migration(migrations.Migration):
 
@@ -19,32 +21,32 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='account',
             name='department',
-            field=core.model_utils.JanewayBleachCharField(blank=True, max_length=300, verbose_name='Department'),
+            field=models.CharField(blank=True, max_length=300, verbose_name='Department', validators=[utils.forms.plain_text_validator]),
         ),
         migrations.AlterField(
             model_name='account',
             name='first_name',
-            field=core.model_utils.JanewayBleachCharField(max_length=300, verbose_name='First name'),
+            field=models.CharField(max_length=300, verbose_name='First name', validators=[utils.forms.plain_text_validator]),
         ),
         migrations.AlterField(
             model_name='account',
             name='institution',
-            field=core.model_utils.JanewayBleachCharField(blank=True, max_length=1000, verbose_name='Institution'),
+            field=models.CharField(blank=True, max_length=1000, verbose_name='Institution', validators=[utils.forms.plain_text_validator]),
         ),
         migrations.AlterField(
             model_name='account',
             name='last_name',
-            field=core.model_utils.JanewayBleachCharField(max_length=300, verbose_name='Last name'),
+            field=models.CharField(max_length=300, verbose_name='Last name', validators=[utils.forms.plain_text_validator]),
         ),
         migrations.AlterField(
             model_name='account',
             name='middle_name',
-            field=core.model_utils.JanewayBleachCharField(blank=True, max_length=300, verbose_name='Middle name'),
+            field=models.CharField(blank=True, max_length=300, verbose_name='Middle name', validators=[utils.forms.plain_text_validator]),
         ),
         migrations.AlterField(
             model_name='account',
             name='salutation',
-            field=core.model_utils.JanewayBleachCharField(blank=True, choices=[('Miss', 'Miss'), ('Ms', 'Ms'), ('Mrs', 'Mrs'), ('Mr', 'Mr'), ('Mx', 'Mx'), ('Dr', 'Dr'), ('Prof.', 'Prof.')], max_length=10, verbose_name='Salutation'),
+            field=models.CharField(blank=True, choices=[('Miss', 'Miss'), ('Ms', 'Ms'), ('Mrs', 'Mrs'), ('Mr', 'Mr'), ('Mx', 'Mx'), ('Dr', 'Dr'), ('Prof.', 'Prof.')], max_length=10, verbose_name='Salutation', validators=[utils.forms.plain_text_validator]),
         ),
         migrations.AlterField(
             model_name='account',
@@ -54,6 +56,6 @@ class Migration(migrations.Migration):
         migrations.AlterField(
             model_name='account',
             name='suffix',
-            field=core.model_utils.JanewayBleachCharField(blank=True, max_length=300, verbose_name='Name suffix'),
+            field=models.CharField(blank=True, max_length=300, verbose_name='Name suffix', validators=[utils.forms.plain_text_validator]),
         ),
     ]