Trying to get view working without exposing project to the world

tos/models.py

@@ -4,6 +4,8 @@ from django.db import models
 
 from django.utils.translation import ugettext_lazy as _ 
 
+class NoActiveTermsOfService(ValidationError): pass
+
 class BaseModel(models.Model):
     
     created     = models.DateTimeField(auto_now_add=True, editable=False)
@@ -15,8 +17,11 @@ class BaseModel(models.Model):
 class TermsOfServiceManager(models.Manager):
     
     def get_current_tos(self):
-        return super(TermsOfServiceManager, self).get_query_set().get(active=True)
-        
+        try:
+            return super(TermsOfServiceManager, self).get_query_set().get(active=True)
+        except TermsOfService.DoesNotExist:
+            raise NoActiveTermsOfService('Please create an active Terms-of-Service')
+
 
 class TermsOfService(BaseModel):
 
@@ -44,7 +49,7 @@ class TermsOfService(BaseModel):
             
         else:
             if not TermsOfService.objects.exclude(id=self.id).filter(active=True):
-                raise ValidationError('One of the terms of service must be marked active')
+                raise NoActiveTermsOfService('One of the terms of service must be marked active')
 
         super(TermsOfService,self).save(*args, **kwargs)
         

tos/templates/tos/tos_check.html

@@ -0,0 +1,10 @@
+<h2>Terms of Service as of {{ tos.created }}</h2>
+
+{{ tos.content }}
+
+<h2>Accept Terms of Service?</h2>
+
+<form method="post" action="#">
+    <button type="submit" name="accept">accept</button>
+    <button type="submit" name="reject">reject</button>
+</form>

tos/views.py

@@ -10,9 +10,11 @@ from django.template import RequestContext
 from django.views.decorators.cache import never_cache
 from django.views.decorators.csrf import csrf_protect
 
+from tos.models import has_user_agreed_latest_tos, TermsOfService
+
 @csrf_protect
 @never_cache
-def login(request, template_name='registration/login.html',
+def login_old(request, template_name='registration/login.html',
           redirect_field_name=REDIRECT_FIELD_NAME,
           authentication_form=AuthenticationForm):
     """Displays the login form and handles the login action."""
@@ -22,12 +24,7 @@ def login(request, template_name='registration/login.html',
     if request.method == "POST":
         form = authentication_form(data=request.POST)
         if form.is_valid():
-            
-            # force user to agree to TOS
-            # 1. get latest TOS
-            # 2. Confirm that user is on the TOS agreement list
-            # 3. redirect them to TOS page if they have not yet agreed
-            
+                        
             # Light security check -- make sure redirect_to isn't garbage.
             if not redirect_to or ' ' in redirect_to:
                 redirect_to = settings.LOGIN_REDIRECT_URL
@@ -63,3 +60,76 @@ def login(request, template_name='registration/login.html',
         'site': current_site,
         'site_name': current_site.name,
     }, context_instance=RequestContext(request))
+
+@csrf_protect
+@never_cache
+def tos_check(request):
+    
+    # force user to agree to TOS
+    # 1. get latest TOS
+    has_user_agreed_latest_tos 
+    
+    # 2. Confirm that user is on the TOS agreement list
+    # 3. redirect them to TOS page if they have not yet agreed
+    
+def login(request, template_name='registration/login.html',
+          redirect_field_name=REDIRECT_FIELD_NAME,
+          authentication_form=AuthenticationForm):
+    """Displays the login form and handles the login action."""
+
+    redirect_to = request.REQUEST.get(redirect_field_name, '')
+
+    if request.method == "POST":
+        form = authentication_form(data=request.POST)
+        if form.is_valid():
+
+            # Light security check -- make sure redirect_to isn't garbage.
+            if not redirect_to or ' ' in redirect_to:
+                redirect_to = settings.LOGIN_REDIRECT_URL
+
+            # Heavier security check -- redirects to http://example.com should 
+            # not be allowed, but things like /view/?param=http://example.com 
+            # should be allowed. This regex checks if there is a '//' *before* a
+            # question mark.
+            elif '//' in redirect_to and re.match(r'[^\?]*//', redirect_to):
+                    redirect_to = settings.LOGIN_REDIRECT_URL
+                    
+            # Okay, security checks complete. Check to see if user agrees to terms
+            if has_user_agreed_latest_tos(form.get_user()):
+
+                # Log the user in.
+                auth_login(request, form.get_user())
+
+                if request.session.test_cookie_worked():
+                    request.session.delete_test_cookie()
+
+                return HttpResponseRedirect(redirect_to)
+                
+            else:
+                # user has not yet agreed to latest tos
+                # force them to accept or refuse
+                
+                
+                return render_to_response('tos/tos_check.html', {
+                    redirect_field_name: redirect_to,
+                    'tos':TermsOfService.objects.get_current_tos(),
+                    'form':authentication_form(request)
+                }, context_instance=RequestContext(request))                
+
+    else:
+        form = authentication_form(request)
+
+    request.session.set_test_cookie()
+
+    if Site._meta.installed:
+        current_site = Site.objects.get_current()
+    else:
+        current_site = RequestSite(request)
+
+    return render_to_response(template_name, {
+        'form': form,
+        redirect_field_name: redirect_to,
+        'site': current_site,
+        'site_name': current_site.name,
+    }, context_instance=RequestContext(request))
+