
feat(admin): django admin tweaks #4842

Draft: wants to merge 21 commits into base: main

Conversation

@elisa-a-v (Contributor) commented Dec 18, 2024

Closes #2988

This PR introduces several small tweaks to the Django admin interface by:

  1. Adding new admins for UserProfileEvent and UserProxyEvent.
  2. Adding links in the User instance detail view to the related newly-created Event admins alongside the buttons for Events(*) and History:
    [image]
  3. Optimizing a query for a User's Permissions content_type. I noticed the loading time was extremely long when first loading a User instance detail view. Upon inspection I saw it was performing 795 queries, and after the optimization it went down to 21.
  4. Adding a new column in the Courts list for jurisdiction.
  5. Adding a new column for date_created in the ProcessingQueueAdmin and PacerFetchQueueAdmin lists.
  6. Adding a new column for date_created in the EmailProcessingQueueAdmin, and displaying the date_created and date_modified as readonly fields in the instance detail.
  7. Refactoring get_email_confirmed and get_stub_account to UserAdmin class as methods using the @admin.display decorator for better integration with the Django admin interface.
  8. Adding an autocomplete field to the DocketAdmin's court field and to the SCOTUSMapAdmin's user field to avoid loading all of them at once, and to improve UX by allowing users to search for related instances.
    [image]

Note

(*) The pghistory default Events button redirects to a pghistory admin view that displays a table with pgh_diff, but I could not for the life of me get it to work in a way that felt useful:

  • no matter what I did, I could never see the detailed view for a given Events instance, I always got an error stating that the instance did not exist:
    [Screenshot from 2024-12-19 15-54-25]
  • I think this one has to do with the row=pghistory.Old statement in the UserProxy model declaration, but the diff was always off, like it was one step behind, so the diff was very unclear. For example:
    1. I created a new user with a first email, say first_email@example.com. This created a first event for the UserProxy model with no diff, which makes sense.
    2. Then I changed the email to second_email@example.com and it did not create an event.
    3. Then I changed it yet again, this time to third_email@example.com, and it did create an event, but it displayed the first two in the diff, stating I'd changed it from first_email@example.com to second_email@example.com.

This was all very confusing, and I decided it was much clearer to simply see the last snapshot of the instance via the registered admin. Maybe changing the row=pghistory.Old to the default row=pghistory.New would help with this but I'm guessing that's there for a reason, and this alternative seemed good enough.


  • Email change validation (unsure where this should be done)
  • Add court type filter to CourtAdmin.
  • Replace courts select in DocketAdmin.
  • Add date_created to ProcessingQueueAdmin and PacerFetchQueueAdmin as list_display.
  • Add date_created to EmailProcessingQueueAdmin as list_display and in the instance detail.
  • Fix DocketAdmin slow loading times for instances with many entries.
  • Avoid loading all users in database in SCOTUSMapAdmin instance detail.

@elisa-a-v elisa-a-v self-assigned this Dec 18, 2024
@elisa-a-v elisa-a-v marked this pull request as draft December 18, 2024 21:45
…rAdmin class as methods

This improves code organization by localizing user-admin-related logic to the UserAdmin class,
enhancing readability and maintainability.

- Enable searching by description, docket__id, docket__case_name and recap_sequence_number
- Display more fields in list view
- Enable filtering by date_filed, date_created and date_modified

To improve performance in dockets with several entries, the inline
was replaced by a button that redirects to the list of docket
entries filtered by the docket, so they don't have to all be loaded
when browsing a docket instance detail.

- Enable searching by pk, pacer_case_id and docket_number
- Display more fields in list view

To improve performance in dockets with several alerts, the inline
was replaced by a button that redirects to the list of docket
alerts filtered by the docket, so they don't have to all be loaded
when browsing a docket instance detail.
{% block object-tools-items %}
{% if docket_entries_url %}
<li>
<a class="historylink" href="{{ docket_entries_url }}">

Semgrep identified an issue in your code:

Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross-site scripting (XSS) attacks. If using Flask, use 'url_for()' to safely generate a URL. If using Django, use the 'url' filter to safely generate a URL. If using Mustache, use a URL encoding library, or prepend a slash '/' to the variable for relative links (href="/{{link}}"). You may also consider setting the Content Security Policy (CSP) header.

To resolve this comment:

No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Leave a nosemgrep comment directly above or at the end of line 6 like so // nosemgrep: generic.html-templates.security.var-in-href.var-in-href

Take care to validate that this is not a true positive finding before ignoring it.
Learn more about ignoring code, files and folders here.

You can view more details about this finding in the Semgrep AppSec Platform.

{% endif %}
{% if docket_alerts_url %}
<li>
<a class="historylink" href="{{ docket_alerts_url }}">

Semgrep identified an issue in your code:

Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross-site scripting (XSS) attacks. If using Flask, use 'url_for()' to safely generate a URL. If using Django, use the 'url' filter to safely generate a URL. If using Mustache, use a URL encoding library, or prepend a slash '/' to the variable for relative links (href="/{{link}}"). You may also consider setting the Content Security Policy (CSP) header.

To resolve this comment:

No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Leave a nosemgrep comment directly above or at the end of line 13 like so // nosemgrep: generic.html-templates.security.var-in-href.var-in-href

Take care to validate that this is not a true positive finding before ignoring it.
Learn more about ignoring code, files and folders here.

You can view more details about this finding in the Semgrep AppSec Platform.

{% endif %}
{% if profile_events_url %}
<li>
<a class="historylink" href="{{ profile_events_url }}">

Semgrep identified an issue in your code:

Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross-site scripting (XSS) attacks. If using Flask, use 'url_for()' to safely generate a URL. If using Django, use the 'url' filter to safely generate a URL. If using Mustache, use a URL encoding library, or prepend a slash '/' to the variable for relative links (href="/{{link}}"). You may also consider setting the Content Security Policy (CSP) header.

To resolve this comment:

No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Leave a nosemgrep comment directly above or at the end of line 13 like so // nosemgrep: generic.html-templates.security.var-in-href.var-in-href

Take care to validate that this is not a true positive finding before ignoring it.
Learn more about ignoring code, files and folders here.

You can view more details about this finding in the Semgrep AppSec Platform.

{% block object-tools-items %}
{% if proxy_events_url %}
<li>
<a class="historylink" href="{{ proxy_events_url }}">

Semgrep identified an issue in your code:

Detected a template variable used in an anchor tag with the 'href' attribute. This allows a malicious actor to input the 'javascript:' URI and is subject to cross-site scripting (XSS) attacks. If using Flask, use 'url_for()' to safely generate a URL. If using Django, use the 'url' filter to safely generate a URL. If using Mustache, use a URL encoding library, or prepend a slash '/' to the variable for relative links (href="/{{link}}"). You may also consider setting the Content Security Policy (CSP) header.

To resolve this comment:

No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Leave a nosemgrep comment directly above or at the end of line 6 like so // nosemgrep: generic.html-templates.security.var-in-href.var-in-href

Take care to validate that this is not a true positive finding before ignoring it.
Learn more about ignoring code, files and folders here.

You can view more details about this finding in the Semgrep AppSec Platform.
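The four Semgrep findings above all flag the same pattern, `href="{{ some_url }}"`. The rule fires because Django's autoescaping only rewrites HTML metacharacters, so a value such as `javascript:alert(1)` passes through an escaped href untouched; whether that is a real problem depends entirely on where the variable comes from. The following is an added example, not code from this PR or from courtlistener, using only the Python standard library: it shows what autoescaping does and does not do to an href, builds the kind of filtered changelist link these object-tools buttons need from a fixed path plus url-encoded query parameters, and applies a same-origin check modelled on Django's `django.utils.http.url_has_allowed_host_and_scheme` (including the backslash and triple-slash cases that function guards against). The path `/admin/search/docketentry/` and the `docket__id` filter are illustrative assumptions, not taken from the PR.

```python
"""Added example (not from the courtlistener PR): triage for Semgrep's
var-in-href finding on the admin object-tools links above.

Standard library only. The changelist path and the docket__id filter
below are illustrative assumptions; in Django the path would come from
reverse("admin:<app>_<model>_changelist").
"""
from html import escape
from urllib.parse import urlencode, urlsplit


def escaped_href(value: str) -> str:
    """Render href="{{ value }}" the way Django autoescaping does.

    Autoescaping rewrites only < > & " and '. A javascript: URI contains
    none of them, which is the whole reason the Semgrep rule exists.
    """
    return f'href="{escape(value, quote=True)}"'


def build_admin_filter_url(changelist_path: str, **filters) -> str:
    """Build <changelist>?<field>=<value> for a filtered changelist link.

    Only the filter values are data; they are percent-encoded by
    urlencode(). The path must be a fixed, site-relative constant.
    """
    if not changelist_path.startswith("/"):
        raise ValueError("changelist path must be site-relative")
    return f"{changelist_path}?{urlencode(filters)}"


def is_safe_local_href(url: str) -> bool:
    """True only for a same-origin, path-relative URL.

    Rejects any scheme (javascript:, data:, https:), any host
    (//evil.example/...), the backslash form /\\evil.example that
    browsers read as //, the ///host form, and ASCII control characters
    that browsers strip before scheme detection (java\\tscript:).
    Modelled on django.utils.http.url_has_allowed_host_and_scheme.
    """
    if not url or any(ord(c) < 0x20 for c in url):
        return False
    if url.startswith("///"):
        return False
    # Chrome treats backslash as slash; check the normalised form too.
    for candidate in (url, url.replace("\\", "/")):
        parts = urlsplit(candidate)
        if parts.scheme or parts.netloc or not candidate.startswith("/"):
            return False
    return True


def object_tool_link(label: str, url: str) -> str:
    """Emit the <li><a class="historylink" ...> markup from the template,
    refusing any href that is not a same-origin relative URL."""
    if not is_safe_local_href(url):
        raise ValueError(f"refusing non-local href: {url!r}")
    return (
        f'<li><a class="historylink" href="{escape(url, quote=True)}">'
        f"{escape(label)}</a></li>"
    )


if __name__ == "__main__":
    # Autoescaping leaves a javascript: URI intact...
    print(escaped_href("javascript:alert(1)"))
    # ...so the link must be built from a fixed path and encoded filters.
    entries = build_admin_filter_url("/admin/search/docketentry/", docket__id=42)
    print(object_tool_link("Docket entries", entries))
    for probe in ("javascript:alert(1)", "//evil.example/x", "/\\evil.example/x"):
        print(probe, is_safe_local_href(probe))
```

If the admin view computes these URLs with `reverse()` (or the template emits them with `{% url %}`) and only appends url-encoded filter values, the variable is never attacker-controlled and the finding is a false positive; a `nosemgrep` comment with a one-line justification is the appropriate resolution. The check above is what to confirm before adding that comment, and it is the right guard if any part of the link ever starts coming from request data.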

Successfully merging this pull request may close these issues.

Tweaks to Django Admin