[feature] Made RegisteredUser model support multi-tenancy #692

.github/workflows/ci.yml

@@ -74,6 +74,7 @@ jobs:
           pip install -U pip wheel setuptools
           pip install -U -r requirements-test.txt
           pip install -e .[saml,openvpn_status]
+          pip install --upgrade --no-deps --no-cache-dir --force-reinstall "https://github.com/openwisp/openwisp-users/tarball/issues/497-export-users"
           pip install ${{ matrix.django-version }}
 
       - name: Start InfluxDB and Redis container

openwisp_radius/admin.py

@@ -538,7 +538,11 @@ class RegisteredUserInline(StackedInline):
     model = RegisteredUser
     form = AlwaysHasChangedForm
     extra = 0
-    readonly_fields = ("modified",)
+    readonly_fields = (
+        "organization",
+        "modified",
+    )
+    fields = ("organization", "method", "is_verified", "modified")
 
     def has_delete_permission(self, request, obj=None):
         return False
@@ -549,12 +553,17 @@ def has_delete_permission(self, request, obj=None):
     RadiusUserGroupInline,
     PhoneTokenInline,
 ]
-UserAdmin.list_filter += (RegisteredUserFilter, "registered_user__method")
+UserAdmin.list_filter += (RegisteredUserFilter, "registered_users__method")
 
 
 def get_is_verified(self, obj):
     try:
-        value = "yes" if obj.registered_user.is_verified else "no"
+        if not obj.registered_users.exists():
+            value = "unknown"
+        elif obj.registered_users.filter(is_verified=True).exists():
+            value = "yes"
+        else:
+            value = "no"
     except Exception:
         value = "unknown"
     icon_url = static(f"admin/img/icon-{value}.svg")
@@ -564,7 +573,6 @@ def get_is_verified(self, obj):
 UserAdmin.get_is_verified = get_is_verified
 UserAdmin.get_is_verified.short_description = _("Verified")
 UserAdmin.list_display.insert(3, "get_is_verified")
-UserAdmin.list_select_related = ("registered_user",)
 
 
 class OrganizationRadiusSettingsInline(admin.StackedInline):

openwisp_radius/api/freeradius_views.py

@@ -290,7 +290,7 @@ def get_user(self, request, username, password):
         """
         conditions = self._get_user_query_conditions(request)
         try:
-            user = auth_backend.get_users(username).filter(conditions)[0]
+            user = auth_backend.get_users(username).filter(conditions).distinct()[0]
         except IndexError:
             return None
         # ensure user is member of the authenticated org
@@ -409,8 +409,11 @@ def _get_user_query_conditions(self, request):
         # just ensure user is active
         if not needs_verification:
             return is_active
-        # if identity verification is enabled
-        is_verified = Q(registered_user__is_verified=True)
+        organization_id = request._auth
+        org_or_global = Q(registered_users__organization_id=organization_id) | Q(
+            registered_users__organization__isnull=True
+        )
+        is_verified = Q(registered_users__is_verified=True) & org_or_global
         AUTHORIZE_UNVERIFIED = registration.AUTHORIZE_UNVERIFIED
         # and no method should authorize unverified users
         # ensure user is active AND verified
@@ -420,7 +423,9 @@ def _get_user_query_conditions(self, request):
         # ensure user is active AND
         # (user is verified OR user uses one of these methods)
         else:
-            authorize_unverified = Q(registered_user__method__in=AUTHORIZE_UNVERIFIED)
+            authorize_unverified = (
+                Q(registered_users__method__in=AUTHORIZE_UNVERIFIED) & org_or_global
+            )
             return is_active & (is_verified | authorize_unverified)
 
     def authenticate_user(self, request, user, password):

openwisp_radius/api/serializers.py

@@ -688,9 +688,11 @@ def save(self, request):
         # the custom_signup method contains the openwisp specific logic
         self.custom_signup(request, user)
         # create a RegisteredUser object for every user that registers through API
-        RegisteredUser.objects.create(
+        org = self.context["view"].organization
+        RegisteredUser.objects.get_or_create(
             user=user,
-            method=self.validated_data["method"],
+            organization=org,
+            defaults={"method": self.validated_data["method"]},
         )
         setup_user_email(request, user, [])
         return user
@@ -753,20 +755,23 @@ def save(self):
         # yet, tha will be done by the phone token validation view
         # once the phone number has been validated
         # at this point we flag the user as unverified again
-        self.user.registered_user.is_verified = False
-        self.user.registered_user.save()
+        org = self.context["view"].organization
+        reg_user, _ = RegisteredUser.get_or_create_for_user_and_org(
+            user=self.user,
+            organization=org,
+            defaults={"is_verified": False, "method": ""},
+        )
+        reg_user.is_verified = False
+        reg_user.save()
 
 
 class RadiusUserSerializer(serializers.ModelSerializer):
     """
     Used to return information about the logged in user
     """
 
-    is_verified = serializers.BooleanField(source="registered_user.is_verified")
-    method = serializers.CharField(
-        source="registered_user.method",
-        allow_null=True,
-    )
+    is_verified = serializers.SerializerMethodField()
+    method = serializers.SerializerMethodField()
     password_expired = serializers.BooleanField(source="has_password_expired")
     radius_user_token = serializers.CharField(source="radius_token.key", default=None)
 
@@ -786,3 +791,33 @@ class Meta:
             "password_expired",
             "radius_user_token",
         ]
+
+    def _get_registered_user(self, obj):
+        if not hasattr(self, "_registered_user_cache"):
+            self._registered_user_cache = {}
+        if obj.pk not in self._registered_user_cache:
+            view = self.context.get("view")
+            organization = getattr(view, "organization", None)
+            org_reg_user = None
+            global_reg_user = None
+            # We iterate over .all() instead of using .filter() because callers
+            # of this serializer (e.g. validate_auth_token) prefetch
+            # "registered_users" via prefetch_related. Using .all() hits the
+            # in-memory prefetch cache (0 DB queries), whereas .filter() would
+            # bypass the cache and issue a new query every time.
+            for ru in obj.registered_users.all():
+                if organization and ru.organization_id == organization.pk:
+                    org_reg_user = ru
+                    break
+                elif ru.organization_id is None:
+                    global_reg_user = ru
+            self._registered_user_cache[obj.pk] = org_reg_user or global_reg_user
+        return self._registered_user_cache[obj.pk]
+
+    def get_is_verified(self, obj):
+        reg_user = self._get_registered_user(obj)
+        return reg_user.is_verified if reg_user else None
+
+    def get_method(self, obj):
+        reg_user = self._get_registered_user(obj)
+        return reg_user.method if reg_user else None

openwisp_radius/api/utils.py

@@ -9,6 +9,7 @@
 
 Organization = load_model("openwisp_users", "Organization")
 OrganizationRadiusSettings = load_model("openwisp_radius", "OrganizationRadiusSettings")
+RegisteredUser = load_model("openwisp_radius", "RegisteredUser")
 
 
 class ErrorDictMixin(object):
@@ -30,8 +31,18 @@ def _needs_identity_verification(self, organization_filter_kwargs={}, org=None):
         except ObjectDoesNotExist:
             return app_settings.NEEDS_IDENTITY_VERIFICATION
 
-    def is_identity_verified_strong(self, user):
-        try:
-            return user.registered_user.is_identity_verified_strong
-        except ObjectDoesNotExist:
+    def is_identity_verified_strong(self, user, organization=None):
+        reg_user = None
+        global_reg_user = None
+        # We use all() to utilize the prefetch cache, otherwise
+        # it would cause an additional query to fetch the registered user
+        for ru in user.registered_users.all():
+            if organization and ru.organization_id == organization.pk:
+                reg_user = ru
+                break
+            elif ru.organization_id is None:
+                global_reg_user = ru
+        reg_user = reg_user or global_reg_user
+        if reg_user is None:
             return False
+        return reg_user.is_identity_verified_strong

openwisp_radius/api/views.py

@@ -92,6 +92,7 @@
 Organization = swapper.load_model("openwisp_users", "Organization")
 OrganizationUser = swapper.load_model("openwisp_users", "OrganizationUser")
 PhoneToken = load_model("PhoneToken")
+RegisteredUser = load_model("RegisteredUser")
 RadiusAccounting = load_model("RadiusAccounting")
 RadiusToken = load_model("RadiusToken")
 RadiusBatch = load_model("RadiusBatch")
@@ -315,13 +316,13 @@ def post(self, request, *args, **kwargs):
         self.update_user_details(user)
         context = {"view": self, "request": request}
         serializer = self.serializer_class(instance=token, context=context)
-        response = RadiusUserSerializer(user).data
+        response = RadiusUserSerializer(user, context=context).data
         response.update(serializer.data)
         status_code = 200 if user.is_active else 401
         # If identity verification is required, check if user is verified
         if self._needs_identity_verification(
             {"slug": kwargs["slug"]}
-        ) and not self.is_identity_verified_strong(user):
+        ) and not self.is_identity_verified_strong(user, self.organization):
             status_code = 401
         return Response(response, status=status_code)
 
@@ -335,24 +336,24 @@ def validate_membership(self, user):
             if get_organization_radius_settings(
                 self.organization, "registration_enabled"
             ):
-                if self._needs_identity_verification(
-                    org=self.organization
-                ) and not self.is_identity_verified_strong(user):
-                    raise PermissionDenied
                 try:
                     org_user = OrganizationUser(
                         user=user, organization=self.organization
                     )
                     org_user.full_clean()
                     org_user.save()
+                    RegisteredUser.objects.get_or_create(
+                        user=user,
+                        organization=self.organization,
+                        defaults={"method": ""},
+                    )
                 except ValidationError as error:
                     raise serializers.ValidationError(
                         {"non_field_errors": error.message_dict.pop("__all__")}
                     )
             else:
                 message = _(
-                    "{organization} does not allow self registration "
-                    "of new accounts."
+                    "{organization} does not allow self registration of new accounts."
                 ).format(organization=self.organization.name)
                 raise PermissionDenied(message)
 
@@ -383,9 +384,15 @@ def post(self, request, *args, **kwargs):
         response = {"response_code": "BLANK_OR_INVALID_TOKEN"}
         if request_token:
             try:
-                token = UserToken.objects.select_related(
-                    "user", "user__registered_user"
-                ).get(key=request_token)
+                token = (
+                    UserToken.objects.select_related(
+                        "user",
+                    )
+                    .prefetch_related(
+                        "user__registered_users",
+                    )
+                    .get(key=request_token)
+                )
             except UserToken.DoesNotExist:
                 pass
             else:
@@ -395,7 +402,7 @@ def post(self, request, *args, **kwargs):
                 )
                 # user may be in the process of changing the phone number
                 # in that case show the new phone number (which is not verified yet)
-                if not self.is_identity_verified_strong(user):
+                if not self.is_identity_verified_strong(user, self.organization):
                     phone_token = (
                         PhoneToken.objects.filter(user=user)
                         .order_by("-created")
@@ -404,8 +411,8 @@ def post(self, request, *args, **kwargs):
                     user.phone_number = (
                         phone_token.phone_number if phone_token else user.phone_number
                     )
-                response = RadiusUserSerializer(user).data
                 context = {"view": self, "request": request}
+                response = RadiusUserSerializer(user, context=context).data
                 token_data = rest_auth_settings.api_settings.TOKEN_SERIALIZER(
                     token, context=context
                 ).data
@@ -614,11 +621,13 @@ class CreatePhoneTokenView(
     )
 
     @swagger_auto_schema(
-        operation_description=("""
+        operation_description=(
+            """
             **Requires the user auth token (Bearer Token).**
             Used for SMS verification, sends a code via SMS to the
             phone number of the user.
-            """),
+            """
+        ),
         request_body=no_body,
         responses={201: ""},
     )
@@ -638,7 +647,7 @@ def create(self, *args, **kwargs):
         try:
             phone_token.full_clean()
             if kwargs.get("enforce_unverified", True):
-                phone_token._validate_already_verified()
+                phone_token._validate_already_verified(organization=self.organization)
         except ValidationError as e:
             error_dict = self._get_error_dict(e)
             raise serializers.ValidationError(error_dict)
@@ -692,12 +701,14 @@ class GetPhoneTokenStatusView(DispatchOrgMixin, GenericAPIView):
     serializer_class = serializers.Serializer
 
     @swagger_auto_schema(
-        operation_description=("""
+        operation_description=(
+            """
             **Requires the user auth token (Bearer Token).**
             Used for SMS verification, allows checking whether an active
             SMS token was already requested for the mobile phone number
             of the logged in account.
-            """),
+            """
+        ),
         responses={200: '`{"active":"true/false"}`'},
     )
     def get(self, request, *args, **kwargs):
@@ -747,23 +758,33 @@ def post(self, request, *args, **kwargs):
                 _("No verification code found in the system for this user.")
             )
         try:
-            is_valid = phone_token.is_valid(serializer.data["code"])
+            is_valid = phone_token.is_valid(
+                serializer.data["code"], organization=self.organization
+            )
         except PhoneTokenException as e:
             return self._error_response(str(e))
         if not is_valid:
             return self._error_response(_("Invalid code."))
         else:
-            user.registered_user.is_verified = True
-            user.registered_user.method = "mobile_phone"
-            user.is_active = True
+            reg_user, __ = RegisteredUser.get_or_create_for_user_and_org(
+                user=user,
+                organization=self.organization,
+                defaults={
+                    "is_verified": True,
+                    "method": "mobile_phone",
+                    "is_active": True,
+                },
+            )
+            reg_user.is_verified = True
+            reg_user.method = "mobile_phone"
             # Update username if phone_number is used as username
             if user.username == user.phone_number:
                 user.username = phone_token.phone_number
             # now that the phone number is verified
             # we can write it to the user field
             user.phone_number = phone_token.phone_number
             user.save()
-            user.registered_user.save()
+            reg_user.save()
             # delete any radius token cache key if present
             cache.delete(f"rt-{phone_token.phone_number}")
             return Response(None, status=200)
@@ -781,11 +802,13 @@ class ChangePhoneNumberView(ThrottledAPIMixin, CreatePhoneTokenView):
     serializer_class = ChangePhoneNumberSerializer
 
     @swagger_auto_schema(
-        operation_description=("""
+        operation_description=(
+            """
             **Requires the user auth token (Bearer Token).**
             Allows users to change their phone number, will flag the
             user as inactive and send them a verification code via SMS.
-            """),
+            """
+        ),
         responses={200: ""},
     )
     def post(self, request, *args, **kwargs):

openwisp_radius/base/admin_filters.py

@@ -15,7 +15,9 @@ def lookups(self, request, model_admin):
 
     def queryset(self, request, queryset):
         if self.value() == "unknown":
-            return queryset.filter(registered_user__isnull=True)
+            return queryset.filter(registered_users__isnull=True)
         elif self.value():
-            return queryset.filter(registered_user__is_verified=self.value() == "true")
+            return queryset.filter(
+                registered_users__is_verified=self.value() == "true"
+            ).distinct()
         return queryset