Update django-hijack to 3.x (#2384)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

authentication/pipeline/user.py

@@ -218,7 +218,7 @@ def forbid_hijack(strategy, backend, **kwargs):  # pylint: disable=unused-argume
         backend (social_core.backends.base.BaseAuth): the backend being used to authenticate
     """
     # As first step in pipeline, stop a hijacking admin from going any further
-    if strategy.session_get("is_hijacked_user"):
+    if bool(strategy.session_get("hijack_history")):
         raise AuthException("You are hijacking another user, don't try to login again")  # noqa: EM101
     return {}
 

authentication/views.py

@@ -48,7 +48,7 @@ def get_serializer_cls(self):  # pragma: no cover
 
     def post(self, request):
         """Processes a request"""
-        if request.session.get("is_hijacked_user", False):
+        if bool(request.session.get("hijack_history")):
             return Response(status=status.HTTP_403_FORBIDDEN)
 
         serializer_cls = self.get_serializer_cls()
@@ -90,7 +90,7 @@ def get_serializer_cls(self):
 
     def post(self, request):
         """Verify recaptcha response before proceeding"""
-        if request.session.get("is_hijacked_user", False):
+        if bool(request.session.get("hijack_history")):
             return Response(status=status.HTTP_403_FORBIDDEN)
         if settings.RECAPTCHA_SITE_KEY:
             r = requests.post(  # noqa: S113

authentication/views_test.py

@@ -589,7 +589,7 @@ def test_login_email_error(client, mocker):
 def test_login_email_hijacked(client, user, admin_user):
     """Test that a 403 response is returned for email login view if user is hijacked"""
     client.force_login(admin_user)
-    client.post(f"/hijack/{user.id}/")
+    client.post("/hijack/acquire/", {"user_pk": user.id})
     response = client.post(
         reverse("psa-login-email"),
         {"flow": SocialAuthState.FLOW_LOGIN, "email": "[email protected]"},
@@ -600,7 +600,7 @@ def test_login_email_hijacked(client, user, admin_user):
 def test_register_email_hijacked(client, user, admin_user):
     """Test that a 403 response is returned for email register view if user is hijacked"""
     client.force_login(admin_user)
-    client.post(f"/hijack/{user.id}/")
+    client.post("/hijack/acquire/", {"user_pk": user.id})
     response = client.post(
         reverse("psa-register-email"),
         {"flow": SocialAuthState.FLOW_LOGIN, "email": "[email protected]"},

cms/models_test.py

@@ -166,6 +166,7 @@ def test_course_page_context(  # noqa: PLR0913
         "can_access_edx_course": is_authenticated and has_relevant_run,
         "finaid_price": finaid_price,
         "product": product,
+        "hijack_logout_redirect_url": "/admin/users/user",
         "instructors": []
         if not has_instructor
         else [

frontend/public/scss/common.scss

@@ -261,3 +261,18 @@ button.btn-secondary.unstyled {
 .display-none {
   display: none !important;
 }
+
+.djhj {
+  position: relative !important;
+  top: 0;
+
+  .djhj-message, .djhj-actions {
+    width: fit-content;
+  }
+
+  .djhj-notification {
+    max-width: unset;
+    background: $navy-blue;
+    margin: 0;
+  }
+}

main/settings.py

@@ -200,9 +200,8 @@
     # "compliance",
     "openedx",
     # must be after "users" to pick up custom user model
-    "compat",
     "hijack",
-    "hijack_admin",
+    "hijack.contrib.admin",
     "ecommerce",
     "flexiblepricing",
     "micromasters_import",
@@ -235,6 +234,7 @@
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
     "django.contrib.sites.middleware.CurrentSiteMiddleware",
     "django_user_agents.middleware.UserAgentMiddleware",
+    "hijack.middleware.HijackUserMiddleware",
     "main.middleware.CachelessAPIMiddleware",
     "wagtail.contrib.redirects.middleware.RedirectMiddleware",
 )

main/templates/base.html

@@ -1,4 +1,4 @@
-{% load static hijack_tags js_interop %}
+{% load static hijack js_interop %}
 {% load wagtailcore_tags startswith noindex_meta banner %}
 {% load render_bundle from webpack_loader %}
 <!DOCTYPE html>
@@ -33,7 +33,8 @@
   <div class="main-panel">
     <a href="#main" class="visually-hidden visually-hidden-focusable">Skip to main content</a>
     {% include "partials/gtm_body.html" %}
-    {% hijack_notification %}
+
+    {% include 'hijack/notification.html' %}
     {% if not request.path|startswith:'/certificate/' %}
       {% banner %}
       {% block headercontent %}

main/templates/hijack/notification.html

@@ -0,0 +1,20 @@
+<!-- hijack/notification.html -->
+
+{% load static %}
+{% if request.user.is_hijacked %}
+<link rel="stylesheet" type="text/css" href="{% static 'hijack/hijack.min.css' %}" media="screen">
+<div class="djhj" id="djhj">
+  <div class="djhj-notification">
+    <div class="djhj-message">
+        You are currently working on behalf of <em>{{ request.user.username }}</em>.
+    </div>
+    <form action="{% url 'hijack:release' %}" method="POST" class="djhj-actions">
+      {% csrf_token %}
+      <input type="hidden" name="next" value="{{ hijack_logout_redirect_url }}">
+      <button class="djhj-button" type="submit">
+        release
+      </button>
+    </form>
+  </div>
+</div>
+{% endif %}

main/views.py

@@ -21,6 +21,7 @@ def get_base_context(request):  # noqa: ARG001
         context["domain_verification_tag"] = (
             settings.GOOGLE_DOMAIN_VERIFICATION_TAG_VALUE
         )
+    context["hijack_logout_redirect_url"] = settings.HIJACK_LOGOUT_REDIRECT_URL
 
     return context
 

pyproject.toml

@@ -25,8 +25,7 @@ django-countries = "^7.2.1"
 django-filter = "^2.4.0"
 django-fsm = "^2.8.0"
 django-fsm-admin = "^1.2.4"
-django-hijack = "^2.1.10"
-django-hijack-admin = "^2.1.10"
+django-hijack = "^3.0.0"
 django-ipware = "^4.0.0"
 django-oauth-toolkit = "^1.7.0"
 django-redis = "^5.0.0"

users/admin.py

@@ -3,7 +3,7 @@
 from django.contrib import admin
 from django.contrib.auth.admin import UserAdmin as ContribUserAdmin
 from django.utils.translation import gettext_lazy as _
-from hijack_admin.admin import HijackUserAdminMixin
+from hijack.contrib.admin import HijackUserAdminMixin
 from mitol.common.admin import TimestampedModelAdmin
 
 from users.models import BlockList, LegalAddress, User, UserProfile
@@ -88,7 +88,6 @@ class UserAdmin(ContribUserAdmin, HijackUserAdminMixin, TimestampedModelAdmin):
         "email",
         "name",
         "is_staff",
-        "hijack_field",
         "last_login",
     )
     list_filter = ("is_staff", "is_superuser", "is_active", "groups")