Add user profile pictures (#140)

* Add profile pic to User model

* Add profile pic upload endpoint

* Add pillow

* Add documentation about pipfile problems

* Switch to aws s3

* Prevent uploading non-images

* Add tests and move s3 to prod

* Add more tests

* Simplify image uploader code

* Clarify image filepath generator

* Add input checking

* Add env variables to readme

* More tests :/

* ¯\_(ツ)_/¯

* Specify http status code in tests

* Add file size check

Co-authored-by: Christopher Liu <[email protected]>

Author: Clue88

Diff for: .gitignore

@@ -25,3 +25,6 @@ db.sqlite3
 
 # Docker
 docker-compose.yml
+
+# Uploaded media files
+backend/accounts/mediafiles

Diff for: README.md

@@ -18,6 +18,9 @@ DATABASE_URL=mysql://USER:PASSWORD@HOST:PORT/NAME
 SECRET_KEY=secret
 DJANGO_SETTINGS_MODULE=Platform.settings.production
 SENTRY_URL=https://[email protected]/product
+AWS_ACCESS_KEY_ID
+AWS_ACCESS_SECRET_ID
+AWS_STORAGE_BUCKET_NAME
 ```
 
 1. Run using docker: `docker run -d pennlabs/platform`

Diff for: backend/Pipfile

@@ -36,6 +36,9 @@ django-email-tools = "*"
 twilio = "*"
 lxml = "*"
 requests = "*"
+pillow = "*"
+boto3 = "*"
+django-storages = "*"
 
 [requires]
 python_version = "3"

Diff for: backend/Pipfile.lock

@@ -73,6 +73,7 @@
     "options.apps.OptionsConfig",
     "accounts.apps.AccountsConfig",
     "identity.apps.IdentityConfig",
+    "storages",
 ]
 
 
@@ -203,3 +204,7 @@
     "FROM_EMAIL": "Penn Labs <[email protected]>",
     "TEMPLATE_DIRECTORY": os.path.join(BASE_DIR, "Platform", "templates", "emails"),
 }
+
+# Media Upload Settings
+MEDIA_ROOT = os.path.join(BASE_DIR, "accounts", "mediafiles")
+MEDIA_URL = "/media/"

Diff for: backend/Platform/settings/base.py

@@ -43,3 +43,10 @@
 EMAIL_USE_TLS = True
 
 IS_DEV_LOGIN = os.environ.get("DEV_LOGIN", "False") in ["True", "TRUE", "true"]
+
+# AWS S3
+DEFAULT_FILE_STORAGE = "storages.backends.s3boto3.S3Boto3Storage"
+AWS_ACCESS_KEY_ID = os.getenv("AWS_ACCESS_KEY_ID")
+AWS_ACCESS_SECRET_ID = os.getenv("AWS_SECRET_ACCESS_KEY")
+AWS_STORAGE_BUCKET_NAME = os.getenv("AWS_STORAGE_BUCKET_NAME")
+AWS_QUERYSTRING_AUTH = False

Diff for: backend/Platform/settings/production.py

@@ -0,0 +1,9 @@
+## Runbook
+This section is to collect thoughts/learnings from the codebase that have been hard-won, so we don't lose a record of it if and when the information proves useful again
+
+### Dependency Installation on MacOS Ventura
+There's a couple of issues at play here. The first is that the current `Pipfile` and `Pipfile.lock` are out of sync, most significantly with regard to Django--the `Pipfile` would generate a lockfile with Django 4, however, we are using Django 3 in the current lockfile and our tests. For now, use the current lockfile and use `--keep-outdated` when adding a new package with `pipenv`.
+
+However, there seems to be an issue with the way that lockfiles are interacting with MacOS Ventura. In that case, we have to ignore the lockfile entirely, using `pipenv install --dev --python 3.8 --skip-lock` to install dependenices. From what I can tell, this is the only way to actually install the dependencies without it failing, but it means that some tests might fail due to issues with Django 4.
+
+The long term solution is to make sure that the `Pipfile` and lockfile are in sync, either by forcing Django 3 or by updating our code to support Django 4.

Diff for: backend/README.md

@@ -0,0 +1,21 @@
+# Generated by Django 4.1.3 on 2022-11-10 02:05
+
+import accounts.models
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ("accounts", "0003_auto_20210918_2041"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="user",
+            name="profile_pic",
+            field=models.ImageField(
+                blank=True, null=True, upload_to=accounts.models.get_user_image_filepath
+            ),
+        ),
+    ]

Diff for: backend/accounts/migrations/0004_user_profile_pic.py

@@ -1,3 +1,4 @@
+import os
 import uuid
 
 from django.contrib.auth import get_user_model
@@ -9,6 +10,15 @@
 from phonenumber_field.modelfields import PhoneNumberField
 
 
+def get_user_image_filepath(instance, fname):
+    """
+    Returns the provided User's profile picture image path. Maintains the
+    file extension of the provided image file if it exists.
+    """
+    suffix = "." + fname.rsplit(".", 1)[-1] if "." in fname else ""
+    return os.path.join("images", f"{instance.username}{suffix}")
+
+
 class School(models.Model):
     """
     Represents a school at the University of Pennsylvania.
@@ -53,6 +63,9 @@ class User(AbstractUser):
     pennid = models.IntegerField(primary_key=True)
     uuid = models.UUIDField(unique=True, default=uuid.uuid4, editable=False)
     preferred_name = models.CharField(max_length=225, blank=True)
+    profile_pic = models.ImageField(
+        upload_to=get_user_image_filepath, blank=True, null=True
+    )
 
     VERIFICATION_EXPIRATION_MINUTES = 10
 

Diff for: backend/accounts/models.py

@@ -174,6 +174,7 @@ class UserSerializer(serializers.ModelSerializer):
     student = StudentSerializer()
     emails = EmailSerializer(many=True)
     phone_numbers = PhoneNumberSerializer(many=True)
+    profile_pic = serializers.ImageField(required=False, allow_empty_file=True)
 
     class Meta:
         model = User
@@ -189,6 +190,7 @@ class Meta:
             "student",
             "phone_numbers",
             "emails",
+            "profile_pic",
         )
 
         read_only_fields = (

Diff for: backend/accounts/serializers.py

@@ -1,4 +1,5 @@
 from django.conf import settings
+from django.conf.urls.static import static
 from django.urls import path
 from oauth2_provider.views import AuthorizationView, TokenView
 from rest_framework import routers
@@ -12,6 +13,7 @@
     MajorViewSet,
     PhoneNumberViewSet,
     ProductAdminView,
+    ProfilePicViewSet,
     SchoolViewSet,
     UserSearchView,
     UserView,
@@ -24,6 +26,7 @@
 router = routers.SimpleRouter()
 router.register("me/phonenumber", PhoneNumberViewSet, basename="me-phonenumber")
 router.register("me/email", EmailViewSet, basename="me-email")
+router.register("me/pfp", ProfilePicViewSet, basename="me-pfp")
 router.register("majors", MajorViewSet, basename="majors")
 router.register("schools", SchoolViewSet, basename="schools")
 
@@ -42,3 +45,4 @@
 ]
 
 urlpatterns += router.urls
+urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)

Diff for: backend/accounts/urls.py

@@ -7,6 +7,7 @@
 from django.contrib.auth.models import Permission
 from django.contrib.contenttypes.models import ContentType
 from django.core.exceptions import ObjectDoesNotExist
+from django.core.files.uploadedfile import UploadedFile
 from django.db.models import Case, IntegerField, Q, Value, When
 from django.http import HttpResponseServerError
 from django.http.response import HttpResponse, HttpResponseBadRequest
@@ -19,7 +20,7 @@
 from oauth2_provider.models import get_access_token_model
 from oauth2_provider.views import IntrospectTokenView
 from oauth2_provider.views.mixins import ProtectedResourceMixin
-from rest_framework import generics, viewsets
+from rest_framework import generics, status, viewsets
 from rest_framework.decorators import action
 from rest_framework.filters import SearchFilter
 from rest_framework.permissions import IsAuthenticated
@@ -39,6 +40,44 @@
 from accounts.verification import sendEmailVerification, sendSMSVerification
 
 
+def image_upload_helper(request, user, keyword, field):
+    """
+    Given a User object, save the uploaded image to the image field specified
+    in the argument. Returns a response that can be given to the end user.
+
+    keyword:    the key corresponding to the image file in the request body
+    field:      the name of the User model field to which the file is saved
+    """
+    if keyword not in request.data or not isinstance(
+        request.data[keyword], UploadedFile
+    ):
+        return Response(
+            {"detail": "No image file was uploaded!"},
+            status=status.HTTP_400_BAD_REQUEST,
+        )
+
+    if "image" not in request.data[keyword].content_type:
+        return Response(
+            {"detail": "You must upload an image file!"},
+            status=status.HTTP_400_BAD_REQUEST,
+        )
+
+    if request.data[keyword].size > 500000:
+        return Response(
+            {"detail": "Image files must be smaller than 500 KB!"},
+            status=status.HTTP_400_BAD_REQUEST,
+        )
+
+    getattr(user, field).delete(save=False)
+    setattr(user, field, request.data[keyword])
+    return Response(
+        {
+            "detail": f"{user.__class__.__name__} image uploaded!",
+            "url": getattr(user, field).url,
+        }
+    )
+
+
 class LoginView(View):
     """
     Log in a user.
@@ -247,6 +286,60 @@ def get_object(self):
         return self.request.user
 
 
+class ProfilePicViewSet(viewsets.ViewSet):
+    """
+    post:
+    Replace the profile picture of the logged in user with a new photo.
+    """
+
+    serializer_class = UserSerializer
+    permission_classes = [IsAuthenticated]
+    queryset = User.objects.all()
+
+    @action(detail=False, methods=["post"])
+    def upload(self, request, *args, **kwargs):
+        """
+        Upload a profile picture.
+        ---
+        requestBody:
+            content:
+                multipart/form-data:
+                    schema:
+                        type: object
+                        properties:
+                            profile_pic:
+                                type: object
+                                format: binary
+        responses:
+            "200":
+                description: Returned if the file was successfully uploaded.
+                content: &upload_resp
+                    application/json:
+                        schema:
+                            type: object
+                            properties:
+                                detail:
+                                    type: string
+                                    description: The status of the file upload.
+                                url:
+                                    type: string
+                                    nullable: true
+                                    description: >
+                                        The URL of the newly uploaded file.
+                                        Only exists if the file was
+                                        successfully uploaded.
+            "400":
+                description: Returned if there was an error while uploading the file.
+                content: *upload_resp
+        ---
+        """
+        user = self.request.user
+        resp = image_upload_helper(request, user, "profile_pic", "profile_pic")
+        if status.is_success(resp.status_code):
+            user.save(update_fields=["profile_pic"])
+        return resp
+
+
 class PhoneNumberViewSet(viewsets.ModelViewSet):
     """
     retrieve: