invoice button and security

alkatorapi/admin.py

@@ -1,5 +1,13 @@
 from django.contrib import admin
+from django.http import HttpResponseRedirect
 from .models import User
 
 
-admin.site.register(User)
+@admin.register(User)
+class UserAdmin(admin.ModelAdmin):
+    change_form_template = "invoice_custom_admin_page.html"
+
+    def response_change(self, request, obj):
+        if "_invoice" in request.POST:
+            return HttpResponseRedirect(f"/api/invoice?invoice_id={obj.invoice_id}")
+        return super().response_change(request, obj)

alkatorapi/models.py

@@ -1,4 +1,5 @@
 from django.db import models
+from django.contrib import admin
 
 ALKATOR_CHOICES = (
     (1, "Alkátor"),

alkatorapi/templates/invoice_custom_admin_page.html

@@ -0,0 +1,8 @@
+{% extends 'admin/change_form.html' %}
+
+{% block submit_buttons_bottom %}
+    {{ block.super }}
+    <div class="submit-row">
+            <input type="submit" value="Generate Invoice" name="_invoice">
+    </div>
+{% endblock %}

alkatorapi/views.py

@@ -2,6 +2,7 @@ from django.shortcuts import render
 from django.http import HttpResponse
 from django.template.response import TemplateResponse
 from django.views.decorators.csrf import csrf_exempt
+from django.contrib.admin.views.decorators import staff_member_required
 from datetime import date, datetime
 from urllib.parse import parse_qs
 import requests
@@ -153,5 +154,6 @@ def photos(request):
     return HttpResponse(json.dumps(rtn), content_type='application/json')
 
 
+@staff_member_required
 def invoice(request):
     return TemplateResponse(request, 'invoice.html', {'user': User.objects.get(invoice_id=request.GET['invoice_id'])})