2017-04-12 08:27:57 -04:00
|
|
|
// Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved.
|
2017-01-30 08:30:02 -05:00
|
|
|
// See License.txt for license information.
|
|
|
|
|
|
|
|
|
|
package api4
|
|
|
|
|
|
|
|
|
|
import (
|
2019-06-22 00:14:21 +01:00
|
|
|
"encoding/json"
|
2017-02-27 23:25:28 +09:00
|
|
|
"fmt"
|
2018-07-18 10:07:00 +02:00
|
|
|
"io"
|
|
|
|
|
"io/ioutil"
|
2017-01-30 08:30:02 -05:00
|
|
|
"net/http"
|
2017-02-27 23:25:28 +09:00
|
|
|
"strconv"
|
2017-03-27 09:17:34 -04:00
|
|
|
"time"
|
2017-01-30 08:30:02 -05:00
|
|
|
|
2017-09-06 23:05:10 -07:00
|
|
|
"github.com/mattermost/mattermost-server/app"
|
2018-04-27 12:49:45 -07:00
|
|
|
"github.com/mattermost/mattermost-server/mlog"
|
2017-09-06 23:05:10 -07:00
|
|
|
"github.com/mattermost/mattermost-server/model"
|
2019-06-27 09:37:03 -04:00
|
|
|
"github.com/mattermost/mattermost-server/store"
|
2019-05-03 13:52:32 -07:00
|
|
|
"github.com/mattermost/mattermost-server/utils"
|
2017-01-30 08:30:02 -05:00
|
|
|
)
|
|
|
|
|
|
2017-09-22 12:54:27 -05:00
|
|
|
func (api *API) InitUser() {
|
|
|
|
|
api.BaseRoutes.Users.Handle("", api.ApiHandler(createUser)).Methods("POST")
|
|
|
|
|
api.BaseRoutes.Users.Handle("", api.ApiSessionRequired(getUsers)).Methods("GET")
|
|
|
|
|
api.BaseRoutes.Users.Handle("/ids", api.ApiSessionRequired(getUsersByIds)).Methods("POST")
|
|
|
|
|
api.BaseRoutes.Users.Handle("/usernames", api.ApiSessionRequired(getUsersByNames)).Methods("POST")
|
|
|
|
|
api.BaseRoutes.Users.Handle("/search", api.ApiSessionRequired(searchUsers)).Methods("POST")
|
|
|
|
|
api.BaseRoutes.Users.Handle("/autocomplete", api.ApiSessionRequired(autocompleteUsers)).Methods("GET")
|
2018-06-07 09:45:49 -07:00
|
|
|
api.BaseRoutes.Users.Handle("/stats", api.ApiSessionRequired(getTotalUsersStats)).Methods("GET")
|
2019-06-22 00:14:21 +01:00
|
|
|
api.BaseRoutes.Users.Handle("/group_channels", api.ApiSessionRequired(getUsersByGroupChannelIds)).Methods("POST")
|
2017-09-22 12:54:27 -05:00
|
|
|
|
|
|
|
|
api.BaseRoutes.User.Handle("", api.ApiSessionRequired(getUser)).Methods("GET")
|
2018-10-02 08:04:38 +02:00
|
|
|
api.BaseRoutes.User.Handle("/image/default", api.ApiSessionRequiredTrustRequester(getDefaultProfileImage)).Methods("GET")
|
2017-09-22 12:54:27 -05:00
|
|
|
api.BaseRoutes.User.Handle("/image", api.ApiSessionRequiredTrustRequester(getProfileImage)).Methods("GET")
|
|
|
|
|
api.BaseRoutes.User.Handle("/image", api.ApiSessionRequired(setProfileImage)).Methods("POST")
|
2018-10-02 08:04:38 +02:00
|
|
|
api.BaseRoutes.User.Handle("/image", api.ApiSessionRequired(setDefaultProfileImage)).Methods("DELETE")
|
2017-09-22 12:54:27 -05:00
|
|
|
api.BaseRoutes.User.Handle("", api.ApiSessionRequired(updateUser)).Methods("PUT")
|
|
|
|
|
api.BaseRoutes.User.Handle("/patch", api.ApiSessionRequired(patchUser)).Methods("PUT")
|
|
|
|
|
api.BaseRoutes.User.Handle("", api.ApiSessionRequired(deleteUser)).Methods("DELETE")
|
|
|
|
|
api.BaseRoutes.User.Handle("/roles", api.ApiSessionRequired(updateUserRoles)).Methods("PUT")
|
|
|
|
|
api.BaseRoutes.User.Handle("/active", api.ApiSessionRequired(updateUserActive)).Methods("PUT")
|
|
|
|
|
api.BaseRoutes.User.Handle("/password", api.ApiSessionRequired(updatePassword)).Methods("PUT")
|
2019-07-22 22:13:39 +02:00
|
|
|
api.BaseRoutes.User.Handle("/promote", api.ApiSessionRequired(promoteGuestToUser)).Methods("POST")
|
|
|
|
|
api.BaseRoutes.User.Handle("/demote", api.ApiSessionRequired(demoteUserToGuest)).Methods("POST")
|
2017-09-22 12:54:27 -05:00
|
|
|
api.BaseRoutes.Users.Handle("/password/reset", api.ApiHandler(resetPassword)).Methods("POST")
|
|
|
|
|
api.BaseRoutes.Users.Handle("/password/reset/send", api.ApiHandler(sendPasswordReset)).Methods("POST")
|
|
|
|
|
api.BaseRoutes.Users.Handle("/email/verify", api.ApiHandler(verifyUserEmail)).Methods("POST")
|
|
|
|
|
api.BaseRoutes.Users.Handle("/email/verify/send", api.ApiHandler(sendVerificationEmail)).Methods("POST")
|
2018-11-09 02:18:14 +05:30
|
|
|
api.BaseRoutes.User.Handle("/terms_of_service", api.ApiSessionRequired(saveUserTermsOfService)).Methods("POST")
|
|
|
|
|
api.BaseRoutes.User.Handle("/terms_of_service", api.ApiSessionRequired(getUserTermsOfService)).Methods("GET")
|
2017-09-22 12:54:27 -05:00
|
|
|
|
2018-01-04 09:45:59 -08:00
|
|
|
api.BaseRoutes.User.Handle("/auth", api.ApiSessionRequiredTrustRequester(updateUserAuth)).Methods("PUT")
|
|
|
|
|
|
2017-09-22 12:54:27 -05:00
|
|
|
api.BaseRoutes.Users.Handle("/mfa", api.ApiHandler(checkUserMfa)).Methods("POST")
|
|
|
|
|
api.BaseRoutes.User.Handle("/mfa", api.ApiSessionRequiredMfa(updateUserMfa)).Methods("PUT")
|
|
|
|
|
api.BaseRoutes.User.Handle("/mfa/generate", api.ApiSessionRequiredMfa(generateMfaSecret)).Methods("POST")
|
|
|
|
|
|
|
|
|
|
api.BaseRoutes.Users.Handle("/login", api.ApiHandler(login)).Methods("POST")
|
|
|
|
|
api.BaseRoutes.Users.Handle("/login/switch", api.ApiHandler(switchAccountType)).Methods("POST")
|
|
|
|
|
api.BaseRoutes.Users.Handle("/logout", api.ApiHandler(logout)).Methods("POST")
|
|
|
|
|
|
|
|
|
|
api.BaseRoutes.UserByUsername.Handle("", api.ApiSessionRequired(getUserByUsername)).Methods("GET")
|
|
|
|
|
api.BaseRoutes.UserByEmail.Handle("", api.ApiSessionRequired(getUserByEmail)).Methods("GET")
|
|
|
|
|
|
|
|
|
|
api.BaseRoutes.User.Handle("/sessions", api.ApiSessionRequired(getSessions)).Methods("GET")
|
|
|
|
|
api.BaseRoutes.User.Handle("/sessions/revoke", api.ApiSessionRequired(revokeSession)).Methods("POST")
|
2017-10-16 23:50:31 -04:00
|
|
|
api.BaseRoutes.User.Handle("/sessions/revoke/all", api.ApiSessionRequired(revokeAllSessionsForUser)).Methods("POST")
|
2019-07-01 23:28:46 +02:00
|
|
|
api.BaseRoutes.Users.Handle("/sessions/revoke/all", api.ApiSessionRequired(revokeAllSessionsAllUsers)).Methods("POST")
|
2017-09-22 12:54:27 -05:00
|
|
|
api.BaseRoutes.Users.Handle("/sessions/device", api.ApiSessionRequired(attachDeviceId)).Methods("PUT")
|
|
|
|
|
api.BaseRoutes.User.Handle("/audits", api.ApiSessionRequired(getUserAudits)).Methods("GET")
|
|
|
|
|
|
|
|
|
|
api.BaseRoutes.User.Handle("/tokens", api.ApiSessionRequired(createUserAccessToken)).Methods("POST")
|
2018-01-05 14:46:48 -05:00
|
|
|
api.BaseRoutes.User.Handle("/tokens", api.ApiSessionRequired(getUserAccessTokensForUser)).Methods("GET")
|
|
|
|
|
api.BaseRoutes.Users.Handle("/tokens", api.ApiSessionRequired(getUserAccessTokens)).Methods("GET")
|
2018-01-11 16:30:55 -05:00
|
|
|
api.BaseRoutes.Users.Handle("/tokens/search", api.ApiSessionRequired(searchUserAccessTokens)).Methods("POST")
|
2017-09-22 12:54:27 -05:00
|
|
|
api.BaseRoutes.Users.Handle("/tokens/{token_id:[A-Za-z0-9]+}", api.ApiSessionRequired(getUserAccessToken)).Methods("GET")
|
|
|
|
|
api.BaseRoutes.Users.Handle("/tokens/revoke", api.ApiSessionRequired(revokeUserAccessToken)).Methods("POST")
|
2017-10-19 08:10:29 -04:00
|
|
|
api.BaseRoutes.Users.Handle("/tokens/disable", api.ApiSessionRequired(disableUserAccessToken)).Methods("POST")
|
|
|
|
|
api.BaseRoutes.Users.Handle("/tokens/enable", api.ApiSessionRequired(enableUserAccessToken)).Methods("POST")
|
2017-01-30 08:30:02 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func createUser(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
user := model.UserFromJson(r.Body)
|
|
|
|
|
if user == nil {
|
|
|
|
|
c.SetInvalidParam("user")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-07 12:12:37 -07:00
|
|
|
user.SanitizeInput(c.IsSystemAdmin())
|
2019-08-27 10:39:01 +02:00
|
|
|
|
2018-04-18 22:46:10 +02:00
|
|
|
tokenId := r.URL.Query().Get("t")
|
2017-01-30 08:30:02 -05:00
|
|
|
inviteId := r.URL.Query().Get("iid")
|
|
|
|
|
|
|
|
|
|
// No permission check required
|
|
|
|
|
|
|
|
|
|
var ruser *model.User
|
|
|
|
|
var err *model.AppError
|
2018-04-18 22:46:10 +02:00
|
|
|
if len(tokenId) > 0 {
|
2019-07-22 22:13:39 +02:00
|
|
|
var token *model.Token
|
|
|
|
|
token, err = c.App.Srv.Store.Token().GetByToken(tokenId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = model.NewAppError("CreateUserWithToken", "api.user.create_user.signup_link_invalid.app_error", nil, err.Error(), http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if token.Type == app.TOKEN_TYPE_GUEST_INVITATION {
|
|
|
|
|
if c.App.License() == nil {
|
|
|
|
|
c.Err = model.NewAppError("CreateUserWithToken", "api.user.create_user.guest_accounts.license.app_error", nil, "", http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if !*c.App.Config().GuestAccountsSettings.Enable {
|
|
|
|
|
c.Err = model.NewAppError("CreateUserWithToken", "api.user.create_user.guest_accounts.disabled.app_error", nil, "", http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
ruser, err = c.App.CreateUserWithToken(user, token)
|
2017-01-30 08:30:02 -05:00
|
|
|
} else if len(inviteId) > 0 {
|
2017-09-06 17:12:54 -05:00
|
|
|
ruser, err = c.App.CreateUserWithInviteId(user, inviteId)
|
2017-03-29 22:05:32 -03:00
|
|
|
} else if c.IsSystemAdmin() {
|
2017-09-06 17:12:54 -05:00
|
|
|
ruser, err = c.App.CreateUserAsAdmin(user)
|
2017-01-30 08:30:02 -05:00
|
|
|
} else {
|
2017-09-06 17:12:54 -05:00
|
|
|
ruser, err = c.App.CreateUserFromSignup(user)
|
2017-01-30 08:30:02 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
w.WriteHeader(http.StatusCreated)
|
|
|
|
|
w.Write([]byte(ruser.ToJson()))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func getUser(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-29 16:56:56 +02:00
|
|
|
canSee, err := c.App.UserCanSeeOtherUser(c.App.Session.UserId, c.Params.UserId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.SetPermissionError(model.PERMISSION_VIEW_MEMBERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !canSee {
|
|
|
|
|
c.SetPermissionError(model.PERMISSION_VIEW_MEMBERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
2017-01-30 08:30:02 -05:00
|
|
|
|
2018-12-06 16:55:06 +01:00
|
|
|
user, err := c.App.GetUser(c.Params.UserId)
|
|
|
|
|
if err != nil {
|
2017-01-30 08:30:02 -05:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-27 18:31:35 +05:30
|
|
|
if c.IsSystemAdmin() || c.App.Session.UserId == user.Id {
|
|
|
|
|
userTermsOfService, err := c.App.GetUserTermsOfService(user.Id)
|
|
|
|
|
if err != nil && err.StatusCode != http.StatusNotFound {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if userTermsOfService != nil {
|
|
|
|
|
user.TermsOfServiceId = userTermsOfService.TermsOfServiceId
|
|
|
|
|
user.TermsOfServiceCreateAt = userTermsOfService.CreateAt
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-31 08:12:01 -05:00
|
|
|
etag := user.Etag(*c.App.Config().PrivacySettings.ShowFullName, *c.App.Config().PrivacySettings.ShowEmailAddress)
|
2017-01-30 08:30:02 -05:00
|
|
|
|
2017-09-22 12:54:27 -05:00
|
|
|
if c.HandleEtag(etag, "Get User", w, r) {
|
2017-01-30 08:30:02 -05:00
|
|
|
return
|
2018-08-01 16:55:18 +02:00
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if c.App.Session.UserId == user.Id {
|
2018-08-01 16:55:18 +02:00
|
|
|
user.Sanitize(map[string]bool{})
|
2017-01-30 08:30:02 -05:00
|
|
|
} else {
|
2018-08-01 16:55:18 +02:00
|
|
|
c.App.SanitizeProfile(user, c.IsSystemAdmin())
|
2017-01-30 08:30:02 -05:00
|
|
|
}
|
2018-11-28 10:56:21 -08:00
|
|
|
c.App.UpdateLastActivityAtIfNeeded(c.App.Session)
|
2018-08-01 16:55:18 +02:00
|
|
|
w.Header().Set(model.HEADER_ETAG_SERVER, etag)
|
|
|
|
|
w.Write([]byte(user.ToJson()))
|
2017-01-30 08:30:02 -05:00
|
|
|
}
|
|
|
|
|
|
2017-02-08 05:00:16 -05:00
|
|
|
func getUserByUsername(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireUsername()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-06 16:55:06 +01:00
|
|
|
user, err := c.App.GetUserByUsername(c.Params.Username)
|
2019-04-29 16:56:56 +02:00
|
|
|
if err != nil {
|
|
|
|
|
restrictions, err2 := c.App.GetViewUsersRestrictions(c.App.Session.UserId)
|
|
|
|
|
if err2 != nil {
|
|
|
|
|
c.Err = err2
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if restrictions != nil {
|
|
|
|
|
c.SetPermissionError(model.PERMISSION_VIEW_MEMBERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
canSee, err := c.App.UserCanSeeOtherUser(c.App.Session.UserId, user.Id)
|
2018-12-06 16:55:06 +01:00
|
|
|
if err != nil {
|
2017-02-08 05:00:16 -05:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-29 16:56:56 +02:00
|
|
|
if !canSee {
|
|
|
|
|
c.SetPermissionError(model.PERMISSION_VIEW_MEMBERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-27 18:31:35 +05:30
|
|
|
if c.IsSystemAdmin() || c.App.Session.UserId == user.Id {
|
|
|
|
|
userTermsOfService, err := c.App.GetUserTermsOfService(user.Id)
|
|
|
|
|
if err != nil && err.StatusCode != http.StatusNotFound {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if userTermsOfService != nil {
|
|
|
|
|
user.TermsOfServiceId = userTermsOfService.TermsOfServiceId
|
|
|
|
|
user.TermsOfServiceCreateAt = userTermsOfService.CreateAt
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-31 08:12:01 -05:00
|
|
|
etag := user.Etag(*c.App.Config().PrivacySettings.ShowFullName, *c.App.Config().PrivacySettings.ShowEmailAddress)
|
2017-02-08 05:00:16 -05:00
|
|
|
|
2017-09-22 12:54:27 -05:00
|
|
|
if c.HandleEtag(etag, "Get User", w, r) {
|
2017-02-08 05:00:16 -05:00
|
|
|
return
|
2018-08-01 16:55:18 +02:00
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if c.App.Session.UserId == user.Id {
|
2018-08-01 16:55:18 +02:00
|
|
|
user.Sanitize(map[string]bool{})
|
2017-02-08 05:00:16 -05:00
|
|
|
} else {
|
2018-08-01 16:55:18 +02:00
|
|
|
c.App.SanitizeProfile(user, c.IsSystemAdmin())
|
2017-02-08 05:00:16 -05:00
|
|
|
}
|
2018-08-01 16:55:18 +02:00
|
|
|
w.Header().Set(model.HEADER_ETAG_SERVER, etag)
|
|
|
|
|
w.Write([]byte(user.ToJson()))
|
2017-02-08 05:00:16 -05:00
|
|
|
}
|
|
|
|
|
|
2017-02-07 11:54:07 -05:00
|
|
|
func getUserByEmail(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireEmail()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-18 16:04:25 -05:00
|
|
|
sanitizeOptions := c.App.GetSanitizeOptions(c.IsSystemAdmin())
|
|
|
|
|
if !sanitizeOptions["email"] {
|
|
|
|
|
c.Err = model.NewAppError("getUserByEmail", "api.user.get_user_by_email.permissions.app_error", nil, "userId="+c.App.Session.UserId, http.StatusForbidden)
|
|
|
|
|
return
|
|
|
|
|
}
|
2017-02-07 11:54:07 -05:00
|
|
|
|
2018-12-06 16:55:06 +01:00
|
|
|
user, err := c.App.GetUserByEmail(c.Params.Email)
|
|
|
|
|
if err != nil {
|
2019-04-29 16:56:56 +02:00
|
|
|
restrictions, err2 := c.App.GetViewUsersRestrictions(c.App.Session.UserId)
|
|
|
|
|
if err2 != nil {
|
|
|
|
|
c.Err = err2
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if restrictions != nil {
|
|
|
|
|
c.SetPermissionError(model.PERMISSION_VIEW_MEMBERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
2017-02-07 11:54:07 -05:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-29 16:56:56 +02:00
|
|
|
canSee, err := c.App.UserCanSeeOtherUser(c.App.Session.UserId, user.Id)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !canSee {
|
|
|
|
|
c.SetPermissionError(model.PERMISSION_VIEW_MEMBERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-31 08:12:01 -05:00
|
|
|
etag := user.Etag(*c.App.Config().PrivacySettings.ShowFullName, *c.App.Config().PrivacySettings.ShowEmailAddress)
|
2017-02-07 11:54:07 -05:00
|
|
|
|
2017-09-22 12:54:27 -05:00
|
|
|
if c.HandleEtag(etag, "Get User", w, r) {
|
2017-02-07 11:54:07 -05:00
|
|
|
return
|
|
|
|
|
}
|
2018-08-01 16:55:18 +02:00
|
|
|
|
|
|
|
|
c.App.SanitizeProfile(user, c.IsSystemAdmin())
|
|
|
|
|
w.Header().Set(model.HEADER_ETAG_SERVER, etag)
|
|
|
|
|
w.Write([]byte(user.ToJson()))
|
2017-02-07 11:54:07 -05:00
|
|
|
}
|
|
|
|
|
|
2018-10-02 08:04:38 +02:00
|
|
|
func getDefaultProfileImage(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-29 16:56:56 +02:00
|
|
|
canSee, err := c.App.UserCanSeeOtherUser(c.App.Session.UserId, c.Params.UserId)
|
2018-10-02 08:04:38 +02:00
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-29 16:56:56 +02:00
|
|
|
if !canSee {
|
|
|
|
|
c.SetPermissionError(model.PERMISSION_VIEW_MEMBERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
user, err := c.App.GetUser(c.Params.UserId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
2018-10-02 08:04:38 +02:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
img, err := c.App.GetDefaultProfileImage(user)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
w.Header().Set("Cache-Control", fmt.Sprintf("max-age=%v, public", 24*60*60)) // 24 hrs
|
|
|
|
|
w.Header().Set("Content-Type", "image/png")
|
|
|
|
|
w.Write(img)
|
|
|
|
|
}
|
|
|
|
|
|
2017-02-27 23:25:28 +09:00
|
|
|
func getProfileImage(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-29 16:56:56 +02:00
|
|
|
canSee, err := c.App.UserCanSeeOtherUser(c.App.Session.UserId, c.Params.UserId)
|
2018-08-01 16:55:18 +02:00
|
|
|
if err != nil {
|
2017-02-27 23:25:28 +09:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
2018-08-01 16:55:18 +02:00
|
|
|
}
|
2017-02-27 23:25:28 +09:00
|
|
|
|
2019-04-29 16:56:56 +02:00
|
|
|
if !canSee {
|
|
|
|
|
c.SetPermissionError(model.PERMISSION_VIEW_MEMBERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
user, err := c.App.GetUser(c.Params.UserId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
2018-08-01 16:55:18 +02:00
|
|
|
return
|
|
|
|
|
}
|
2017-02-27 23:25:28 +09:00
|
|
|
|
2018-08-01 16:55:18 +02:00
|
|
|
etag := strconv.FormatInt(user.LastPictureUpdate, 10)
|
|
|
|
|
if c.HandleEtag(etag, "Get Profile Image", w, r) {
|
|
|
|
|
return
|
|
|
|
|
}
|
2017-02-27 23:25:28 +09:00
|
|
|
|
2018-08-01 16:55:18 +02:00
|
|
|
img, readFailed, err := c.App.GetProfileImage(user)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
2017-02-27 23:25:28 +09:00
|
|
|
|
2018-08-01 16:55:18 +02:00
|
|
|
if readFailed {
|
|
|
|
|
w.Header().Set("Cache-Control", fmt.Sprintf("max-age=%v, public", 5*60)) // 5 mins
|
|
|
|
|
} else {
|
|
|
|
|
w.Header().Set("Cache-Control", fmt.Sprintf("max-age=%v, public", 24*60*60)) // 24 hrs
|
|
|
|
|
w.Header().Set(model.HEADER_ETAG_SERVER, etag)
|
2017-02-27 23:25:28 +09:00
|
|
|
}
|
2018-08-01 16:55:18 +02:00
|
|
|
|
|
|
|
|
w.Header().Set("Content-Type", "image/png")
|
|
|
|
|
w.Write(img)
|
2017-02-27 23:25:28 +09:00
|
|
|
}
|
|
|
|
|
|
2017-02-28 22:11:56 +09:00
|
|
|
func setProfileImage(c *Context, w http.ResponseWriter, r *http.Request) {
|
2018-07-18 10:07:00 +02:00
|
|
|
defer io.Copy(ioutil.Discard, r.Body)
|
|
|
|
|
|
2017-02-28 22:11:56 +09:00
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) {
|
2017-02-28 22:11:56 +09:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-18 15:36:43 -07:00
|
|
|
if len(*c.App.Config().FileSettings.DriverName) == 0 {
|
2017-08-31 15:03:16 +01:00
|
|
|
c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.storage.app_error", nil, "", http.StatusNotImplemented)
|
2017-02-28 22:11:56 +09:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-18 15:36:43 -07:00
|
|
|
if r.ContentLength > *c.App.Config().FileSettings.MaxFileSize {
|
2017-08-31 15:03:16 +01:00
|
|
|
c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.too_large.app_error", nil, "", http.StatusRequestEntityTooLarge)
|
2017-02-28 22:11:56 +09:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-18 15:36:43 -07:00
|
|
|
if err := r.ParseMultipartForm(*c.App.Config().FileSettings.MaxFileSize); err != nil {
|
2017-09-05 17:40:35 -04:00
|
|
|
c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.parse.app_error", nil, err.Error(), http.StatusInternalServerError)
|
2017-02-28 22:11:56 +09:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
m := r.MultipartForm
|
|
|
|
|
imageArray, ok := m.File["image"]
|
|
|
|
|
if !ok {
|
2017-08-31 15:03:16 +01:00
|
|
|
c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.no_file.app_error", nil, "", http.StatusBadRequest)
|
2017-02-28 22:11:56 +09:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(imageArray) <= 0 {
|
2017-08-31 15:03:16 +01:00
|
|
|
c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.array.app_error", nil, "", http.StatusBadRequest)
|
2017-02-28 22:11:56 +09:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
imageData := imageArray[0]
|
2017-09-06 17:12:54 -05:00
|
|
|
if err := c.App.SetProfileImage(c.Params.UserId, imageData); err != nil {
|
2017-02-28 22:11:56 +09:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.LogAudit("")
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-02 08:04:38 +02:00
|
|
|
func setDefaultProfileImage(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) {
|
2018-10-02 08:04:38 +02:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(*c.App.Config().FileSettings.DriverName) == 0 {
|
|
|
|
|
c.Err = model.NewAppError("setDefaultProfileImage", "api.user.upload_profile_user.storage.app_error", nil, "", http.StatusNotImplemented)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
user, err := c.App.GetUser(c.Params.UserId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := c.App.SetDefaultProfileImage(user); err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.LogAudit("")
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-07 09:45:49 -07:00
|
|
|
func getTotalUsersStats(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-29 16:56:56 +02:00
|
|
|
restrictions, err := c.App.GetViewUsersRestrictions(c.App.Session.UserId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
stats, err := c.App.GetTotalUsersStats(restrictions)
|
2018-08-01 16:55:18 +02:00
|
|
|
if err != nil {
|
2018-06-07 09:45:49 -07:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
2018-08-01 16:55:18 +02:00
|
|
|
|
|
|
|
|
w.Write([]byte(stats.ToJson()))
|
2018-06-07 09:45:49 -07:00
|
|
|
}
|
|
|
|
|
|
2019-06-22 00:14:21 +01:00
|
|
|
func getUsersByGroupChannelIds(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
channelIds := model.ArrayFromJson(r.Body)
|
|
|
|
|
|
|
|
|
|
if len(channelIds) == 0 {
|
|
|
|
|
c.SetInvalidParam("channel_ids")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
usersByChannelId, err := c.App.GetUsersByGroupChannelIds(channelIds, c.IsSystemAdmin())
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
b, _ := json.Marshal(usersByChannelId)
|
|
|
|
|
w.Write(b)
|
|
|
|
|
}
|
|
|
|
|
|
2017-02-03 15:17:34 -05:00
|
|
|
func getUsers(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
inTeamId := r.URL.Query().Get("in_team")
|
2017-03-30 02:10:51 +01:00
|
|
|
notInTeamId := r.URL.Query().Get("not_in_team")
|
2017-02-03 15:17:34 -05:00
|
|
|
inChannelId := r.URL.Query().Get("in_channel")
|
|
|
|
|
notInChannelId := r.URL.Query().Get("not_in_channel")
|
2019-05-16 10:12:06 +01:00
|
|
|
groupConstrained := r.URL.Query().Get("group_constrained")
|
2017-03-29 21:11:40 -04:00
|
|
|
withoutTeam := r.URL.Query().Get("without_team")
|
2019-01-11 14:50:32 +01:00
|
|
|
inactive := r.URL.Query().Get("inactive")
|
|
|
|
|
role := r.URL.Query().Get("role")
|
2017-06-30 12:07:23 -04:00
|
|
|
sort := r.URL.Query().Get("sort")
|
2017-02-03 15:17:34 -05:00
|
|
|
|
|
|
|
|
if len(notInChannelId) > 0 && len(inTeamId) == 0 {
|
2017-06-30 12:07:23 -04:00
|
|
|
c.SetInvalidUrlParam("team_id")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-09 05:48:30 -07:00
|
|
|
if sort != "" && sort != "last_activity_at" && sort != "create_at" && sort != "status" {
|
2017-06-30 12:07:23 -04:00
|
|
|
c.SetInvalidUrlParam("sort")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Currently only supports sorting on a team
|
2018-03-09 05:48:30 -07:00
|
|
|
// or sort="status" on inChannelId
|
2017-06-30 12:07:23 -04:00
|
|
|
if (sort == "last_activity_at" || sort == "create_at") && (inTeamId == "" || notInTeamId != "" || inChannelId != "" || notInChannelId != "" || withoutTeam != "") {
|
|
|
|
|
c.SetInvalidUrlParam("sort")
|
2017-02-03 15:17:34 -05:00
|
|
|
return
|
|
|
|
|
}
|
2018-03-09 05:48:30 -07:00
|
|
|
if sort == "status" && inChannelId == "" {
|
|
|
|
|
c.SetInvalidUrlParam("sort")
|
|
|
|
|
return
|
|
|
|
|
}
|
2017-02-03 15:17:34 -05:00
|
|
|
|
2019-01-11 14:50:32 +01:00
|
|
|
withoutTeamBool, _ := strconv.ParseBool(withoutTeam)
|
2019-05-16 10:12:06 +01:00
|
|
|
groupConstrainedBool, _ := strconv.ParseBool(groupConstrained)
|
2019-01-11 14:50:32 +01:00
|
|
|
inactiveBool, _ := strconv.ParseBool(inactive)
|
|
|
|
|
|
2019-04-29 16:56:56 +02:00
|
|
|
restrictions, err := c.App.GetViewUsersRestrictions(c.App.Session.UserId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-11 14:50:32 +01:00
|
|
|
userGetOptions := &model.UserGetOptions{
|
2019-04-29 16:56:56 +02:00
|
|
|
InTeamId: inTeamId,
|
|
|
|
|
InChannelId: inChannelId,
|
|
|
|
|
NotInTeamId: notInTeamId,
|
|
|
|
|
NotInChannelId: notInChannelId,
|
2019-05-16 10:12:06 +01:00
|
|
|
GroupConstrained: groupConstrainedBool,
|
2019-04-29 16:56:56 +02:00
|
|
|
WithoutTeam: withoutTeamBool,
|
|
|
|
|
Inactive: inactiveBool,
|
|
|
|
|
Role: role,
|
|
|
|
|
Sort: sort,
|
|
|
|
|
Page: c.Params.Page,
|
|
|
|
|
PerPage: c.Params.PerPage,
|
|
|
|
|
ViewRestrictions: restrictions,
|
2019-01-11 14:50:32 +01:00
|
|
|
}
|
|
|
|
|
|
2017-02-03 15:17:34 -05:00
|
|
|
var profiles []*model.User
|
|
|
|
|
etag := ""
|
|
|
|
|
|
2017-06-30 12:07:23 -04:00
|
|
|
if withoutTeamBool, _ := strconv.ParseBool(withoutTeam); withoutTeamBool {
|
2017-03-29 21:11:40 -04:00
|
|
|
// Use a special permission for now
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_LIST_USERS_WITHOUT_TEAM) {
|
2017-03-29 21:11:40 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_LIST_USERS_WITHOUT_TEAM)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-09-17 15:13:17 -04:00
|
|
|
profiles, err = c.App.GetUsersWithoutTeamPage(userGetOptions, c.IsSystemAdmin())
|
2017-03-29 21:11:40 -04:00
|
|
|
} else if len(notInChannelId) > 0 {
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionToChannel(c.App.Session, notInChannelId, model.PERMISSION_READ_CHANNEL) {
|
2017-02-03 15:17:34 -05:00
|
|
|
c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-05-16 10:12:06 +01:00
|
|
|
profiles, err = c.App.GetUsersNotInChannelPage(inTeamId, notInChannelId, groupConstrainedBool, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin(), restrictions)
|
2017-03-30 02:10:51 +01:00
|
|
|
} else if len(notInTeamId) > 0 {
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionToTeam(c.App.Session, notInTeamId, model.PERMISSION_VIEW_TEAM) {
|
2017-03-30 02:10:51 +01:00
|
|
|
c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-29 16:56:56 +02:00
|
|
|
etag = c.App.GetUsersNotInTeamEtag(inTeamId, restrictions.Hash())
|
2017-09-22 12:54:27 -05:00
|
|
|
if c.HandleEtag(etag, "Get Users Not in Team", w, r) {
|
2017-03-30 02:10:51 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-05-16 10:12:06 +01:00
|
|
|
profiles, err = c.App.GetUsersNotInTeamPage(notInTeamId, groupConstrainedBool, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin(), restrictions)
|
2017-02-03 15:17:34 -05:00
|
|
|
} else if len(inTeamId) > 0 {
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionToTeam(c.App.Session, inTeamId, model.PERMISSION_VIEW_TEAM) {
|
2017-02-03 15:17:34 -05:00
|
|
|
c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-06-30 12:07:23 -04:00
|
|
|
if sort == "last_activity_at" {
|
2019-04-29 16:56:56 +02:00
|
|
|
profiles, err = c.App.GetRecentlyActiveUsersForTeamPage(inTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin(), restrictions)
|
2017-06-30 12:07:23 -04:00
|
|
|
} else if sort == "create_at" {
|
2019-04-29 16:56:56 +02:00
|
|
|
profiles, err = c.App.GetNewUsersForTeamPage(inTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin(), restrictions)
|
2017-06-30 12:07:23 -04:00
|
|
|
} else {
|
2019-04-29 16:56:56 +02:00
|
|
|
etag = c.App.GetUsersInTeamEtag(inTeamId, restrictions.Hash())
|
2017-09-22 12:54:27 -05:00
|
|
|
if c.HandleEtag(etag, "Get Users in Team", w, r) {
|
2017-06-30 12:07:23 -04:00
|
|
|
return
|
|
|
|
|
}
|
2019-01-11 14:50:32 +01:00
|
|
|
profiles, err = c.App.GetUsersInTeamPage(userGetOptions, c.IsSystemAdmin())
|
2017-06-30 12:07:23 -04:00
|
|
|
}
|
2017-02-03 15:17:34 -05:00
|
|
|
} else if len(inChannelId) > 0 {
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionToChannel(c.App.Session, inChannelId, model.PERMISSION_READ_CHANNEL) {
|
2017-02-03 15:17:34 -05:00
|
|
|
c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
|
|
|
|
|
return
|
|
|
|
|
}
|
2018-03-09 05:48:30 -07:00
|
|
|
if sort == "status" {
|
|
|
|
|
profiles, err = c.App.GetUsersInChannelPageByStatus(inChannelId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin())
|
|
|
|
|
} else {
|
|
|
|
|
profiles, err = c.App.GetUsersInChannelPage(inChannelId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin())
|
|
|
|
|
}
|
2017-02-03 15:17:34 -05:00
|
|
|
} else {
|
2019-04-29 16:56:56 +02:00
|
|
|
etag = c.App.GetUsersEtag(restrictions.Hash())
|
2017-09-22 12:54:27 -05:00
|
|
|
if c.HandleEtag(etag, "Get Users", w, r) {
|
2017-02-03 15:17:34 -05:00
|
|
|
return
|
|
|
|
|
}
|
2019-04-29 16:56:56 +02:00
|
|
|
|
|
|
|
|
userGetOptions, err = c.App.RestrictUsersGetByPermissions(c.App.Session.UserId, userGetOptions)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
2019-01-11 14:50:32 +01:00
|
|
|
profiles, err = c.App.GetUsersPage(userGetOptions, c.IsSystemAdmin())
|
2017-02-03 15:17:34 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
2018-08-01 16:55:18 +02:00
|
|
|
|
|
|
|
|
if len(etag) > 0 {
|
|
|
|
|
w.Header().Set(model.HEADER_ETAG_SERVER, etag)
|
|
|
|
|
}
|
2018-11-28 10:56:21 -08:00
|
|
|
c.App.UpdateLastActivityAtIfNeeded(c.App.Session)
|
2018-08-01 16:55:18 +02:00
|
|
|
w.Write([]byte(model.UserListToJson(profiles)))
|
2017-02-03 15:17:34 -05:00
|
|
|
}
|
|
|
|
|
|
2017-02-03 09:30:57 -05:00
|
|
|
func getUsersByIds(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
userIds := model.ArrayFromJson(r.Body)
|
|
|
|
|
|
|
|
|
|
if len(userIds) == 0 {
|
|
|
|
|
c.SetInvalidParam("user_ids")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-27 09:37:03 -04:00
|
|
|
sinceString := r.URL.Query().Get("since")
|
|
|
|
|
|
|
|
|
|
options := &store.UserGetByIdsOpts{
|
|
|
|
|
IsAdmin: c.IsSystemAdmin(),
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(sinceString) > 0 {
|
|
|
|
|
since, parseError := strconv.ParseInt(sinceString, 10, 64)
|
|
|
|
|
if parseError != nil {
|
|
|
|
|
c.SetInvalidParam("since")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
options.Since = since
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-29 16:56:56 +02:00
|
|
|
restrictions, err := c.App.GetViewUsersRestrictions(c.App.Session.UserId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
2019-06-27 09:37:03 -04:00
|
|
|
options.ViewRestrictions = restrictions
|
2017-02-03 09:30:57 -05:00
|
|
|
|
2019-06-27 09:37:03 -04:00
|
|
|
users, err := c.App.GetUsersByIds(userIds, options)
|
2018-08-01 16:55:18 +02:00
|
|
|
if err != nil {
|
2017-02-03 09:30:57 -05:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
2018-08-01 16:55:18 +02:00
|
|
|
|
|
|
|
|
w.Write([]byte(model.UserListToJson(users)))
|
2017-02-03 09:30:57 -05:00
|
|
|
}
|
|
|
|
|
|
2017-04-25 11:00:41 -04:00
|
|
|
func getUsersByNames(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
usernames := model.ArrayFromJson(r.Body)
|
|
|
|
|
|
|
|
|
|
if len(usernames) == 0 {
|
|
|
|
|
c.SetInvalidParam("usernames")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-29 16:56:56 +02:00
|
|
|
restrictions, err := c.App.GetViewUsersRestrictions(c.App.Session.UserId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
2017-04-25 11:00:41 -04:00
|
|
|
|
2019-04-29 16:56:56 +02:00
|
|
|
users, err := c.App.GetUsersByUsernames(usernames, c.IsSystemAdmin(), restrictions)
|
2018-08-01 16:55:18 +02:00
|
|
|
if err != nil {
|
2017-04-25 11:00:41 -04:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
2018-08-01 16:55:18 +02:00
|
|
|
|
|
|
|
|
w.Write([]byte(model.UserListToJson(users)))
|
2017-04-25 11:00:41 -04:00
|
|
|
}
|
|
|
|
|
|
2017-03-23 06:34:22 -04:00
|
|
|
func searchUsers(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
props := model.UserSearchFromJson(r.Body)
|
|
|
|
|
if props == nil {
|
|
|
|
|
c.SetInvalidParam("")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(props.Term) == 0 {
|
|
|
|
|
c.SetInvalidParam("term")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if props.TeamId == "" && props.NotInChannelId != "" {
|
|
|
|
|
c.SetInvalidParam("team_id")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if props.InChannelId != "" && !c.App.SessionHasPermissionToChannel(c.App.Session, props.InChannelId, model.PERMISSION_READ_CHANNEL) {
|
2017-03-23 06:34:22 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if props.NotInChannelId != "" && !c.App.SessionHasPermissionToChannel(c.App.Session, props.NotInChannelId, model.PERMISSION_READ_CHANNEL) {
|
2017-03-23 06:34:22 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if props.TeamId != "" && !c.App.SessionHasPermissionToTeam(c.App.Session, props.TeamId, model.PERMISSION_VIEW_TEAM) {
|
2017-03-23 06:34:22 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if props.NotInTeamId != "" && !c.App.SessionHasPermissionToTeam(c.App.Session, props.NotInTeamId, model.PERMISSION_VIEW_TEAM) {
|
2017-04-03 18:11:12 +01:00
|
|
|
c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-17 11:24:12 -04:00
|
|
|
if props.Limit <= 0 || props.Limit > model.USER_SEARCH_MAX_LIMIT {
|
|
|
|
|
c.SetInvalidParam("limit")
|
|
|
|
|
return
|
|
|
|
|
}
|
2017-03-23 06:34:22 -04:00
|
|
|
|
2018-10-17 11:24:12 -04:00
|
|
|
options := &model.UserSearchOptions{
|
2019-05-16 10:12:06 +01:00
|
|
|
IsAdmin: c.IsSystemAdmin(),
|
|
|
|
|
AllowInactive: props.AllowInactive,
|
|
|
|
|
GroupConstrained: props.GroupConstrained,
|
|
|
|
|
Limit: props.Limit,
|
|
|
|
|
Role: props.Role,
|
2018-10-17 11:24:12 -04:00
|
|
|
}
|
2017-03-23 06:34:22 -04:00
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_SYSTEM) {
|
2018-10-17 11:24:12 -04:00
|
|
|
options.AllowEmails = true
|
|
|
|
|
options.AllowFullNames = true
|
|
|
|
|
} else {
|
2019-01-31 08:12:01 -05:00
|
|
|
options.AllowEmails = *c.App.Config().PrivacySettings.ShowEmailAddress
|
|
|
|
|
options.AllowFullNames = *c.App.Config().PrivacySettings.ShowFullName
|
2017-03-23 06:34:22 -04:00
|
|
|
}
|
|
|
|
|
|
2019-04-29 16:56:56 +02:00
|
|
|
options, err := c.App.RestrictUsersSearchByPermissions(c.App.Session.UserId, options)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-17 11:24:12 -04:00
|
|
|
profiles, err := c.App.SearchUsers(props, options)
|
2018-08-01 16:55:18 +02:00
|
|
|
if err != nil {
|
2017-03-23 06:34:22 -04:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
2018-08-01 16:55:18 +02:00
|
|
|
|
|
|
|
|
w.Write([]byte(model.UserListToJson(profiles)))
|
2017-03-23 06:34:22 -04:00
|
|
|
}
|
|
|
|
|
|
2017-03-13 08:29:41 -04:00
|
|
|
func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
channelId := r.URL.Query().Get("in_channel")
|
|
|
|
|
teamId := r.URL.Query().Get("in_team")
|
|
|
|
|
name := r.URL.Query().Get("name")
|
2018-10-17 11:24:12 -04:00
|
|
|
limitStr := r.URL.Query().Get("limit")
|
|
|
|
|
limit, _ := strconv.Atoi(limitStr)
|
|
|
|
|
if limitStr == "" {
|
|
|
|
|
limit = model.USER_SEARCH_DEFAULT_LIMIT
|
2019-03-15 17:53:53 +00:00
|
|
|
} else if limit > model.USER_SEARCH_MAX_LIMIT {
|
|
|
|
|
limit = model.USER_SEARCH_MAX_LIMIT
|
2018-10-17 11:24:12 -04:00
|
|
|
}
|
2017-03-13 08:29:41 -04:00
|
|
|
|
2018-10-17 11:24:12 -04:00
|
|
|
options := &model.UserSearchOptions{
|
|
|
|
|
IsAdmin: c.IsSystemAdmin(),
|
|
|
|
|
// Never autocomplete on emails.
|
|
|
|
|
AllowEmails: false,
|
|
|
|
|
Limit: limit,
|
|
|
|
|
}
|
2017-03-13 08:29:41 -04:00
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_SYSTEM) {
|
2018-10-17 11:24:12 -04:00
|
|
|
options.AllowFullNames = true
|
2017-03-13 08:29:41 -04:00
|
|
|
} else {
|
2019-01-31 08:12:01 -05:00
|
|
|
options.AllowFullNames = *c.App.Config().PrivacySettings.ShowFullName
|
2017-03-13 08:29:41 -04:00
|
|
|
}
|
|
|
|
|
|
2017-04-28 11:04:13 -04:00
|
|
|
if len(channelId) > 0 {
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionToChannel(c.App.Session, channelId, model.PERMISSION_READ_CHANNEL) {
|
2017-04-28 11:04:13 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_READ_CHANNEL)
|
|
|
|
|
return
|
|
|
|
|
}
|
2018-10-09 15:25:57 -04:00
|
|
|
}
|
2017-03-13 08:29:41 -04:00
|
|
|
|
2018-10-09 15:25:57 -04:00
|
|
|
if len(teamId) > 0 {
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionToTeam(c.App.Session, teamId, model.PERMISSION_VIEW_TEAM) {
|
2018-10-09 15:25:57 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_VIEW_TEAM)
|
|
|
|
|
return
|
2018-09-28 10:06:40 -04:00
|
|
|
}
|
2018-10-09 15:25:57 -04:00
|
|
|
}
|
2018-09-28 10:06:40 -04:00
|
|
|
|
2018-12-06 13:19:32 -05:00
|
|
|
var autocomplete model.UserAutocomplete
|
2018-12-06 16:55:06 +01:00
|
|
|
|
2019-09-18 20:27:32 +02:00
|
|
|
var err *model.AppError
|
|
|
|
|
options, err = c.App.RestrictUsersSearchByPermissions(c.App.Session.UserId, options)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-09 15:25:57 -04:00
|
|
|
if len(channelId) > 0 {
|
|
|
|
|
// Applying the provided teamId here is useful for DMs and GMs which don't belong
|
|
|
|
|
// to a team. Applying it when the channel does belong to a team makes less sense,
|
2018-10-17 11:24:12 -04:00
|
|
|
// but the permissions are checked above regardless.
|
|
|
|
|
result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, options)
|
2018-04-17 18:39:08 -04:00
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-04-28 11:04:13 -04:00
|
|
|
autocomplete.Users = result.InChannel
|
|
|
|
|
autocomplete.OutOfChannel = result.OutOfChannel
|
|
|
|
|
} else if len(teamId) > 0 {
|
2018-10-17 11:24:12 -04:00
|
|
|
result, err := c.App.AutocompleteUsersInTeam(teamId, name, options)
|
2018-04-17 18:39:08 -04:00
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-04-28 11:04:13 -04:00
|
|
|
autocomplete.Users = result.InTeam
|
2017-03-13 08:29:41 -04:00
|
|
|
} else {
|
2018-10-17 11:24:12 -04:00
|
|
|
result, err := c.App.SearchUsersInTeam("", name, options)
|
2018-04-17 18:39:08 -04:00
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
2017-03-13 08:29:41 -04:00
|
|
|
autocomplete.Users = result
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-01 16:55:18 +02:00
|
|
|
w.Write([]byte((autocomplete.ToJson())))
|
2017-03-13 08:29:41 -04:00
|
|
|
}
|
|
|
|
|
|
2017-01-30 08:30:02 -05:00
|
|
|
func updateUser(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
user := model.UserFromJson(r.Body)
|
|
|
|
|
if user == nil {
|
|
|
|
|
c.SetInvalidParam("user")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-14 16:21:05 +01:00
|
|
|
// The user being updated in the payload must be the same one as indicated in the URL.
|
|
|
|
|
if user.Id != c.Params.UserId {
|
|
|
|
|
c.SetInvalidParam("user_id")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionToUser(c.App.Session, user.Id) {
|
2017-01-30 08:30:02 -05:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-02 00:06:49 +01:00
|
|
|
ouser, err := c.App.GetUser(user.Id)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
2017-10-04 11:04:56 -04:00
|
|
|
|
2019-02-02 00:06:49 +01:00
|
|
|
if c.App.Session.IsOAuth {
|
2017-10-04 11:04:56 -04:00
|
|
|
if ouser.Email != user.Email {
|
|
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
c.Err.DetailedError += ", attempted email update by oauth app"
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-02 00:06:49 +01:00
|
|
|
// If eMail update is attempted by the currently logged in user, check if correct password was provided
|
|
|
|
|
if user.Email != "" && ouser.Email != user.Email && c.App.Session.UserId == c.Params.UserId {
|
|
|
|
|
err = c.App.DoubleCheckPassword(ouser, user.Password)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.SetInvalidParam("password")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-01 16:55:18 +02:00
|
|
|
ruser, err := c.App.UpdateUserAsUser(user, c.IsSystemAdmin())
|
|
|
|
|
if err != nil {
|
2017-01-30 08:30:02 -05:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
2018-08-01 16:55:18 +02:00
|
|
|
|
|
|
|
|
c.LogAudit("")
|
|
|
|
|
w.Write([]byte(ruser.ToJson()))
|
2017-01-30 08:30:02 -05:00
|
|
|
}
|
|
|
|
|
|
2017-02-16 09:46:55 -05:00
|
|
|
func patchUser(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
patch := model.UserPatchFromJson(r.Body)
|
|
|
|
|
if patch == nil {
|
|
|
|
|
c.SetInvalidParam("user")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) {
|
2017-02-16 09:46:55 -05:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-04-12 12:02:36 -07:00
|
|
|
ouser, err := c.App.GetUser(c.Params.UserId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.SetInvalidParam("user_id")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if c.App.Session.IsOAuth && patch.Email != nil {
|
2017-10-04 11:04:56 -04:00
|
|
|
if ouser.Email != *patch.Email {
|
|
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
c.Err.DetailedError += ", attempted email update by oauth app"
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-02 00:06:49 +01:00
|
|
|
// If eMail update is attempted by the currently logged in user, check if correct password was provided
|
|
|
|
|
if patch.Email != nil && ouser.Email != *patch.Email && c.App.Session.UserId == c.Params.UserId {
|
|
|
|
|
if patch.Password == nil {
|
|
|
|
|
c.SetInvalidParam("password")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err = c.App.DoubleCheckPassword(ouser, *patch.Password); err != nil {
|
2019-02-04 18:54:57 +01:00
|
|
|
c.Err = err
|
2019-02-02 00:06:49 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-01 16:55:18 +02:00
|
|
|
ruser, err := c.App.PatchUser(c.Params.UserId, patch, c.IsSystemAdmin())
|
|
|
|
|
if err != nil {
|
2017-02-16 09:46:55 -05:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
2018-08-01 16:55:18 +02:00
|
|
|
|
|
|
|
|
c.App.SetAutoResponderStatus(ruser, ouser.NotifyProps)
|
|
|
|
|
c.LogAudit("")
|
|
|
|
|
w.Write([]byte(ruser.ToJson()))
|
2017-02-16 09:46:55 -05:00
|
|
|
}
|
|
|
|
|
|
2017-02-07 10:46:40 -08:00
|
|
|
func deleteUser(c *Context, w http.ResponseWriter, r *http.Request) {
|
2017-02-05 12:20:17 -05:00
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
userId := c.Params.UserId
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionToUser(c.App.Session, userId) {
|
2017-02-05 12:20:17 -05:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
2017-02-07 10:46:40 -08:00
|
|
|
|
2019-02-20 16:56:26 +01:00
|
|
|
// if EnableUserDeactivation flag is disabled the user cannot deactivate himself.
|
|
|
|
|
if c.Params.UserId == c.App.Session.UserId && !*c.App.Config().TeamSettings.EnableUserDeactivation && !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_SYSTEM) {
|
|
|
|
|
c.Err = model.NewAppError("deleteUser", "api.user.update_active.not_enable.app_error", nil, "userId="+c.Params.UserId, http.StatusUnauthorized)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-06 16:55:06 +01:00
|
|
|
user, err := c.App.GetUser(userId)
|
|
|
|
|
if err != nil {
|
2017-02-05 12:20:17 -05:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-06 16:55:06 +01:00
|
|
|
if _, err = c.App.UpdateActive(user, false); err != nil {
|
2017-02-05 12:20:17 -05:00
|
|
|
c.Err = err
|
2017-02-07 10:46:40 -08:00
|
|
|
return
|
2017-02-05 12:20:17 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
|
|
|
|
|
2017-02-01 16:13:16 -05:00
|
|
|
func updateUserRoles(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
props := model.MapFromJson(r.Body)
|
|
|
|
|
|
|
|
|
|
newRoles := props["roles"]
|
|
|
|
|
if !model.IsValidUserRoles(newRoles) {
|
|
|
|
|
c.SetInvalidParam("roles")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_ROLES) {
|
2017-02-01 16:13:16 -05:00
|
|
|
c.SetPermissionError(model.PERMISSION_MANAGE_ROLES)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-31 12:00:21 -04:00
|
|
|
if _, err := c.App.UpdateUserRoles(c.Params.UserId, newRoles, true); err != nil {
|
2017-02-01 16:13:16 -05:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-22 16:20:59 +01:00
|
|
|
c.LogAudit(fmt.Sprintf("user=%s roles=%s", c.Params.UserId, newRoles))
|
2017-02-01 16:13:16 -05:00
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
|
|
|
|
|
2017-04-18 00:06:33 +09:00
|
|
|
func updateUserActive(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
props := model.StringInterfaceFromJson(r.Body)
|
|
|
|
|
|
|
|
|
|
active, ok := props["active"].(bool)
|
|
|
|
|
if !ok {
|
|
|
|
|
c.SetInvalidParam("active")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// true when you're trying to de-activate yourself
|
2018-11-28 10:56:21 -08:00
|
|
|
isSelfDeactive := !active && c.Params.UserId == c.App.Session.UserId
|
2017-04-18 00:06:33 +09:00
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if !isSelfDeactive && !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_SYSTEM) {
|
2017-08-31 15:03:16 +01:00
|
|
|
c.Err = model.NewAppError("updateUserActive", "api.user.update_active.permissions.app_error", nil, "userId="+c.Params.UserId, http.StatusForbidden)
|
2017-04-18 00:06:33 +09:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-05-28 16:20:08 +02:00
|
|
|
// if EnableUserDeactivation flag is disabled the user cannot deactivate himself.
|
2019-02-12 08:37:54 -05:00
|
|
|
if isSelfDeactive && !*c.App.Config().TeamSettings.EnableUserDeactivation {
|
2018-05-28 16:20:08 +02:00
|
|
|
c.Err = model.NewAppError("updateUserActive", "api.user.update_active.not_enable.app_error", nil, "userId="+c.Params.UserId, http.StatusUnauthorized)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-06 16:55:06 +01:00
|
|
|
user, err := c.App.GetUser(c.Params.UserId)
|
|
|
|
|
if err != nil {
|
2017-12-08 14:14:55 -05:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-11-15 15:43:52 +01:00
|
|
|
if active && user.IsGuest() && !*c.App.Config().GuestAccountsSettings.Enable {
|
|
|
|
|
c.Err = model.NewAppError("updateUserActive", "api.user.update_active.cannot_enable_guest_when_guest_feature_is_disabled.app_error", nil, "userId="+c.Params.UserId, http.StatusUnauthorized)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-06 16:55:06 +01:00
|
|
|
if _, err = c.App.UpdateActive(user, active); err != nil {
|
2017-04-18 00:06:33 +09:00
|
|
|
c.Err = err
|
|
|
|
|
}
|
2018-08-01 16:55:18 +02:00
|
|
|
|
2019-02-28 23:30:26 +01:00
|
|
|
c.LogAudit(fmt.Sprintf("user_id=%s active=%v", user.Id, active))
|
2018-08-01 16:55:18 +02:00
|
|
|
if isSelfDeactive {
|
2018-11-07 10:20:07 -08:00
|
|
|
c.App.Srv.Go(func() {
|
2018-08-01 16:55:18 +02:00
|
|
|
if err = c.App.SendDeactivateAccountEmail(user.Email, user.Locale, c.App.GetSiteURL()); err != nil {
|
|
|
|
|
mlog.Error(err.Error())
|
|
|
|
|
}
|
|
|
|
|
})
|
|
|
|
|
}
|
|
|
|
|
ReturnStatusOK(w)
|
2017-04-18 00:06:33 +09:00
|
|
|
}
|
|
|
|
|
|
2018-01-04 09:45:59 -08:00
|
|
|
func updateUserAuth(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
if !c.IsSystemAdmin() {
|
|
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
userAuth := model.UserAuthFromJson(r.Body)
|
|
|
|
|
if userAuth == nil {
|
|
|
|
|
c.SetInvalidParam("user")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-01 16:55:18 +02:00
|
|
|
user, err := c.App.UpdateUserAuth(c.Params.UserId, userAuth)
|
|
|
|
|
if err != nil {
|
2018-01-04 09:45:59 -08:00
|
|
|
c.Err = err
|
2018-12-17 12:04:30 -08:00
|
|
|
return
|
2018-01-04 09:45:59 -08:00
|
|
|
}
|
2018-08-01 16:55:18 +02:00
|
|
|
|
2019-02-22 16:20:59 +01:00
|
|
|
c.LogAudit(fmt.Sprintf("updated user %s auth to service=%v", c.Params.UserId, user.AuthService))
|
2018-08-01 16:55:18 +02:00
|
|
|
w.Write([]byte(user.ToJson()))
|
2018-01-04 09:45:59 -08:00
|
|
|
}
|
|
|
|
|
|
2019-03-01 18:56:11 +01:00
|
|
|
// Deprecated: checkUserMfa is deprecated and should not be used anymore, starting with version 6.0 it will be disabled.
|
|
|
|
|
// Clients should attempt a login without MFA and will receive a MFA error when it's required.
|
2017-03-27 09:21:48 -04:00
|
|
|
func checkUserMfa(c *Context, w http.ResponseWriter, r *http.Request) {
|
2019-03-01 18:56:11 +01:00
|
|
|
|
|
|
|
|
if *c.App.Config().ServiceSettings.DisableLegacyMFA {
|
|
|
|
|
http.NotFound(w, r)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-27 09:21:48 -04:00
|
|
|
props := model.MapFromJson(r.Body)
|
|
|
|
|
|
|
|
|
|
loginId := props["login_id"]
|
|
|
|
|
if len(loginId) == 0 {
|
|
|
|
|
c.SetInvalidParam("login_id")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
resp := map[string]interface{}{}
|
|
|
|
|
resp["mfa_required"] = false
|
|
|
|
|
|
2018-12-12 11:50:19 +01:00
|
|
|
if !*c.App.Config().ServiceSettings.EnableMultifactorAuthentication {
|
2017-03-27 09:21:48 -04:00
|
|
|
w.Write([]byte(model.StringInterfaceToJson(resp)))
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-04 09:48:26 -07:00
|
|
|
if *c.App.Config().ServiceSettings.ExperimentalEnableHardenedMode {
|
|
|
|
|
resp["mfa_required"] = true
|
|
|
|
|
} else if user, err := c.App.GetUserForLogin("", loginId); err == nil {
|
2017-03-27 09:21:48 -04:00
|
|
|
resp["mfa_required"] = user.MfaActive
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
w.Write([]byte(model.StringInterfaceToJson(resp)))
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-13 08:29:56 -04:00
|
|
|
func updateUserMfa(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if c.App.Session.IsOAuth {
|
2017-10-04 11:04:56 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
c.Err.DetailedError += ", attempted access by oauth app"
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) {
|
2017-03-13 08:29:56 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
props := model.StringInterfaceFromJson(r.Body)
|
|
|
|
|
activate, ok := props["activate"].(bool)
|
|
|
|
|
if !ok {
|
|
|
|
|
c.SetInvalidParam("activate")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
code := ""
|
|
|
|
|
if activate {
|
|
|
|
|
code, ok = props["code"].(string)
|
|
|
|
|
if !ok || len(code) == 0 {
|
|
|
|
|
c.SetInvalidParam("code")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.LogAudit("attempt")
|
|
|
|
|
|
2017-09-06 17:12:54 -05:00
|
|
|
if err := c.App.UpdateMfa(activate, c.Params.UserId, code); err != nil {
|
2017-03-13 08:29:56 -04:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.LogAudit("success - mfa updated")
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-27 09:21:48 -04:00
|
|
|
func generateMfaSecret(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if c.App.Session.IsOAuth {
|
2017-10-04 11:04:56 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
c.Err.DetailedError += ", attempted access by oauth app"
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) {
|
2017-03-27 09:21:48 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-06 17:12:54 -05:00
|
|
|
secret, err := c.App.GenerateMfaSecret(c.Params.UserId)
|
2017-03-27 09:21:48 -04:00
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
w.Header().Set("Cache-Control", "no-cache")
|
|
|
|
|
w.Header().Set("Pragma", "no-cache")
|
|
|
|
|
w.Header().Set("Expires", "0")
|
|
|
|
|
w.Write([]byte(secret.ToJson()))
|
|
|
|
|
}
|
|
|
|
|
|
2017-02-07 09:35:58 -08:00
|
|
|
func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
props := model.MapFromJson(r.Body)
|
|
|
|
|
newPassword := props["new_password"]
|
|
|
|
|
|
|
|
|
|
c.LogAudit("attempted")
|
|
|
|
|
|
|
|
|
|
var err *model.AppError
|
2018-11-28 10:56:21 -08:00
|
|
|
if c.Params.UserId == c.App.Session.UserId {
|
2017-02-07 09:35:58 -08:00
|
|
|
currentPassword := props["current_password"]
|
|
|
|
|
if len(currentPassword) <= 0 {
|
|
|
|
|
c.SetInvalidParam("current_password")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-06 17:12:54 -05:00
|
|
|
err = c.App.UpdatePasswordAsUser(c.Params.UserId, currentPassword, newPassword)
|
2018-11-28 10:56:21 -08:00
|
|
|
} else if c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_SYSTEM) {
|
|
|
|
|
err = c.App.UpdatePasswordByUserIdSendEmail(c.Params.UserId, newPassword, c.App.T("api.user.reset_password.method"))
|
2017-02-07 09:35:58 -08:00
|
|
|
} else {
|
|
|
|
|
err = model.NewAppError("updatePassword", "api.user.update_password.context.app_error", nil, "", http.StatusForbidden)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.LogAudit("failed")
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
2018-08-01 16:55:18 +02:00
|
|
|
|
|
|
|
|
c.LogAudit("completed")
|
|
|
|
|
ReturnStatusOK(w)
|
2017-02-07 09:35:58 -08:00
|
|
|
}
|
|
|
|
|
|
2017-02-07 10:46:40 -08:00
|
|
|
func resetPassword(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
props := model.MapFromJson(r.Body)
|
|
|
|
|
|
2017-04-27 10:55:03 -04:00
|
|
|
token := props["token"]
|
|
|
|
|
if len(token) != model.TOKEN_SIZE {
|
|
|
|
|
c.SetInvalidParam("token")
|
2017-02-07 10:46:40 -08:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
newPassword := props["new_password"]
|
|
|
|
|
|
2017-04-27 10:55:03 -04:00
|
|
|
c.LogAudit("attempt - token=" + token)
|
2017-02-07 10:46:40 -08:00
|
|
|
|
2017-09-06 17:12:54 -05:00
|
|
|
if err := c.App.ResetPasswordFromToken(token, newPassword); err != nil {
|
2017-04-27 10:55:03 -04:00
|
|
|
c.LogAudit("fail - token=" + token)
|
2017-02-07 10:46:40 -08:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-04-27 10:55:03 -04:00
|
|
|
c.LogAudit("success - token=" + token)
|
2017-02-07 10:46:40 -08:00
|
|
|
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func sendPasswordReset(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
props := model.MapFromJson(r.Body)
|
|
|
|
|
|
|
|
|
|
email := props["email"]
|
|
|
|
|
if len(email) == 0 {
|
|
|
|
|
c.SetInvalidParam("email")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-01 16:55:18 +02:00
|
|
|
sent, err := c.App.SendPasswordReset(email, c.App.GetSiteURL())
|
|
|
|
|
if err != nil {
|
2018-06-04 09:48:26 -07:00
|
|
|
if *c.App.Config().ServiceSettings.ExperimentalEnableHardenedMode {
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
} else {
|
|
|
|
|
c.Err = err
|
|
|
|
|
}
|
2017-02-07 10:46:40 -08:00
|
|
|
return
|
2018-08-01 16:55:18 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if sent {
|
2017-02-07 10:46:40 -08:00
|
|
|
c.LogAudit("sent=" + email)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-30 08:30:02 -05:00
|
|
|
func login(c *Context, w http.ResponseWriter, r *http.Request) {
|
2019-06-12 18:35:53 +02:00
|
|
|
// Mask all sensitive errors, with the exception of the following
|
2018-06-04 09:48:26 -07:00
|
|
|
defer func() {
|
2019-06-10 23:25:25 +02:00
|
|
|
if c.Err == nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
unmaskedErrors := []string{
|
|
|
|
|
"mfa.validate_token.authenticate.app_error",
|
|
|
|
|
"api.user.check_user_mfa.bad_code.app_error",
|
|
|
|
|
"api.user.login.blank_pwd.app_error",
|
|
|
|
|
"api.user.login.bot_login_forbidden.app_error",
|
|
|
|
|
"api.user.login.client_side_cert.certificate.app_error",
|
|
|
|
|
"api.user.login.inactive.app_error",
|
|
|
|
|
"api.user.login.not_verified.app_error",
|
2019-06-12 18:35:53 +02:00
|
|
|
"api.user.check_user_login_attempts.too_many.app_error",
|
2019-06-18 07:56:18 -04:00
|
|
|
"app.team.join_user_to_team.max_accounts.app_error",
|
|
|
|
|
"store.sql_user.save.max_accounts.app_error",
|
2018-06-04 09:48:26 -07:00
|
|
|
}
|
2019-06-10 23:25:25 +02:00
|
|
|
|
|
|
|
|
maskError := true
|
|
|
|
|
|
|
|
|
|
for _, unmaskedError := range unmaskedErrors {
|
|
|
|
|
if c.Err.Id == unmaskedError {
|
|
|
|
|
maskError = false
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !maskError {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
config := c.App.Config()
|
|
|
|
|
enableUsername := *config.EmailSettings.EnableSignInWithUsername
|
|
|
|
|
enableEmail := *config.EmailSettings.EnableSignInWithEmail
|
|
|
|
|
samlEnabled := *config.SamlSettings.Enable
|
|
|
|
|
gitlabEnabled := *config.GetSSOService("gitlab").Enable
|
|
|
|
|
googleEnabled := *config.GetSSOService("google").Enable
|
|
|
|
|
office365Enabled := *config.GetSSOService("office365").Enable
|
|
|
|
|
|
|
|
|
|
if samlEnabled || gitlabEnabled || googleEnabled || office365Enabled {
|
|
|
|
|
c.Err = model.NewAppError("login", "api.user.login.invalid_credentials_sso", nil, "", http.StatusUnauthorized)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if enableUsername && !enableEmail {
|
|
|
|
|
c.Err = model.NewAppError("login", "api.user.login.invalid_credentials_username", nil, "", http.StatusUnauthorized)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !enableUsername && enableEmail {
|
|
|
|
|
c.Err = model.NewAppError("login", "api.user.login.invalid_credentials_email", nil, "", http.StatusUnauthorized)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.Err = model.NewAppError("login", "api.user.login.invalid_credentials_email_username", nil, "", http.StatusUnauthorized)
|
2018-06-04 09:48:26 -07:00
|
|
|
}()
|
|
|
|
|
|
2017-01-30 08:30:02 -05:00
|
|
|
props := model.MapFromJson(r.Body)
|
|
|
|
|
|
|
|
|
|
id := props["id"]
|
|
|
|
|
loginId := props["login_id"]
|
|
|
|
|
password := props["password"]
|
|
|
|
|
mfaToken := props["token"]
|
|
|
|
|
deviceId := props["device_id"]
|
|
|
|
|
ldapOnly := props["ldap_only"] == "true"
|
|
|
|
|
|
2018-06-12 10:16:39 -07:00
|
|
|
if *c.App.Config().ExperimentalSettings.ClientSideCertEnable {
|
|
|
|
|
if license := c.App.License(); license == nil || !*license.Features.SAML {
|
2018-06-19 19:40:26 +02:00
|
|
|
c.Err = model.NewAppError("ClientSideCertNotAllowed", "api.user.login.client_side_cert.license.app_error", nil, "", http.StatusBadRequest)
|
2018-06-12 10:16:39 -07:00
|
|
|
return
|
2018-12-06 16:55:06 +01:00
|
|
|
}
|
2019-01-12 07:38:34 +09:00
|
|
|
certPem, certSubject, certEmail := c.App.CheckForClientSideCert(r)
|
2018-12-06 16:55:06 +01:00
|
|
|
mlog.Debug("Client Cert", mlog.String("cert_subject", certSubject), mlog.String("cert_email", certEmail))
|
2018-06-12 10:16:39 -07:00
|
|
|
|
2018-12-06 16:55:06 +01:00
|
|
|
if len(certPem) == 0 || len(certEmail) == 0 {
|
|
|
|
|
c.Err = model.NewAppError("ClientSideCertMissing", "api.user.login.client_side_cert.certificate.app_error", nil, "", http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if *c.App.Config().ExperimentalSettings.ClientSideCertCheck == model.CLIENT_SIDE_CERT_CHECK_PRIMARY_AUTH {
|
|
|
|
|
loginId = certEmail
|
|
|
|
|
password = "certificate"
|
2018-06-12 10:16:39 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-30 08:30:02 -05:00
|
|
|
c.LogAuditWithUserId(id, "attempt - login_id="+loginId)
|
2018-05-10 09:46:09 -07:00
|
|
|
user, err := c.App.AuthenticateUserForLogin(id, loginId, password, mfaToken, ldapOnly)
|
2018-06-12 10:16:39 -07:00
|
|
|
|
2017-01-30 08:30:02 -05:00
|
|
|
if err != nil {
|
|
|
|
|
c.LogAuditWithUserId(id, "failure - login_id="+loginId)
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-07-22 22:13:39 +02:00
|
|
|
if user.IsGuest() {
|
|
|
|
|
if c.App.License() == nil {
|
|
|
|
|
c.Err = model.NewAppError("login", "api.user.login.guest_accounts.license.error", nil, "", http.StatusUnauthorized)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if !*c.App.Config().GuestAccountsSettings.Enable {
|
|
|
|
|
c.Err = model.NewAppError("login", "api.user.login.guest_accounts.disabled.error", nil, "", http.StatusUnauthorized)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-30 08:30:02 -05:00
|
|
|
c.LogAuditWithUserId(user.Id, "authenticated")
|
|
|
|
|
|
2019-10-31 12:50:43 +01:00
|
|
|
err = c.App.DoLogin(w, r, user, deviceId)
|
2017-01-30 08:30:02 -05:00
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.LogAuditWithUserId(user.Id, "success")
|
|
|
|
|
|
2019-06-11 15:09:00 -04:00
|
|
|
if r.Header.Get(model.HEADER_REQUESTED_WITH) == model.HEADER_REQUESTED_WITH_XML {
|
2019-10-31 12:50:43 +01:00
|
|
|
c.App.AttachSessionCookies(w, r)
|
2019-06-11 15:09:00 -04:00
|
|
|
}
|
|
|
|
|
|
2019-04-16 17:59:07 +01:00
|
|
|
userTermsOfService, err := c.App.GetUserTermsOfService(user.Id)
|
|
|
|
|
if err != nil && err.StatusCode != http.StatusNotFound {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if userTermsOfService != nil {
|
|
|
|
|
user.TermsOfServiceId = userTermsOfService.TermsOfServiceId
|
|
|
|
|
user.TermsOfServiceCreateAt = userTermsOfService.CreateAt
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-30 08:30:02 -05:00
|
|
|
user.Sanitize(map[string]bool{})
|
|
|
|
|
|
|
|
|
|
w.Write([]byte(user.ToJson()))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func logout(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
Logout(c, w, r)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func Logout(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.LogAudit("")
|
|
|
|
|
c.RemoveSessionCookie(w, r)
|
2018-11-28 10:56:21 -08:00
|
|
|
if c.App.Session.Id != "" {
|
|
|
|
|
if err := c.App.RevokeSessionById(c.App.Session.Id); err != nil {
|
2017-01-30 08:30:02 -05:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
2017-02-17 10:31:01 -05:00
|
|
|
|
|
|
|
|
func getSessions(c *Context, w http.ResponseWriter, r *http.Request) {
|
2017-02-21 21:07:57 +09:00
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) {
|
2017-02-21 21:07:57 +09:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-01 16:55:18 +02:00
|
|
|
sessions, err := c.App.GetSessions(c.Params.UserId)
|
|
|
|
|
if err != nil {
|
2017-02-21 21:07:57 +09:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
2018-08-01 16:55:18 +02:00
|
|
|
}
|
2017-02-21 21:07:57 +09:00
|
|
|
|
2018-08-01 16:55:18 +02:00
|
|
|
for _, session := range sessions {
|
|
|
|
|
session.Sanitize()
|
2017-02-21 21:07:57 +09:00
|
|
|
}
|
2018-08-01 16:55:18 +02:00
|
|
|
|
|
|
|
|
w.Write([]byte(model.SessionsToJson(sessions)))
|
2017-02-17 10:31:01 -05:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) {
|
2017-02-21 21:07:57 +09:00
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) {
|
2017-02-21 21:07:57 +09:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
props := model.MapFromJson(r.Body)
|
|
|
|
|
sessionId := props["session_id"]
|
|
|
|
|
if sessionId == "" {
|
|
|
|
|
c.SetInvalidParam("session_id")
|
2017-08-10 04:36:59 +08:00
|
|
|
return
|
2017-02-21 21:07:57 +09:00
|
|
|
}
|
|
|
|
|
|
2018-12-06 16:55:06 +01:00
|
|
|
session, err := c.App.GetSessionById(sessionId)
|
|
|
|
|
if err != nil {
|
2017-10-04 11:04:17 -04:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if session.UserId != c.Params.UserId {
|
|
|
|
|
c.SetInvalidUrlParam("user_id")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := c.App.RevokeSession(session); err != nil {
|
2017-02-21 21:07:57 +09:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
|
|
|
|
|
2017-10-16 23:50:31 -04:00
|
|
|
func revokeAllSessionsForUser(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) {
|
2017-10-16 23:50:31 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := c.App.RevokeAllSessions(c.Params.UserId); err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
|
|
|
|
|
2019-07-01 23:28:46 +02:00
|
|
|
func revokeAllSessionsAllUsers(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_SYSTEM) {
|
|
|
|
|
c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := c.App.RevokeSessionsFromAllUsers(); err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-27 09:17:34 -04:00
|
|
|
func attachDeviceId(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
props := model.MapFromJson(r.Body)
|
|
|
|
|
|
|
|
|
|
deviceId := props["device_id"]
|
|
|
|
|
if len(deviceId) == 0 {
|
|
|
|
|
c.SetInvalidParam("device_id")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// A special case where we logout of all other sessions with the same device id
|
2018-11-28 10:56:21 -08:00
|
|
|
if err := c.App.RevokeSessionsForDeviceId(c.App.Session.UserId, deviceId, c.App.Session.Id); err != nil {
|
2017-03-27 09:17:34 -04:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
c.App.ClearSessionCacheForUser(c.App.Session.UserId)
|
|
|
|
|
c.App.Session.SetExpireInDays(*c.App.Config().ServiceSettings.SessionLengthMobileInDays)
|
2017-03-27 09:17:34 -04:00
|
|
|
|
2017-10-18 15:36:43 -07:00
|
|
|
maxAge := *c.App.Config().ServiceSettings.SessionLengthMobileInDays * 60 * 60 * 24
|
2017-03-27 09:17:34 -04:00
|
|
|
|
|
|
|
|
secure := false
|
|
|
|
|
if app.GetProtocol(r) == "https" {
|
|
|
|
|
secure = true
|
|
|
|
|
}
|
|
|
|
|
|
2019-05-03 13:52:32 -07:00
|
|
|
subpath, _ := utils.GetSubpathFromConfig(c.App.Config())
|
|
|
|
|
|
2017-03-27 09:17:34 -04:00
|
|
|
expiresAt := time.Unix(model.GetMillis()/1000+int64(maxAge), 0)
|
|
|
|
|
sessionCookie := &http.Cookie{
|
|
|
|
|
Name: model.SESSION_COOKIE_TOKEN,
|
2018-11-28 10:56:21 -08:00
|
|
|
Value: c.App.Session.Token,
|
2019-05-03 13:52:32 -07:00
|
|
|
Path: subpath,
|
2017-03-27 09:17:34 -04:00
|
|
|
MaxAge: maxAge,
|
|
|
|
|
Expires: expiresAt,
|
|
|
|
|
HttpOnly: true,
|
2018-02-20 12:49:45 -08:00
|
|
|
Domain: c.App.GetCookieDomain(),
|
2017-03-27 09:17:34 -04:00
|
|
|
Secure: secure,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
http.SetCookie(w, sessionCookie)
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if err := c.App.AttachDeviceId(c.App.Session.Id, deviceId, c.App.Session.ExpiresAt); err != nil {
|
2017-03-27 09:17:34 -04:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.LogAudit("")
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-21 09:06:08 -04:00
|
|
|
func getUserAudits(c *Context, w http.ResponseWriter, r *http.Request) {
|
2017-02-21 21:07:57 +09:00
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) {
|
2017-02-21 21:07:57 +09:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-08-01 16:55:18 +02:00
|
|
|
audits, err := c.App.GetAuditsPage(c.Params.UserId, c.Params.Page, c.Params.PerPage)
|
|
|
|
|
if err != nil {
|
2017-02-21 21:07:57 +09:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
2018-08-01 16:55:18 +02:00
|
|
|
|
|
|
|
|
w.Write([]byte(audits.ToJson()))
|
2017-02-21 21:07:57 +09:00
|
|
|
}
|
2017-02-24 14:27:47 +01:00
|
|
|
|
2017-03-24 16:42:05 -04:00
|
|
|
func verifyUserEmail(c *Context, w http.ResponseWriter, r *http.Request) {
|
2017-02-24 14:27:47 +01:00
|
|
|
props := model.MapFromJson(r.Body)
|
|
|
|
|
|
2017-04-27 10:55:03 -04:00
|
|
|
token := props["token"]
|
|
|
|
|
if len(token) != model.TOKEN_SIZE {
|
|
|
|
|
c.SetInvalidParam("token")
|
2017-02-24 14:27:47 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-06 17:12:54 -05:00
|
|
|
if err := c.App.VerifyEmailFromToken(token); err != nil {
|
2017-08-31 15:03:16 +01:00
|
|
|
c.Err = model.NewAppError("verifyUserEmail", "api.user.verify_email.bad_link.app_error", nil, err.Error(), http.StatusBadRequest)
|
2017-04-27 10:55:03 -04:00
|
|
|
return
|
2017-02-24 14:27:47 +01:00
|
|
|
}
|
2018-08-01 16:55:18 +02:00
|
|
|
|
|
|
|
|
c.LogAudit("Email Verified")
|
|
|
|
|
ReturnStatusOK(w)
|
2017-02-24 14:27:47 +01:00
|
|
|
}
|
2017-03-24 16:42:05 -04:00
|
|
|
|
|
|
|
|
func sendVerificationEmail(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
props := model.MapFromJson(r.Body)
|
|
|
|
|
|
|
|
|
|
email := props["email"]
|
|
|
|
|
if len(email) == 0 {
|
|
|
|
|
c.SetInvalidParam("email")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-05-10 09:46:09 -07:00
|
|
|
user, err := c.App.GetUserForLogin("", email)
|
2017-03-24 16:42:05 -04:00
|
|
|
if err != nil {
|
|
|
|
|
// Don't want to leak whether the email is valid or not
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-20 15:50:52 +01:00
|
|
|
if err = c.App.SendEmailVerification(user, user.Email); err != nil {
|
2017-04-27 10:55:03 -04:00
|
|
|
// Don't want to leak whether the email is valid or not
|
2018-04-27 12:49:45 -07:00
|
|
|
mlog.Error(err.Error())
|
2017-04-27 10:55:03 -04:00
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
return
|
2017-03-24 16:42:05 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
2017-04-10 08:19:49 -04:00
|
|
|
|
|
|
|
|
func switchAccountType(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
switchRequest := model.SwitchRequestFromJson(r.Body)
|
|
|
|
|
if switchRequest == nil {
|
|
|
|
|
c.SetInvalidParam("switch_request")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
link := ""
|
|
|
|
|
var err *model.AppError
|
|
|
|
|
|
|
|
|
|
if switchRequest.EmailToOAuth() {
|
2017-09-06 17:12:54 -05:00
|
|
|
link, err = c.App.SwitchEmailToOAuth(w, r, switchRequest.Email, switchRequest.Password, switchRequest.MfaCode, switchRequest.NewService)
|
2017-04-10 08:19:49 -04:00
|
|
|
} else if switchRequest.OAuthToEmail() {
|
|
|
|
|
c.SessionRequired()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
link, err = c.App.SwitchOAuthToEmail(switchRequest.Email, switchRequest.NewPassword, c.App.Session.UserId)
|
2017-04-10 08:19:49 -04:00
|
|
|
} else if switchRequest.EmailToLdap() {
|
2018-05-10 09:46:09 -07:00
|
|
|
link, err = c.App.SwitchEmailToLdap(switchRequest.Email, switchRequest.Password, switchRequest.MfaCode, switchRequest.LdapLoginId, switchRequest.NewPassword)
|
2017-04-10 08:19:49 -04:00
|
|
|
} else if switchRequest.LdapToEmail() {
|
2017-09-06 17:12:54 -05:00
|
|
|
link, err = c.App.SwitchLdapToEmail(switchRequest.Password, switchRequest.MfaCode, switchRequest.Email, switchRequest.NewPassword)
|
2017-04-10 08:19:49 -04:00
|
|
|
} else {
|
|
|
|
|
c.SetInvalidParam("switch_request")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.LogAudit("success")
|
|
|
|
|
w.Write([]byte(model.MapToJson(map[string]string{"follow_link": link})))
|
|
|
|
|
}
|
2017-07-31 12:59:32 -04:00
|
|
|
|
|
|
|
|
func createUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if c.App.Session.IsOAuth {
|
2017-10-04 11:04:56 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_CREATE_USER_ACCESS_TOKEN)
|
|
|
|
|
c.Err.DetailedError += ", attempted access by oauth app"
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-31 12:59:32 -04:00
|
|
|
accessToken := model.UserAccessTokenFromJson(r.Body)
|
|
|
|
|
if accessToken == nil {
|
|
|
|
|
c.SetInvalidParam("user_access_token")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if accessToken.Description == "" {
|
|
|
|
|
c.SetInvalidParam("description")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.LogAudit("")
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_CREATE_USER_ACCESS_TOKEN) {
|
2017-07-31 12:59:32 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_CREATE_USER_ACCESS_TOKEN)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
MM-12393 Server side of bot accounts. (#10378)
* bots model, store and api (#9903)
* bots model, store and api
Fixes: MM-13100, MM-13101, MM-13103, MM-13105, MMM-13119
* uncomment tests incorrectly commented, and fix merge issues
* add etags support
* add missing licenses
* remove unused sqlbuilder.go (for now...)
* rejig permissions
* split out READ_BOTS into READ_BOTS and READ_OTHERS_BOTS, the latter
implicitly allowing the former
* make MANAGE_OTHERS_BOTS imply MANAGE_BOTS
* conform to general rest api pattern
* eliminate redundant http.StatusOK
* Update api4/bot.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* s/model.UserFromBotModel/model.UserFromBot/g
* Update model/bot.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* Update model/client4.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* move sessionHasPermissionToManageBot to app/authorization.go
* use api.ApiSessionRequired for createBot
* introduce BOT_DESCRIPTION_MAX_RUNES constant
* MM-13512 Prevent getting a user by email based on privacy settings (#10021)
* MM-13512 Prevent getting a user by email based on privacy settings
* Add additional config settings to tests
* upgrade db to 5.7 (#10019)
* MM-13526 Add validation when setting a user's Locale field (#10022)
* Fix typos (#10024)
* Fixing first user being created with system admin privilages without being explicity specified. (#10014)
* Revert "Support for Embeded chat (#9129)" (#10017)
This reverts commit 3fcecd521a5c6ccfdb52fb4c3fb1f8c6ea528a4e.
* s/DisableBot/UpdateBotActive
* add permissions on upgrade
* Update NOTICE.txt (#10054)
- add new dependency (text)
- handle switch to forked dependency (go-gomail -> go-mail)
- misc copyright owner updates
* avoid leaking bot knowledge without permission
* [GH-6798] added a new api endpoint to get the bulk reactions for posts (#10049)
* 6798 added a new api to get the bulk reactions for posts
* 6798 added the permsission check before getting the reactions
* GH-6798 added a new app function for the new endpoint
* 6798 added a store method to get reactions for multiple posts
* 6798 connected the app function with the new store function
* 6798 fixed the review comments
* MM-13559 Update model.post.is_valid.file_ids.app_error text per report (#10055)
Ticket: https://mattermost.atlassian.net/browse/MM-13559
Report: https://github.com/mattermost/mattermost-server/issues/10023
* Trigger Login Hooks with OAuth (#10061)
* make BotStore.GetAll deterministic even on duplicate CreateAt
* fix spurious TestMuteCommandSpecificChannel test failure
See
https://community-daily.mattermost.com/core/pl/px9p8s3dzbg1pf3ddrm5cr36uw
* fix race in TestExportUserChannels
* TestExportUserChannels: remove SaveMember call, as it is redundant and used to be silently failing anyway
* MM-13117: bot tokens (#10111)
* eliminate redundant Client/AdminClient declarations
* harden TestUpdateChannelScheme to API failures
* eliminate unnecessary config restoration
* minor cleanup
* make TestGenerateMfaSecret config dependency explicit
* TestCreateUserAccessToken for bots
* TestGetUserAccessToken* for bots
* leverage SessionHasPermissionToUserOrBot for user token APIs
* Test(Revoke|Disable|Enable)UserAccessToken
* make EnableUserAccessTokens explicit, so as to not rely on local config.json
* uncomment TestResetPassword, but still skip
* mark assert(Invalid)Token as helper
* fix whitespace issues
* fix mangled comments
* MM-13116: bot plugin api (#10113)
* MM-13117: expose bot API to plugins
This also changes the `CreatorId` column definition to allow for plugin
ids, as the default unless the plugin overrides is to use the plugin id
here. This branch hasn't hit master yet, so no migration needed.
* gofmt issues
* expunge use of BotList in plugin/client API
* introduce model.BotGetOptions
* use botUserId term for clarity
* MM-13129 Adding functionality to deal with orphaned bots (#10238)
* Add way to list orphaned bots.
* Add /assign route to modify ownership of bot accounts.
* Apply suggestions from code review
Co-Authored-By: crspeller <crspeller@gmail.com>
* MM-13120: add IsBot field to returned user objects (#10103)
* MM-13104: forbid bot login (#10251)
* MM-13104: disallow bot login
* fix shadowing
* MM-13136 Disable user bots when user is disabled. (#10293)
* Disable user bots when user is disabled.
* Grammer.
Co-Authored-By: crspeller <crspeller@gmail.com>
* Fixing bot branch for test changes.
* Don't use external dependancies in bot plugin tests.
* Rename bot CreatorId to OwnerId
* Adding ability to re-enable bots
* Fixing IsBot to not attempt to be saved to DB.
* Adding diagnostics and licencing counting for bot accounts.
* Modifying gorp to allow reading of '-' fields.
* Removing unnessisary nil values from UserCountOptions.
* Changing comment to GoDoc format
* Improving user count SQL
* Some improvments from feedback.
* Omit empty on User.IsBot
2019-03-05 07:06:45 -08:00
|
|
|
if !c.App.SessionHasPermissionToUserOrBot(c.App.Session, c.Params.UserId) {
|
2017-07-31 12:59:32 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
accessToken.UserId = c.Params.UserId
|
|
|
|
|
accessToken.Token = ""
|
|
|
|
|
|
2018-12-06 16:55:06 +01:00
|
|
|
accessToken, err := c.App.CreateUserAccessToken(accessToken)
|
2017-07-31 12:59:32 -04:00
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.LogAudit("success - token_id=" + accessToken.Id)
|
|
|
|
|
w.Write([]byte(accessToken.ToJson()))
|
|
|
|
|
}
|
|
|
|
|
|
2018-01-11 16:30:55 -05:00
|
|
|
func searchUserAccessTokens(c *Context, w http.ResponseWriter, r *http.Request) {
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_SYSTEM) {
|
2018-01-11 16:30:55 -05:00
|
|
|
c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
props := model.UserAccessTokenSearchFromJson(r.Body)
|
|
|
|
|
if props == nil {
|
|
|
|
|
c.SetInvalidParam("user_access_token_search")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(props.Term) == 0 {
|
|
|
|
|
c.SetInvalidParam("term")
|
|
|
|
|
return
|
|
|
|
|
}
|
2018-12-06 16:55:06 +01:00
|
|
|
|
2018-01-11 16:30:55 -05:00
|
|
|
accessTokens, err := c.App.SearchUserAccessTokens(props.Term)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
w.Write([]byte(model.UserAccessTokenListToJson(accessTokens)))
|
|
|
|
|
}
|
|
|
|
|
|
2017-07-31 12:59:32 -04:00
|
|
|
func getUserAccessTokens(c *Context, w http.ResponseWriter, r *http.Request) {
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_SYSTEM) {
|
2018-01-05 14:46:48 -05:00
|
|
|
c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
accessTokens, err := c.App.GetUserAccessTokens(c.Params.Page, c.Params.PerPage)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
w.Write([]byte(model.UserAccessTokenListToJson(accessTokens)))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func getUserAccessTokensForUser(c *Context, w http.ResponseWriter, r *http.Request) {
|
2017-07-31 12:59:32 -04:00
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_READ_USER_ACCESS_TOKEN) {
|
2017-07-31 12:59:32 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_READ_USER_ACCESS_TOKEN)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
MM-12393 Server side of bot accounts. (#10378)
* bots model, store and api (#9903)
* bots model, store and api
Fixes: MM-13100, MM-13101, MM-13103, MM-13105, MMM-13119
* uncomment tests incorrectly commented, and fix merge issues
* add etags support
* add missing licenses
* remove unused sqlbuilder.go (for now...)
* rejig permissions
* split out READ_BOTS into READ_BOTS and READ_OTHERS_BOTS, the latter
implicitly allowing the former
* make MANAGE_OTHERS_BOTS imply MANAGE_BOTS
* conform to general rest api pattern
* eliminate redundant http.StatusOK
* Update api4/bot.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* s/model.UserFromBotModel/model.UserFromBot/g
* Update model/bot.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* Update model/client4.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* move sessionHasPermissionToManageBot to app/authorization.go
* use api.ApiSessionRequired for createBot
* introduce BOT_DESCRIPTION_MAX_RUNES constant
* MM-13512 Prevent getting a user by email based on privacy settings (#10021)
* MM-13512 Prevent getting a user by email based on privacy settings
* Add additional config settings to tests
* upgrade db to 5.7 (#10019)
* MM-13526 Add validation when setting a user's Locale field (#10022)
* Fix typos (#10024)
* Fixing first user being created with system admin privilages without being explicity specified. (#10014)
* Revert "Support for Embeded chat (#9129)" (#10017)
This reverts commit 3fcecd521a5c6ccfdb52fb4c3fb1f8c6ea528a4e.
* s/DisableBot/UpdateBotActive
* add permissions on upgrade
* Update NOTICE.txt (#10054)
- add new dependency (text)
- handle switch to forked dependency (go-gomail -> go-mail)
- misc copyright owner updates
* avoid leaking bot knowledge without permission
* [GH-6798] added a new api endpoint to get the bulk reactions for posts (#10049)
* 6798 added a new api to get the bulk reactions for posts
* 6798 added the permsission check before getting the reactions
* GH-6798 added a new app function for the new endpoint
* 6798 added a store method to get reactions for multiple posts
* 6798 connected the app function with the new store function
* 6798 fixed the review comments
* MM-13559 Update model.post.is_valid.file_ids.app_error text per report (#10055)
Ticket: https://mattermost.atlassian.net/browse/MM-13559
Report: https://github.com/mattermost/mattermost-server/issues/10023
* Trigger Login Hooks with OAuth (#10061)
* make BotStore.GetAll deterministic even on duplicate CreateAt
* fix spurious TestMuteCommandSpecificChannel test failure
See
https://community-daily.mattermost.com/core/pl/px9p8s3dzbg1pf3ddrm5cr36uw
* fix race in TestExportUserChannels
* TestExportUserChannels: remove SaveMember call, as it is redundant and used to be silently failing anyway
* MM-13117: bot tokens (#10111)
* eliminate redundant Client/AdminClient declarations
* harden TestUpdateChannelScheme to API failures
* eliminate unnecessary config restoration
* minor cleanup
* make TestGenerateMfaSecret config dependency explicit
* TestCreateUserAccessToken for bots
* TestGetUserAccessToken* for bots
* leverage SessionHasPermissionToUserOrBot for user token APIs
* Test(Revoke|Disable|Enable)UserAccessToken
* make EnableUserAccessTokens explicit, so as to not rely on local config.json
* uncomment TestResetPassword, but still skip
* mark assert(Invalid)Token as helper
* fix whitespace issues
* fix mangled comments
* MM-13116: bot plugin api (#10113)
* MM-13117: expose bot API to plugins
This also changes the `CreatorId` column definition to allow for plugin
ids, as the default unless the plugin overrides is to use the plugin id
here. This branch hasn't hit master yet, so no migration needed.
* gofmt issues
* expunge use of BotList in plugin/client API
* introduce model.BotGetOptions
* use botUserId term for clarity
* MM-13129 Adding functionality to deal with orphaned bots (#10238)
* Add way to list orphaned bots.
* Add /assign route to modify ownership of bot accounts.
* Apply suggestions from code review
Co-Authored-By: crspeller <crspeller@gmail.com>
* MM-13120: add IsBot field to returned user objects (#10103)
* MM-13104: forbid bot login (#10251)
* MM-13104: disallow bot login
* fix shadowing
* MM-13136 Disable user bots when user is disabled. (#10293)
* Disable user bots when user is disabled.
* Grammer.
Co-Authored-By: crspeller <crspeller@gmail.com>
* Fixing bot branch for test changes.
* Don't use external dependancies in bot plugin tests.
* Rename bot CreatorId to OwnerId
* Adding ability to re-enable bots
* Fixing IsBot to not attempt to be saved to DB.
* Adding diagnostics and licencing counting for bot accounts.
* Modifying gorp to allow reading of '-' fields.
* Removing unnessisary nil values from UserCountOptions.
* Changing comment to GoDoc format
* Improving user count SQL
* Some improvments from feedback.
* Omit empty on User.IsBot
2019-03-05 07:06:45 -08:00
|
|
|
if !c.App.SessionHasPermissionToUserOrBot(c.App.Session, c.Params.UserId) {
|
2017-07-31 12:59:32 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-06 17:12:54 -05:00
|
|
|
accessTokens, err := c.App.GetUserAccessTokensForUser(c.Params.UserId, c.Params.Page, c.Params.PerPage)
|
2017-07-31 12:59:32 -04:00
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
w.Write([]byte(model.UserAccessTokenListToJson(accessTokens)))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func getUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireTokenId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_READ_USER_ACCESS_TOKEN) {
|
2017-07-31 12:59:32 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_READ_USER_ACCESS_TOKEN)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-06 17:12:54 -05:00
|
|
|
accessToken, err := c.App.GetUserAccessToken(c.Params.TokenId, true)
|
2017-07-31 12:59:32 -04:00
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
MM-12393 Server side of bot accounts. (#10378)
* bots model, store and api (#9903)
* bots model, store and api
Fixes: MM-13100, MM-13101, MM-13103, MM-13105, MMM-13119
* uncomment tests incorrectly commented, and fix merge issues
* add etags support
* add missing licenses
* remove unused sqlbuilder.go (for now...)
* rejig permissions
* split out READ_BOTS into READ_BOTS and READ_OTHERS_BOTS, the latter
implicitly allowing the former
* make MANAGE_OTHERS_BOTS imply MANAGE_BOTS
* conform to general rest api pattern
* eliminate redundant http.StatusOK
* Update api4/bot.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* s/model.UserFromBotModel/model.UserFromBot/g
* Update model/bot.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* Update model/client4.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* move sessionHasPermissionToManageBot to app/authorization.go
* use api.ApiSessionRequired for createBot
* introduce BOT_DESCRIPTION_MAX_RUNES constant
* MM-13512 Prevent getting a user by email based on privacy settings (#10021)
* MM-13512 Prevent getting a user by email based on privacy settings
* Add additional config settings to tests
* upgrade db to 5.7 (#10019)
* MM-13526 Add validation when setting a user's Locale field (#10022)
* Fix typos (#10024)
* Fixing first user being created with system admin privilages without being explicity specified. (#10014)
* Revert "Support for Embeded chat (#9129)" (#10017)
This reverts commit 3fcecd521a5c6ccfdb52fb4c3fb1f8c6ea528a4e.
* s/DisableBot/UpdateBotActive
* add permissions on upgrade
* Update NOTICE.txt (#10054)
- add new dependency (text)
- handle switch to forked dependency (go-gomail -> go-mail)
- misc copyright owner updates
* avoid leaking bot knowledge without permission
* [GH-6798] added a new api endpoint to get the bulk reactions for posts (#10049)
* 6798 added a new api to get the bulk reactions for posts
* 6798 added the permsission check before getting the reactions
* GH-6798 added a new app function for the new endpoint
* 6798 added a store method to get reactions for multiple posts
* 6798 connected the app function with the new store function
* 6798 fixed the review comments
* MM-13559 Update model.post.is_valid.file_ids.app_error text per report (#10055)
Ticket: https://mattermost.atlassian.net/browse/MM-13559
Report: https://github.com/mattermost/mattermost-server/issues/10023
* Trigger Login Hooks with OAuth (#10061)
* make BotStore.GetAll deterministic even on duplicate CreateAt
* fix spurious TestMuteCommandSpecificChannel test failure
See
https://community-daily.mattermost.com/core/pl/px9p8s3dzbg1pf3ddrm5cr36uw
* fix race in TestExportUserChannels
* TestExportUserChannels: remove SaveMember call, as it is redundant and used to be silently failing anyway
* MM-13117: bot tokens (#10111)
* eliminate redundant Client/AdminClient declarations
* harden TestUpdateChannelScheme to API failures
* eliminate unnecessary config restoration
* minor cleanup
* make TestGenerateMfaSecret config dependency explicit
* TestCreateUserAccessToken for bots
* TestGetUserAccessToken* for bots
* leverage SessionHasPermissionToUserOrBot for user token APIs
* Test(Revoke|Disable|Enable)UserAccessToken
* make EnableUserAccessTokens explicit, so as to not rely on local config.json
* uncomment TestResetPassword, but still skip
* mark assert(Invalid)Token as helper
* fix whitespace issues
* fix mangled comments
* MM-13116: bot plugin api (#10113)
* MM-13117: expose bot API to plugins
This also changes the `CreatorId` column definition to allow for plugin
ids, as the default unless the plugin overrides is to use the plugin id
here. This branch hasn't hit master yet, so no migration needed.
* gofmt issues
* expunge use of BotList in plugin/client API
* introduce model.BotGetOptions
* use botUserId term for clarity
* MM-13129 Adding functionality to deal with orphaned bots (#10238)
* Add way to list orphaned bots.
* Add /assign route to modify ownership of bot accounts.
* Apply suggestions from code review
Co-Authored-By: crspeller <crspeller@gmail.com>
* MM-13120: add IsBot field to returned user objects (#10103)
* MM-13104: forbid bot login (#10251)
* MM-13104: disallow bot login
* fix shadowing
* MM-13136 Disable user bots when user is disabled. (#10293)
* Disable user bots when user is disabled.
* Grammer.
Co-Authored-By: crspeller <crspeller@gmail.com>
* Fixing bot branch for test changes.
* Don't use external dependancies in bot plugin tests.
* Rename bot CreatorId to OwnerId
* Adding ability to re-enable bots
* Fixing IsBot to not attempt to be saved to DB.
* Adding diagnostics and licencing counting for bot accounts.
* Modifying gorp to allow reading of '-' fields.
* Removing unnessisary nil values from UserCountOptions.
* Changing comment to GoDoc format
* Improving user count SQL
* Some improvments from feedback.
* Omit empty on User.IsBot
2019-03-05 07:06:45 -08:00
|
|
|
if !c.App.SessionHasPermissionToUserOrBot(c.App.Session, accessToken.UserId) {
|
2017-07-31 12:59:32 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
w.Write([]byte(accessToken.ToJson()))
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func revokeUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
props := model.MapFromJson(r.Body)
|
|
|
|
|
|
2018-12-06 16:55:06 +01:00
|
|
|
tokenId := props["token_id"]
|
2017-07-31 12:59:32 -04:00
|
|
|
if tokenId == "" {
|
|
|
|
|
c.SetInvalidParam("token_id")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.LogAudit("")
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) {
|
2017-07-31 12:59:32 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_REVOKE_USER_ACCESS_TOKEN)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-06 17:12:54 -05:00
|
|
|
accessToken, err := c.App.GetUserAccessToken(tokenId, false)
|
2017-07-31 12:59:32 -04:00
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
MM-12393 Server side of bot accounts. (#10378)
* bots model, store and api (#9903)
* bots model, store and api
Fixes: MM-13100, MM-13101, MM-13103, MM-13105, MMM-13119
* uncomment tests incorrectly commented, and fix merge issues
* add etags support
* add missing licenses
* remove unused sqlbuilder.go (for now...)
* rejig permissions
* split out READ_BOTS into READ_BOTS and READ_OTHERS_BOTS, the latter
implicitly allowing the former
* make MANAGE_OTHERS_BOTS imply MANAGE_BOTS
* conform to general rest api pattern
* eliminate redundant http.StatusOK
* Update api4/bot.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* s/model.UserFromBotModel/model.UserFromBot/g
* Update model/bot.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* Update model/client4.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* move sessionHasPermissionToManageBot to app/authorization.go
* use api.ApiSessionRequired for createBot
* introduce BOT_DESCRIPTION_MAX_RUNES constant
* MM-13512 Prevent getting a user by email based on privacy settings (#10021)
* MM-13512 Prevent getting a user by email based on privacy settings
* Add additional config settings to tests
* upgrade db to 5.7 (#10019)
* MM-13526 Add validation when setting a user's Locale field (#10022)
* Fix typos (#10024)
* Fixing first user being created with system admin privilages without being explicity specified. (#10014)
* Revert "Support for Embeded chat (#9129)" (#10017)
This reverts commit 3fcecd521a5c6ccfdb52fb4c3fb1f8c6ea528a4e.
* s/DisableBot/UpdateBotActive
* add permissions on upgrade
* Update NOTICE.txt (#10054)
- add new dependency (text)
- handle switch to forked dependency (go-gomail -> go-mail)
- misc copyright owner updates
* avoid leaking bot knowledge without permission
* [GH-6798] added a new api endpoint to get the bulk reactions for posts (#10049)
* 6798 added a new api to get the bulk reactions for posts
* 6798 added the permsission check before getting the reactions
* GH-6798 added a new app function for the new endpoint
* 6798 added a store method to get reactions for multiple posts
* 6798 connected the app function with the new store function
* 6798 fixed the review comments
* MM-13559 Update model.post.is_valid.file_ids.app_error text per report (#10055)
Ticket: https://mattermost.atlassian.net/browse/MM-13559
Report: https://github.com/mattermost/mattermost-server/issues/10023
* Trigger Login Hooks with OAuth (#10061)
* make BotStore.GetAll deterministic even on duplicate CreateAt
* fix spurious TestMuteCommandSpecificChannel test failure
See
https://community-daily.mattermost.com/core/pl/px9p8s3dzbg1pf3ddrm5cr36uw
* fix race in TestExportUserChannels
* TestExportUserChannels: remove SaveMember call, as it is redundant and used to be silently failing anyway
* MM-13117: bot tokens (#10111)
* eliminate redundant Client/AdminClient declarations
* harden TestUpdateChannelScheme to API failures
* eliminate unnecessary config restoration
* minor cleanup
* make TestGenerateMfaSecret config dependency explicit
* TestCreateUserAccessToken for bots
* TestGetUserAccessToken* for bots
* leverage SessionHasPermissionToUserOrBot for user token APIs
* Test(Revoke|Disable|Enable)UserAccessToken
* make EnableUserAccessTokens explicit, so as to not rely on local config.json
* uncomment TestResetPassword, but still skip
* mark assert(Invalid)Token as helper
* fix whitespace issues
* fix mangled comments
* MM-13116: bot plugin api (#10113)
* MM-13117: expose bot API to plugins
This also changes the `CreatorId` column definition to allow for plugin
ids, as the default unless the plugin overrides is to use the plugin id
here. This branch hasn't hit master yet, so no migration needed.
* gofmt issues
* expunge use of BotList in plugin/client API
* introduce model.BotGetOptions
* use botUserId term for clarity
* MM-13129 Adding functionality to deal with orphaned bots (#10238)
* Add way to list orphaned bots.
* Add /assign route to modify ownership of bot accounts.
* Apply suggestions from code review
Co-Authored-By: crspeller <crspeller@gmail.com>
* MM-13120: add IsBot field to returned user objects (#10103)
* MM-13104: forbid bot login (#10251)
* MM-13104: disallow bot login
* fix shadowing
* MM-13136 Disable user bots when user is disabled. (#10293)
* Disable user bots when user is disabled.
* Grammer.
Co-Authored-By: crspeller <crspeller@gmail.com>
* Fixing bot branch for test changes.
* Don't use external dependancies in bot plugin tests.
* Rename bot CreatorId to OwnerId
* Adding ability to re-enable bots
* Fixing IsBot to not attempt to be saved to DB.
* Adding diagnostics and licencing counting for bot accounts.
* Modifying gorp to allow reading of '-' fields.
* Removing unnessisary nil values from UserCountOptions.
* Changing comment to GoDoc format
* Improving user count SQL
* Some improvments from feedback.
* Omit empty on User.IsBot
2019-03-05 07:06:45 -08:00
|
|
|
if !c.App.SessionHasPermissionToUserOrBot(c.App.Session, accessToken.UserId) {
|
2017-07-31 12:59:32 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-06 16:55:06 +01:00
|
|
|
if err = c.App.RevokeUserAccessToken(accessToken); err != nil {
|
2017-07-31 12:59:32 -04:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.LogAudit("success - token_id=" + accessToken.Id)
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
2017-10-19 08:10:29 -04:00
|
|
|
|
|
|
|
|
func disableUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
props := model.MapFromJson(r.Body)
|
|
|
|
|
tokenId := props["token_id"]
|
|
|
|
|
|
|
|
|
|
if tokenId == "" {
|
|
|
|
|
c.SetInvalidParam("token_id")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.LogAudit("")
|
|
|
|
|
|
|
|
|
|
// No separate permission for this action for now
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) {
|
2017-10-19 08:10:29 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_REVOKE_USER_ACCESS_TOKEN)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
accessToken, err := c.App.GetUserAccessToken(tokenId, false)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
MM-12393 Server side of bot accounts. (#10378)
* bots model, store and api (#9903)
* bots model, store and api
Fixes: MM-13100, MM-13101, MM-13103, MM-13105, MMM-13119
* uncomment tests incorrectly commented, and fix merge issues
* add etags support
* add missing licenses
* remove unused sqlbuilder.go (for now...)
* rejig permissions
* split out READ_BOTS into READ_BOTS and READ_OTHERS_BOTS, the latter
implicitly allowing the former
* make MANAGE_OTHERS_BOTS imply MANAGE_BOTS
* conform to general rest api pattern
* eliminate redundant http.StatusOK
* Update api4/bot.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* s/model.UserFromBotModel/model.UserFromBot/g
* Update model/bot.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* Update model/client4.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* move sessionHasPermissionToManageBot to app/authorization.go
* use api.ApiSessionRequired for createBot
* introduce BOT_DESCRIPTION_MAX_RUNES constant
* MM-13512 Prevent getting a user by email based on privacy settings (#10021)
* MM-13512 Prevent getting a user by email based on privacy settings
* Add additional config settings to tests
* upgrade db to 5.7 (#10019)
* MM-13526 Add validation when setting a user's Locale field (#10022)
* Fix typos (#10024)
* Fixing first user being created with system admin privilages without being explicity specified. (#10014)
* Revert "Support for Embeded chat (#9129)" (#10017)
This reverts commit 3fcecd521a5c6ccfdb52fb4c3fb1f8c6ea528a4e.
* s/DisableBot/UpdateBotActive
* add permissions on upgrade
* Update NOTICE.txt (#10054)
- add new dependency (text)
- handle switch to forked dependency (go-gomail -> go-mail)
- misc copyright owner updates
* avoid leaking bot knowledge without permission
* [GH-6798] added a new api endpoint to get the bulk reactions for posts (#10049)
* 6798 added a new api to get the bulk reactions for posts
* 6798 added the permsission check before getting the reactions
* GH-6798 added a new app function for the new endpoint
* 6798 added a store method to get reactions for multiple posts
* 6798 connected the app function with the new store function
* 6798 fixed the review comments
* MM-13559 Update model.post.is_valid.file_ids.app_error text per report (#10055)
Ticket: https://mattermost.atlassian.net/browse/MM-13559
Report: https://github.com/mattermost/mattermost-server/issues/10023
* Trigger Login Hooks with OAuth (#10061)
* make BotStore.GetAll deterministic even on duplicate CreateAt
* fix spurious TestMuteCommandSpecificChannel test failure
See
https://community-daily.mattermost.com/core/pl/px9p8s3dzbg1pf3ddrm5cr36uw
* fix race in TestExportUserChannels
* TestExportUserChannels: remove SaveMember call, as it is redundant and used to be silently failing anyway
* MM-13117: bot tokens (#10111)
* eliminate redundant Client/AdminClient declarations
* harden TestUpdateChannelScheme to API failures
* eliminate unnecessary config restoration
* minor cleanup
* make TestGenerateMfaSecret config dependency explicit
* TestCreateUserAccessToken for bots
* TestGetUserAccessToken* for bots
* leverage SessionHasPermissionToUserOrBot for user token APIs
* Test(Revoke|Disable|Enable)UserAccessToken
* make EnableUserAccessTokens explicit, so as to not rely on local config.json
* uncomment TestResetPassword, but still skip
* mark assert(Invalid)Token as helper
* fix whitespace issues
* fix mangled comments
* MM-13116: bot plugin api (#10113)
* MM-13117: expose bot API to plugins
This also changes the `CreatorId` column definition to allow for plugin
ids, as the default unless the plugin overrides is to use the plugin id
here. This branch hasn't hit master yet, so no migration needed.
* gofmt issues
* expunge use of BotList in plugin/client API
* introduce model.BotGetOptions
* use botUserId term for clarity
* MM-13129 Adding functionality to deal with orphaned bots (#10238)
* Add way to list orphaned bots.
* Add /assign route to modify ownership of bot accounts.
* Apply suggestions from code review
Co-Authored-By: crspeller <crspeller@gmail.com>
* MM-13120: add IsBot field to returned user objects (#10103)
* MM-13104: forbid bot login (#10251)
* MM-13104: disallow bot login
* fix shadowing
* MM-13136 Disable user bots when user is disabled. (#10293)
* Disable user bots when user is disabled.
* Grammer.
Co-Authored-By: crspeller <crspeller@gmail.com>
* Fixing bot branch for test changes.
* Don't use external dependancies in bot plugin tests.
* Rename bot CreatorId to OwnerId
* Adding ability to re-enable bots
* Fixing IsBot to not attempt to be saved to DB.
* Adding diagnostics and licencing counting for bot accounts.
* Modifying gorp to allow reading of '-' fields.
* Removing unnessisary nil values from UserCountOptions.
* Changing comment to GoDoc format
* Improving user count SQL
* Some improvments from feedback.
* Omit empty on User.IsBot
2019-03-05 07:06:45 -08:00
|
|
|
if !c.App.SessionHasPermissionToUserOrBot(c.App.Session, accessToken.UserId) {
|
2017-10-19 08:10:29 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-06 16:55:06 +01:00
|
|
|
if err = c.App.DisableUserAccessToken(accessToken); err != nil {
|
2017-10-19 08:10:29 -04:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.LogAudit("success - token_id=" + accessToken.Id)
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func enableUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
props := model.MapFromJson(r.Body)
|
|
|
|
|
|
2018-12-06 16:55:06 +01:00
|
|
|
tokenId := props["token_id"]
|
2017-10-19 08:10:29 -04:00
|
|
|
if tokenId == "" {
|
|
|
|
|
c.SetInvalidParam("token_id")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.LogAudit("")
|
|
|
|
|
|
|
|
|
|
// No separate permission for this action for now
|
2018-11-28 10:56:21 -08:00
|
|
|
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_CREATE_USER_ACCESS_TOKEN) {
|
2017-10-19 08:10:29 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_CREATE_USER_ACCESS_TOKEN)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
accessToken, err := c.App.GetUserAccessToken(tokenId, false)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
MM-12393 Server side of bot accounts. (#10378)
* bots model, store and api (#9903)
* bots model, store and api
Fixes: MM-13100, MM-13101, MM-13103, MM-13105, MMM-13119
* uncomment tests incorrectly commented, and fix merge issues
* add etags support
* add missing licenses
* remove unused sqlbuilder.go (for now...)
* rejig permissions
* split out READ_BOTS into READ_BOTS and READ_OTHERS_BOTS, the latter
implicitly allowing the former
* make MANAGE_OTHERS_BOTS imply MANAGE_BOTS
* conform to general rest api pattern
* eliminate redundant http.StatusOK
* Update api4/bot.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* s/model.UserFromBotModel/model.UserFromBot/g
* Update model/bot.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* Update model/client4.go
Co-Authored-By: lieut-data <jesse.hallam@gmail.com>
* move sessionHasPermissionToManageBot to app/authorization.go
* use api.ApiSessionRequired for createBot
* introduce BOT_DESCRIPTION_MAX_RUNES constant
* MM-13512 Prevent getting a user by email based on privacy settings (#10021)
* MM-13512 Prevent getting a user by email based on privacy settings
* Add additional config settings to tests
* upgrade db to 5.7 (#10019)
* MM-13526 Add validation when setting a user's Locale field (#10022)
* Fix typos (#10024)
* Fixing first user being created with system admin privilages without being explicity specified. (#10014)
* Revert "Support for Embeded chat (#9129)" (#10017)
This reverts commit 3fcecd521a5c6ccfdb52fb4c3fb1f8c6ea528a4e.
* s/DisableBot/UpdateBotActive
* add permissions on upgrade
* Update NOTICE.txt (#10054)
- add new dependency (text)
- handle switch to forked dependency (go-gomail -> go-mail)
- misc copyright owner updates
* avoid leaking bot knowledge without permission
* [GH-6798] added a new api endpoint to get the bulk reactions for posts (#10049)
* 6798 added a new api to get the bulk reactions for posts
* 6798 added the permsission check before getting the reactions
* GH-6798 added a new app function for the new endpoint
* 6798 added a store method to get reactions for multiple posts
* 6798 connected the app function with the new store function
* 6798 fixed the review comments
* MM-13559 Update model.post.is_valid.file_ids.app_error text per report (#10055)
Ticket: https://mattermost.atlassian.net/browse/MM-13559
Report: https://github.com/mattermost/mattermost-server/issues/10023
* Trigger Login Hooks with OAuth (#10061)
* make BotStore.GetAll deterministic even on duplicate CreateAt
* fix spurious TestMuteCommandSpecificChannel test failure
See
https://community-daily.mattermost.com/core/pl/px9p8s3dzbg1pf3ddrm5cr36uw
* fix race in TestExportUserChannels
* TestExportUserChannels: remove SaveMember call, as it is redundant and used to be silently failing anyway
* MM-13117: bot tokens (#10111)
* eliminate redundant Client/AdminClient declarations
* harden TestUpdateChannelScheme to API failures
* eliminate unnecessary config restoration
* minor cleanup
* make TestGenerateMfaSecret config dependency explicit
* TestCreateUserAccessToken for bots
* TestGetUserAccessToken* for bots
* leverage SessionHasPermissionToUserOrBot for user token APIs
* Test(Revoke|Disable|Enable)UserAccessToken
* make EnableUserAccessTokens explicit, so as to not rely on local config.json
* uncomment TestResetPassword, but still skip
* mark assert(Invalid)Token as helper
* fix whitespace issues
* fix mangled comments
* MM-13116: bot plugin api (#10113)
* MM-13117: expose bot API to plugins
This also changes the `CreatorId` column definition to allow for plugin
ids, as the default unless the plugin overrides is to use the plugin id
here. This branch hasn't hit master yet, so no migration needed.
* gofmt issues
* expunge use of BotList in plugin/client API
* introduce model.BotGetOptions
* use botUserId term for clarity
* MM-13129 Adding functionality to deal with orphaned bots (#10238)
* Add way to list orphaned bots.
* Add /assign route to modify ownership of bot accounts.
* Apply suggestions from code review
Co-Authored-By: crspeller <crspeller@gmail.com>
* MM-13120: add IsBot field to returned user objects (#10103)
* MM-13104: forbid bot login (#10251)
* MM-13104: disallow bot login
* fix shadowing
* MM-13136 Disable user bots when user is disabled. (#10293)
* Disable user bots when user is disabled.
* Grammer.
Co-Authored-By: crspeller <crspeller@gmail.com>
* Fixing bot branch for test changes.
* Don't use external dependancies in bot plugin tests.
* Rename bot CreatorId to OwnerId
* Adding ability to re-enable bots
* Fixing IsBot to not attempt to be saved to DB.
* Adding diagnostics and licencing counting for bot accounts.
* Modifying gorp to allow reading of '-' fields.
* Removing unnessisary nil values from UserCountOptions.
* Changing comment to GoDoc format
* Improving user count SQL
* Some improvments from feedback.
* Omit empty on User.IsBot
2019-03-05 07:06:45 -08:00
|
|
|
if !c.App.SessionHasPermissionToUserOrBot(c.App.Session, accessToken.UserId) {
|
2017-10-19 08:10:29 -04:00
|
|
|
c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-06 16:55:06 +01:00
|
|
|
if err = c.App.EnableUserAccessToken(accessToken); err != nil {
|
2017-10-19 08:10:29 -04:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c.LogAudit("success - token_id=" + accessToken.Id)
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
2018-09-26 20:49:22 +00:00
|
|
|
|
2018-11-09 02:18:14 +05:30
|
|
|
func saveUserTermsOfService(c *Context, w http.ResponseWriter, r *http.Request) {
|
2018-09-26 20:49:22 +00:00
|
|
|
props := model.StringInterfaceFromJson(r.Body)
|
|
|
|
|
|
2018-11-28 10:56:21 -08:00
|
|
|
userId := c.App.Session.UserId
|
2018-10-10 00:55:47 +00:00
|
|
|
termsOfServiceId := props["termsOfServiceId"].(string)
|
2018-09-26 20:49:22 +00:00
|
|
|
accepted := props["accepted"].(bool)
|
|
|
|
|
|
2018-10-10 00:55:47 +00:00
|
|
|
if _, err := c.App.GetTermsOfService(termsOfServiceId); err != nil {
|
2018-09-26 20:49:22 +00:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-11-09 02:18:14 +05:30
|
|
|
if err := c.App.SaveUserTermsOfService(userId, termsOfServiceId, accepted); err != nil {
|
2018-09-26 20:49:22 +00:00
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-10-10 00:55:47 +00:00
|
|
|
c.LogAudit("TermsOfServiceId=" + termsOfServiceId + ", accepted=" + strconv.FormatBool(accepted))
|
2018-09-26 20:49:22 +00:00
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
2018-11-09 02:18:14 +05:30
|
|
|
|
|
|
|
|
func getUserTermsOfService(c *Context, w http.ResponseWriter, r *http.Request) {
|
2018-11-28 10:56:21 -08:00
|
|
|
userId := c.App.Session.UserId
|
2018-12-06 16:55:06 +01:00
|
|
|
result, err := c.App.GetUserTermsOfService(userId)
|
|
|
|
|
if err != nil {
|
2018-11-09 02:18:14 +05:30
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
2018-12-06 16:55:06 +01:00
|
|
|
w.Write([]byte(result.ToJson()))
|
2018-11-09 02:18:14 +05:30
|
|
|
}
|
2019-07-22 22:13:39 +02:00
|
|
|
|
|
|
|
|
func promoteGuestToUser(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if c.App.License() == nil {
|
|
|
|
|
c.Err = model.NewAppError("Api4.promoteGuestToUser", "api.team.promote_guest_to_user.license.error", nil, "", http.StatusNotImplemented)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !*c.App.Config().GuestAccountsSettings.Enable {
|
|
|
|
|
c.Err = model.NewAppError("Api4.promoteGuestToUser", "api.team.promote_guest_to_user.disabled.error", nil, "", http.StatusNotImplemented)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_PROMOTE_GUEST) {
|
|
|
|
|
c.SetPermissionError(model.PERMISSION_PROMOTE_GUEST)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
user, err := c.App.GetUser(c.Params.UserId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !user.IsGuest() {
|
|
|
|
|
c.Err = model.NewAppError("Api4.promoteGuestToUser", "api.user.promote_guest_to_user.no_guest.app_error", nil, "", http.StatusNotImplemented)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := c.App.PromoteGuestToUser(user, c.App.Session.UserId); err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func demoteUserToGuest(c *Context, w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
c.RequireUserId()
|
|
|
|
|
if c.Err != nil {
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if c.App.License() == nil {
|
|
|
|
|
c.Err = model.NewAppError("Api4.demoteUserToGuest", "api.team.demote_user_to_guest.license.error", nil, "", http.StatusNotImplemented)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !*c.App.Config().GuestAccountsSettings.Enable {
|
|
|
|
|
c.Err = model.NewAppError("Api4.demoteUserToGuest", "api.team.demote_user_to_guest.disabled.error", nil, "", http.StatusNotImplemented)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_DEMOTE_TO_GUEST) {
|
|
|
|
|
c.SetPermissionError(model.PERMISSION_DEMOTE_TO_GUEST)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
user, err := c.App.GetUser(c.Params.UserId)
|
|
|
|
|
if err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if user.IsGuest() {
|
|
|
|
|
c.Err = model.NewAppError("Api4.demoteUserToGuest", "api.user.demote_user_to_guest.already_guest.app_error", nil, "", http.StatusNotImplemented)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if err := c.App.DemoteUserToGuest(user); err != nil {
|
|
|
|
|
c.Err = err
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ReturnStatusOK(w)
|
|
|
|
|
}
|