github.com/demisto/mattermost-server@v4.9.0-rc3+incompatible/api4/user.go (about) 1 // Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved. 2 // See License.txt for license information. 3 4 package api4 5 6 import ( 7 "fmt" 8 "net/http" 9 "strconv" 10 "time" 11 12 l4g "github.com/alecthomas/log4go" 13 "github.com/mattermost/mattermost-server/app" 14 "github.com/mattermost/mattermost-server/model" 15 "github.com/mattermost/mattermost-server/store" 16 ) 17 18 func (api *API) InitUser() { 19 api.BaseRoutes.Users.Handle("", api.ApiHandler(createUser)).Methods("POST") 20 api.BaseRoutes.Users.Handle("", api.ApiSessionRequired(getUsers)).Methods("GET") 21 api.BaseRoutes.Users.Handle("/ids", api.ApiSessionRequired(getUsersByIds)).Methods("POST") 22 api.BaseRoutes.Users.Handle("/usernames", api.ApiSessionRequired(getUsersByNames)).Methods("POST") 23 api.BaseRoutes.Users.Handle("/search", api.ApiSessionRequired(searchUsers)).Methods("POST") 24 api.BaseRoutes.Users.Handle("/autocomplete", api.ApiSessionRequired(autocompleteUsers)).Methods("GET") 25 26 api.BaseRoutes.User.Handle("", api.ApiSessionRequired(getUser)).Methods("GET") 27 api.BaseRoutes.User.Handle("/image", api.ApiSessionRequiredTrustRequester(getProfileImage)).Methods("GET") 28 api.BaseRoutes.User.Handle("/image", api.ApiSessionRequired(setProfileImage)).Methods("POST") 29 api.BaseRoutes.User.Handle("", api.ApiSessionRequired(updateUser)).Methods("PUT") 30 api.BaseRoutes.User.Handle("/patch", api.ApiSessionRequired(patchUser)).Methods("PUT") 31 api.BaseRoutes.User.Handle("", api.ApiSessionRequired(deleteUser)).Methods("DELETE") 32 api.BaseRoutes.User.Handle("/roles", api.ApiSessionRequired(updateUserRoles)).Methods("PUT") 33 api.BaseRoutes.User.Handle("/active", api.ApiSessionRequired(updateUserActive)).Methods("PUT") 34 api.BaseRoutes.User.Handle("/password", api.ApiSessionRequired(updatePassword)).Methods("PUT") 35 api.BaseRoutes.Users.Handle("/password/reset", api.ApiHandler(resetPassword)).Methods("POST") 36 api.BaseRoutes.Users.Handle("/password/reset/send", api.ApiHandler(sendPasswordReset)).Methods("POST") 37 api.BaseRoutes.Users.Handle("/email/verify", api.ApiHandler(verifyUserEmail)).Methods("POST") 38 api.BaseRoutes.Users.Handle("/email/verify/send", api.ApiHandler(sendVerificationEmail)).Methods("POST") 39 40 api.BaseRoutes.User.Handle("/auth", api.ApiSessionRequiredTrustRequester(updateUserAuth)).Methods("PUT") 41 42 api.BaseRoutes.Users.Handle("/mfa", api.ApiHandler(checkUserMfa)).Methods("POST") 43 api.BaseRoutes.User.Handle("/mfa", api.ApiSessionRequiredMfa(updateUserMfa)).Methods("PUT") 44 api.BaseRoutes.User.Handle("/mfa/generate", api.ApiSessionRequiredMfa(generateMfaSecret)).Methods("POST") 45 46 api.BaseRoutes.Users.Handle("/login", api.ApiHandler(login)).Methods("POST") 47 api.BaseRoutes.Users.Handle("/login/switch", api.ApiHandler(switchAccountType)).Methods("POST") 48 api.BaseRoutes.Users.Handle("/logout", api.ApiHandler(logout)).Methods("POST") 49 50 api.BaseRoutes.UserByUsername.Handle("", api.ApiSessionRequired(getUserByUsername)).Methods("GET") 51 api.BaseRoutes.UserByEmail.Handle("", api.ApiSessionRequired(getUserByEmail)).Methods("GET") 52 53 api.BaseRoutes.User.Handle("/sessions", api.ApiSessionRequired(getSessions)).Methods("GET") 54 api.BaseRoutes.User.Handle("/sessions/revoke", api.ApiSessionRequired(revokeSession)).Methods("POST") 55 api.BaseRoutes.User.Handle("/sessions/revoke/all", api.ApiSessionRequired(revokeAllSessionsForUser)).Methods("POST") 56 api.BaseRoutes.Users.Handle("/sessions/device", api.ApiSessionRequired(attachDeviceId)).Methods("PUT") 57 api.BaseRoutes.User.Handle("/audits", api.ApiSessionRequired(getUserAudits)).Methods("GET") 58 59 api.BaseRoutes.User.Handle("/tokens", api.ApiSessionRequired(createUserAccessToken)).Methods("POST") 60 api.BaseRoutes.User.Handle("/tokens", api.ApiSessionRequired(getUserAccessTokensForUser)).Methods("GET") 61 api.BaseRoutes.Users.Handle("/tokens", api.ApiSessionRequired(getUserAccessTokens)).Methods("GET") 62 api.BaseRoutes.Users.Handle("/tokens/search", api.ApiSessionRequired(searchUserAccessTokens)).Methods("POST") 63 api.BaseRoutes.Users.Handle("/tokens/{token_id:[A-Za-z0-9]+}", api.ApiSessionRequired(getUserAccessToken)).Methods("GET") 64 api.BaseRoutes.Users.Handle("/tokens/revoke", api.ApiSessionRequired(revokeUserAccessToken)).Methods("POST") 65 api.BaseRoutes.Users.Handle("/tokens/disable", api.ApiSessionRequired(disableUserAccessToken)).Methods("POST") 66 api.BaseRoutes.Users.Handle("/tokens/enable", api.ApiSessionRequired(enableUserAccessToken)).Methods("POST") 67 } 68 69 func createUser(c *Context, w http.ResponseWriter, r *http.Request) { 70 user := model.UserFromJson(r.Body) 71 if user == nil { 72 c.SetInvalidParam("user") 73 return 74 } 75 76 hash := r.URL.Query().Get("h") 77 inviteId := r.URL.Query().Get("iid") 78 79 // No permission check required 80 81 var ruser *model.User 82 var err *model.AppError 83 if len(hash) > 0 { 84 ruser, err = c.App.CreateUserWithHash(user, hash, r.URL.Query().Get("d")) 85 } else if len(inviteId) > 0 { 86 ruser, err = c.App.CreateUserWithInviteId(user, inviteId) 87 } else if c.IsSystemAdmin() { 88 ruser, err = c.App.CreateUserAsAdmin(user) 89 } else { 90 ruser, err = c.App.CreateUserFromSignup(user) 91 } 92 93 if err != nil { 94 c.Err = err 95 return 96 } 97 98 w.WriteHeader(http.StatusCreated) 99 w.Write([]byte(ruser.ToJson())) 100 } 101 102 func getUser(c *Context, w http.ResponseWriter, r *http.Request) { 103 c.RequireUserId() 104 if c.Err != nil { 105 return 106 } 107 108 // No permission check required 109 110 var user *model.User 111 var err *model.AppError 112 113 if user, err = c.App.GetUser(c.Params.UserId); err != nil { 114 c.Err = err 115 return 116 } 117 118 etag := user.Etag(c.App.Config().PrivacySettings.ShowFullName, c.App.Config().PrivacySettings.ShowEmailAddress) 119 120 if c.HandleEtag(etag, "Get User", w, r) { 121 return 122 } else { 123 if c.Session.UserId == user.Id { 124 user.Sanitize(map[string]bool{}) 125 } else { 126 c.App.SanitizeProfile(user, c.IsSystemAdmin()) 127 } 128 c.App.UpdateLastActivityAtIfNeeded(c.Session) 129 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 130 w.Write([]byte(user.ToJson())) 131 return 132 } 133 } 134 135 func getUserByUsername(c *Context, w http.ResponseWriter, r *http.Request) { 136 c.RequireUsername() 137 if c.Err != nil { 138 return 139 } 140 141 // No permission check required 142 143 var user *model.User 144 var err *model.AppError 145 146 if user, err = c.App.GetUserByUsername(c.Params.Username); err != nil { 147 c.Err = err 148 return 149 } 150 151 etag := user.Etag(c.App.Config().PrivacySettings.ShowFullName, c.App.Config().PrivacySettings.ShowEmailAddress) 152 153 if c.HandleEtag(etag, "Get User", w, r) { 154 return 155 } else { 156 c.App.SanitizeProfile(user, c.IsSystemAdmin()) 157 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 158 w.Write([]byte(user.ToJson())) 159 return 160 } 161 } 162 163 func getUserByEmail(c *Context, w http.ResponseWriter, r *http.Request) { 164 c.RequireEmail() 165 if c.Err != nil { 166 return 167 } 168 169 // No permission check required 170 171 var user *model.User 172 var err *model.AppError 173 174 if user, err = c.App.GetUserByEmail(c.Params.Email); err != nil { 175 c.Err = err 176 return 177 } 178 179 etag := user.Etag(c.App.Config().PrivacySettings.ShowFullName, c.App.Config().PrivacySettings.ShowEmailAddress) 180 181 if c.HandleEtag(etag, "Get User", w, r) { 182 return 183 } else { 184 c.App.SanitizeProfile(user, c.IsSystemAdmin()) 185 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 186 w.Write([]byte(user.ToJson())) 187 return 188 } 189 } 190 191 func getProfileImage(c *Context, w http.ResponseWriter, r *http.Request) { 192 c.RequireUserId() 193 if c.Err != nil { 194 return 195 } 196 197 if users, err := c.App.GetUsersByIds([]string{c.Params.UserId}, c.IsSystemAdmin()); err != nil { 198 c.Err = err 199 return 200 } else { 201 if len(users) == 0 { 202 c.Err = err 203 } 204 205 user := users[0] 206 etag := strconv.FormatInt(user.LastPictureUpdate, 10) 207 if c.HandleEtag(etag, "Get Profile Image", w, r) { 208 return 209 } 210 211 var img []byte 212 img, readFailed, err := c.App.GetProfileImage(user) 213 if err != nil { 214 c.Err = err 215 return 216 } 217 218 if readFailed { 219 w.Header().Set("Cache-Control", fmt.Sprintf("max-age=%v, public", 5*60)) // 5 mins 220 } else { 221 w.Header().Set("Cache-Control", fmt.Sprintf("max-age=%v, public", 24*60*60)) // 24 hrs 222 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 223 } 224 225 w.Header().Set("Content-Type", "image/png") 226 w.Write(img) 227 } 228 } 229 230 func setProfileImage(c *Context, w http.ResponseWriter, r *http.Request) { 231 c.RequireUserId() 232 if c.Err != nil { 233 return 234 } 235 236 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 237 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 238 return 239 } 240 241 if len(*c.App.Config().FileSettings.DriverName) == 0 { 242 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.storage.app_error", nil, "", http.StatusNotImplemented) 243 return 244 } 245 246 if r.ContentLength > *c.App.Config().FileSettings.MaxFileSize { 247 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.too_large.app_error", nil, "", http.StatusRequestEntityTooLarge) 248 return 249 } 250 251 if err := r.ParseMultipartForm(*c.App.Config().FileSettings.MaxFileSize); err != nil { 252 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.parse.app_error", nil, err.Error(), http.StatusInternalServerError) 253 return 254 } 255 256 m := r.MultipartForm 257 258 imageArray, ok := m.File["image"] 259 if !ok { 260 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.no_file.app_error", nil, "", http.StatusBadRequest) 261 return 262 } 263 264 if len(imageArray) <= 0 { 265 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.array.app_error", nil, "", http.StatusBadRequest) 266 return 267 } 268 269 imageData := imageArray[0] 270 271 if err := c.App.SetProfileImage(c.Params.UserId, imageData); err != nil { 272 c.Err = err 273 return 274 } 275 276 c.LogAudit("") 277 ReturnStatusOK(w) 278 } 279 280 func getUsers(c *Context, w http.ResponseWriter, r *http.Request) { 281 inTeamId := r.URL.Query().Get("in_team") 282 notInTeamId := r.URL.Query().Get("not_in_team") 283 inChannelId := r.URL.Query().Get("in_channel") 284 notInChannelId := r.URL.Query().Get("not_in_channel") 285 withoutTeam := r.URL.Query().Get("without_team") 286 sort := r.URL.Query().Get("sort") 287 288 if len(notInChannelId) > 0 && len(inTeamId) == 0 { 289 c.SetInvalidUrlParam("team_id") 290 return 291 } 292 293 if sort != "" && sort != "last_activity_at" && sort != "create_at" && sort != "status" { 294 c.SetInvalidUrlParam("sort") 295 return 296 } 297 298 // Currently only supports sorting on a team 299 // or sort="status" on inChannelId 300 if (sort == "last_activity_at" || sort == "create_at") && (inTeamId == "" || notInTeamId != "" || inChannelId != "" || notInChannelId != "" || withoutTeam != "") { 301 c.SetInvalidUrlParam("sort") 302 return 303 } 304 if sort == "status" && inChannelId == "" { 305 c.SetInvalidUrlParam("sort") 306 return 307 } 308 309 var profiles []*model.User 310 var err *model.AppError 311 etag := "" 312 313 if withoutTeamBool, _ := strconv.ParseBool(withoutTeam); withoutTeamBool { 314 // Use a special permission for now 315 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_LIST_USERS_WITHOUT_TEAM) { 316 c.SetPermissionError(model.PERMISSION_LIST_USERS_WITHOUT_TEAM) 317 return 318 } 319 320 profiles, err = c.App.GetUsersWithoutTeamPage(c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 321 } else if len(notInChannelId) > 0 { 322 if !c.App.SessionHasPermissionToChannel(c.Session, notInChannelId, model.PERMISSION_READ_CHANNEL) { 323 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 324 return 325 } 326 327 profiles, err = c.App.GetUsersNotInChannelPage(inTeamId, notInChannelId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 328 } else if len(notInTeamId) > 0 { 329 if !c.App.SessionHasPermissionToTeam(c.Session, notInTeamId, model.PERMISSION_VIEW_TEAM) { 330 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 331 return 332 } 333 334 etag = c.App.GetUsersNotInTeamEtag(inTeamId) 335 if c.HandleEtag(etag, "Get Users Not in Team", w, r) { 336 return 337 } 338 339 profiles, err = c.App.GetUsersNotInTeamPage(notInTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 340 } else if len(inTeamId) > 0 { 341 if !c.App.SessionHasPermissionToTeam(c.Session, inTeamId, model.PERMISSION_VIEW_TEAM) { 342 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 343 return 344 } 345 346 if sort == "last_activity_at" { 347 profiles, err = c.App.GetRecentlyActiveUsersForTeamPage(inTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 348 } else if sort == "create_at" { 349 profiles, err = c.App.GetNewUsersForTeamPage(inTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 350 } else { 351 etag = c.App.GetUsersInTeamEtag(inTeamId) 352 if c.HandleEtag(etag, "Get Users in Team", w, r) { 353 return 354 } 355 356 profiles, err = c.App.GetUsersInTeamPage(inTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 357 } 358 } else if len(inChannelId) > 0 { 359 if !c.App.SessionHasPermissionToChannel(c.Session, inChannelId, model.PERMISSION_READ_CHANNEL) { 360 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 361 return 362 } 363 if sort == "status" { 364 profiles, err = c.App.GetUsersInChannelPageByStatus(inChannelId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 365 } else { 366 profiles, err = c.App.GetUsersInChannelPage(inChannelId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 367 } 368 } else { 369 // No permission check required 370 371 etag = c.App.GetUsersEtag() 372 if c.HandleEtag(etag, "Get Users", w, r) { 373 return 374 } 375 profiles, err = c.App.GetUsersPage(c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 376 } 377 378 if err != nil { 379 c.Err = err 380 return 381 } else { 382 if len(etag) > 0 { 383 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 384 } 385 c.App.UpdateLastActivityAtIfNeeded(c.Session) 386 w.Write([]byte(model.UserListToJson(profiles))) 387 } 388 } 389 390 func getUsersByIds(c *Context, w http.ResponseWriter, r *http.Request) { 391 userIds := model.ArrayFromJson(r.Body) 392 393 if len(userIds) == 0 { 394 c.SetInvalidParam("user_ids") 395 return 396 } 397 398 // No permission check required 399 400 if users, err := c.App.GetUsersByIds(userIds, c.IsSystemAdmin()); err != nil { 401 c.Err = err 402 return 403 } else { 404 w.Write([]byte(model.UserListToJson(users))) 405 } 406 } 407 408 func getUsersByNames(c *Context, w http.ResponseWriter, r *http.Request) { 409 usernames := model.ArrayFromJson(r.Body) 410 411 if len(usernames) == 0 { 412 c.SetInvalidParam("usernames") 413 return 414 } 415 416 // No permission check required 417 418 if users, err := c.App.GetUsersByUsernames(usernames, c.IsSystemAdmin()); err != nil { 419 c.Err = err 420 return 421 } else { 422 w.Write([]byte(model.UserListToJson(users))) 423 } 424 } 425 426 func searchUsers(c *Context, w http.ResponseWriter, r *http.Request) { 427 props := model.UserSearchFromJson(r.Body) 428 if props == nil { 429 c.SetInvalidParam("") 430 return 431 } 432 433 if len(props.Term) == 0 { 434 c.SetInvalidParam("term") 435 return 436 } 437 438 if props.TeamId == "" && props.NotInChannelId != "" { 439 c.SetInvalidParam("team_id") 440 return 441 } 442 443 if props.InChannelId != "" && !c.App.SessionHasPermissionToChannel(c.Session, props.InChannelId, model.PERMISSION_READ_CHANNEL) { 444 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 445 return 446 } 447 448 if props.NotInChannelId != "" && !c.App.SessionHasPermissionToChannel(c.Session, props.NotInChannelId, model.PERMISSION_READ_CHANNEL) { 449 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 450 return 451 } 452 453 if props.TeamId != "" && !c.App.SessionHasPermissionToTeam(c.Session, props.TeamId, model.PERMISSION_VIEW_TEAM) { 454 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 455 return 456 } 457 458 if props.NotInTeamId != "" && !c.App.SessionHasPermissionToTeam(c.Session, props.NotInTeamId, model.PERMISSION_VIEW_TEAM) { 459 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 460 return 461 } 462 463 searchOptions := map[string]bool{} 464 searchOptions[store.USER_SEARCH_OPTION_ALLOW_INACTIVE] = props.AllowInactive 465 466 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 467 hideFullName := !c.App.Config().PrivacySettings.ShowFullName 468 hideEmail := !c.App.Config().PrivacySettings.ShowEmailAddress 469 470 if hideFullName && hideEmail { 471 searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY_NO_FULL_NAME] = true 472 } else if hideFullName { 473 searchOptions[store.USER_SEARCH_OPTION_ALL_NO_FULL_NAME] = true 474 } else if hideEmail { 475 searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true 476 } 477 } 478 479 if profiles, err := c.App.SearchUsers(props, searchOptions, c.IsSystemAdmin()); err != nil { 480 c.Err = err 481 return 482 } else { 483 w.Write([]byte(model.UserListToJson(profiles))) 484 } 485 } 486 487 func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) { 488 channelId := r.URL.Query().Get("in_channel") 489 teamId := r.URL.Query().Get("in_team") 490 name := r.URL.Query().Get("name") 491 492 autocomplete := new(model.UserAutocomplete) 493 var err *model.AppError 494 495 searchOptions := map[string]bool{} 496 497 hideFullName := !c.App.Config().PrivacySettings.ShowFullName 498 if hideFullName && !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 499 searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY_NO_FULL_NAME] = true 500 } else { 501 searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true 502 } 503 504 if len(channelId) > 0 { 505 if !c.App.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) { 506 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 507 return 508 } 509 510 result, _ := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin()) 511 autocomplete.Users = result.InChannel 512 autocomplete.OutOfChannel = result.OutOfChannel 513 } else if len(teamId) > 0 { 514 if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) { 515 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 516 return 517 } 518 519 result, _ := c.App.AutocompleteUsersInTeam(teamId, name, searchOptions, c.IsSystemAdmin()) 520 autocomplete.Users = result.InTeam 521 } else { 522 // No permission check required 523 result, _ := c.App.SearchUsersInTeam("", name, searchOptions, c.IsSystemAdmin()) 524 autocomplete.Users = result 525 } 526 527 if err != nil { 528 c.Err = err 529 return 530 } else { 531 w.Write([]byte((autocomplete.ToJson()))) 532 } 533 } 534 535 func updateUser(c *Context, w http.ResponseWriter, r *http.Request) { 536 c.RequireUserId() 537 if c.Err != nil { 538 return 539 } 540 541 user := model.UserFromJson(r.Body) 542 if user == nil { 543 c.SetInvalidParam("user") 544 return 545 } 546 547 if !c.App.SessionHasPermissionToUser(c.Session, user.Id) { 548 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 549 return 550 } 551 552 if c.Session.IsOAuth { 553 ouser, err := c.App.GetUser(user.Id) 554 if err != nil { 555 c.Err = err 556 return 557 } 558 559 if ouser.Email != user.Email { 560 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 561 c.Err.DetailedError += ", attempted email update by oauth app" 562 return 563 } 564 } 565 566 if ruser, err := c.App.UpdateUserAsUser(user, c.IsSystemAdmin()); err != nil { 567 c.Err = err 568 return 569 } else { 570 c.LogAudit("") 571 w.Write([]byte(ruser.ToJson())) 572 } 573 } 574 575 func patchUser(c *Context, w http.ResponseWriter, r *http.Request) { 576 c.RequireUserId() 577 if c.Err != nil { 578 return 579 } 580 581 patch := model.UserPatchFromJson(r.Body) 582 if patch == nil { 583 c.SetInvalidParam("user") 584 return 585 } 586 587 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 588 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 589 return 590 } 591 592 if c.Session.IsOAuth && patch.Email != nil { 593 ouser, err := c.App.GetUser(c.Params.UserId) 594 if err != nil { 595 c.Err = err 596 return 597 } 598 599 if ouser.Email != *patch.Email { 600 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 601 c.Err.DetailedError += ", attempted email update by oauth app" 602 return 603 } 604 } 605 606 if ruser, err := c.App.PatchUser(c.Params.UserId, patch, c.IsSystemAdmin()); err != nil { 607 c.Err = err 608 return 609 } else { 610 c.LogAudit("") 611 w.Write([]byte(ruser.ToJson())) 612 } 613 } 614 615 func deleteUser(c *Context, w http.ResponseWriter, r *http.Request) { 616 c.RequireUserId() 617 if c.Err != nil { 618 return 619 } 620 621 userId := c.Params.UserId 622 623 if !c.App.SessionHasPermissionToUser(c.Session, userId) { 624 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 625 return 626 } 627 628 var user *model.User 629 var err *model.AppError 630 631 if user, err = c.App.GetUser(userId); err != nil { 632 c.Err = err 633 return 634 } 635 636 if _, err := c.App.UpdateActive(user, false); err != nil { 637 c.Err = err 638 return 639 } 640 641 ReturnStatusOK(w) 642 } 643 644 func updateUserRoles(c *Context, w http.ResponseWriter, r *http.Request) { 645 c.RequireUserId() 646 if c.Err != nil { 647 return 648 } 649 650 props := model.MapFromJson(r.Body) 651 652 newRoles := props["roles"] 653 if !model.IsValidUserRoles(newRoles) { 654 c.SetInvalidParam("roles") 655 return 656 } 657 658 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_ROLES) { 659 c.SetPermissionError(model.PERMISSION_MANAGE_ROLES) 660 return 661 } 662 663 if _, err := c.App.UpdateUserRoles(c.Params.UserId, newRoles, true); err != nil { 664 c.Err = err 665 return 666 } else { 667 c.LogAuditWithUserId(c.Params.UserId, "roles="+newRoles) 668 } 669 670 ReturnStatusOK(w) 671 } 672 673 func updateUserActive(c *Context, w http.ResponseWriter, r *http.Request) { 674 c.RequireUserId() 675 if c.Err != nil { 676 return 677 } 678 679 props := model.StringInterfaceFromJson(r.Body) 680 681 active, ok := props["active"].(bool) 682 if !ok { 683 c.SetInvalidParam("active") 684 return 685 } 686 687 // true when you're trying to de-activate yourself 688 isSelfDeactive := !active && c.Params.UserId == c.Session.UserId 689 690 if !isSelfDeactive && !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 691 c.Err = model.NewAppError("updateUserActive", "api.user.update_active.permissions.app_error", nil, "userId="+c.Params.UserId, http.StatusForbidden) 692 return 693 } 694 695 var user *model.User 696 var err *model.AppError 697 698 if user, err = c.App.GetUser(c.Params.UserId); err != nil { 699 c.Err = err 700 return 701 } 702 703 if _, err := c.App.UpdateActive(user, active); err != nil { 704 c.Err = err 705 } else { 706 c.LogAuditWithUserId(user.Id, fmt.Sprintf("active=%v", active)) 707 ReturnStatusOK(w) 708 } 709 } 710 711 func updateUserAuth(c *Context, w http.ResponseWriter, r *http.Request) { 712 if !c.IsSystemAdmin() { 713 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 714 return 715 } 716 717 c.RequireUserId() 718 if c.Err != nil { 719 return 720 } 721 722 userAuth := model.UserAuthFromJson(r.Body) 723 if userAuth == nil { 724 c.SetInvalidParam("user") 725 return 726 } 727 728 if user, err := c.App.UpdateUserAuth(c.Params.UserId, userAuth); err != nil { 729 c.Err = err 730 } else { 731 c.LogAuditWithUserId(c.Params.UserId, fmt.Sprintf("updated user auth to service=%v", user.AuthService)) 732 w.Write([]byte(user.ToJson())) 733 } 734 } 735 736 func checkUserMfa(c *Context, w http.ResponseWriter, r *http.Request) { 737 props := model.MapFromJson(r.Body) 738 739 loginId := props["login_id"] 740 if len(loginId) == 0 { 741 c.SetInvalidParam("login_id") 742 return 743 } 744 745 resp := map[string]interface{}{} 746 resp["mfa_required"] = false 747 748 if license := c.App.License(); license == nil || !*license.Features.MFA || !*c.App.Config().ServiceSettings.EnableMultifactorAuthentication { 749 w.Write([]byte(model.StringInterfaceToJson(resp))) 750 return 751 } 752 753 if user, err := c.App.GetUserForLogin(loginId, false); err == nil { 754 resp["mfa_required"] = user.MfaActive 755 } 756 757 w.Write([]byte(model.StringInterfaceToJson(resp))) 758 } 759 760 func updateUserMfa(c *Context, w http.ResponseWriter, r *http.Request) { 761 c.RequireUserId() 762 if c.Err != nil { 763 return 764 } 765 766 if c.Session.IsOAuth { 767 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 768 c.Err.DetailedError += ", attempted access by oauth app" 769 return 770 } 771 772 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 773 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 774 return 775 } 776 777 props := model.StringInterfaceFromJson(r.Body) 778 779 activate, ok := props["activate"].(bool) 780 if !ok { 781 c.SetInvalidParam("activate") 782 return 783 } 784 785 code := "" 786 if activate { 787 code, ok = props["code"].(string) 788 if !ok || len(code) == 0 { 789 c.SetInvalidParam("code") 790 return 791 } 792 } 793 794 c.LogAudit("attempt") 795 796 if err := c.App.UpdateMfa(activate, c.Params.UserId, code); err != nil { 797 c.Err = err 798 return 799 } 800 801 c.LogAudit("success - mfa updated") 802 ReturnStatusOK(w) 803 } 804 805 func generateMfaSecret(c *Context, w http.ResponseWriter, r *http.Request) { 806 c.RequireUserId() 807 if c.Err != nil { 808 return 809 } 810 811 if c.Session.IsOAuth { 812 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 813 c.Err.DetailedError += ", attempted access by oauth app" 814 return 815 } 816 817 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 818 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 819 return 820 } 821 822 secret, err := c.App.GenerateMfaSecret(c.Params.UserId) 823 if err != nil { 824 c.Err = err 825 return 826 } 827 828 w.Header().Set("Cache-Control", "no-cache") 829 w.Header().Set("Pragma", "no-cache") 830 w.Header().Set("Expires", "0") 831 w.Write([]byte(secret.ToJson())) 832 } 833 834 func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) { 835 c.RequireUserId() 836 if c.Err != nil { 837 return 838 } 839 840 props := model.MapFromJson(r.Body) 841 842 newPassword := props["new_password"] 843 844 c.LogAudit("attempted") 845 846 var err *model.AppError 847 if c.Params.UserId == c.Session.UserId { 848 currentPassword := props["current_password"] 849 if len(currentPassword) <= 0 { 850 c.SetInvalidParam("current_password") 851 return 852 } 853 854 err = c.App.UpdatePasswordAsUser(c.Params.UserId, currentPassword, newPassword) 855 } else if c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 856 err = c.App.UpdatePasswordByUserIdSendEmail(c.Params.UserId, newPassword, c.T("api.user.reset_password.method")) 857 } else { 858 err = model.NewAppError("updatePassword", "api.user.update_password.context.app_error", nil, "", http.StatusForbidden) 859 } 860 861 if err != nil { 862 c.LogAudit("failed") 863 c.Err = err 864 return 865 } else { 866 c.LogAudit("completed") 867 ReturnStatusOK(w) 868 } 869 } 870 871 func resetPassword(c *Context, w http.ResponseWriter, r *http.Request) { 872 props := model.MapFromJson(r.Body) 873 874 token := props["token"] 875 if len(token) != model.TOKEN_SIZE { 876 c.SetInvalidParam("token") 877 return 878 } 879 880 newPassword := props["new_password"] 881 882 c.LogAudit("attempt - token=" + token) 883 884 if err := c.App.ResetPasswordFromToken(token, newPassword); err != nil { 885 c.LogAudit("fail - token=" + token) 886 c.Err = err 887 return 888 } 889 890 c.LogAudit("success - token=" + token) 891 892 ReturnStatusOK(w) 893 } 894 895 func sendPasswordReset(c *Context, w http.ResponseWriter, r *http.Request) { 896 props := model.MapFromJson(r.Body) 897 898 email := props["email"] 899 if len(email) == 0 { 900 c.SetInvalidParam("email") 901 return 902 } 903 904 if sent, err := c.App.SendPasswordReset(email, c.App.GetSiteURL()); err != nil { 905 c.Err = err 906 return 907 } else if sent { 908 c.LogAudit("sent=" + email) 909 } 910 911 ReturnStatusOK(w) 912 } 913 914 func login(c *Context, w http.ResponseWriter, r *http.Request) { 915 props := model.MapFromJson(r.Body) 916 917 id := props["id"] 918 loginId := props["login_id"] 919 password := props["password"] 920 mfaToken := props["token"] 921 deviceId := props["device_id"] 922 ldapOnly := props["ldap_only"] == "true" 923 924 c.LogAuditWithUserId(id, "attempt - login_id="+loginId) 925 user, err := c.App.AuthenticateUserForLogin(id, loginId, password, mfaToken, deviceId, ldapOnly) 926 if err != nil { 927 c.LogAuditWithUserId(id, "failure - login_id="+loginId) 928 c.Err = err 929 return 930 } 931 932 c.LogAuditWithUserId(user.Id, "authenticated") 933 934 var session *model.Session 935 session, err = c.App.DoLogin(w, r, user, deviceId) 936 if err != nil { 937 c.Err = err 938 return 939 } 940 941 c.LogAuditWithUserId(user.Id, "success") 942 943 c.Session = *session 944 945 user.Sanitize(map[string]bool{}) 946 947 w.Write([]byte(user.ToJson())) 948 } 949 950 func logout(c *Context, w http.ResponseWriter, r *http.Request) { 951 data := make(map[string]string) 952 data["user_id"] = c.Session.UserId 953 954 Logout(c, w, r) 955 956 } 957 958 func Logout(c *Context, w http.ResponseWriter, r *http.Request) { 959 c.LogAudit("") 960 c.RemoveSessionCookie(w, r) 961 if c.Session.Id != "" { 962 if err := c.App.RevokeSessionById(c.Session.Id); err != nil { 963 c.Err = err 964 return 965 } 966 } 967 968 ReturnStatusOK(w) 969 } 970 971 func getSessions(c *Context, w http.ResponseWriter, r *http.Request) { 972 c.RequireUserId() 973 if c.Err != nil { 974 return 975 } 976 977 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 978 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 979 return 980 } 981 982 if sessions, err := c.App.GetSessions(c.Params.UserId); err != nil { 983 c.Err = err 984 return 985 } else { 986 for _, session := range sessions { 987 session.Sanitize() 988 } 989 990 w.Write([]byte(model.SessionsToJson(sessions))) 991 return 992 } 993 } 994 995 func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) { 996 c.RequireUserId() 997 if c.Err != nil { 998 return 999 } 1000 1001 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 1002 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1003 return 1004 } 1005 1006 props := model.MapFromJson(r.Body) 1007 sessionId := props["session_id"] 1008 1009 if sessionId == "" { 1010 c.SetInvalidParam("session_id") 1011 return 1012 } 1013 1014 var session *model.Session 1015 var err *model.AppError 1016 if session, err = c.App.GetSessionById(sessionId); err != nil { 1017 c.Err = err 1018 return 1019 } 1020 1021 if session.UserId != c.Params.UserId { 1022 c.SetInvalidUrlParam("user_id") 1023 return 1024 } 1025 1026 if err := c.App.RevokeSession(session); err != nil { 1027 c.Err = err 1028 return 1029 } 1030 1031 ReturnStatusOK(w) 1032 } 1033 1034 func revokeAllSessionsForUser(c *Context, w http.ResponseWriter, r *http.Request) { 1035 c.RequireUserId() 1036 if c.Err != nil { 1037 return 1038 } 1039 1040 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 1041 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1042 return 1043 } 1044 1045 if err := c.App.RevokeAllSessions(c.Params.UserId); err != nil { 1046 c.Err = err 1047 return 1048 } 1049 1050 ReturnStatusOK(w) 1051 } 1052 1053 func attachDeviceId(c *Context, w http.ResponseWriter, r *http.Request) { 1054 props := model.MapFromJson(r.Body) 1055 1056 deviceId := props["device_id"] 1057 if len(deviceId) == 0 { 1058 c.SetInvalidParam("device_id") 1059 return 1060 } 1061 1062 // A special case where we logout of all other sessions with the same device id 1063 if err := c.App.RevokeSessionsForDeviceId(c.Session.UserId, deviceId, c.Session.Id); err != nil { 1064 c.Err = err 1065 return 1066 } 1067 1068 c.App.ClearSessionCacheForUser(c.Session.UserId) 1069 c.Session.SetExpireInDays(*c.App.Config().ServiceSettings.SessionLengthMobileInDays) 1070 1071 maxAge := *c.App.Config().ServiceSettings.SessionLengthMobileInDays * 60 * 60 * 24 1072 1073 secure := false 1074 if app.GetProtocol(r) == "https" { 1075 secure = true 1076 } 1077 1078 expiresAt := time.Unix(model.GetMillis()/1000+int64(maxAge), 0) 1079 sessionCookie := &http.Cookie{ 1080 Name: model.SESSION_COOKIE_TOKEN, 1081 Value: c.Session.Token, 1082 Path: "/", 1083 MaxAge: maxAge, 1084 Expires: expiresAt, 1085 HttpOnly: true, 1086 Domain: c.App.GetCookieDomain(), 1087 Secure: secure, 1088 } 1089 1090 http.SetCookie(w, sessionCookie) 1091 1092 if err := c.App.AttachDeviceId(c.Session.Id, deviceId, c.Session.ExpiresAt); err != nil { 1093 c.Err = err 1094 return 1095 } 1096 1097 c.LogAudit("") 1098 ReturnStatusOK(w) 1099 } 1100 1101 func getUserAudits(c *Context, w http.ResponseWriter, r *http.Request) { 1102 c.RequireUserId() 1103 if c.Err != nil { 1104 return 1105 } 1106 1107 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 1108 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1109 return 1110 } 1111 1112 if audits, err := c.App.GetAuditsPage(c.Params.UserId, c.Params.Page, c.Params.PerPage); err != nil { 1113 c.Err = err 1114 return 1115 } else { 1116 w.Write([]byte(audits.ToJson())) 1117 return 1118 } 1119 } 1120 1121 func verifyUserEmail(c *Context, w http.ResponseWriter, r *http.Request) { 1122 props := model.MapFromJson(r.Body) 1123 1124 token := props["token"] 1125 if len(token) != model.TOKEN_SIZE { 1126 c.SetInvalidParam("token") 1127 return 1128 } 1129 1130 if err := c.App.VerifyEmailFromToken(token); err != nil { 1131 c.Err = model.NewAppError("verifyUserEmail", "api.user.verify_email.bad_link.app_error", nil, err.Error(), http.StatusBadRequest) 1132 return 1133 } else { 1134 c.LogAudit("Email Verified") 1135 ReturnStatusOK(w) 1136 return 1137 } 1138 } 1139 1140 func sendVerificationEmail(c *Context, w http.ResponseWriter, r *http.Request) { 1141 props := model.MapFromJson(r.Body) 1142 1143 email := props["email"] 1144 if len(email) == 0 { 1145 c.SetInvalidParam("email") 1146 return 1147 } 1148 1149 user, err := c.App.GetUserForLogin(email, false) 1150 if err != nil { 1151 // Don't want to leak whether the email is valid or not 1152 ReturnStatusOK(w) 1153 return 1154 } 1155 1156 err = c.App.SendEmailVerification(user) 1157 if err != nil { 1158 // Don't want to leak whether the email is valid or not 1159 l4g.Error(err.Error()) 1160 ReturnStatusOK(w) 1161 return 1162 } 1163 1164 ReturnStatusOK(w) 1165 } 1166 1167 func switchAccountType(c *Context, w http.ResponseWriter, r *http.Request) { 1168 switchRequest := model.SwitchRequestFromJson(r.Body) 1169 if switchRequest == nil { 1170 c.SetInvalidParam("switch_request") 1171 return 1172 } 1173 1174 link := "" 1175 var err *model.AppError 1176 1177 if switchRequest.EmailToOAuth() { 1178 link, err = c.App.SwitchEmailToOAuth(w, r, switchRequest.Email, switchRequest.Password, switchRequest.MfaCode, switchRequest.NewService) 1179 } else if switchRequest.OAuthToEmail() { 1180 c.SessionRequired() 1181 if c.Err != nil { 1182 return 1183 } 1184 1185 link, err = c.App.SwitchOAuthToEmail(switchRequest.Email, switchRequest.NewPassword, c.Session.UserId) 1186 } else if switchRequest.EmailToLdap() { 1187 link, err = c.App.SwitchEmailToLdap(switchRequest.Email, switchRequest.Password, switchRequest.MfaCode, switchRequest.LdapId, switchRequest.NewPassword) 1188 } else if switchRequest.LdapToEmail() { 1189 link, err = c.App.SwitchLdapToEmail(switchRequest.Password, switchRequest.MfaCode, switchRequest.Email, switchRequest.NewPassword) 1190 } else { 1191 c.SetInvalidParam("switch_request") 1192 return 1193 } 1194 1195 if err != nil { 1196 c.Err = err 1197 return 1198 } 1199 1200 c.LogAudit("success") 1201 w.Write([]byte(model.MapToJson(map[string]string{"follow_link": link}))) 1202 } 1203 1204 func createUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1205 c.RequireUserId() 1206 if c.Err != nil { 1207 return 1208 } 1209 1210 if c.Session.IsOAuth { 1211 c.SetPermissionError(model.PERMISSION_CREATE_USER_ACCESS_TOKEN) 1212 c.Err.DetailedError += ", attempted access by oauth app" 1213 return 1214 } 1215 1216 accessToken := model.UserAccessTokenFromJson(r.Body) 1217 if accessToken == nil { 1218 c.SetInvalidParam("user_access_token") 1219 return 1220 } 1221 1222 if accessToken.Description == "" { 1223 c.SetInvalidParam("description") 1224 return 1225 } 1226 1227 c.LogAudit("") 1228 1229 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_CREATE_USER_ACCESS_TOKEN) { 1230 c.SetPermissionError(model.PERMISSION_CREATE_USER_ACCESS_TOKEN) 1231 return 1232 } 1233 1234 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 1235 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1236 return 1237 } 1238 1239 accessToken.UserId = c.Params.UserId 1240 accessToken.Token = "" 1241 1242 var err *model.AppError 1243 accessToken, err = c.App.CreateUserAccessToken(accessToken) 1244 if err != nil { 1245 c.Err = err 1246 return 1247 } 1248 1249 c.LogAudit("success - token_id=" + accessToken.Id) 1250 w.Write([]byte(accessToken.ToJson())) 1251 } 1252 1253 func searchUserAccessTokens(c *Context, w http.ResponseWriter, r *http.Request) { 1254 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 1255 c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) 1256 return 1257 } 1258 props := model.UserAccessTokenSearchFromJson(r.Body) 1259 if props == nil { 1260 c.SetInvalidParam("user_access_token_search") 1261 return 1262 } 1263 1264 if len(props.Term) == 0 { 1265 c.SetInvalidParam("term") 1266 return 1267 } 1268 accessTokens, err := c.App.SearchUserAccessTokens(props.Term) 1269 if err != nil { 1270 c.Err = err 1271 return 1272 } 1273 1274 w.Write([]byte(model.UserAccessTokenListToJson(accessTokens))) 1275 } 1276 1277 func getUserAccessTokens(c *Context, w http.ResponseWriter, r *http.Request) { 1278 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 1279 c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) 1280 return 1281 } 1282 1283 accessTokens, err := c.App.GetUserAccessTokens(c.Params.Page, c.Params.PerPage) 1284 if err != nil { 1285 c.Err = err 1286 return 1287 } 1288 1289 w.Write([]byte(model.UserAccessTokenListToJson(accessTokens))) 1290 } 1291 1292 func getUserAccessTokensForUser(c *Context, w http.ResponseWriter, r *http.Request) { 1293 c.RequireUserId() 1294 if c.Err != nil { 1295 return 1296 } 1297 1298 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_READ_USER_ACCESS_TOKEN) { 1299 c.SetPermissionError(model.PERMISSION_READ_USER_ACCESS_TOKEN) 1300 return 1301 } 1302 1303 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 1304 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1305 return 1306 } 1307 1308 accessTokens, err := c.App.GetUserAccessTokensForUser(c.Params.UserId, c.Params.Page, c.Params.PerPage) 1309 if err != nil { 1310 c.Err = err 1311 return 1312 } 1313 1314 w.Write([]byte(model.UserAccessTokenListToJson(accessTokens))) 1315 } 1316 1317 func getUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1318 c.RequireTokenId() 1319 if c.Err != nil { 1320 return 1321 } 1322 1323 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_READ_USER_ACCESS_TOKEN) { 1324 c.SetPermissionError(model.PERMISSION_READ_USER_ACCESS_TOKEN) 1325 return 1326 } 1327 1328 accessToken, err := c.App.GetUserAccessToken(c.Params.TokenId, true) 1329 if err != nil { 1330 c.Err = err 1331 return 1332 } 1333 1334 if !c.App.SessionHasPermissionToUser(c.Session, accessToken.UserId) { 1335 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1336 return 1337 } 1338 1339 w.Write([]byte(accessToken.ToJson())) 1340 } 1341 1342 func revokeUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1343 props := model.MapFromJson(r.Body) 1344 tokenId := props["token_id"] 1345 1346 if tokenId == "" { 1347 c.SetInvalidParam("token_id") 1348 } 1349 1350 c.LogAudit("") 1351 1352 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) { 1353 c.SetPermissionError(model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) 1354 return 1355 } 1356 1357 accessToken, err := c.App.GetUserAccessToken(tokenId, false) 1358 if err != nil { 1359 c.Err = err 1360 return 1361 } 1362 1363 if !c.App.SessionHasPermissionToUser(c.Session, accessToken.UserId) { 1364 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1365 return 1366 } 1367 1368 err = c.App.RevokeUserAccessToken(accessToken) 1369 if err != nil { 1370 c.Err = err 1371 return 1372 } 1373 1374 c.LogAudit("success - token_id=" + accessToken.Id) 1375 ReturnStatusOK(w) 1376 } 1377 1378 func disableUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1379 props := model.MapFromJson(r.Body) 1380 tokenId := props["token_id"] 1381 1382 if tokenId == "" { 1383 c.SetInvalidParam("token_id") 1384 } 1385 1386 c.LogAudit("") 1387 1388 // No separate permission for this action for now 1389 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) { 1390 c.SetPermissionError(model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) 1391 return 1392 } 1393 1394 accessToken, err := c.App.GetUserAccessToken(tokenId, false) 1395 if err != nil { 1396 c.Err = err 1397 return 1398 } 1399 1400 if !c.App.SessionHasPermissionToUser(c.Session, accessToken.UserId) { 1401 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1402 return 1403 } 1404 1405 err = c.App.DisableUserAccessToken(accessToken) 1406 if err != nil { 1407 c.Err = err 1408 return 1409 } 1410 1411 c.LogAudit("success - token_id=" + accessToken.Id) 1412 ReturnStatusOK(w) 1413 } 1414 1415 func enableUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1416 props := model.MapFromJson(r.Body) 1417 tokenId := props["token_id"] 1418 1419 if tokenId == "" { 1420 c.SetInvalidParam("token_id") 1421 } 1422 1423 c.LogAudit("") 1424 1425 // No separate permission for this action for now 1426 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_CREATE_USER_ACCESS_TOKEN) { 1427 c.SetPermissionError(model.PERMISSION_CREATE_USER_ACCESS_TOKEN) 1428 return 1429 } 1430 1431 accessToken, err := c.App.GetUserAccessToken(tokenId, false) 1432 if err != nil { 1433 c.Err = err 1434 return 1435 } 1436 1437 if !c.App.SessionHasPermissionToUser(c.Session, accessToken.UserId) { 1438 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1439 return 1440 } 1441 1442 err = c.App.EnableUserAccessToken(accessToken) 1443 if err != nil { 1444 c.Err = err 1445 return 1446 } 1447 1448 c.LogAudit("success - token_id=" + accessToken.Id) 1449 ReturnStatusOK(w) 1450 }