github.com/dschalla/mattermost-server@v4.8.1-rc1+incompatible/api4/user.go (about) 1 // Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved. 2 // See License.txt for license information. 3 4 package api4 5 6 import ( 7 "fmt" 8 "net/http" 9 "strconv" 10 "time" 11 12 l4g "github.com/alecthomas/log4go" 13 "github.com/mattermost/mattermost-server/app" 14 "github.com/mattermost/mattermost-server/model" 15 "github.com/mattermost/mattermost-server/store" 16 ) 17 18 func (api *API) InitUser() { 19 api.BaseRoutes.Users.Handle("", api.ApiHandler(createUser)).Methods("POST") 20 api.BaseRoutes.Users.Handle("", api.ApiSessionRequired(getUsers)).Methods("GET") 21 api.BaseRoutes.Users.Handle("/ids", api.ApiSessionRequired(getUsersByIds)).Methods("POST") 22 api.BaseRoutes.Users.Handle("/usernames", api.ApiSessionRequired(getUsersByNames)).Methods("POST") 23 api.BaseRoutes.Users.Handle("/search", api.ApiSessionRequired(searchUsers)).Methods("POST") 24 api.BaseRoutes.Users.Handle("/autocomplete", api.ApiSessionRequired(autocompleteUsers)).Methods("GET") 25 26 api.BaseRoutes.User.Handle("", api.ApiSessionRequired(getUser)).Methods("GET") 27 api.BaseRoutes.User.Handle("/image", api.ApiSessionRequiredTrustRequester(getProfileImage)).Methods("GET") 28 api.BaseRoutes.User.Handle("/image", api.ApiSessionRequired(setProfileImage)).Methods("POST") 29 api.BaseRoutes.User.Handle("", api.ApiSessionRequired(updateUser)).Methods("PUT") 30 api.BaseRoutes.User.Handle("/patch", api.ApiSessionRequired(patchUser)).Methods("PUT") 31 api.BaseRoutes.User.Handle("", api.ApiSessionRequired(deleteUser)).Methods("DELETE") 32 api.BaseRoutes.User.Handle("/roles", api.ApiSessionRequired(updateUserRoles)).Methods("PUT") 33 api.BaseRoutes.User.Handle("/active", api.ApiSessionRequired(updateUserActive)).Methods("PUT") 34 api.BaseRoutes.User.Handle("/password", api.ApiSessionRequired(updatePassword)).Methods("PUT") 35 api.BaseRoutes.Users.Handle("/password/reset", api.ApiHandler(resetPassword)).Methods("POST") 36 api.BaseRoutes.Users.Handle("/password/reset/send", api.ApiHandler(sendPasswordReset)).Methods("POST") 37 api.BaseRoutes.Users.Handle("/email/verify", api.ApiHandler(verifyUserEmail)).Methods("POST") 38 api.BaseRoutes.Users.Handle("/email/verify/send", api.ApiHandler(sendVerificationEmail)).Methods("POST") 39 40 api.BaseRoutes.User.Handle("/auth", api.ApiSessionRequiredTrustRequester(updateUserAuth)).Methods("PUT") 41 42 api.BaseRoutes.Users.Handle("/mfa", api.ApiHandler(checkUserMfa)).Methods("POST") 43 api.BaseRoutes.User.Handle("/mfa", api.ApiSessionRequiredMfa(updateUserMfa)).Methods("PUT") 44 api.BaseRoutes.User.Handle("/mfa/generate", api.ApiSessionRequiredMfa(generateMfaSecret)).Methods("POST") 45 46 api.BaseRoutes.Users.Handle("/login", api.ApiHandler(login)).Methods("POST") 47 api.BaseRoutes.Users.Handle("/login/switch", api.ApiHandler(switchAccountType)).Methods("POST") 48 api.BaseRoutes.Users.Handle("/logout", api.ApiHandler(logout)).Methods("POST") 49 50 api.BaseRoutes.UserByUsername.Handle("", api.ApiSessionRequired(getUserByUsername)).Methods("GET") 51 api.BaseRoutes.UserByEmail.Handle("", api.ApiSessionRequired(getUserByEmail)).Methods("GET") 52 53 api.BaseRoutes.User.Handle("/sessions", api.ApiSessionRequired(getSessions)).Methods("GET") 54 api.BaseRoutes.User.Handle("/sessions/revoke", api.ApiSessionRequired(revokeSession)).Methods("POST") 55 api.BaseRoutes.User.Handle("/sessions/revoke/all", api.ApiSessionRequired(revokeAllSessionsForUser)).Methods("POST") 56 api.BaseRoutes.Users.Handle("/sessions/device", api.ApiSessionRequired(attachDeviceId)).Methods("PUT") 57 api.BaseRoutes.User.Handle("/audits", api.ApiSessionRequired(getUserAudits)).Methods("GET") 58 59 api.BaseRoutes.User.Handle("/tokens", api.ApiSessionRequired(createUserAccessToken)).Methods("POST") 60 api.BaseRoutes.User.Handle("/tokens", api.ApiSessionRequired(getUserAccessTokensForUser)).Methods("GET") 61 api.BaseRoutes.Users.Handle("/tokens", api.ApiSessionRequired(getUserAccessTokens)).Methods("GET") 62 api.BaseRoutes.Users.Handle("/tokens/search", api.ApiSessionRequired(searchUserAccessTokens)).Methods("POST") 63 api.BaseRoutes.Users.Handle("/tokens/{token_id:[A-Za-z0-9]+}", api.ApiSessionRequired(getUserAccessToken)).Methods("GET") 64 api.BaseRoutes.Users.Handle("/tokens/revoke", api.ApiSessionRequired(revokeUserAccessToken)).Methods("POST") 65 api.BaseRoutes.Users.Handle("/tokens/disable", api.ApiSessionRequired(disableUserAccessToken)).Methods("POST") 66 api.BaseRoutes.Users.Handle("/tokens/enable", api.ApiSessionRequired(enableUserAccessToken)).Methods("POST") 67 } 68 69 func createUser(c *Context, w http.ResponseWriter, r *http.Request) { 70 user := model.UserFromJson(r.Body) 71 if user == nil { 72 c.SetInvalidParam("user") 73 return 74 } 75 76 hash := r.URL.Query().Get("h") 77 inviteId := r.URL.Query().Get("iid") 78 79 // No permission check required 80 81 var ruser *model.User 82 var err *model.AppError 83 if len(hash) > 0 { 84 ruser, err = c.App.CreateUserWithHash(user, hash, r.URL.Query().Get("d")) 85 } else if len(inviteId) > 0 { 86 ruser, err = c.App.CreateUserWithInviteId(user, inviteId) 87 } else if c.IsSystemAdmin() { 88 ruser, err = c.App.CreateUserAsAdmin(user) 89 } else { 90 ruser, err = c.App.CreateUserFromSignup(user) 91 } 92 93 if err != nil { 94 c.Err = err 95 return 96 } 97 98 w.WriteHeader(http.StatusCreated) 99 w.Write([]byte(ruser.ToJson())) 100 } 101 102 func getUser(c *Context, w http.ResponseWriter, r *http.Request) { 103 c.RequireUserId() 104 if c.Err != nil { 105 return 106 } 107 108 // No permission check required 109 110 var user *model.User 111 var err *model.AppError 112 113 if user, err = c.App.GetUser(c.Params.UserId); err != nil { 114 c.Err = err 115 return 116 } 117 118 etag := user.Etag(c.App.Config().PrivacySettings.ShowFullName, c.App.Config().PrivacySettings.ShowEmailAddress) 119 120 if c.HandleEtag(etag, "Get User", w, r) { 121 return 122 } else { 123 if c.Session.UserId == user.Id { 124 user.Sanitize(map[string]bool{}) 125 } else { 126 c.App.SanitizeProfile(user, c.IsSystemAdmin()) 127 } 128 c.App.UpdateLastActivityAtIfNeeded(c.Session) 129 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 130 w.Write([]byte(user.ToJson())) 131 return 132 } 133 } 134 135 func getUserByUsername(c *Context, w http.ResponseWriter, r *http.Request) { 136 c.RequireUsername() 137 if c.Err != nil { 138 return 139 } 140 141 // No permission check required 142 143 var user *model.User 144 var err *model.AppError 145 146 if user, err = c.App.GetUserByUsername(c.Params.Username); err != nil { 147 c.Err = err 148 return 149 } 150 151 etag := user.Etag(c.App.Config().PrivacySettings.ShowFullName, c.App.Config().PrivacySettings.ShowEmailAddress) 152 153 if c.HandleEtag(etag, "Get User", w, r) { 154 return 155 } else { 156 c.App.SanitizeProfile(user, c.IsSystemAdmin()) 157 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 158 w.Write([]byte(user.ToJson())) 159 return 160 } 161 } 162 163 func getUserByEmail(c *Context, w http.ResponseWriter, r *http.Request) { 164 c.RequireEmail() 165 if c.Err != nil { 166 return 167 } 168 169 // No permission check required 170 171 var user *model.User 172 var err *model.AppError 173 174 if user, err = c.App.GetUserByEmail(c.Params.Email); err != nil { 175 c.Err = err 176 return 177 } 178 179 etag := user.Etag(c.App.Config().PrivacySettings.ShowFullName, c.App.Config().PrivacySettings.ShowEmailAddress) 180 181 if c.HandleEtag(etag, "Get User", w, r) { 182 return 183 } else { 184 c.App.SanitizeProfile(user, c.IsSystemAdmin()) 185 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 186 w.Write([]byte(user.ToJson())) 187 return 188 } 189 } 190 191 func getProfileImage(c *Context, w http.ResponseWriter, r *http.Request) { 192 c.RequireUserId() 193 if c.Err != nil { 194 return 195 } 196 197 if users, err := c.App.GetUsersByIds([]string{c.Params.UserId}, c.IsSystemAdmin()); err != nil { 198 c.Err = err 199 return 200 } else { 201 if len(users) == 0 { 202 c.Err = err 203 } 204 205 user := users[0] 206 etag := strconv.FormatInt(user.LastPictureUpdate, 10) 207 if c.HandleEtag(etag, "Get Profile Image", w, r) { 208 return 209 } 210 211 var img []byte 212 img, readFailed, err := c.App.GetProfileImage(user) 213 if err != nil { 214 c.Err = err 215 return 216 } 217 218 if readFailed { 219 w.Header().Set("Cache-Control", fmt.Sprintf("max-age=%v, public", 5*60)) // 5 mins 220 } else { 221 w.Header().Set("Cache-Control", fmt.Sprintf("max-age=%v, public", 24*60*60)) // 24 hrs 222 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 223 } 224 225 w.Header().Set("Content-Type", "image/png") 226 w.Write(img) 227 } 228 } 229 230 func setProfileImage(c *Context, w http.ResponseWriter, r *http.Request) { 231 c.RequireUserId() 232 if c.Err != nil { 233 return 234 } 235 236 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 237 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 238 return 239 } 240 241 if len(*c.App.Config().FileSettings.DriverName) == 0 { 242 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.storage.app_error", nil, "", http.StatusNotImplemented) 243 return 244 } 245 246 if r.ContentLength > *c.App.Config().FileSettings.MaxFileSize { 247 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.too_large.app_error", nil, "", http.StatusRequestEntityTooLarge) 248 return 249 } 250 251 if err := r.ParseMultipartForm(*c.App.Config().FileSettings.MaxFileSize); err != nil { 252 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.parse.app_error", nil, err.Error(), http.StatusInternalServerError) 253 return 254 } 255 256 m := r.MultipartForm 257 258 imageArray, ok := m.File["image"] 259 if !ok { 260 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.no_file.app_error", nil, "", http.StatusBadRequest) 261 return 262 } 263 264 if len(imageArray) <= 0 { 265 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.array.app_error", nil, "", http.StatusBadRequest) 266 return 267 } 268 269 imageData := imageArray[0] 270 271 if err := c.App.SetProfileImage(c.Params.UserId, imageData); err != nil { 272 c.Err = err 273 return 274 } 275 276 c.LogAudit("") 277 ReturnStatusOK(w) 278 } 279 280 func getUsers(c *Context, w http.ResponseWriter, r *http.Request) { 281 inTeamId := r.URL.Query().Get("in_team") 282 notInTeamId := r.URL.Query().Get("not_in_team") 283 inChannelId := r.URL.Query().Get("in_channel") 284 notInChannelId := r.URL.Query().Get("not_in_channel") 285 withoutTeam := r.URL.Query().Get("without_team") 286 sort := r.URL.Query().Get("sort") 287 288 if len(notInChannelId) > 0 && len(inTeamId) == 0 { 289 c.SetInvalidUrlParam("team_id") 290 return 291 } 292 293 if sort != "" && sort != "last_activity_at" && sort != "create_at" { 294 c.SetInvalidUrlParam("sort") 295 return 296 } 297 298 // Currently only supports sorting on a team 299 if (sort == "last_activity_at" || sort == "create_at") && (inTeamId == "" || notInTeamId != "" || inChannelId != "" || notInChannelId != "" || withoutTeam != "") { 300 c.SetInvalidUrlParam("sort") 301 return 302 } 303 304 var profiles []*model.User 305 var err *model.AppError 306 etag := "" 307 308 if withoutTeamBool, _ := strconv.ParseBool(withoutTeam); withoutTeamBool { 309 // Use a special permission for now 310 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_LIST_USERS_WITHOUT_TEAM) { 311 c.SetPermissionError(model.PERMISSION_LIST_USERS_WITHOUT_TEAM) 312 return 313 } 314 315 profiles, err = c.App.GetUsersWithoutTeamPage(c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 316 } else if len(notInChannelId) > 0 { 317 if !c.App.SessionHasPermissionToChannel(c.Session, notInChannelId, model.PERMISSION_READ_CHANNEL) { 318 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 319 return 320 } 321 322 profiles, err = c.App.GetUsersNotInChannelPage(inTeamId, notInChannelId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 323 } else if len(notInTeamId) > 0 { 324 if !c.App.SessionHasPermissionToTeam(c.Session, notInTeamId, model.PERMISSION_VIEW_TEAM) { 325 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 326 return 327 } 328 329 etag = c.App.GetUsersNotInTeamEtag(inTeamId) 330 if c.HandleEtag(etag, "Get Users Not in Team", w, r) { 331 return 332 } 333 334 profiles, err = c.App.GetUsersNotInTeamPage(notInTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 335 } else if len(inTeamId) > 0 { 336 if !c.App.SessionHasPermissionToTeam(c.Session, inTeamId, model.PERMISSION_VIEW_TEAM) { 337 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 338 return 339 } 340 341 if sort == "last_activity_at" { 342 profiles, err = c.App.GetRecentlyActiveUsersForTeamPage(inTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 343 } else if sort == "create_at" { 344 profiles, err = c.App.GetNewUsersForTeamPage(inTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 345 } else { 346 etag = c.App.GetUsersInTeamEtag(inTeamId) 347 if c.HandleEtag(etag, "Get Users in Team", w, r) { 348 return 349 } 350 351 profiles, err = c.App.GetUsersInTeamPage(inTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 352 } 353 } else if len(inChannelId) > 0 { 354 if !c.App.SessionHasPermissionToChannel(c.Session, inChannelId, model.PERMISSION_READ_CHANNEL) { 355 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 356 return 357 } 358 359 profiles, err = c.App.GetUsersInChannelPage(inChannelId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 360 } else { 361 // No permission check required 362 363 etag = c.App.GetUsersEtag() 364 if c.HandleEtag(etag, "Get Users", w, r) { 365 return 366 } 367 profiles, err = c.App.GetUsersPage(c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 368 } 369 370 if err != nil { 371 c.Err = err 372 return 373 } else { 374 if len(etag) > 0 { 375 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 376 } 377 c.App.UpdateLastActivityAtIfNeeded(c.Session) 378 w.Write([]byte(model.UserListToJson(profiles))) 379 } 380 } 381 382 func getUsersByIds(c *Context, w http.ResponseWriter, r *http.Request) { 383 userIds := model.ArrayFromJson(r.Body) 384 385 if len(userIds) == 0 { 386 c.SetInvalidParam("user_ids") 387 return 388 } 389 390 // No permission check required 391 392 if users, err := c.App.GetUsersByIds(userIds, c.IsSystemAdmin()); err != nil { 393 c.Err = err 394 return 395 } else { 396 w.Write([]byte(model.UserListToJson(users))) 397 } 398 } 399 400 func getUsersByNames(c *Context, w http.ResponseWriter, r *http.Request) { 401 usernames := model.ArrayFromJson(r.Body) 402 403 if len(usernames) == 0 { 404 c.SetInvalidParam("usernames") 405 return 406 } 407 408 // No permission check required 409 410 if users, err := c.App.GetUsersByUsernames(usernames, c.IsSystemAdmin()); err != nil { 411 c.Err = err 412 return 413 } else { 414 w.Write([]byte(model.UserListToJson(users))) 415 } 416 } 417 418 func searchUsers(c *Context, w http.ResponseWriter, r *http.Request) { 419 props := model.UserSearchFromJson(r.Body) 420 if props == nil { 421 c.SetInvalidParam("") 422 return 423 } 424 425 if len(props.Term) == 0 { 426 c.SetInvalidParam("term") 427 return 428 } 429 430 if props.TeamId == "" && props.NotInChannelId != "" { 431 c.SetInvalidParam("team_id") 432 return 433 } 434 435 if props.InChannelId != "" && !c.App.SessionHasPermissionToChannel(c.Session, props.InChannelId, model.PERMISSION_READ_CHANNEL) { 436 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 437 return 438 } 439 440 if props.NotInChannelId != "" && !c.App.SessionHasPermissionToChannel(c.Session, props.NotInChannelId, model.PERMISSION_READ_CHANNEL) { 441 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 442 return 443 } 444 445 if props.TeamId != "" && !c.App.SessionHasPermissionToTeam(c.Session, props.TeamId, model.PERMISSION_VIEW_TEAM) { 446 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 447 return 448 } 449 450 if props.NotInTeamId != "" && !c.App.SessionHasPermissionToTeam(c.Session, props.NotInTeamId, model.PERMISSION_VIEW_TEAM) { 451 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 452 return 453 } 454 455 searchOptions := map[string]bool{} 456 searchOptions[store.USER_SEARCH_OPTION_ALLOW_INACTIVE] = props.AllowInactive 457 458 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 459 hideFullName := !c.App.Config().PrivacySettings.ShowFullName 460 hideEmail := !c.App.Config().PrivacySettings.ShowEmailAddress 461 462 if hideFullName && hideEmail { 463 searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY_NO_FULL_NAME] = true 464 } else if hideFullName { 465 searchOptions[store.USER_SEARCH_OPTION_ALL_NO_FULL_NAME] = true 466 } else if hideEmail { 467 searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true 468 } 469 } 470 471 if profiles, err := c.App.SearchUsers(props, searchOptions, c.IsSystemAdmin()); err != nil { 472 c.Err = err 473 return 474 } else { 475 w.Write([]byte(model.UserListToJson(profiles))) 476 } 477 } 478 479 func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) { 480 channelId := r.URL.Query().Get("in_channel") 481 teamId := r.URL.Query().Get("in_team") 482 name := r.URL.Query().Get("name") 483 484 autocomplete := new(model.UserAutocomplete) 485 var err *model.AppError 486 487 searchOptions := map[string]bool{} 488 489 hideFullName := !c.App.Config().PrivacySettings.ShowFullName 490 if hideFullName && !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 491 searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY_NO_FULL_NAME] = true 492 } else { 493 searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true 494 } 495 496 if len(channelId) > 0 { 497 if !c.App.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) { 498 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 499 return 500 } 501 502 result, _ := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin()) 503 autocomplete.Users = result.InChannel 504 autocomplete.OutOfChannel = result.OutOfChannel 505 } else if len(teamId) > 0 { 506 if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) { 507 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 508 return 509 } 510 511 result, _ := c.App.AutocompleteUsersInTeam(teamId, name, searchOptions, c.IsSystemAdmin()) 512 autocomplete.Users = result.InTeam 513 } else { 514 // No permission check required 515 result, _ := c.App.SearchUsersInTeam("", name, searchOptions, c.IsSystemAdmin()) 516 autocomplete.Users = result 517 } 518 519 if err != nil { 520 c.Err = err 521 return 522 } else { 523 w.Write([]byte((autocomplete.ToJson()))) 524 } 525 } 526 527 func updateUser(c *Context, w http.ResponseWriter, r *http.Request) { 528 c.RequireUserId() 529 if c.Err != nil { 530 return 531 } 532 533 user := model.UserFromJson(r.Body) 534 if user == nil { 535 c.SetInvalidParam("user") 536 return 537 } 538 539 if !c.App.SessionHasPermissionToUser(c.Session, user.Id) { 540 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 541 return 542 } 543 544 if c.Session.IsOAuth { 545 ouser, err := c.App.GetUser(user.Id) 546 if err != nil { 547 c.Err = err 548 return 549 } 550 551 if ouser.Email != user.Email { 552 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 553 c.Err.DetailedError += ", attempted email update by oauth app" 554 return 555 } 556 } 557 558 if ruser, err := c.App.UpdateUserAsUser(user, c.IsSystemAdmin()); err != nil { 559 c.Err = err 560 return 561 } else { 562 c.LogAudit("") 563 w.Write([]byte(ruser.ToJson())) 564 } 565 } 566 567 func patchUser(c *Context, w http.ResponseWriter, r *http.Request) { 568 c.RequireUserId() 569 if c.Err != nil { 570 return 571 } 572 573 patch := model.UserPatchFromJson(r.Body) 574 if patch == nil { 575 c.SetInvalidParam("user") 576 return 577 } 578 579 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 580 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 581 return 582 } 583 584 if c.Session.IsOAuth && patch.Email != nil { 585 ouser, err := c.App.GetUser(c.Params.UserId) 586 if err != nil { 587 c.Err = err 588 return 589 } 590 591 if ouser.Email != *patch.Email { 592 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 593 c.Err.DetailedError += ", attempted email update by oauth app" 594 return 595 } 596 } 597 598 if ruser, err := c.App.PatchUser(c.Params.UserId, patch, c.IsSystemAdmin()); err != nil { 599 c.Err = err 600 return 601 } else { 602 c.LogAudit("") 603 w.Write([]byte(ruser.ToJson())) 604 } 605 } 606 607 func deleteUser(c *Context, w http.ResponseWriter, r *http.Request) { 608 c.RequireUserId() 609 if c.Err != nil { 610 return 611 } 612 613 userId := c.Params.UserId 614 615 if !c.App.SessionHasPermissionToUser(c.Session, userId) { 616 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 617 return 618 } 619 620 var user *model.User 621 var err *model.AppError 622 623 if user, err = c.App.GetUser(userId); err != nil { 624 c.Err = err 625 return 626 } 627 628 if _, err := c.App.UpdateActive(user, false); err != nil { 629 c.Err = err 630 return 631 } 632 633 ReturnStatusOK(w) 634 } 635 636 func updateUserRoles(c *Context, w http.ResponseWriter, r *http.Request) { 637 c.RequireUserId() 638 if c.Err != nil { 639 return 640 } 641 642 props := model.MapFromJson(r.Body) 643 644 newRoles := props["roles"] 645 if !model.IsValidUserRoles(newRoles) { 646 c.SetInvalidParam("roles") 647 return 648 } 649 650 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_ROLES) { 651 c.SetPermissionError(model.PERMISSION_MANAGE_ROLES) 652 return 653 } 654 655 if _, err := c.App.UpdateUserRoles(c.Params.UserId, newRoles, true); err != nil { 656 c.Err = err 657 return 658 } else { 659 c.LogAuditWithUserId(c.Params.UserId, "roles="+newRoles) 660 } 661 662 ReturnStatusOK(w) 663 } 664 665 func updateUserActive(c *Context, w http.ResponseWriter, r *http.Request) { 666 c.RequireUserId() 667 if c.Err != nil { 668 return 669 } 670 671 props := model.StringInterfaceFromJson(r.Body) 672 673 active, ok := props["active"].(bool) 674 if !ok { 675 c.SetInvalidParam("active") 676 return 677 } 678 679 // true when you're trying to de-activate yourself 680 isSelfDeactive := !active && c.Params.UserId == c.Session.UserId 681 682 if !isSelfDeactive && !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 683 c.Err = model.NewAppError("updateUserActive", "api.user.update_active.permissions.app_error", nil, "userId="+c.Params.UserId, http.StatusForbidden) 684 return 685 } 686 687 var user *model.User 688 var err *model.AppError 689 690 if user, err = c.App.GetUser(c.Params.UserId); err != nil { 691 c.Err = err 692 return 693 } 694 695 if _, err := c.App.UpdateActive(user, active); err != nil { 696 c.Err = err 697 } else { 698 c.LogAuditWithUserId(user.Id, fmt.Sprintf("active=%v", active)) 699 ReturnStatusOK(w) 700 } 701 } 702 703 func updateUserAuth(c *Context, w http.ResponseWriter, r *http.Request) { 704 if !c.IsSystemAdmin() { 705 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 706 return 707 } 708 709 c.RequireUserId() 710 if c.Err != nil { 711 return 712 } 713 714 userAuth := model.UserAuthFromJson(r.Body) 715 if userAuth == nil { 716 c.SetInvalidParam("user") 717 return 718 } 719 720 if user, err := c.App.UpdateUserAuth(c.Params.UserId, userAuth); err != nil { 721 c.Err = err 722 } else { 723 c.LogAuditWithUserId(c.Params.UserId, fmt.Sprintf("updated user auth to service=%v", user.AuthService)) 724 w.Write([]byte(user.ToJson())) 725 } 726 } 727 728 func checkUserMfa(c *Context, w http.ResponseWriter, r *http.Request) { 729 props := model.MapFromJson(r.Body) 730 731 loginId := props["login_id"] 732 if len(loginId) == 0 { 733 c.SetInvalidParam("login_id") 734 return 735 } 736 737 resp := map[string]interface{}{} 738 resp["mfa_required"] = false 739 740 if license := c.App.License(); license == nil || !*license.Features.MFA || !*c.App.Config().ServiceSettings.EnableMultifactorAuthentication { 741 w.Write([]byte(model.StringInterfaceToJson(resp))) 742 return 743 } 744 745 if user, err := c.App.GetUserForLogin(loginId, false); err == nil { 746 resp["mfa_required"] = user.MfaActive 747 } 748 749 w.Write([]byte(model.StringInterfaceToJson(resp))) 750 } 751 752 func updateUserMfa(c *Context, w http.ResponseWriter, r *http.Request) { 753 c.RequireUserId() 754 if c.Err != nil { 755 return 756 } 757 758 if c.Session.IsOAuth { 759 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 760 c.Err.DetailedError += ", attempted access by oauth app" 761 return 762 } 763 764 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 765 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 766 return 767 } 768 769 props := model.StringInterfaceFromJson(r.Body) 770 771 activate, ok := props["activate"].(bool) 772 if !ok { 773 c.SetInvalidParam("activate") 774 return 775 } 776 777 code := "" 778 if activate { 779 code, ok = props["code"].(string) 780 if !ok || len(code) == 0 { 781 c.SetInvalidParam("code") 782 return 783 } 784 } 785 786 c.LogAudit("attempt") 787 788 if err := c.App.UpdateMfa(activate, c.Params.UserId, code); err != nil { 789 c.Err = err 790 return 791 } 792 793 c.LogAudit("success - mfa updated") 794 ReturnStatusOK(w) 795 } 796 797 func generateMfaSecret(c *Context, w http.ResponseWriter, r *http.Request) { 798 c.RequireUserId() 799 if c.Err != nil { 800 return 801 } 802 803 if c.Session.IsOAuth { 804 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 805 c.Err.DetailedError += ", attempted access by oauth app" 806 return 807 } 808 809 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 810 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 811 return 812 } 813 814 secret, err := c.App.GenerateMfaSecret(c.Params.UserId) 815 if err != nil { 816 c.Err = err 817 return 818 } 819 820 w.Header().Set("Cache-Control", "no-cache") 821 w.Header().Set("Pragma", "no-cache") 822 w.Header().Set("Expires", "0") 823 w.Write([]byte(secret.ToJson())) 824 } 825 826 func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) { 827 c.RequireUserId() 828 if c.Err != nil { 829 return 830 } 831 832 props := model.MapFromJson(r.Body) 833 834 newPassword := props["new_password"] 835 836 c.LogAudit("attempted") 837 838 var err *model.AppError 839 if c.Params.UserId == c.Session.UserId { 840 currentPassword := props["current_password"] 841 if len(currentPassword) <= 0 { 842 c.SetInvalidParam("current_password") 843 return 844 } 845 846 err = c.App.UpdatePasswordAsUser(c.Params.UserId, currentPassword, newPassword) 847 } else if c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 848 err = c.App.UpdatePasswordByUserIdSendEmail(c.Params.UserId, newPassword, c.T("api.user.reset_password.method")) 849 } else { 850 err = model.NewAppError("updatePassword", "api.user.update_password.context.app_error", nil, "", http.StatusForbidden) 851 } 852 853 if err != nil { 854 c.LogAudit("failed") 855 c.Err = err 856 return 857 } else { 858 c.LogAudit("completed") 859 ReturnStatusOK(w) 860 } 861 } 862 863 func resetPassword(c *Context, w http.ResponseWriter, r *http.Request) { 864 props := model.MapFromJson(r.Body) 865 866 token := props["token"] 867 if len(token) != model.TOKEN_SIZE { 868 c.SetInvalidParam("token") 869 return 870 } 871 872 newPassword := props["new_password"] 873 874 c.LogAudit("attempt - token=" + token) 875 876 if err := c.App.ResetPasswordFromToken(token, newPassword); err != nil { 877 c.LogAudit("fail - token=" + token) 878 c.Err = err 879 return 880 } 881 882 c.LogAudit("success - token=" + token) 883 884 ReturnStatusOK(w) 885 } 886 887 func sendPasswordReset(c *Context, w http.ResponseWriter, r *http.Request) { 888 props := model.MapFromJson(r.Body) 889 890 email := props["email"] 891 if len(email) == 0 { 892 c.SetInvalidParam("email") 893 return 894 } 895 896 if sent, err := c.App.SendPasswordReset(email, c.App.GetSiteURL()); err != nil { 897 c.Err = err 898 return 899 } else if sent { 900 c.LogAudit("sent=" + email) 901 } 902 903 ReturnStatusOK(w) 904 } 905 906 func login(c *Context, w http.ResponseWriter, r *http.Request) { 907 props := model.MapFromJson(r.Body) 908 909 id := props["id"] 910 loginId := props["login_id"] 911 password := props["password"] 912 mfaToken := props["token"] 913 deviceId := props["device_id"] 914 ldapOnly := props["ldap_only"] == "true" 915 916 c.LogAuditWithUserId(id, "attempt - login_id="+loginId) 917 user, err := c.App.AuthenticateUserForLogin(id, loginId, password, mfaToken, deviceId, ldapOnly) 918 if err != nil { 919 c.LogAuditWithUserId(id, "failure - login_id="+loginId) 920 c.Err = err 921 return 922 } 923 924 c.LogAuditWithUserId(user.Id, "authenticated") 925 926 var session *model.Session 927 session, err = c.App.DoLogin(w, r, user, deviceId) 928 if err != nil { 929 c.Err = err 930 return 931 } 932 933 c.LogAuditWithUserId(user.Id, "success") 934 935 c.Session = *session 936 937 user.Sanitize(map[string]bool{}) 938 939 w.Write([]byte(user.ToJson())) 940 } 941 942 func logout(c *Context, w http.ResponseWriter, r *http.Request) { 943 data := make(map[string]string) 944 data["user_id"] = c.Session.UserId 945 946 Logout(c, w, r) 947 948 } 949 950 func Logout(c *Context, w http.ResponseWriter, r *http.Request) { 951 c.LogAudit("") 952 c.RemoveSessionCookie(w, r) 953 if c.Session.Id != "" { 954 if err := c.App.RevokeSessionById(c.Session.Id); err != nil { 955 c.Err = err 956 return 957 } 958 } 959 960 ReturnStatusOK(w) 961 } 962 963 func getSessions(c *Context, w http.ResponseWriter, r *http.Request) { 964 c.RequireUserId() 965 if c.Err != nil { 966 return 967 } 968 969 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 970 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 971 return 972 } 973 974 if sessions, err := c.App.GetSessions(c.Params.UserId); err != nil { 975 c.Err = err 976 return 977 } else { 978 for _, session := range sessions { 979 session.Sanitize() 980 } 981 982 w.Write([]byte(model.SessionsToJson(sessions))) 983 return 984 } 985 } 986 987 func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) { 988 c.RequireUserId() 989 if c.Err != nil { 990 return 991 } 992 993 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 994 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 995 return 996 } 997 998 props := model.MapFromJson(r.Body) 999 sessionId := props["session_id"] 1000 1001 if sessionId == "" { 1002 c.SetInvalidParam("session_id") 1003 return 1004 } 1005 1006 var session *model.Session 1007 var err *model.AppError 1008 if session, err = c.App.GetSessionById(sessionId); err != nil { 1009 c.Err = err 1010 return 1011 } 1012 1013 if session.UserId != c.Params.UserId { 1014 c.SetInvalidUrlParam("user_id") 1015 return 1016 } 1017 1018 if err := c.App.RevokeSession(session); err != nil { 1019 c.Err = err 1020 return 1021 } 1022 1023 ReturnStatusOK(w) 1024 } 1025 1026 func revokeAllSessionsForUser(c *Context, w http.ResponseWriter, r *http.Request) { 1027 c.RequireUserId() 1028 if c.Err != nil { 1029 return 1030 } 1031 1032 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 1033 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1034 return 1035 } 1036 1037 if err := c.App.RevokeAllSessions(c.Params.UserId); err != nil { 1038 c.Err = err 1039 return 1040 } 1041 1042 ReturnStatusOK(w) 1043 } 1044 1045 func attachDeviceId(c *Context, w http.ResponseWriter, r *http.Request) { 1046 props := model.MapFromJson(r.Body) 1047 1048 deviceId := props["device_id"] 1049 if len(deviceId) == 0 { 1050 c.SetInvalidParam("device_id") 1051 return 1052 } 1053 1054 // A special case where we logout of all other sessions with the same device id 1055 if err := c.App.RevokeSessionsForDeviceId(c.Session.UserId, deviceId, c.Session.Id); err != nil { 1056 c.Err = err 1057 return 1058 } 1059 1060 c.App.ClearSessionCacheForUser(c.Session.UserId) 1061 c.Session.SetExpireInDays(*c.App.Config().ServiceSettings.SessionLengthMobileInDays) 1062 1063 maxAge := *c.App.Config().ServiceSettings.SessionLengthMobileInDays * 60 * 60 * 24 1064 1065 secure := false 1066 if app.GetProtocol(r) == "https" { 1067 secure = true 1068 } 1069 1070 expiresAt := time.Unix(model.GetMillis()/1000+int64(maxAge), 0) 1071 sessionCookie := &http.Cookie{ 1072 Name: model.SESSION_COOKIE_TOKEN, 1073 Value: c.Session.Token, 1074 Path: "/", 1075 MaxAge: maxAge, 1076 Expires: expiresAt, 1077 HttpOnly: true, 1078 Domain: c.App.GetCookieDomain(), 1079 Secure: secure, 1080 } 1081 1082 http.SetCookie(w, sessionCookie) 1083 1084 if err := c.App.AttachDeviceId(c.Session.Id, deviceId, c.Session.ExpiresAt); err != nil { 1085 c.Err = err 1086 return 1087 } 1088 1089 c.LogAudit("") 1090 ReturnStatusOK(w) 1091 } 1092 1093 func getUserAudits(c *Context, w http.ResponseWriter, r *http.Request) { 1094 c.RequireUserId() 1095 if c.Err != nil { 1096 return 1097 } 1098 1099 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 1100 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1101 return 1102 } 1103 1104 if audits, err := c.App.GetAuditsPage(c.Params.UserId, c.Params.Page, c.Params.PerPage); err != nil { 1105 c.Err = err 1106 return 1107 } else { 1108 w.Write([]byte(audits.ToJson())) 1109 return 1110 } 1111 } 1112 1113 func verifyUserEmail(c *Context, w http.ResponseWriter, r *http.Request) { 1114 props := model.MapFromJson(r.Body) 1115 1116 token := props["token"] 1117 if len(token) != model.TOKEN_SIZE { 1118 c.SetInvalidParam("token") 1119 return 1120 } 1121 1122 if err := c.App.VerifyEmailFromToken(token); err != nil { 1123 c.Err = model.NewAppError("verifyUserEmail", "api.user.verify_email.bad_link.app_error", nil, err.Error(), http.StatusBadRequest) 1124 return 1125 } else { 1126 c.LogAudit("Email Verified") 1127 ReturnStatusOK(w) 1128 return 1129 } 1130 } 1131 1132 func sendVerificationEmail(c *Context, w http.ResponseWriter, r *http.Request) { 1133 props := model.MapFromJson(r.Body) 1134 1135 email := props["email"] 1136 if len(email) == 0 { 1137 c.SetInvalidParam("email") 1138 return 1139 } 1140 1141 user, err := c.App.GetUserForLogin(email, false) 1142 if err != nil { 1143 // Don't want to leak whether the email is valid or not 1144 ReturnStatusOK(w) 1145 return 1146 } 1147 1148 err = c.App.SendEmailVerification(user) 1149 if err != nil { 1150 // Don't want to leak whether the email is valid or not 1151 l4g.Error(err.Error()) 1152 ReturnStatusOK(w) 1153 return 1154 } 1155 1156 ReturnStatusOK(w) 1157 } 1158 1159 func switchAccountType(c *Context, w http.ResponseWriter, r *http.Request) { 1160 switchRequest := model.SwitchRequestFromJson(r.Body) 1161 if switchRequest == nil { 1162 c.SetInvalidParam("switch_request") 1163 return 1164 } 1165 1166 link := "" 1167 var err *model.AppError 1168 1169 if switchRequest.EmailToOAuth() { 1170 link, err = c.App.SwitchEmailToOAuth(w, r, switchRequest.Email, switchRequest.Password, switchRequest.MfaCode, switchRequest.NewService) 1171 } else if switchRequest.OAuthToEmail() { 1172 c.SessionRequired() 1173 if c.Err != nil { 1174 return 1175 } 1176 1177 link, err = c.App.SwitchOAuthToEmail(switchRequest.Email, switchRequest.NewPassword, c.Session.UserId) 1178 } else if switchRequest.EmailToLdap() { 1179 link, err = c.App.SwitchEmailToLdap(switchRequest.Email, switchRequest.Password, switchRequest.MfaCode, switchRequest.LdapId, switchRequest.NewPassword) 1180 } else if switchRequest.LdapToEmail() { 1181 link, err = c.App.SwitchLdapToEmail(switchRequest.Password, switchRequest.MfaCode, switchRequest.Email, switchRequest.NewPassword) 1182 } else { 1183 c.SetInvalidParam("switch_request") 1184 return 1185 } 1186 1187 if err != nil { 1188 c.Err = err 1189 return 1190 } 1191 1192 c.LogAudit("success") 1193 w.Write([]byte(model.MapToJson(map[string]string{"follow_link": link}))) 1194 } 1195 1196 func createUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1197 c.RequireUserId() 1198 if c.Err != nil { 1199 return 1200 } 1201 1202 if c.Session.IsOAuth { 1203 c.SetPermissionError(model.PERMISSION_CREATE_USER_ACCESS_TOKEN) 1204 c.Err.DetailedError += ", attempted access by oauth app" 1205 return 1206 } 1207 1208 accessToken := model.UserAccessTokenFromJson(r.Body) 1209 if accessToken == nil { 1210 c.SetInvalidParam("user_access_token") 1211 return 1212 } 1213 1214 if accessToken.Description == "" { 1215 c.SetInvalidParam("description") 1216 return 1217 } 1218 1219 c.LogAudit("") 1220 1221 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_CREATE_USER_ACCESS_TOKEN) { 1222 c.SetPermissionError(model.PERMISSION_CREATE_USER_ACCESS_TOKEN) 1223 return 1224 } 1225 1226 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 1227 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1228 return 1229 } 1230 1231 accessToken.UserId = c.Params.UserId 1232 accessToken.Token = "" 1233 1234 var err *model.AppError 1235 accessToken, err = c.App.CreateUserAccessToken(accessToken) 1236 if err != nil { 1237 c.Err = err 1238 return 1239 } 1240 1241 c.LogAudit("success - token_id=" + accessToken.Id) 1242 w.Write([]byte(accessToken.ToJson())) 1243 } 1244 1245 func searchUserAccessTokens(c *Context, w http.ResponseWriter, r *http.Request) { 1246 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 1247 c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) 1248 return 1249 } 1250 props := model.UserAccessTokenSearchFromJson(r.Body) 1251 if props == nil { 1252 c.SetInvalidParam("user_access_token_search") 1253 return 1254 } 1255 1256 if len(props.Term) == 0 { 1257 c.SetInvalidParam("term") 1258 return 1259 } 1260 accessTokens, err := c.App.SearchUserAccessTokens(props.Term) 1261 if err != nil { 1262 c.Err = err 1263 return 1264 } 1265 1266 w.Write([]byte(model.UserAccessTokenListToJson(accessTokens))) 1267 } 1268 1269 func getUserAccessTokens(c *Context, w http.ResponseWriter, r *http.Request) { 1270 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 1271 c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) 1272 return 1273 } 1274 1275 accessTokens, err := c.App.GetUserAccessTokens(c.Params.Page, c.Params.PerPage) 1276 if err != nil { 1277 c.Err = err 1278 return 1279 } 1280 1281 w.Write([]byte(model.UserAccessTokenListToJson(accessTokens))) 1282 } 1283 1284 func getUserAccessTokensForUser(c *Context, w http.ResponseWriter, r *http.Request) { 1285 c.RequireUserId() 1286 if c.Err != nil { 1287 return 1288 } 1289 1290 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_READ_USER_ACCESS_TOKEN) { 1291 c.SetPermissionError(model.PERMISSION_READ_USER_ACCESS_TOKEN) 1292 return 1293 } 1294 1295 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 1296 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1297 return 1298 } 1299 1300 accessTokens, err := c.App.GetUserAccessTokensForUser(c.Params.UserId, c.Params.Page, c.Params.PerPage) 1301 if err != nil { 1302 c.Err = err 1303 return 1304 } 1305 1306 w.Write([]byte(model.UserAccessTokenListToJson(accessTokens))) 1307 } 1308 1309 func getUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1310 c.RequireTokenId() 1311 if c.Err != nil { 1312 return 1313 } 1314 1315 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_READ_USER_ACCESS_TOKEN) { 1316 c.SetPermissionError(model.PERMISSION_READ_USER_ACCESS_TOKEN) 1317 return 1318 } 1319 1320 accessToken, err := c.App.GetUserAccessToken(c.Params.TokenId, true) 1321 if err != nil { 1322 c.Err = err 1323 return 1324 } 1325 1326 if !c.App.SessionHasPermissionToUser(c.Session, accessToken.UserId) { 1327 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1328 return 1329 } 1330 1331 w.Write([]byte(accessToken.ToJson())) 1332 } 1333 1334 func revokeUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1335 props := model.MapFromJson(r.Body) 1336 tokenId := props["token_id"] 1337 1338 if tokenId == "" { 1339 c.SetInvalidParam("token_id") 1340 } 1341 1342 c.LogAudit("") 1343 1344 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) { 1345 c.SetPermissionError(model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) 1346 return 1347 } 1348 1349 accessToken, err := c.App.GetUserAccessToken(tokenId, false) 1350 if err != nil { 1351 c.Err = err 1352 return 1353 } 1354 1355 if !c.App.SessionHasPermissionToUser(c.Session, accessToken.UserId) { 1356 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1357 return 1358 } 1359 1360 err = c.App.RevokeUserAccessToken(accessToken) 1361 if err != nil { 1362 c.Err = err 1363 return 1364 } 1365 1366 c.LogAudit("success - token_id=" + accessToken.Id) 1367 ReturnStatusOK(w) 1368 } 1369 1370 func disableUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1371 props := model.MapFromJson(r.Body) 1372 tokenId := props["token_id"] 1373 1374 if tokenId == "" { 1375 c.SetInvalidParam("token_id") 1376 } 1377 1378 c.LogAudit("") 1379 1380 // No separate permission for this action for now 1381 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) { 1382 c.SetPermissionError(model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) 1383 return 1384 } 1385 1386 accessToken, err := c.App.GetUserAccessToken(tokenId, false) 1387 if err != nil { 1388 c.Err = err 1389 return 1390 } 1391 1392 if !c.App.SessionHasPermissionToUser(c.Session, accessToken.UserId) { 1393 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1394 return 1395 } 1396 1397 err = c.App.DisableUserAccessToken(accessToken) 1398 if err != nil { 1399 c.Err = err 1400 return 1401 } 1402 1403 c.LogAudit("success - token_id=" + accessToken.Id) 1404 ReturnStatusOK(w) 1405 } 1406 1407 func enableUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1408 props := model.MapFromJson(r.Body) 1409 tokenId := props["token_id"] 1410 1411 if tokenId == "" { 1412 c.SetInvalidParam("token_id") 1413 } 1414 1415 c.LogAudit("") 1416 1417 // No separate permission for this action for now 1418 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_CREATE_USER_ACCESS_TOKEN) { 1419 c.SetPermissionError(model.PERMISSION_CREATE_USER_ACCESS_TOKEN) 1420 return 1421 } 1422 1423 accessToken, err := c.App.GetUserAccessToken(tokenId, false) 1424 if err != nil { 1425 c.Err = err 1426 return 1427 } 1428 1429 if !c.App.SessionHasPermissionToUser(c.Session, accessToken.UserId) { 1430 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1431 return 1432 } 1433 1434 err = c.App.EnableUserAccessToken(accessToken) 1435 if err != nil { 1436 c.Err = err 1437 return 1438 } 1439 1440 c.LogAudit("success - token_id=" + accessToken.Id) 1441 ReturnStatusOK(w) 1442 }