github.com/gigforks/mattermost-server@v4.9.1-0.20180619094218-800d97fa55d0+incompatible/api4/user.go (about) 1 // Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved. 2 // See License.txt for license information. 3 4 package api4 5 6 import ( 7 "fmt" 8 "net/http" 9 "strconv" 10 "time" 11 12 "github.com/mattermost/mattermost-server/app" 13 "github.com/mattermost/mattermost-server/mlog" 14 "github.com/mattermost/mattermost-server/model" 15 "github.com/mattermost/mattermost-server/store" 16 ) 17 18 func (api *API) InitUser() { 19 api.BaseRoutes.Users.Handle("", api.ApiHandler(createUser)).Methods("POST") 20 api.BaseRoutes.Users.Handle("", api.ApiSessionRequired(getUsers)).Methods("GET") 21 api.BaseRoutes.Users.Handle("/ids", api.ApiSessionRequired(getUsersByIds)).Methods("POST") 22 api.BaseRoutes.Users.Handle("/usernames", api.ApiSessionRequired(getUsersByNames)).Methods("POST") 23 api.BaseRoutes.Users.Handle("/search", api.ApiSessionRequired(searchUsers)).Methods("POST") 24 api.BaseRoutes.Users.Handle("/autocomplete", api.ApiSessionRequired(autocompleteUsers)).Methods("GET") 25 26 api.BaseRoutes.User.Handle("", api.ApiSessionRequired(getUser)).Methods("GET") 27 api.BaseRoutes.User.Handle("/image", api.ApiSessionRequiredTrustRequester(getProfileImage)).Methods("GET") 28 api.BaseRoutes.User.Handle("/image", api.ApiSessionRequired(setProfileImage)).Methods("POST") 29 api.BaseRoutes.User.Handle("", api.ApiSessionRequired(updateUser)).Methods("PUT") 30 api.BaseRoutes.User.Handle("/patch", api.ApiSessionRequired(patchUser)).Methods("PUT") 31 api.BaseRoutes.User.Handle("", api.ApiSessionRequired(deleteUser)).Methods("DELETE") 32 api.BaseRoutes.User.Handle("/roles", api.ApiSessionRequired(updateUserRoles)).Methods("PUT") 33 api.BaseRoutes.User.Handle("/active", api.ApiSessionRequired(updateUserActive)).Methods("PUT") 34 api.BaseRoutes.User.Handle("/password", api.ApiSessionRequired(updatePassword)).Methods("PUT") 35 api.BaseRoutes.Users.Handle("/password/reset", api.ApiHandler(resetPassword)).Methods("POST") 36 api.BaseRoutes.Users.Handle("/password/reset/send", api.ApiHandler(sendPasswordReset)).Methods("POST") 37 api.BaseRoutes.Users.Handle("/email/verify", api.ApiHandler(verifyUserEmail)).Methods("POST") 38 api.BaseRoutes.Users.Handle("/email/verify/send", api.ApiHandler(sendVerificationEmail)).Methods("POST") 39 40 api.BaseRoutes.User.Handle("/auth", api.ApiSessionRequiredTrustRequester(updateUserAuth)).Methods("PUT") 41 42 api.BaseRoutes.Users.Handle("/mfa", api.ApiHandler(checkUserMfa)).Methods("POST") 43 api.BaseRoutes.User.Handle("/mfa", api.ApiSessionRequiredMfa(updateUserMfa)).Methods("PUT") 44 api.BaseRoutes.User.Handle("/mfa/generate", api.ApiSessionRequiredMfa(generateMfaSecret)).Methods("POST") 45 46 api.BaseRoutes.Users.Handle("/login", api.ApiHandler(login)).Methods("POST") 47 api.BaseRoutes.Users.Handle("/login/switch", api.ApiHandler(switchAccountType)).Methods("POST") 48 api.BaseRoutes.Users.Handle("/logout", api.ApiHandler(logout)).Methods("POST") 49 50 api.BaseRoutes.UserByUsername.Handle("", api.ApiSessionRequired(getUserByUsername)).Methods("GET") 51 api.BaseRoutes.UserByEmail.Handle("", api.ApiSessionRequired(getUserByEmail)).Methods("GET") 52 53 api.BaseRoutes.User.Handle("/sessions", api.ApiSessionRequired(getSessions)).Methods("GET") 54 api.BaseRoutes.User.Handle("/sessions/revoke", api.ApiSessionRequired(revokeSession)).Methods("POST") 55 api.BaseRoutes.User.Handle("/sessions/revoke/all", api.ApiSessionRequired(revokeAllSessionsForUser)).Methods("POST") 56 api.BaseRoutes.Users.Handle("/sessions/device", api.ApiSessionRequired(attachDeviceId)).Methods("PUT") 57 api.BaseRoutes.User.Handle("/audits", api.ApiSessionRequired(getUserAudits)).Methods("GET") 58 59 api.BaseRoutes.User.Handle("/tokens", api.ApiSessionRequired(createUserAccessToken)).Methods("POST") 60 api.BaseRoutes.User.Handle("/tokens", api.ApiSessionRequired(getUserAccessTokensForUser)).Methods("GET") 61 api.BaseRoutes.Users.Handle("/tokens", api.ApiSessionRequired(getUserAccessTokens)).Methods("GET") 62 api.BaseRoutes.Users.Handle("/tokens/search", api.ApiSessionRequired(searchUserAccessTokens)).Methods("POST") 63 api.BaseRoutes.Users.Handle("/tokens/{token_id:[A-Za-z0-9]+}", api.ApiSessionRequired(getUserAccessToken)).Methods("GET") 64 api.BaseRoutes.Users.Handle("/tokens/revoke", api.ApiSessionRequired(revokeUserAccessToken)).Methods("POST") 65 api.BaseRoutes.Users.Handle("/tokens/disable", api.ApiSessionRequired(disableUserAccessToken)).Methods("POST") 66 api.BaseRoutes.Users.Handle("/tokens/enable", api.ApiSessionRequired(enableUserAccessToken)).Methods("POST") 67 } 68 69 func createUser(c *Context, w http.ResponseWriter, r *http.Request) { 70 user := model.UserFromJson(r.Body) 71 if user == nil { 72 c.SetInvalidParam("user") 73 return 74 } 75 76 tokenId := r.URL.Query().Get("t") 77 inviteId := r.URL.Query().Get("iid") 78 79 // No permission check required 80 81 var ruser *model.User 82 var err *model.AppError 83 if len(tokenId) > 0 { 84 ruser, err = c.App.CreateUserWithToken(user, tokenId) 85 } else if len(inviteId) > 0 { 86 ruser, err = c.App.CreateUserWithInviteId(user, inviteId) 87 } else if c.IsSystemAdmin() { 88 ruser, err = c.App.CreateUserAsAdmin(user) 89 } else { 90 ruser, err = c.App.CreateUserFromSignup(user) 91 } 92 93 if err != nil { 94 c.Err = err 95 return 96 } 97 98 w.WriteHeader(http.StatusCreated) 99 w.Write([]byte(ruser.ToJson())) 100 } 101 102 func getUser(c *Context, w http.ResponseWriter, r *http.Request) { 103 c.RequireUserId() 104 if c.Err != nil { 105 return 106 } 107 108 // No permission check required 109 110 var user *model.User 111 var err *model.AppError 112 113 if user, err = c.App.GetUser(c.Params.UserId); err != nil { 114 c.Err = err 115 return 116 } 117 118 etag := user.Etag(c.App.Config().PrivacySettings.ShowFullName, c.App.Config().PrivacySettings.ShowEmailAddress) 119 120 if c.HandleEtag(etag, "Get User", w, r) { 121 return 122 } else { 123 if c.Session.UserId == user.Id { 124 user.Sanitize(map[string]bool{}) 125 } else { 126 c.App.SanitizeProfile(user, c.IsSystemAdmin()) 127 } 128 c.App.UpdateLastActivityAtIfNeeded(c.Session) 129 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 130 w.Write([]byte(user.ToJson())) 131 return 132 } 133 } 134 135 func getUserByUsername(c *Context, w http.ResponseWriter, r *http.Request) { 136 c.RequireUsername() 137 if c.Err != nil { 138 return 139 } 140 141 // No permission check required 142 143 var user *model.User 144 var err *model.AppError 145 146 if user, err = c.App.GetUserByUsername(c.Params.Username); err != nil { 147 c.Err = err 148 return 149 } 150 151 etag := user.Etag(c.App.Config().PrivacySettings.ShowFullName, c.App.Config().PrivacySettings.ShowEmailAddress) 152 153 if c.HandleEtag(etag, "Get User", w, r) { 154 return 155 } else { 156 c.App.SanitizeProfile(user, c.IsSystemAdmin()) 157 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 158 w.Write([]byte(user.ToJson())) 159 return 160 } 161 } 162 163 func getUserByEmail(c *Context, w http.ResponseWriter, r *http.Request) { 164 c.RequireEmail() 165 if c.Err != nil { 166 return 167 } 168 169 // No permission check required 170 171 var user *model.User 172 var err *model.AppError 173 174 if user, err = c.App.GetUserByEmail(c.Params.Email); err != nil { 175 c.Err = err 176 return 177 } 178 179 etag := user.Etag(c.App.Config().PrivacySettings.ShowFullName, c.App.Config().PrivacySettings.ShowEmailAddress) 180 181 if c.HandleEtag(etag, "Get User", w, r) { 182 return 183 } else { 184 c.App.SanitizeProfile(user, c.IsSystemAdmin()) 185 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 186 w.Write([]byte(user.ToJson())) 187 return 188 } 189 } 190 191 func getProfileImage(c *Context, w http.ResponseWriter, r *http.Request) { 192 c.RequireUserId() 193 if c.Err != nil { 194 return 195 } 196 197 if users, err := c.App.GetUsersByIds([]string{c.Params.UserId}, c.IsSystemAdmin()); err != nil { 198 c.Err = err 199 return 200 } else { 201 if len(users) == 0 { 202 c.Err = model.NewAppError("getProfileImage", "api.user.get_profile_image.not_found.app_error", nil, "", http.StatusNotFound) 203 return 204 } 205 206 user := users[0] 207 etag := strconv.FormatInt(user.LastPictureUpdate, 10) 208 if c.HandleEtag(etag, "Get Profile Image", w, r) { 209 return 210 } 211 212 var img []byte 213 img, readFailed, err := c.App.GetProfileImage(user) 214 if err != nil { 215 c.Err = err 216 return 217 } 218 219 if readFailed { 220 w.Header().Set("Cache-Control", fmt.Sprintf("max-age=%v, public", 5*60)) // 5 mins 221 } else { 222 w.Header().Set("Cache-Control", fmt.Sprintf("max-age=%v, public", 24*60*60)) // 24 hrs 223 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 224 } 225 226 w.Header().Set("Content-Type", "image/png") 227 w.Write(img) 228 } 229 } 230 231 func setProfileImage(c *Context, w http.ResponseWriter, r *http.Request) { 232 c.RequireUserId() 233 if c.Err != nil { 234 return 235 } 236 237 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 238 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 239 return 240 } 241 242 if len(*c.App.Config().FileSettings.DriverName) == 0 { 243 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.storage.app_error", nil, "", http.StatusNotImplemented) 244 return 245 } 246 247 if r.ContentLength > *c.App.Config().FileSettings.MaxFileSize { 248 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.too_large.app_error", nil, "", http.StatusRequestEntityTooLarge) 249 return 250 } 251 252 if err := r.ParseMultipartForm(*c.App.Config().FileSettings.MaxFileSize); err != nil { 253 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.parse.app_error", nil, err.Error(), http.StatusInternalServerError) 254 return 255 } 256 257 m := r.MultipartForm 258 259 imageArray, ok := m.File["image"] 260 if !ok { 261 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.no_file.app_error", nil, "", http.StatusBadRequest) 262 return 263 } 264 265 if len(imageArray) <= 0 { 266 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.array.app_error", nil, "", http.StatusBadRequest) 267 return 268 } 269 270 imageData := imageArray[0] 271 272 if err := c.App.SetProfileImage(c.Params.UserId, imageData); err != nil { 273 c.Err = err 274 return 275 } 276 277 c.LogAudit("") 278 ReturnStatusOK(w) 279 } 280 281 func getUsers(c *Context, w http.ResponseWriter, r *http.Request) { 282 inTeamId := r.URL.Query().Get("in_team") 283 notInTeamId := r.URL.Query().Get("not_in_team") 284 inChannelId := r.URL.Query().Get("in_channel") 285 notInChannelId := r.URL.Query().Get("not_in_channel") 286 withoutTeam := r.URL.Query().Get("without_team") 287 sort := r.URL.Query().Get("sort") 288 289 if len(notInChannelId) > 0 && len(inTeamId) == 0 { 290 c.SetInvalidUrlParam("team_id") 291 return 292 } 293 294 if sort != "" && sort != "last_activity_at" && sort != "create_at" && sort != "status" { 295 c.SetInvalidUrlParam("sort") 296 return 297 } 298 299 // Currently only supports sorting on a team 300 // or sort="status" on inChannelId 301 if (sort == "last_activity_at" || sort == "create_at") && (inTeamId == "" || notInTeamId != "" || inChannelId != "" || notInChannelId != "" || withoutTeam != "") { 302 c.SetInvalidUrlParam("sort") 303 return 304 } 305 if sort == "status" && inChannelId == "" { 306 c.SetInvalidUrlParam("sort") 307 return 308 } 309 310 var profiles []*model.User 311 var err *model.AppError 312 etag := "" 313 314 if withoutTeamBool, _ := strconv.ParseBool(withoutTeam); withoutTeamBool { 315 // Use a special permission for now 316 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_LIST_USERS_WITHOUT_TEAM) { 317 c.SetPermissionError(model.PERMISSION_LIST_USERS_WITHOUT_TEAM) 318 return 319 } 320 321 profiles, err = c.App.GetUsersWithoutTeamPage(c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 322 } else if len(notInChannelId) > 0 { 323 if !c.App.SessionHasPermissionToChannel(c.Session, notInChannelId, model.PERMISSION_READ_CHANNEL) { 324 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 325 return 326 } 327 328 profiles, err = c.App.GetUsersNotInChannelPage(inTeamId, notInChannelId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 329 } else if len(notInTeamId) > 0 { 330 if !c.App.SessionHasPermissionToTeam(c.Session, notInTeamId, model.PERMISSION_VIEW_TEAM) { 331 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 332 return 333 } 334 335 etag = c.App.GetUsersNotInTeamEtag(inTeamId) 336 if c.HandleEtag(etag, "Get Users Not in Team", w, r) { 337 return 338 } 339 340 profiles, err = c.App.GetUsersNotInTeamPage(notInTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 341 } else if len(inTeamId) > 0 { 342 if !c.App.SessionHasPermissionToTeam(c.Session, inTeamId, model.PERMISSION_VIEW_TEAM) { 343 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 344 return 345 } 346 347 if sort == "last_activity_at" { 348 profiles, err = c.App.GetRecentlyActiveUsersForTeamPage(inTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 349 } else if sort == "create_at" { 350 profiles, err = c.App.GetNewUsersForTeamPage(inTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 351 } else { 352 etag = c.App.GetUsersInTeamEtag(inTeamId) 353 if c.HandleEtag(etag, "Get Users in Team", w, r) { 354 return 355 } 356 357 profiles, err = c.App.GetUsersInTeamPage(inTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 358 } 359 } else if len(inChannelId) > 0 { 360 if !c.App.SessionHasPermissionToChannel(c.Session, inChannelId, model.PERMISSION_READ_CHANNEL) { 361 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 362 return 363 } 364 if sort == "status" { 365 profiles, err = c.App.GetUsersInChannelPageByStatus(inChannelId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 366 } else { 367 profiles, err = c.App.GetUsersInChannelPage(inChannelId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 368 } 369 } else { 370 // No permission check required 371 372 etag = c.App.GetUsersEtag() 373 if c.HandleEtag(etag, "Get Users", w, r) { 374 return 375 } 376 profiles, err = c.App.GetUsersPage(c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 377 } 378 379 if err != nil { 380 c.Err = err 381 return 382 } else { 383 if len(etag) > 0 { 384 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 385 } 386 c.App.UpdateLastActivityAtIfNeeded(c.Session) 387 w.Write([]byte(model.UserListToJson(profiles))) 388 } 389 } 390 391 func getUsersByIds(c *Context, w http.ResponseWriter, r *http.Request) { 392 userIds := model.ArrayFromJson(r.Body) 393 394 if len(userIds) == 0 { 395 c.SetInvalidParam("user_ids") 396 return 397 } 398 399 // No permission check required 400 401 if users, err := c.App.GetUsersByIds(userIds, c.IsSystemAdmin()); err != nil { 402 c.Err = err 403 return 404 } else { 405 w.Write([]byte(model.UserListToJson(users))) 406 } 407 } 408 409 func getUsersByNames(c *Context, w http.ResponseWriter, r *http.Request) { 410 usernames := model.ArrayFromJson(r.Body) 411 412 if len(usernames) == 0 { 413 c.SetInvalidParam("usernames") 414 return 415 } 416 417 // No permission check required 418 419 if users, err := c.App.GetUsersByUsernames(usernames, c.IsSystemAdmin()); err != nil { 420 c.Err = err 421 return 422 } else { 423 w.Write([]byte(model.UserListToJson(users))) 424 } 425 } 426 427 func searchUsers(c *Context, w http.ResponseWriter, r *http.Request) { 428 props := model.UserSearchFromJson(r.Body) 429 if props == nil { 430 c.SetInvalidParam("") 431 return 432 } 433 434 if len(props.Term) == 0 { 435 c.SetInvalidParam("term") 436 return 437 } 438 439 if props.TeamId == "" && props.NotInChannelId != "" { 440 c.SetInvalidParam("team_id") 441 return 442 } 443 444 if props.InChannelId != "" && !c.App.SessionHasPermissionToChannel(c.Session, props.InChannelId, model.PERMISSION_READ_CHANNEL) { 445 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 446 return 447 } 448 449 if props.NotInChannelId != "" && !c.App.SessionHasPermissionToChannel(c.Session, props.NotInChannelId, model.PERMISSION_READ_CHANNEL) { 450 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 451 return 452 } 453 454 if props.TeamId != "" && !c.App.SessionHasPermissionToTeam(c.Session, props.TeamId, model.PERMISSION_VIEW_TEAM) { 455 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 456 return 457 } 458 459 if props.NotInTeamId != "" && !c.App.SessionHasPermissionToTeam(c.Session, props.NotInTeamId, model.PERMISSION_VIEW_TEAM) { 460 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 461 return 462 } 463 464 searchOptions := map[string]bool{} 465 searchOptions[store.USER_SEARCH_OPTION_ALLOW_INACTIVE] = props.AllowInactive 466 467 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 468 hideFullName := !c.App.Config().PrivacySettings.ShowFullName 469 hideEmail := !c.App.Config().PrivacySettings.ShowEmailAddress 470 471 if hideFullName && hideEmail { 472 searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY_NO_FULL_NAME] = true 473 } else if hideFullName { 474 searchOptions[store.USER_SEARCH_OPTION_ALL_NO_FULL_NAME] = true 475 } else if hideEmail { 476 searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true 477 } 478 } 479 480 if profiles, err := c.App.SearchUsers(props, searchOptions, c.IsSystemAdmin()); err != nil { 481 c.Err = err 482 return 483 } else { 484 w.Write([]byte(model.UserListToJson(profiles))) 485 } 486 } 487 488 func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) { 489 channelId := r.URL.Query().Get("in_channel") 490 teamId := r.URL.Query().Get("in_team") 491 name := r.URL.Query().Get("name") 492 493 autocomplete := new(model.UserAutocomplete) 494 var err *model.AppError 495 496 searchOptions := map[string]bool{} 497 498 hideFullName := !c.App.Config().PrivacySettings.ShowFullName 499 if hideFullName && !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 500 searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY_NO_FULL_NAME] = true 501 } else { 502 searchOptions[store.USER_SEARCH_OPTION_NAMES_ONLY] = true 503 } 504 505 if len(channelId) > 0 { 506 if !c.App.SessionHasPermissionToChannel(c.Session, channelId, model.PERMISSION_READ_CHANNEL) { 507 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 508 return 509 } 510 511 result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, searchOptions, c.IsSystemAdmin()) 512 if err != nil { 513 c.Err = err 514 return 515 } 516 517 autocomplete.Users = result.InChannel 518 autocomplete.OutOfChannel = result.OutOfChannel 519 } else if len(teamId) > 0 { 520 if !c.App.SessionHasPermissionToTeam(c.Session, teamId, model.PERMISSION_VIEW_TEAM) { 521 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 522 return 523 } 524 525 result, err := c.App.AutocompleteUsersInTeam(teamId, name, searchOptions, c.IsSystemAdmin()) 526 if err != nil { 527 c.Err = err 528 return 529 } 530 531 autocomplete.Users = result.InTeam 532 } else { 533 // No permission check required 534 result, err := c.App.SearchUsersInTeam("", name, searchOptions, c.IsSystemAdmin()) 535 if err != nil { 536 c.Err = err 537 return 538 } 539 autocomplete.Users = result 540 } 541 542 if err != nil { 543 c.Err = err 544 return 545 } else { 546 w.Write([]byte((autocomplete.ToJson()))) 547 } 548 } 549 550 func updateUser(c *Context, w http.ResponseWriter, r *http.Request) { 551 c.RequireUserId() 552 if c.Err != nil { 553 return 554 } 555 556 user := model.UserFromJson(r.Body) 557 if user == nil { 558 c.SetInvalidParam("user") 559 return 560 } 561 562 if !c.App.SessionHasPermissionToUser(c.Session, user.Id) { 563 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 564 return 565 } 566 567 if c.Session.IsOAuth { 568 ouser, err := c.App.GetUser(user.Id) 569 if err != nil { 570 c.Err = err 571 return 572 } 573 574 if ouser.Email != user.Email { 575 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 576 c.Err.DetailedError += ", attempted email update by oauth app" 577 return 578 } 579 } 580 581 if ruser, err := c.App.UpdateUserAsUser(user, c.IsSystemAdmin()); err != nil { 582 c.Err = err 583 return 584 } else { 585 c.LogAudit("") 586 w.Write([]byte(ruser.ToJson())) 587 } 588 } 589 590 func patchUser(c *Context, w http.ResponseWriter, r *http.Request) { 591 c.RequireUserId() 592 if c.Err != nil { 593 return 594 } 595 596 patch := model.UserPatchFromJson(r.Body) 597 if patch == nil { 598 c.SetInvalidParam("user") 599 return 600 } 601 602 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 603 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 604 return 605 } 606 607 ouser, err := c.App.GetUser(c.Params.UserId) 608 if err != nil { 609 c.SetInvalidParam("user_id") 610 return 611 } 612 613 if c.Session.IsOAuth && patch.Email != nil { 614 if err != nil { 615 c.Err = err 616 return 617 } 618 619 if ouser.Email != *patch.Email { 620 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 621 c.Err.DetailedError += ", attempted email update by oauth app" 622 return 623 } 624 } 625 626 if ruser, err := c.App.PatchUser(c.Params.UserId, patch, c.IsSystemAdmin()); err != nil { 627 c.Err = err 628 return 629 } else { 630 c.App.SetAutoResponderStatus(ruser, ouser.NotifyProps) 631 c.LogAudit("") 632 w.Write([]byte(ruser.ToJson())) 633 } 634 } 635 636 func deleteUser(c *Context, w http.ResponseWriter, r *http.Request) { 637 c.RequireUserId() 638 if c.Err != nil { 639 return 640 } 641 642 userId := c.Params.UserId 643 644 if !c.App.SessionHasPermissionToUser(c.Session, userId) { 645 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 646 return 647 } 648 649 var user *model.User 650 var err *model.AppError 651 652 if user, err = c.App.GetUser(userId); err != nil { 653 c.Err = err 654 return 655 } 656 657 if _, err := c.App.UpdateActive(user, false); err != nil { 658 c.Err = err 659 return 660 } 661 662 ReturnStatusOK(w) 663 } 664 665 func updateUserRoles(c *Context, w http.ResponseWriter, r *http.Request) { 666 c.RequireUserId() 667 if c.Err != nil { 668 return 669 } 670 671 props := model.MapFromJson(r.Body) 672 673 newRoles := props["roles"] 674 if !model.IsValidUserRoles(newRoles) { 675 c.SetInvalidParam("roles") 676 return 677 } 678 679 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_ROLES) { 680 c.SetPermissionError(model.PERMISSION_MANAGE_ROLES) 681 return 682 } 683 684 if _, err := c.App.UpdateUserRoles(c.Params.UserId, newRoles, true); err != nil { 685 c.Err = err 686 return 687 } else { 688 c.LogAuditWithUserId(c.Params.UserId, "roles="+newRoles) 689 } 690 691 ReturnStatusOK(w) 692 } 693 694 func updateUserActive(c *Context, w http.ResponseWriter, r *http.Request) { 695 c.RequireUserId() 696 if c.Err != nil { 697 return 698 } 699 700 props := model.StringInterfaceFromJson(r.Body) 701 702 active, ok := props["active"].(bool) 703 if !ok { 704 c.SetInvalidParam("active") 705 return 706 } 707 708 // true when you're trying to de-activate yourself 709 isSelfDeactive := !active && c.Params.UserId == c.Session.UserId 710 711 if !isSelfDeactive && !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 712 c.Err = model.NewAppError("updateUserActive", "api.user.update_active.permissions.app_error", nil, "userId="+c.Params.UserId, http.StatusForbidden) 713 return 714 } 715 716 var user *model.User 717 var err *model.AppError 718 719 if user, err = c.App.GetUser(c.Params.UserId); err != nil { 720 c.Err = err 721 return 722 } 723 724 if _, err := c.App.UpdateActive(user, active); err != nil { 725 c.Err = err 726 } else { 727 c.LogAuditWithUserId(user.Id, fmt.Sprintf("active=%v", active)) 728 ReturnStatusOK(w) 729 } 730 } 731 732 func updateUserAuth(c *Context, w http.ResponseWriter, r *http.Request) { 733 if !c.IsSystemAdmin() { 734 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 735 return 736 } 737 738 c.RequireUserId() 739 if c.Err != nil { 740 return 741 } 742 743 userAuth := model.UserAuthFromJson(r.Body) 744 if userAuth == nil { 745 c.SetInvalidParam("user") 746 return 747 } 748 749 if user, err := c.App.UpdateUserAuth(c.Params.UserId, userAuth); err != nil { 750 c.Err = err 751 } else { 752 c.LogAuditWithUserId(c.Params.UserId, fmt.Sprintf("updated user auth to service=%v", user.AuthService)) 753 w.Write([]byte(user.ToJson())) 754 } 755 } 756 757 func checkUserMfa(c *Context, w http.ResponseWriter, r *http.Request) { 758 props := model.MapFromJson(r.Body) 759 760 loginId := props["login_id"] 761 if len(loginId) == 0 { 762 c.SetInvalidParam("login_id") 763 return 764 } 765 766 resp := map[string]interface{}{} 767 resp["mfa_required"] = false 768 769 if license := c.App.License(); license == nil || !*license.Features.MFA || !*c.App.Config().ServiceSettings.EnableMultifactorAuthentication { 770 w.Write([]byte(model.StringInterfaceToJson(resp))) 771 return 772 } 773 774 if user, err := c.App.GetUserForLogin("", loginId); err == nil { 775 resp["mfa_required"] = user.MfaActive 776 } 777 778 w.Write([]byte(model.StringInterfaceToJson(resp))) 779 } 780 781 func updateUserMfa(c *Context, w http.ResponseWriter, r *http.Request) { 782 c.RequireUserId() 783 if c.Err != nil { 784 return 785 } 786 787 if c.Session.IsOAuth { 788 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 789 c.Err.DetailedError += ", attempted access by oauth app" 790 return 791 } 792 793 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 794 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 795 return 796 } 797 798 props := model.StringInterfaceFromJson(r.Body) 799 800 activate, ok := props["activate"].(bool) 801 if !ok { 802 c.SetInvalidParam("activate") 803 return 804 } 805 806 code := "" 807 if activate { 808 code, ok = props["code"].(string) 809 if !ok || len(code) == 0 { 810 c.SetInvalidParam("code") 811 return 812 } 813 } 814 815 c.LogAudit("attempt") 816 817 if err := c.App.UpdateMfa(activate, c.Params.UserId, code); err != nil { 818 c.Err = err 819 return 820 } 821 822 c.LogAudit("success - mfa updated") 823 ReturnStatusOK(w) 824 } 825 826 func generateMfaSecret(c *Context, w http.ResponseWriter, r *http.Request) { 827 c.RequireUserId() 828 if c.Err != nil { 829 return 830 } 831 832 if c.Session.IsOAuth { 833 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 834 c.Err.DetailedError += ", attempted access by oauth app" 835 return 836 } 837 838 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 839 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 840 return 841 } 842 843 secret, err := c.App.GenerateMfaSecret(c.Params.UserId) 844 if err != nil { 845 c.Err = err 846 return 847 } 848 849 w.Header().Set("Cache-Control", "no-cache") 850 w.Header().Set("Pragma", "no-cache") 851 w.Header().Set("Expires", "0") 852 w.Write([]byte(secret.ToJson())) 853 } 854 855 func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) { 856 c.RequireUserId() 857 if c.Err != nil { 858 return 859 } 860 861 props := model.MapFromJson(r.Body) 862 863 newPassword := props["new_password"] 864 865 c.LogAudit("attempted") 866 867 var err *model.AppError 868 if c.Params.UserId == c.Session.UserId { 869 currentPassword := props["current_password"] 870 if len(currentPassword) <= 0 { 871 c.SetInvalidParam("current_password") 872 return 873 } 874 875 err = c.App.UpdatePasswordAsUser(c.Params.UserId, currentPassword, newPassword) 876 } else if c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 877 err = c.App.UpdatePasswordByUserIdSendEmail(c.Params.UserId, newPassword, c.T("api.user.reset_password.method")) 878 } else { 879 err = model.NewAppError("updatePassword", "api.user.update_password.context.app_error", nil, "", http.StatusForbidden) 880 } 881 882 if err != nil { 883 c.LogAudit("failed") 884 c.Err = err 885 return 886 } else { 887 c.LogAudit("completed") 888 ReturnStatusOK(w) 889 } 890 } 891 892 func resetPassword(c *Context, w http.ResponseWriter, r *http.Request) { 893 props := model.MapFromJson(r.Body) 894 895 token := props["token"] 896 if len(token) != model.TOKEN_SIZE { 897 c.SetInvalidParam("token") 898 return 899 } 900 901 newPassword := props["new_password"] 902 903 c.LogAudit("attempt - token=" + token) 904 905 if err := c.App.ResetPasswordFromToken(token, newPassword); err != nil { 906 c.LogAudit("fail - token=" + token) 907 c.Err = err 908 return 909 } 910 911 c.LogAudit("success - token=" + token) 912 913 ReturnStatusOK(w) 914 } 915 916 func sendPasswordReset(c *Context, w http.ResponseWriter, r *http.Request) { 917 props := model.MapFromJson(r.Body) 918 919 email := props["email"] 920 if len(email) == 0 { 921 c.SetInvalidParam("email") 922 return 923 } 924 925 if sent, err := c.App.SendPasswordReset(email, c.App.GetSiteURL()); err != nil { 926 c.Err = err 927 return 928 } else if sent { 929 c.LogAudit("sent=" + email) 930 } 931 932 ReturnStatusOK(w) 933 } 934 935 func login(c *Context, w http.ResponseWriter, r *http.Request) { 936 props := model.MapFromJson(r.Body) 937 938 id := props["id"] 939 loginId := props["login_id"] 940 password := props["password"] 941 mfaToken := props["token"] 942 deviceId := props["device_id"] 943 ldapOnly := props["ldap_only"] == "true" 944 945 c.LogAuditWithUserId(id, "attempt - login_id="+loginId) 946 user, err := c.App.AuthenticateUserForLogin(id, loginId, password, mfaToken, ldapOnly) 947 if err != nil { 948 c.LogAuditWithUserId(id, "failure - login_id="+loginId) 949 c.Err = err 950 return 951 } 952 953 c.LogAuditWithUserId(user.Id, "authenticated") 954 955 var session *model.Session 956 session, err = c.App.DoLogin(w, r, user, deviceId) 957 if err != nil { 958 c.Err = err 959 return 960 } 961 962 c.LogAuditWithUserId(user.Id, "success") 963 964 c.Session = *session 965 966 user.Sanitize(map[string]bool{}) 967 968 w.Write([]byte(user.ToJson())) 969 } 970 971 func logout(c *Context, w http.ResponseWriter, r *http.Request) { 972 data := make(map[string]string) 973 data["user_id"] = c.Session.UserId 974 975 Logout(c, w, r) 976 977 } 978 979 func Logout(c *Context, w http.ResponseWriter, r *http.Request) { 980 c.LogAudit("") 981 c.RemoveSessionCookie(w, r) 982 if c.Session.Id != "" { 983 if err := c.App.RevokeSessionById(c.Session.Id); err != nil { 984 c.Err = err 985 return 986 } 987 } 988 989 ReturnStatusOK(w) 990 } 991 992 func getSessions(c *Context, w http.ResponseWriter, r *http.Request) { 993 c.RequireUserId() 994 if c.Err != nil { 995 return 996 } 997 998 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 999 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1000 return 1001 } 1002 1003 if sessions, err := c.App.GetSessions(c.Params.UserId); err != nil { 1004 c.Err = err 1005 return 1006 } else { 1007 for _, session := range sessions { 1008 session.Sanitize() 1009 } 1010 1011 w.Write([]byte(model.SessionsToJson(sessions))) 1012 return 1013 } 1014 } 1015 1016 func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) { 1017 c.RequireUserId() 1018 if c.Err != nil { 1019 return 1020 } 1021 1022 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 1023 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1024 return 1025 } 1026 1027 props := model.MapFromJson(r.Body) 1028 sessionId := props["session_id"] 1029 1030 if sessionId == "" { 1031 c.SetInvalidParam("session_id") 1032 return 1033 } 1034 1035 var session *model.Session 1036 var err *model.AppError 1037 if session, err = c.App.GetSessionById(sessionId); err != nil { 1038 c.Err = err 1039 return 1040 } 1041 1042 if session.UserId != c.Params.UserId { 1043 c.SetInvalidUrlParam("user_id") 1044 return 1045 } 1046 1047 if err := c.App.RevokeSession(session); err != nil { 1048 c.Err = err 1049 return 1050 } 1051 1052 ReturnStatusOK(w) 1053 } 1054 1055 func revokeAllSessionsForUser(c *Context, w http.ResponseWriter, r *http.Request) { 1056 c.RequireUserId() 1057 if c.Err != nil { 1058 return 1059 } 1060 1061 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 1062 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1063 return 1064 } 1065 1066 if err := c.App.RevokeAllSessions(c.Params.UserId); err != nil { 1067 c.Err = err 1068 return 1069 } 1070 1071 ReturnStatusOK(w) 1072 } 1073 1074 func attachDeviceId(c *Context, w http.ResponseWriter, r *http.Request) { 1075 props := model.MapFromJson(r.Body) 1076 1077 deviceId := props["device_id"] 1078 if len(deviceId) == 0 { 1079 c.SetInvalidParam("device_id") 1080 return 1081 } 1082 1083 // A special case where we logout of all other sessions with the same device id 1084 if err := c.App.RevokeSessionsForDeviceId(c.Session.UserId, deviceId, c.Session.Id); err != nil { 1085 c.Err = err 1086 return 1087 } 1088 1089 c.App.ClearSessionCacheForUser(c.Session.UserId) 1090 c.Session.SetExpireInDays(*c.App.Config().ServiceSettings.SessionLengthMobileInDays) 1091 1092 maxAge := *c.App.Config().ServiceSettings.SessionLengthMobileInDays * 60 * 60 * 24 1093 1094 secure := false 1095 if app.GetProtocol(r) == "https" { 1096 secure = true 1097 } 1098 1099 expiresAt := time.Unix(model.GetMillis()/1000+int64(maxAge), 0) 1100 sessionCookie := &http.Cookie{ 1101 Name: model.SESSION_COOKIE_TOKEN, 1102 Value: c.Session.Token, 1103 Path: "/", 1104 MaxAge: maxAge, 1105 Expires: expiresAt, 1106 HttpOnly: true, 1107 Domain: c.App.GetCookieDomain(), 1108 Secure: secure, 1109 } 1110 1111 http.SetCookie(w, sessionCookie) 1112 1113 if err := c.App.AttachDeviceId(c.Session.Id, deviceId, c.Session.ExpiresAt); err != nil { 1114 c.Err = err 1115 return 1116 } 1117 1118 c.LogAudit("") 1119 ReturnStatusOK(w) 1120 } 1121 1122 func getUserAudits(c *Context, w http.ResponseWriter, r *http.Request) { 1123 c.RequireUserId() 1124 if c.Err != nil { 1125 return 1126 } 1127 1128 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 1129 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1130 return 1131 } 1132 1133 if audits, err := c.App.GetAuditsPage(c.Params.UserId, c.Params.Page, c.Params.PerPage); err != nil { 1134 c.Err = err 1135 return 1136 } else { 1137 w.Write([]byte(audits.ToJson())) 1138 return 1139 } 1140 } 1141 1142 func verifyUserEmail(c *Context, w http.ResponseWriter, r *http.Request) { 1143 props := model.MapFromJson(r.Body) 1144 1145 token := props["token"] 1146 if len(token) != model.TOKEN_SIZE { 1147 c.SetInvalidParam("token") 1148 return 1149 } 1150 1151 if err := c.App.VerifyEmailFromToken(token); err != nil { 1152 c.Err = model.NewAppError("verifyUserEmail", "api.user.verify_email.bad_link.app_error", nil, err.Error(), http.StatusBadRequest) 1153 return 1154 } else { 1155 c.LogAudit("Email Verified") 1156 ReturnStatusOK(w) 1157 return 1158 } 1159 } 1160 1161 func sendVerificationEmail(c *Context, w http.ResponseWriter, r *http.Request) { 1162 props := model.MapFromJson(r.Body) 1163 1164 email := props["email"] 1165 if len(email) == 0 { 1166 c.SetInvalidParam("email") 1167 return 1168 } 1169 1170 user, err := c.App.GetUserForLogin("", email) 1171 if err != nil { 1172 // Don't want to leak whether the email is valid or not 1173 ReturnStatusOK(w) 1174 return 1175 } 1176 1177 err = c.App.SendEmailVerification(user) 1178 if err != nil { 1179 // Don't want to leak whether the email is valid or not 1180 mlog.Error(err.Error()) 1181 ReturnStatusOK(w) 1182 return 1183 } 1184 1185 ReturnStatusOK(w) 1186 } 1187 1188 func switchAccountType(c *Context, w http.ResponseWriter, r *http.Request) { 1189 switchRequest := model.SwitchRequestFromJson(r.Body) 1190 if switchRequest == nil { 1191 c.SetInvalidParam("switch_request") 1192 return 1193 } 1194 1195 link := "" 1196 var err *model.AppError 1197 1198 if switchRequest.EmailToOAuth() { 1199 link, err = c.App.SwitchEmailToOAuth(w, r, switchRequest.Email, switchRequest.Password, switchRequest.MfaCode, switchRequest.NewService) 1200 } else if switchRequest.OAuthToEmail() { 1201 c.SessionRequired() 1202 if c.Err != nil { 1203 return 1204 } 1205 1206 link, err = c.App.SwitchOAuthToEmail(switchRequest.Email, switchRequest.NewPassword, c.Session.UserId) 1207 } else if switchRequest.EmailToLdap() { 1208 link, err = c.App.SwitchEmailToLdap(switchRequest.Email, switchRequest.Password, switchRequest.MfaCode, switchRequest.LdapLoginId, switchRequest.NewPassword) 1209 } else if switchRequest.LdapToEmail() { 1210 link, err = c.App.SwitchLdapToEmail(switchRequest.Password, switchRequest.MfaCode, switchRequest.Email, switchRequest.NewPassword) 1211 } else { 1212 c.SetInvalidParam("switch_request") 1213 return 1214 } 1215 1216 if err != nil { 1217 c.Err = err 1218 return 1219 } 1220 1221 c.LogAudit("success") 1222 w.Write([]byte(model.MapToJson(map[string]string{"follow_link": link}))) 1223 } 1224 1225 func createUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1226 c.RequireUserId() 1227 if c.Err != nil { 1228 return 1229 } 1230 1231 if c.Session.IsOAuth { 1232 c.SetPermissionError(model.PERMISSION_CREATE_USER_ACCESS_TOKEN) 1233 c.Err.DetailedError += ", attempted access by oauth app" 1234 return 1235 } 1236 1237 accessToken := model.UserAccessTokenFromJson(r.Body) 1238 if accessToken == nil { 1239 c.SetInvalidParam("user_access_token") 1240 return 1241 } 1242 1243 if accessToken.Description == "" { 1244 c.SetInvalidParam("description") 1245 return 1246 } 1247 1248 c.LogAudit("") 1249 1250 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_CREATE_USER_ACCESS_TOKEN) { 1251 c.SetPermissionError(model.PERMISSION_CREATE_USER_ACCESS_TOKEN) 1252 return 1253 } 1254 1255 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 1256 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1257 return 1258 } 1259 1260 accessToken.UserId = c.Params.UserId 1261 accessToken.Token = "" 1262 1263 var err *model.AppError 1264 accessToken, err = c.App.CreateUserAccessToken(accessToken) 1265 if err != nil { 1266 c.Err = err 1267 return 1268 } 1269 1270 c.LogAudit("success - token_id=" + accessToken.Id) 1271 w.Write([]byte(accessToken.ToJson())) 1272 } 1273 1274 func searchUserAccessTokens(c *Context, w http.ResponseWriter, r *http.Request) { 1275 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 1276 c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) 1277 return 1278 } 1279 props := model.UserAccessTokenSearchFromJson(r.Body) 1280 if props == nil { 1281 c.SetInvalidParam("user_access_token_search") 1282 return 1283 } 1284 1285 if len(props.Term) == 0 { 1286 c.SetInvalidParam("term") 1287 return 1288 } 1289 accessTokens, err := c.App.SearchUserAccessTokens(props.Term) 1290 if err != nil { 1291 c.Err = err 1292 return 1293 } 1294 1295 w.Write([]byte(model.UserAccessTokenListToJson(accessTokens))) 1296 } 1297 1298 func getUserAccessTokens(c *Context, w http.ResponseWriter, r *http.Request) { 1299 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) { 1300 c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) 1301 return 1302 } 1303 1304 accessTokens, err := c.App.GetUserAccessTokens(c.Params.Page, c.Params.PerPage) 1305 if err != nil { 1306 c.Err = err 1307 return 1308 } 1309 1310 w.Write([]byte(model.UserAccessTokenListToJson(accessTokens))) 1311 } 1312 1313 func getUserAccessTokensForUser(c *Context, w http.ResponseWriter, r *http.Request) { 1314 c.RequireUserId() 1315 if c.Err != nil { 1316 return 1317 } 1318 1319 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_READ_USER_ACCESS_TOKEN) { 1320 c.SetPermissionError(model.PERMISSION_READ_USER_ACCESS_TOKEN) 1321 return 1322 } 1323 1324 if !c.App.SessionHasPermissionToUser(c.Session, c.Params.UserId) { 1325 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1326 return 1327 } 1328 1329 accessTokens, err := c.App.GetUserAccessTokensForUser(c.Params.UserId, c.Params.Page, c.Params.PerPage) 1330 if err != nil { 1331 c.Err = err 1332 return 1333 } 1334 1335 w.Write([]byte(model.UserAccessTokenListToJson(accessTokens))) 1336 } 1337 1338 func getUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1339 c.RequireTokenId() 1340 if c.Err != nil { 1341 return 1342 } 1343 1344 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_READ_USER_ACCESS_TOKEN) { 1345 c.SetPermissionError(model.PERMISSION_READ_USER_ACCESS_TOKEN) 1346 return 1347 } 1348 1349 accessToken, err := c.App.GetUserAccessToken(c.Params.TokenId, true) 1350 if err != nil { 1351 c.Err = err 1352 return 1353 } 1354 1355 if !c.App.SessionHasPermissionToUser(c.Session, accessToken.UserId) { 1356 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1357 return 1358 } 1359 1360 w.Write([]byte(accessToken.ToJson())) 1361 } 1362 1363 func revokeUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1364 props := model.MapFromJson(r.Body) 1365 tokenId := props["token_id"] 1366 1367 if tokenId == "" { 1368 c.SetInvalidParam("token_id") 1369 } 1370 1371 c.LogAudit("") 1372 1373 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) { 1374 c.SetPermissionError(model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) 1375 return 1376 } 1377 1378 accessToken, err := c.App.GetUserAccessToken(tokenId, false) 1379 if err != nil { 1380 c.Err = err 1381 return 1382 } 1383 1384 if !c.App.SessionHasPermissionToUser(c.Session, accessToken.UserId) { 1385 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1386 return 1387 } 1388 1389 err = c.App.RevokeUserAccessToken(accessToken) 1390 if err != nil { 1391 c.Err = err 1392 return 1393 } 1394 1395 c.LogAudit("success - token_id=" + accessToken.Id) 1396 ReturnStatusOK(w) 1397 } 1398 1399 func disableUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1400 props := model.MapFromJson(r.Body) 1401 tokenId := props["token_id"] 1402 1403 if tokenId == "" { 1404 c.SetInvalidParam("token_id") 1405 } 1406 1407 c.LogAudit("") 1408 1409 // No separate permission for this action for now 1410 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) { 1411 c.SetPermissionError(model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) 1412 return 1413 } 1414 1415 accessToken, err := c.App.GetUserAccessToken(tokenId, false) 1416 if err != nil { 1417 c.Err = err 1418 return 1419 } 1420 1421 if !c.App.SessionHasPermissionToUser(c.Session, accessToken.UserId) { 1422 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1423 return 1424 } 1425 1426 err = c.App.DisableUserAccessToken(accessToken) 1427 if err != nil { 1428 c.Err = err 1429 return 1430 } 1431 1432 c.LogAudit("success - token_id=" + accessToken.Id) 1433 ReturnStatusOK(w) 1434 } 1435 1436 func enableUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1437 props := model.MapFromJson(r.Body) 1438 tokenId := props["token_id"] 1439 1440 if tokenId == "" { 1441 c.SetInvalidParam("token_id") 1442 } 1443 1444 c.LogAudit("") 1445 1446 // No separate permission for this action for now 1447 if !c.App.SessionHasPermissionTo(c.Session, model.PERMISSION_CREATE_USER_ACCESS_TOKEN) { 1448 c.SetPermissionError(model.PERMISSION_CREATE_USER_ACCESS_TOKEN) 1449 return 1450 } 1451 1452 accessToken, err := c.App.GetUserAccessToken(tokenId, false) 1453 if err != nil { 1454 c.Err = err 1455 return 1456 } 1457 1458 if !c.App.SessionHasPermissionToUser(c.Session, accessToken.UserId) { 1459 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1460 return 1461 } 1462 1463 err = c.App.EnableUserAccessToken(accessToken) 1464 if err != nil { 1465 c.Err = err 1466 return 1467 } 1468 1469 c.LogAudit("success - token_id=" + accessToken.Id) 1470 ReturnStatusOK(w) 1471 }