
     1  // Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
     2  // See LICENSE.txt for license information.
     3  
     4  package api4
     5  
     6  import (
     7  	"net/http"
     8  	"strconv"
     9  
    10  	"github.com/masterhung0112/hk_server/v5/audit"
    11  	"github.com/masterhung0112/hk_server/v5/model"
    12  	"github.com/masterhung0112/hk_server/v5/store"
    13  )
    14  
// InitUserLocal registers the user endpoints of the local API on the shared
// BaseRoutes. Every handler is wrapped with api.ApiLocal. Several of the
// routes are administrative (bulk permanent delete, role/MFA/active changes,
// access-token creation and revocation, auth migration); the two delete
// handlers defined in this file write an audit record for each attempt.
//
// Registration order is preserved from the original listing; do not reorder
// entries that share a path without checking the router's matching rules.
func (api *API) InitUserLocal() {
	users := api.BaseRoutes.Users
	user := api.BaseRoutes.User

	// Collection-level routes on /users.
	users.Handle("", api.ApiLocal(localGetUsers)).Methods("GET")
	users.Handle("", api.ApiLocal(localPermanentDeleteAllUsers)).Methods("DELETE")
	users.Handle("", api.ApiLocal(createUser)).Methods("POST")
	users.Handle("/password/reset/send", api.ApiLocal(sendPasswordReset)).Methods("POST")
	users.Handle("/ids", api.ApiLocal(localGetUsersByIds)).Methods("POST")

	// Per-user routes on /users/{user_id}.
	user.Handle("", api.ApiLocal(localGetUser)).Methods("GET")
	user.Handle("", api.ApiLocal(updateUser)).Methods("PUT")
	user.Handle("", api.ApiLocal(localDeleteUser)).Methods("DELETE")
	user.Handle("/roles", api.ApiLocal(updateUserRoles)).Methods("PUT")
	user.Handle("/mfa", api.ApiLocal(updateUserMfa)).Methods("PUT")
	user.Handle("/active", api.ApiLocal(updateUserActive)).Methods("PUT")
	user.Handle("/password", api.ApiLocal(updatePassword)).Methods("PUT")
	user.Handle("/convert_to_bot", api.ApiLocal(convertUserToBot)).Methods("POST")
	user.Handle("/email/verify/member", api.ApiLocal(verifyUserEmailWithoutToken)).Methods("POST")
	user.Handle("/promote", api.ApiLocal(promoteGuestToUser)).Methods("POST")
	user.Handle("/demote", api.ApiLocal(demoteUserToGuest)).Methods("POST")

	// Lookup by username / e-mail address.
	api.BaseRoutes.UserByUsername.Handle("", api.ApiLocal(localGetUserByUsername)).Methods("GET")
	api.BaseRoutes.UserByEmail.Handle("", api.ApiLocal(localGetUserByEmail)).Methods("GET")

	// Personal access tokens.
	users.Handle("/tokens/revoke", api.ApiLocal(revokeUserAccessToken)).Methods("POST")
	user.Handle("/tokens", api.ApiLocal(getUserAccessTokensForUser)).Methods("GET")
	user.Handle("/tokens", api.ApiLocal(createUserAccessToken)).Methods("POST")

	// Bulk authentication-method migration.
	users.Handle("/migrate_auth/ldap", api.ApiLocal(migrateAuthToLDAP)).Methods("POST")
	users.Handle("/migrate_auth/saml", api.ApiLocal(migrateAuthToSaml)).Methods("POST")

	user.Handle("/uploads", api.ApiLocal(localGetUploadsForUser)).Methods("GET")
}
    46  
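// localGetUsers serves GET /users for the local API. It reads the filter
// parameters in_team, not_in_team, in_channel, not_in_channel,
// group_constrained, without_team, active, inactive, role and sort from the
// query string, takes page/per_page from c.Params, rejects parameter
// combinations the lookups below cannot serve, dispatches to the matching
// App lookup and writes the resulting user list as JSON.
//
// For the team-scoped lookups an ETag is computed first; when the request
// carries a matching If-None-Match, c.HandleEtag writes the 304 and the
// handler returns without fetching profiles.
//
// Failures are reported through c.Err / c.SetInvalidUrlParam and nothing is
// written to w in that case.
func localGetUsers(c *Context, w http.ResponseWriter, r *http.Request) {
	// Parse the query string once instead of once per parameter.
	query := r.URL.Query()
	inTeamId := query.Get("in_team")
	notInTeamId := query.Get("not_in_team")
	inChannelId := query.Get("in_channel")
	notInChannelId := query.Get("not_in_channel")
	groupConstrained := query.Get("group_constrained")
	withoutTeam := query.Get("without_team")
	active := query.Get("active")
	inactive := query.Get("inactive")
	role := query.Get("role")
	sortBy := query.Get("sort")

	// not_in_channel is only meaningful relative to a team.
	if notInChannelId != "" && inTeamId == "" {
		c.SetInvalidUrlParam("team_id")
		return
	}

	switch sortBy {
	case "", "last_activity_at", "create_at", "status":
		// accepted sort keys
	default:
		c.SetInvalidUrlParam("sort")
		return
	}

	// Currently only supports sorting on a team
	// or sort="status" on inChannelId
	if (sortBy == "last_activity_at" || sortBy == "create_at") && (inTeamId == "" || notInTeamId != "" || inChannelId != "" || notInChannelId != "" || withoutTeam != "") {
		c.SetInvalidUrlParam("sort")
		return
	}
	if sortBy == "status" && inChannelId == "" {
		c.SetInvalidUrlParam("sort")
		return
	}

	// The boolean flags are best-effort: any value strconv.ParseBool rejects
	// (including the empty string of an absent parameter) is treated as
	// false rather than as a client error. Parsed exactly once here; the
	// values are reused for the dispatch below.
	withoutTeamBool, _ := strconv.ParseBool(withoutTeam)
	groupConstrainedBool, _ := strconv.ParseBool(groupConstrained)
	activeBool, _ := strconv.ParseBool(active)
	inactiveBool, _ := strconv.ParseBool(inactive)

	// ViewRestrictions is left nil on this path, as is the restrictions
	// argument of the page lookups below.
	userGetOptions := &model.UserGetOptions{
		InTeamId:         inTeamId,
		InChannelId:      inChannelId,
		NotInTeamId:      notInTeamId,
		NotInChannelId:   notInChannelId,
		GroupConstrained: groupConstrainedBool,
		WithoutTeam:      withoutTeamBool,
		Active:           activeBool,
		Inactive:         inactiveBool,
		Role:             role,
		Sort:             sortBy,
		Page:             c.Params.Page,
		PerPage:          c.Params.PerPage,
		ViewRestrictions: nil,
	}

	var appErr *model.AppError
	var profiles []*model.User
	etag := ""

	switch {
	case withoutTeamBool:
		profiles, appErr = c.App.GetUsersWithoutTeamPage(userGetOptions, c.IsSystemAdmin())
	case notInChannelId != "":
		profiles, appErr = c.App.GetUsersNotInChannelPage(inTeamId, notInChannelId, groupConstrainedBool, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin(), nil)
	case notInTeamId != "":
		// NOTE(review): the ETag is derived from in_team while the page is
		// fetched for not_in_team; confirm this is intended, since a stale
		// ETag can turn into an incorrect 304 for the not_in_team listing.
		etag = c.App.GetUsersNotInTeamEtag(inTeamId, "")
		if c.HandleEtag(etag, "Get Users Not in Team", w, r) {
			return
		}
		profiles, appErr = c.App.GetUsersNotInTeamPage(notInTeamId, groupConstrainedBool, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin(), nil)
	case inTeamId != "":
		switch sortBy {
		case "last_activity_at":
			profiles, appErr = c.App.GetRecentlyActiveUsersForTeamPage(inTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin(), nil)
		case "create_at":
			profiles, appErr = c.App.GetNewUsersForTeamPage(inTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin(), nil)
		default:
			etag = c.App.GetUsersInTeamEtag(inTeamId, "")
			if c.HandleEtag(etag, "Get Users in Team", w, r) {
				return
			}
			profiles, appErr = c.App.GetUsersInTeamPage(userGetOptions, c.IsSystemAdmin())
		}
	case inChannelId != "":
		if sortBy == "status" {
			profiles, appErr = c.App.GetUsersInChannelPageByStatus(userGetOptions, c.IsSystemAdmin())
		} else {
			profiles, appErr = c.App.GetUsersInChannelPage(userGetOptions, c.IsSystemAdmin())
		}
	default:
		profiles, appErr = c.App.GetUsersPage(userGetOptions, c.IsSystemAdmin())
	}

	if appErr != nil {
		c.Err = appErr
		return
	}

	if etag != "" {
		w.Header().Set(model.HEADER_ETAG_SERVER, etag)
	}
	w.Write([]byte(model.UserListToJson(profiles)))
}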
   148  
// localGetUsersByIds serves POST /users/ids for the local API. The request
// body is a JSON array of user IDs; an empty array is rejected as an invalid
// "user_ids" parameter. The optional "since" query parameter must parse as a
// base-10 int64 (it is passed through as UserGetByIdsOpts.Since) or the
// request is rejected as an invalid "since" parameter. The matching users are
// written as a JSON list.
func localGetUsersByIds(c *Context, w http.ResponseWriter, r *http.Request) {
	ids := model.ArrayFromJson(r.Body)
	if len(ids) == 0 {
		c.SetInvalidParam("user_ids")
		return
	}

	opts := &store.UserGetByIdsOpts{IsAdmin: c.IsSystemAdmin()}
	if raw := r.URL.Query().Get("since"); raw != "" {
		since, parseErr := strconv.ParseInt(raw, 10, 64)
		if parseErr != nil {
			c.SetInvalidParam("since")
			return
		}
		opts.Since = since
	}

	users, appErr := c.App.GetUsersByIds(ids, opts)
	if appErr != nil {
		c.Err = appErr
		return
	}
	w.Write([]byte(model.UserListToJson(users)))
}
   180  
// localGetUser serves GET /users/{user_id} for the local API. It validates the
// path parameter, loads the user, attaches the user's terms-of-service
// acceptance when one exists, and answers with the user as JSON together with
// an ETag. A matching If-None-Match is short-circuited by c.HandleEtag. The
// profile is passed through c.App.SanitizeProfile before it is written.
func localGetUser(c *Context, w http.ResponseWriter, r *http.Request) {
	if c.RequireUserId(); c.Err != nil {
		return
	}

	user, appErr := c.App.GetUser(c.Params.UserId)
	if appErr != nil {
		c.Err = appErr
		return
	}

	// A 404 from the terms-of-service lookup is not a failure: the user has
	// simply not accepted any terms, and the fields stay at their zero value.
	tos, tosErr := c.App.GetUserTermsOfService(user.Id)
	if tosErr != nil && tosErr.StatusCode != http.StatusNotFound {
		c.Err = tosErr
		return
	}
	if tos != nil {
		user.TermsOfServiceId = tos.TermsOfServiceId
		user.TermsOfServiceCreateAt = tos.CreateAt
	}

	// The ETag depends on the privacy settings because they decide which
	// fields (full name, e-mail) end up in the response.
	privacy := c.App.Config().PrivacySettings
	etag := user.Etag(*privacy.ShowFullName, *privacy.ShowEmailAddress)
	if c.HandleEtag(etag, "Get User", w, r) {
		return
	}

	c.App.SanitizeProfile(user, c.IsSystemAdmin())
	w.Header().Set(model.HEADER_ETAG_SERVER, etag)
	w.Write([]byte(user.ToJson()))
}
   214  
// localDeleteUser serves DELETE /users/{user_id} for the local API. With the
// "permanent" parameter set the user is permanently deleted; otherwise the
// account is deactivated via UpdateActive(false). Every attempt is audited:
// the record starts as audit.Fail and is flipped to success only after the
// operation completed, so each early return is logged as a failed attempt.
func localDeleteUser(c *Context, w http.ResponseWriter, r *http.Request) {
	if c.RequireUserId(); c.Err != nil {
		return
	}

	auditRec := c.MakeAuditRecord("localDeleteUser", audit.Fail)
	defer c.LogAuditRec(auditRec)

	user, appErr := c.App.GetUser(c.Params.UserId)
	if appErr != nil {
		c.Err = appErr
		return
	}
	// Record which account was targeted before attempting the change.
	auditRec.AddMeta("user", user)

	switch {
	case c.Params.Permanent:
		appErr = c.App.PermanentDeleteUser(c.AppContext, user)
	default:
		_, appErr = c.App.UpdateActive(c.AppContext, user, false)
	}
	if appErr != nil {
		c.Err = appErr
		return
	}

	auditRec.Success()
	ReturnStatusOK(w)
}
   246  
// localPermanentDeleteAllUsers serves DELETE /users for the local API and
// permanently deletes every user. It is registered only through api.ApiLocal
// in InitUserLocal. The attempt is audited as a failure until
// PermanentDeleteAllUsers returns without error.
func localPermanentDeleteAllUsers(c *Context, w http.ResponseWriter, r *http.Request) {
	auditRec := c.MakeAuditRecord("localPermanentDeleteAllUsers", audit.Fail)
	defer c.LogAuditRec(auditRec)

	appErr := c.App.PermanentDeleteAllUsers(c.AppContext)
	if appErr != nil {
		c.Err = appErr
		return
	}

	auditRec.Success()
	ReturnStatusOK(w)
}
   259  
// localGetUserByUsername serves GET /users/username/{username} for the local
// API. Apart from the lookup key it behaves like localGetUser: the user's
// terms-of-service acceptance is attached when present, an ETag is computed
// from the privacy settings and honoured via c.HandleEtag, and the profile
// is passed through c.App.SanitizeProfile before being written as JSON.
func localGetUserByUsername(c *Context, w http.ResponseWriter, r *http.Request) {
	if c.RequireUsername(); c.Err != nil {
		return
	}

	user, appErr := c.App.GetUserByUsername(c.Params.Username)
	if appErr != nil {
		c.Err = appErr
		return
	}

	// A 404 here only means no terms have been accepted; it is not an error.
	tos, tosErr := c.App.GetUserTermsOfService(user.Id)
	if tosErr != nil && tosErr.StatusCode != http.StatusNotFound {
		c.Err = tosErr
		return
	}
	if tos != nil {
		user.TermsOfServiceId = tos.TermsOfServiceId
		user.TermsOfServiceCreateAt = tos.CreateAt
	}

	privacy := c.App.Config().PrivacySettings
	etag := user.Etag(*privacy.ShowFullName, *privacy.ShowEmailAddress)
	if c.HandleEtag(etag, "Get User", w, r) {
		return
	}

	c.App.SanitizeProfile(user, c.IsSystemAdmin())
	w.Header().Set(model.HEADER_ETAG_SERVER, etag)
	w.Write([]byte(user.ToJson()))
}
   293  
// localGetUserByEmail serves GET /users/email/{email} for the local API.
// The address is normalised by c.SanitizeEmail; the lookup is then only
// allowed when the caller's sanitize options permit seeing e-mail addresses
// at all (otherwise a 403 is returned), because a lookup keyed on an address
// would otherwise act as an oracle for which addresses are registered.
// Unlike localGetUser, no terms-of-service data is attached. The result is
// sanitized and written as JSON with an ETag.
func localGetUserByEmail(c *Context, w http.ResponseWriter, r *http.Request) {
	if c.SanitizeEmail(); c.Err != nil {
		return
	}

	if allowed := c.App.GetSanitizeOptions(c.IsSystemAdmin()); !allowed["email"] {
		c.Err = model.NewAppError("getUserByEmail", "api.user.get_user_by_email.permissions.app_error", nil, "userId="+c.AppContext.Session().UserId, http.StatusForbidden)
		return
	}

	user, appErr := c.App.GetUserByEmail(c.Params.Email)
	if appErr != nil {
		c.Err = appErr
		return
	}

	privacy := c.App.Config().PrivacySettings
	etag := user.Etag(*privacy.ShowFullName, *privacy.ShowEmailAddress)
	if c.HandleEtag(etag, "Get User", w, r) {
		return
	}

	c.App.SanitizeProfile(user, c.IsSystemAdmin())
	w.Header().Set(model.HEADER_ETAG_SERVER, etag)
	w.Write([]byte(user.ToJson()))
}
   322  
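// localGetUploadsForUser serves GET /users/{user_id}/uploads for the local
// API and writes the user's upload sessions as a JSON array.
func localGetUploadsForUser(c *Context, w http.ResponseWriter, r *http.Request) {
	// Validate the path parameter first, as the other per-user handlers in
	// this file (localGetUser, localDeleteUser) do, so a malformed user_id is
	// rejected by RequireUserId before any store access with it.
	c.RequireUserId()
	if c.Err != nil {
		return
	}

	uss, err := c.App.GetUploadSessionsForUser(c.Params.UserId)
	if err != nil {
		c.Err = err
		return
	}

	w.Write([]byte(model.UploadSessionsToJson(uss)))
}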