github.com/nhannv/mattermost-server@v5.11.1+incompatible/api4/user.go (about) 1 // Copyright (c) 2017-present Mattermost, Inc. All Rights Reserved. 2 // See License.txt for license information. 3 4 package api4 5 6 import ( 7 "fmt" 8 "io" 9 "io/ioutil" 10 "net/http" 11 "strconv" 12 "time" 13 14 "github.com/mattermost/mattermost-server/app" 15 "github.com/mattermost/mattermost-server/mlog" 16 "github.com/mattermost/mattermost-server/model" 17 ) 18 19 func (api *API) InitUser() { 20 api.BaseRoutes.Users.Handle("", api.ApiHandler(createUser)).Methods("POST") 21 api.BaseRoutes.Users.Handle("", api.ApiSessionRequired(getUsers)).Methods("GET") 22 api.BaseRoutes.Users.Handle("/ids", api.ApiSessionRequired(getUsersByIds)).Methods("POST") 23 api.BaseRoutes.Users.Handle("/usernames", api.ApiSessionRequired(getUsersByNames)).Methods("POST") 24 api.BaseRoutes.Users.Handle("/search", api.ApiSessionRequired(searchUsers)).Methods("POST") 25 api.BaseRoutes.Users.Handle("/autocomplete", api.ApiSessionRequired(autocompleteUsers)).Methods("GET") 26 api.BaseRoutes.Users.Handle("/stats", api.ApiSessionRequired(getTotalUsersStats)).Methods("GET") 27 28 api.BaseRoutes.User.Handle("", api.ApiSessionRequired(getUser)).Methods("GET") 29 api.BaseRoutes.User.Handle("/image/default", api.ApiSessionRequiredTrustRequester(getDefaultProfileImage)).Methods("GET") 30 api.BaseRoutes.User.Handle("/image", api.ApiSessionRequiredTrustRequester(getProfileImage)).Methods("GET") 31 api.BaseRoutes.User.Handle("/image", api.ApiSessionRequired(setProfileImage)).Methods("POST") 32 api.BaseRoutes.User.Handle("/image", api.ApiSessionRequired(setDefaultProfileImage)).Methods("DELETE") 33 api.BaseRoutes.User.Handle("", api.ApiSessionRequired(updateUser)).Methods("PUT") 34 api.BaseRoutes.User.Handle("/patch", api.ApiSessionRequired(patchUser)).Methods("PUT") 35 api.BaseRoutes.User.Handle("", api.ApiSessionRequired(deleteUser)).Methods("DELETE") 36 api.BaseRoutes.User.Handle("/roles", api.ApiSessionRequired(updateUserRoles)).Methods("PUT") 37 api.BaseRoutes.User.Handle("/active", api.ApiSessionRequired(updateUserActive)).Methods("PUT") 38 api.BaseRoutes.User.Handle("/password", api.ApiSessionRequired(updatePassword)).Methods("PUT") 39 api.BaseRoutes.Users.Handle("/password/reset", api.ApiHandler(resetPassword)).Methods("POST") 40 api.BaseRoutes.Users.Handle("/password/reset/send", api.ApiHandler(sendPasswordReset)).Methods("POST") 41 api.BaseRoutes.Users.Handle("/email/verify", api.ApiHandler(verifyUserEmail)).Methods("POST") 42 api.BaseRoutes.Users.Handle("/email/verify/send", api.ApiHandler(sendVerificationEmail)).Methods("POST") 43 api.BaseRoutes.User.Handle("/terms_of_service", api.ApiSessionRequired(saveUserTermsOfService)).Methods("POST") 44 api.BaseRoutes.User.Handle("/terms_of_service", api.ApiSessionRequired(getUserTermsOfService)).Methods("GET") 45 46 api.BaseRoutes.User.Handle("/auth", api.ApiSessionRequiredTrustRequester(updateUserAuth)).Methods("PUT") 47 48 api.BaseRoutes.Users.Handle("/mfa", api.ApiHandler(checkUserMfa)).Methods("POST") 49 api.BaseRoutes.User.Handle("/mfa", api.ApiSessionRequiredMfa(updateUserMfa)).Methods("PUT") 50 api.BaseRoutes.User.Handle("/mfa/generate", api.ApiSessionRequiredMfa(generateMfaSecret)).Methods("POST") 51 52 api.BaseRoutes.Users.Handle("/login", api.ApiHandler(login)).Methods("POST") 53 api.BaseRoutes.Users.Handle("/login/switch", api.ApiHandler(switchAccountType)).Methods("POST") 54 api.BaseRoutes.Users.Handle("/logout", api.ApiHandler(logout)).Methods("POST") 55 56 api.BaseRoutes.UserByUsername.Handle("", api.ApiSessionRequired(getUserByUsername)).Methods("GET") 57 api.BaseRoutes.UserByEmail.Handle("", api.ApiSessionRequired(getUserByEmail)).Methods("GET") 58 59 api.BaseRoutes.User.Handle("/sessions", api.ApiSessionRequired(getSessions)).Methods("GET") 60 api.BaseRoutes.User.Handle("/sessions/revoke", api.ApiSessionRequired(revokeSession)).Methods("POST") 61 api.BaseRoutes.User.Handle("/sessions/revoke/all", api.ApiSessionRequired(revokeAllSessionsForUser)).Methods("POST") 62 api.BaseRoutes.Users.Handle("/sessions/device", api.ApiSessionRequired(attachDeviceId)).Methods("PUT") 63 api.BaseRoutes.User.Handle("/audits", api.ApiSessionRequired(getUserAudits)).Methods("GET") 64 65 api.BaseRoutes.User.Handle("/tokens", api.ApiSessionRequired(createUserAccessToken)).Methods("POST") 66 api.BaseRoutes.User.Handle("/tokens", api.ApiSessionRequired(getUserAccessTokensForUser)).Methods("GET") 67 api.BaseRoutes.Users.Handle("/tokens", api.ApiSessionRequired(getUserAccessTokens)).Methods("GET") 68 api.BaseRoutes.Users.Handle("/tokens/search", api.ApiSessionRequired(searchUserAccessTokens)).Methods("POST") 69 api.BaseRoutes.Users.Handle("/tokens/{token_id:[A-Za-z0-9]+}", api.ApiSessionRequired(getUserAccessToken)).Methods("GET") 70 api.BaseRoutes.Users.Handle("/tokens/revoke", api.ApiSessionRequired(revokeUserAccessToken)).Methods("POST") 71 api.BaseRoutes.Users.Handle("/tokens/disable", api.ApiSessionRequired(disableUserAccessToken)).Methods("POST") 72 api.BaseRoutes.Users.Handle("/tokens/enable", api.ApiSessionRequired(enableUserAccessToken)).Methods("POST") 73 } 74 75 func createUser(c *Context, w http.ResponseWriter, r *http.Request) { 76 user := model.UserFromJson(r.Body) 77 if user == nil { 78 c.SetInvalidParam("user") 79 return 80 } 81 82 tokenId := r.URL.Query().Get("t") 83 inviteId := r.URL.Query().Get("iid") 84 85 // No permission check required 86 87 var ruser *model.User 88 var err *model.AppError 89 if len(tokenId) > 0 { 90 ruser, err = c.App.CreateUserWithToken(user, tokenId) 91 } else if len(inviteId) > 0 { 92 ruser, err = c.App.CreateUserWithInviteId(user, inviteId) 93 } else if c.IsSystemAdmin() { 94 ruser, err = c.App.CreateUserAsAdmin(user) 95 } else { 96 ruser, err = c.App.CreateUserFromSignup(user) 97 } 98 99 if err != nil { 100 c.Err = err 101 return 102 } 103 104 w.WriteHeader(http.StatusCreated) 105 w.Write([]byte(ruser.ToJson())) 106 } 107 108 func getUser(c *Context, w http.ResponseWriter, r *http.Request) { 109 c.RequireUserId() 110 if c.Err != nil { 111 return 112 } 113 114 // No permission check required 115 116 user, err := c.App.GetUser(c.Params.UserId) 117 if err != nil { 118 c.Err = err 119 return 120 } 121 122 if c.IsSystemAdmin() || c.App.Session.UserId == user.Id { 123 userTermsOfService, err := c.App.GetUserTermsOfService(user.Id) 124 if err != nil && err.StatusCode != http.StatusNotFound { 125 c.Err = err 126 return 127 } 128 129 if userTermsOfService != nil { 130 user.TermsOfServiceId = userTermsOfService.TermsOfServiceId 131 user.TermsOfServiceCreateAt = userTermsOfService.CreateAt 132 } 133 } 134 135 etag := user.Etag(*c.App.Config().PrivacySettings.ShowFullName, *c.App.Config().PrivacySettings.ShowEmailAddress) 136 137 if c.HandleEtag(etag, "Get User", w, r) { 138 return 139 } 140 141 if c.App.Session.UserId == user.Id { 142 user.Sanitize(map[string]bool{}) 143 } else { 144 c.App.SanitizeProfile(user, c.IsSystemAdmin()) 145 } 146 c.App.UpdateLastActivityAtIfNeeded(c.App.Session) 147 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 148 w.Write([]byte(user.ToJson())) 149 } 150 151 func getUserByUsername(c *Context, w http.ResponseWriter, r *http.Request) { 152 c.RequireUsername() 153 if c.Err != nil { 154 return 155 } 156 157 // No permission check required 158 159 user, err := c.App.GetUserByUsername(c.Params.Username) 160 if err != nil { 161 c.Err = err 162 return 163 } 164 165 if c.IsSystemAdmin() || c.App.Session.UserId == user.Id { 166 userTermsOfService, err := c.App.GetUserTermsOfService(user.Id) 167 if err != nil && err.StatusCode != http.StatusNotFound { 168 c.Err = err 169 return 170 } 171 172 if userTermsOfService != nil { 173 user.TermsOfServiceId = userTermsOfService.TermsOfServiceId 174 user.TermsOfServiceCreateAt = userTermsOfService.CreateAt 175 } 176 } 177 178 etag := user.Etag(*c.App.Config().PrivacySettings.ShowFullName, *c.App.Config().PrivacySettings.ShowEmailAddress) 179 180 if c.HandleEtag(etag, "Get User", w, r) { 181 return 182 } 183 184 if c.App.Session.UserId == user.Id { 185 user.Sanitize(map[string]bool{}) 186 } else { 187 c.App.SanitizeProfile(user, c.IsSystemAdmin()) 188 } 189 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 190 w.Write([]byte(user.ToJson())) 191 } 192 193 func getUserByEmail(c *Context, w http.ResponseWriter, r *http.Request) { 194 c.RequireEmail() 195 if c.Err != nil { 196 return 197 } 198 199 // No permission check required, but still prevent users who can't see another user's email address from using this 200 201 sanitizeOptions := c.App.GetSanitizeOptions(c.IsSystemAdmin()) 202 if !sanitizeOptions["email"] { 203 c.Err = model.NewAppError("getUserByEmail", "api.user.get_user_by_email.permissions.app_error", nil, "userId="+c.App.Session.UserId, http.StatusForbidden) 204 return 205 } 206 207 user, err := c.App.GetUserByEmail(c.Params.Email) 208 if err != nil { 209 c.Err = err 210 return 211 } 212 213 etag := user.Etag(*c.App.Config().PrivacySettings.ShowFullName, *c.App.Config().PrivacySettings.ShowEmailAddress) 214 215 if c.HandleEtag(etag, "Get User", w, r) { 216 return 217 } 218 219 c.App.SanitizeProfile(user, c.IsSystemAdmin()) 220 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 221 w.Write([]byte(user.ToJson())) 222 } 223 224 func getDefaultProfileImage(c *Context, w http.ResponseWriter, r *http.Request) { 225 c.RequireUserId() 226 if c.Err != nil { 227 return 228 } 229 230 users, err := c.App.GetUsersByIds([]string{c.Params.UserId}, c.IsSystemAdmin()) 231 if err != nil { 232 c.Err = err 233 return 234 } 235 236 if len(users) == 0 { 237 c.Err = model.NewAppError("getProfileImage", "api.user.get_profile_image.not_found.app_error", nil, "", http.StatusNotFound) 238 return 239 } 240 241 user := users[0] 242 img, err := c.App.GetDefaultProfileImage(user) 243 if err != nil { 244 c.Err = err 245 return 246 } 247 248 w.Header().Set("Cache-Control", fmt.Sprintf("max-age=%v, public", 24*60*60)) // 24 hrs 249 w.Header().Set("Content-Type", "image/png") 250 w.Write(img) 251 } 252 253 func getProfileImage(c *Context, w http.ResponseWriter, r *http.Request) { 254 c.RequireUserId() 255 if c.Err != nil { 256 return 257 } 258 259 users, err := c.App.GetUsersByIds([]string{c.Params.UserId}, c.IsSystemAdmin()) 260 if err != nil { 261 c.Err = err 262 return 263 } 264 265 if len(users) == 0 { 266 c.Err = model.NewAppError("getProfileImage", "api.user.get_profile_image.not_found.app_error", nil, "", http.StatusNotFound) 267 return 268 } 269 270 user := users[0] 271 etag := strconv.FormatInt(user.LastPictureUpdate, 10) 272 if c.HandleEtag(etag, "Get Profile Image", w, r) { 273 return 274 } 275 276 img, readFailed, err := c.App.GetProfileImage(user) 277 if err != nil { 278 c.Err = err 279 return 280 } 281 282 if readFailed { 283 w.Header().Set("Cache-Control", fmt.Sprintf("max-age=%v, public", 5*60)) // 5 mins 284 } else { 285 w.Header().Set("Cache-Control", fmt.Sprintf("max-age=%v, public", 24*60*60)) // 24 hrs 286 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 287 } 288 289 w.Header().Set("Content-Type", "image/png") 290 w.Write(img) 291 } 292 293 func setProfileImage(c *Context, w http.ResponseWriter, r *http.Request) { 294 defer io.Copy(ioutil.Discard, r.Body) 295 296 c.RequireUserId() 297 if c.Err != nil { 298 return 299 } 300 301 if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) { 302 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 303 return 304 } 305 306 if len(*c.App.Config().FileSettings.DriverName) == 0 { 307 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.storage.app_error", nil, "", http.StatusNotImplemented) 308 return 309 } 310 311 if r.ContentLength > *c.App.Config().FileSettings.MaxFileSize { 312 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.too_large.app_error", nil, "", http.StatusRequestEntityTooLarge) 313 return 314 } 315 316 if err := r.ParseMultipartForm(*c.App.Config().FileSettings.MaxFileSize); err != nil { 317 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.parse.app_error", nil, err.Error(), http.StatusInternalServerError) 318 return 319 } 320 321 m := r.MultipartForm 322 imageArray, ok := m.File["image"] 323 if !ok { 324 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.no_file.app_error", nil, "", http.StatusBadRequest) 325 return 326 } 327 328 if len(imageArray) <= 0 { 329 c.Err = model.NewAppError("uploadProfileImage", "api.user.upload_profile_user.array.app_error", nil, "", http.StatusBadRequest) 330 return 331 } 332 333 imageData := imageArray[0] 334 if err := c.App.SetProfileImage(c.Params.UserId, imageData); err != nil { 335 c.Err = err 336 return 337 } 338 339 c.LogAudit("") 340 ReturnStatusOK(w) 341 } 342 343 func setDefaultProfileImage(c *Context, w http.ResponseWriter, r *http.Request) { 344 c.RequireUserId() 345 if c.Err != nil { 346 return 347 } 348 349 if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) { 350 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 351 return 352 } 353 354 if len(*c.App.Config().FileSettings.DriverName) == 0 { 355 c.Err = model.NewAppError("setDefaultProfileImage", "api.user.upload_profile_user.storage.app_error", nil, "", http.StatusNotImplemented) 356 return 357 } 358 359 user, err := c.App.GetUser(c.Params.UserId) 360 if err != nil { 361 c.Err = err 362 return 363 } 364 365 if err := c.App.SetDefaultProfileImage(user); err != nil { 366 c.Err = err 367 return 368 } 369 370 c.LogAudit("") 371 ReturnStatusOK(w) 372 } 373 374 func getTotalUsersStats(c *Context, w http.ResponseWriter, r *http.Request) { 375 if c.Err != nil { 376 return 377 } 378 379 stats, err := c.App.GetTotalUsersStats() 380 if err != nil { 381 c.Err = err 382 return 383 } 384 385 w.Write([]byte(stats.ToJson())) 386 } 387 388 func getUsers(c *Context, w http.ResponseWriter, r *http.Request) { 389 inTeamId := r.URL.Query().Get("in_team") 390 notInTeamId := r.URL.Query().Get("not_in_team") 391 inChannelId := r.URL.Query().Get("in_channel") 392 notInChannelId := r.URL.Query().Get("not_in_channel") 393 withoutTeam := r.URL.Query().Get("without_team") 394 inactive := r.URL.Query().Get("inactive") 395 role := r.URL.Query().Get("role") 396 sort := r.URL.Query().Get("sort") 397 398 if len(notInChannelId) > 0 && len(inTeamId) == 0 { 399 c.SetInvalidUrlParam("team_id") 400 return 401 } 402 403 if sort != "" && sort != "last_activity_at" && sort != "create_at" && sort != "status" { 404 c.SetInvalidUrlParam("sort") 405 return 406 } 407 408 // Currently only supports sorting on a team 409 // or sort="status" on inChannelId 410 if (sort == "last_activity_at" || sort == "create_at") && (inTeamId == "" || notInTeamId != "" || inChannelId != "" || notInChannelId != "" || withoutTeam != "") { 411 c.SetInvalidUrlParam("sort") 412 return 413 } 414 if sort == "status" && inChannelId == "" { 415 c.SetInvalidUrlParam("sort") 416 return 417 } 418 419 withoutTeamBool, _ := strconv.ParseBool(withoutTeam) 420 inactiveBool, _ := strconv.ParseBool(inactive) 421 422 userGetOptions := &model.UserGetOptions{ 423 InTeamId: inTeamId, 424 InChannelId: inChannelId, 425 NotInTeamId: notInTeamId, 426 NotInChannelId: notInChannelId, 427 WithoutTeam: withoutTeamBool, 428 Inactive: inactiveBool, 429 Role: role, 430 Sort: sort, 431 Page: c.Params.Page, 432 PerPage: c.Params.PerPage, 433 } 434 435 var profiles []*model.User 436 var err *model.AppError 437 etag := "" 438 439 if withoutTeamBool, _ := strconv.ParseBool(withoutTeam); withoutTeamBool { 440 // Use a special permission for now 441 if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_LIST_USERS_WITHOUT_TEAM) { 442 c.SetPermissionError(model.PERMISSION_LIST_USERS_WITHOUT_TEAM) 443 return 444 } 445 446 profiles, err = c.App.GetUsersWithoutTeamPage(c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 447 } else if len(notInChannelId) > 0 { 448 if !c.App.SessionHasPermissionToChannel(c.App.Session, notInChannelId, model.PERMISSION_READ_CHANNEL) { 449 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 450 return 451 } 452 453 profiles, err = c.App.GetUsersNotInChannelPage(inTeamId, notInChannelId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 454 } else if len(notInTeamId) > 0 { 455 if !c.App.SessionHasPermissionToTeam(c.App.Session, notInTeamId, model.PERMISSION_VIEW_TEAM) { 456 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 457 return 458 } 459 460 etag = c.App.GetUsersNotInTeamEtag(inTeamId) 461 if c.HandleEtag(etag, "Get Users Not in Team", w, r) { 462 return 463 } 464 465 profiles, err = c.App.GetUsersNotInTeamPage(notInTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 466 } else if len(inTeamId) > 0 { 467 if !c.App.SessionHasPermissionToTeam(c.App.Session, inTeamId, model.PERMISSION_VIEW_TEAM) { 468 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 469 return 470 } 471 472 if sort == "last_activity_at" { 473 profiles, err = c.App.GetRecentlyActiveUsersForTeamPage(inTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 474 } else if sort == "create_at" { 475 profiles, err = c.App.GetNewUsersForTeamPage(inTeamId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 476 } else { 477 etag = c.App.GetUsersInTeamEtag(inTeamId) 478 if c.HandleEtag(etag, "Get Users in Team", w, r) { 479 return 480 } 481 profiles, err = c.App.GetUsersInTeamPage(userGetOptions, c.IsSystemAdmin()) 482 } 483 } else if len(inChannelId) > 0 { 484 if !c.App.SessionHasPermissionToChannel(c.App.Session, inChannelId, model.PERMISSION_READ_CHANNEL) { 485 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 486 return 487 } 488 if sort == "status" { 489 profiles, err = c.App.GetUsersInChannelPageByStatus(inChannelId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 490 } else { 491 profiles, err = c.App.GetUsersInChannelPage(inChannelId, c.Params.Page, c.Params.PerPage, c.IsSystemAdmin()) 492 } 493 } else { 494 // No permission check required 495 496 etag = c.App.GetUsersEtag() 497 if c.HandleEtag(etag, "Get Users", w, r) { 498 return 499 } 500 profiles, err = c.App.GetUsersPage(userGetOptions, c.IsSystemAdmin()) 501 } 502 503 if err != nil { 504 c.Err = err 505 return 506 } 507 508 if len(etag) > 0 { 509 w.Header().Set(model.HEADER_ETAG_SERVER, etag) 510 } 511 c.App.UpdateLastActivityAtIfNeeded(c.App.Session) 512 w.Write([]byte(model.UserListToJson(profiles))) 513 } 514 515 func getUsersByIds(c *Context, w http.ResponseWriter, r *http.Request) { 516 userIds := model.ArrayFromJson(r.Body) 517 518 if len(userIds) == 0 { 519 c.SetInvalidParam("user_ids") 520 return 521 } 522 523 // No permission check required 524 525 users, err := c.App.GetUsersByIds(userIds, c.IsSystemAdmin()) 526 if err != nil { 527 c.Err = err 528 return 529 } 530 531 w.Write([]byte(model.UserListToJson(users))) 532 } 533 534 func getUsersByNames(c *Context, w http.ResponseWriter, r *http.Request) { 535 usernames := model.ArrayFromJson(r.Body) 536 537 if len(usernames) == 0 { 538 c.SetInvalidParam("usernames") 539 return 540 } 541 542 // No permission check required 543 544 users, err := c.App.GetUsersByUsernames(usernames, c.IsSystemAdmin()) 545 if err != nil { 546 c.Err = err 547 return 548 } 549 550 w.Write([]byte(model.UserListToJson(users))) 551 } 552 553 func searchUsers(c *Context, w http.ResponseWriter, r *http.Request) { 554 props := model.UserSearchFromJson(r.Body) 555 if props == nil { 556 c.SetInvalidParam("") 557 return 558 } 559 560 if len(props.Term) == 0 { 561 c.SetInvalidParam("term") 562 return 563 } 564 565 if props.TeamId == "" && props.NotInChannelId != "" { 566 c.SetInvalidParam("team_id") 567 return 568 } 569 570 if props.InChannelId != "" && !c.App.SessionHasPermissionToChannel(c.App.Session, props.InChannelId, model.PERMISSION_READ_CHANNEL) { 571 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 572 return 573 } 574 575 if props.NotInChannelId != "" && !c.App.SessionHasPermissionToChannel(c.App.Session, props.NotInChannelId, model.PERMISSION_READ_CHANNEL) { 576 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 577 return 578 } 579 580 if props.TeamId != "" && !c.App.SessionHasPermissionToTeam(c.App.Session, props.TeamId, model.PERMISSION_VIEW_TEAM) { 581 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 582 return 583 } 584 585 if props.NotInTeamId != "" && !c.App.SessionHasPermissionToTeam(c.App.Session, props.NotInTeamId, model.PERMISSION_VIEW_TEAM) { 586 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 587 return 588 } 589 590 if props.Limit <= 0 || props.Limit > model.USER_SEARCH_MAX_LIMIT { 591 c.SetInvalidParam("limit") 592 return 593 } 594 595 options := &model.UserSearchOptions{ 596 IsAdmin: c.IsSystemAdmin(), 597 AllowInactive: props.AllowInactive, 598 Limit: props.Limit, 599 Role: props.Role, 600 } 601 602 if c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_SYSTEM) { 603 options.AllowEmails = true 604 options.AllowFullNames = true 605 } else { 606 options.AllowEmails = *c.App.Config().PrivacySettings.ShowEmailAddress 607 options.AllowFullNames = *c.App.Config().PrivacySettings.ShowFullName 608 } 609 610 profiles, err := c.App.SearchUsers(props, options) 611 if err != nil { 612 c.Err = err 613 return 614 } 615 616 w.Write([]byte(model.UserListToJson(profiles))) 617 } 618 619 func autocompleteUsers(c *Context, w http.ResponseWriter, r *http.Request) { 620 channelId := r.URL.Query().Get("in_channel") 621 teamId := r.URL.Query().Get("in_team") 622 name := r.URL.Query().Get("name") 623 limitStr := r.URL.Query().Get("limit") 624 limit, _ := strconv.Atoi(limitStr) 625 if limitStr == "" { 626 limit = model.USER_SEARCH_DEFAULT_LIMIT 627 } else if limit > model.USER_SEARCH_MAX_LIMIT { 628 limit = model.USER_SEARCH_MAX_LIMIT 629 } 630 631 options := &model.UserSearchOptions{ 632 IsAdmin: c.IsSystemAdmin(), 633 // Never autocomplete on emails. 634 AllowEmails: false, 635 Limit: limit, 636 } 637 638 if c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_SYSTEM) { 639 options.AllowFullNames = true 640 } else { 641 options.AllowFullNames = *c.App.Config().PrivacySettings.ShowFullName 642 } 643 644 if len(channelId) > 0 { 645 if !c.App.SessionHasPermissionToChannel(c.App.Session, channelId, model.PERMISSION_READ_CHANNEL) { 646 c.SetPermissionError(model.PERMISSION_READ_CHANNEL) 647 return 648 } 649 } 650 651 if len(teamId) > 0 { 652 if !c.App.SessionHasPermissionToTeam(c.App.Session, teamId, model.PERMISSION_VIEW_TEAM) { 653 c.SetPermissionError(model.PERMISSION_VIEW_TEAM) 654 return 655 } 656 } 657 658 var autocomplete model.UserAutocomplete 659 660 if len(channelId) > 0 { 661 // Applying the provided teamId here is useful for DMs and GMs which don't belong 662 // to a team. Applying it when the channel does belong to a team makes less sense, 663 // but the permissions are checked above regardless. 664 result, err := c.App.AutocompleteUsersInChannel(teamId, channelId, name, options) 665 if err != nil { 666 c.Err = err 667 return 668 } 669 670 autocomplete.Users = result.InChannel 671 autocomplete.OutOfChannel = result.OutOfChannel 672 } else if len(teamId) > 0 { 673 result, err := c.App.AutocompleteUsersInTeam(teamId, name, options) 674 if err != nil { 675 c.Err = err 676 return 677 } 678 679 autocomplete.Users = result.InTeam 680 } else { 681 // No permission check required 682 result, err := c.App.SearchUsersInTeam("", name, options) 683 if err != nil { 684 c.Err = err 685 return 686 } 687 autocomplete.Users = result 688 } 689 690 w.Write([]byte((autocomplete.ToJson()))) 691 } 692 693 func updateUser(c *Context, w http.ResponseWriter, r *http.Request) { 694 c.RequireUserId() 695 if c.Err != nil { 696 return 697 } 698 699 user := model.UserFromJson(r.Body) 700 if user == nil { 701 c.SetInvalidParam("user") 702 return 703 } 704 705 // The user being updated in the payload must be the same one as indicated in the URL. 706 if user.Id != c.Params.UserId { 707 c.SetInvalidParam("user_id") 708 return 709 } 710 711 if !c.App.SessionHasPermissionToUser(c.App.Session, user.Id) { 712 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 713 return 714 } 715 716 ouser, err := c.App.GetUser(user.Id) 717 if err != nil { 718 c.Err = err 719 return 720 } 721 722 if c.App.Session.IsOAuth { 723 if ouser.Email != user.Email { 724 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 725 c.Err.DetailedError += ", attempted email update by oauth app" 726 return 727 } 728 } 729 730 // If eMail update is attempted by the currently logged in user, check if correct password was provided 731 if user.Email != "" && ouser.Email != user.Email && c.App.Session.UserId == c.Params.UserId { 732 err = c.App.DoubleCheckPassword(ouser, user.Password) 733 if err != nil { 734 c.SetInvalidParam("password") 735 return 736 } 737 } 738 739 ruser, err := c.App.UpdateUserAsUser(user, c.IsSystemAdmin()) 740 if err != nil { 741 c.Err = err 742 return 743 } 744 745 c.LogAudit("") 746 w.Write([]byte(ruser.ToJson())) 747 } 748 749 func patchUser(c *Context, w http.ResponseWriter, r *http.Request) { 750 c.RequireUserId() 751 if c.Err != nil { 752 return 753 } 754 755 patch := model.UserPatchFromJson(r.Body) 756 if patch == nil { 757 c.SetInvalidParam("user") 758 return 759 } 760 761 if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) { 762 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 763 return 764 } 765 766 ouser, err := c.App.GetUser(c.Params.UserId) 767 if err != nil { 768 c.SetInvalidParam("user_id") 769 return 770 } 771 772 if c.App.Session.IsOAuth && patch.Email != nil { 773 if err != nil { 774 c.Err = err 775 return 776 } 777 778 if ouser.Email != *patch.Email { 779 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 780 c.Err.DetailedError += ", attempted email update by oauth app" 781 return 782 } 783 } 784 785 // If eMail update is attempted by the currently logged in user, check if correct password was provided 786 if patch.Email != nil && ouser.Email != *patch.Email && c.App.Session.UserId == c.Params.UserId { 787 if patch.Password == nil { 788 c.SetInvalidParam("password") 789 return 790 } 791 792 if err = c.App.DoubleCheckPassword(ouser, *patch.Password); err != nil { 793 c.Err = err 794 return 795 } 796 } 797 798 ruser, err := c.App.PatchUser(c.Params.UserId, patch, c.IsSystemAdmin()) 799 if err != nil { 800 c.Err = err 801 return 802 } 803 804 c.App.SetAutoResponderStatus(ruser, ouser.NotifyProps) 805 c.LogAudit("") 806 w.Write([]byte(ruser.ToJson())) 807 } 808 809 func deleteUser(c *Context, w http.ResponseWriter, r *http.Request) { 810 c.RequireUserId() 811 if c.Err != nil { 812 return 813 } 814 815 userId := c.Params.UserId 816 817 if !c.App.SessionHasPermissionToUser(c.App.Session, userId) { 818 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 819 return 820 } 821 822 // if EnableUserDeactivation flag is disabled the user cannot deactivate himself. 823 if c.Params.UserId == c.App.Session.UserId && !*c.App.Config().TeamSettings.EnableUserDeactivation && !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_SYSTEM) { 824 c.Err = model.NewAppError("deleteUser", "api.user.update_active.not_enable.app_error", nil, "userId="+c.Params.UserId, http.StatusUnauthorized) 825 return 826 } 827 828 user, err := c.App.GetUser(userId) 829 if err != nil { 830 c.Err = err 831 return 832 } 833 834 if _, err = c.App.UpdateActive(user, false); err != nil { 835 c.Err = err 836 return 837 } 838 839 ReturnStatusOK(w) 840 } 841 842 func updateUserRoles(c *Context, w http.ResponseWriter, r *http.Request) { 843 c.RequireUserId() 844 if c.Err != nil { 845 return 846 } 847 848 props := model.MapFromJson(r.Body) 849 850 newRoles := props["roles"] 851 if !model.IsValidUserRoles(newRoles) { 852 c.SetInvalidParam("roles") 853 return 854 } 855 856 if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_ROLES) { 857 c.SetPermissionError(model.PERMISSION_MANAGE_ROLES) 858 return 859 } 860 861 if _, err := c.App.UpdateUserRoles(c.Params.UserId, newRoles, true); err != nil { 862 c.Err = err 863 return 864 } 865 866 c.LogAudit(fmt.Sprintf("user=%s roles=%s", c.Params.UserId, newRoles)) 867 ReturnStatusOK(w) 868 } 869 870 func updateUserActive(c *Context, w http.ResponseWriter, r *http.Request) { 871 c.RequireUserId() 872 if c.Err != nil { 873 return 874 } 875 876 props := model.StringInterfaceFromJson(r.Body) 877 878 active, ok := props["active"].(bool) 879 if !ok { 880 c.SetInvalidParam("active") 881 return 882 } 883 884 // true when you're trying to de-activate yourself 885 isSelfDeactive := !active && c.Params.UserId == c.App.Session.UserId 886 887 if !isSelfDeactive && !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_SYSTEM) { 888 c.Err = model.NewAppError("updateUserActive", "api.user.update_active.permissions.app_error", nil, "userId="+c.Params.UserId, http.StatusForbidden) 889 return 890 } 891 892 // if EnableUserDeactivation flag is disabled the user cannot deactivate himself. 893 if isSelfDeactive && !*c.App.Config().TeamSettings.EnableUserDeactivation { 894 c.Err = model.NewAppError("updateUserActive", "api.user.update_active.not_enable.app_error", nil, "userId="+c.Params.UserId, http.StatusUnauthorized) 895 return 896 } 897 898 user, err := c.App.GetUser(c.Params.UserId) 899 if err != nil { 900 c.Err = err 901 return 902 } 903 904 if _, err = c.App.UpdateActive(user, active); err != nil { 905 c.Err = err 906 } 907 908 c.LogAudit(fmt.Sprintf("user_id=%s active=%v", user.Id, active)) 909 if isSelfDeactive { 910 c.App.Srv.Go(func() { 911 if err = c.App.SendDeactivateAccountEmail(user.Email, user.Locale, c.App.GetSiteURL()); err != nil { 912 mlog.Error(err.Error()) 913 } 914 }) 915 } 916 ReturnStatusOK(w) 917 } 918 919 func updateUserAuth(c *Context, w http.ResponseWriter, r *http.Request) { 920 if !c.IsSystemAdmin() { 921 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 922 return 923 } 924 925 c.RequireUserId() 926 if c.Err != nil { 927 return 928 } 929 930 userAuth := model.UserAuthFromJson(r.Body) 931 if userAuth == nil { 932 c.SetInvalidParam("user") 933 return 934 } 935 936 user, err := c.App.UpdateUserAuth(c.Params.UserId, userAuth) 937 if err != nil { 938 c.Err = err 939 return 940 } 941 942 c.LogAudit(fmt.Sprintf("updated user %s auth to service=%v", c.Params.UserId, user.AuthService)) 943 w.Write([]byte(user.ToJson())) 944 } 945 946 // Deprecated: checkUserMfa is deprecated and should not be used anymore, starting with version 6.0 it will be disabled. 947 // Clients should attempt a login without MFA and will receive a MFA error when it's required. 948 func checkUserMfa(c *Context, w http.ResponseWriter, r *http.Request) { 949 950 if *c.App.Config().ServiceSettings.DisableLegacyMFA { 951 http.NotFound(w, r) 952 return 953 } 954 955 props := model.MapFromJson(r.Body) 956 957 loginId := props["login_id"] 958 if len(loginId) == 0 { 959 c.SetInvalidParam("login_id") 960 return 961 } 962 963 resp := map[string]interface{}{} 964 resp["mfa_required"] = false 965 966 if !*c.App.Config().ServiceSettings.EnableMultifactorAuthentication { 967 w.Write([]byte(model.StringInterfaceToJson(resp))) 968 return 969 } 970 971 if *c.App.Config().ServiceSettings.ExperimentalEnableHardenedMode { 972 resp["mfa_required"] = true 973 } else if user, err := c.App.GetUserForLogin("", loginId); err == nil { 974 resp["mfa_required"] = user.MfaActive 975 } 976 977 w.Write([]byte(model.StringInterfaceToJson(resp))) 978 } 979 980 func updateUserMfa(c *Context, w http.ResponseWriter, r *http.Request) { 981 c.RequireUserId() 982 if c.Err != nil { 983 return 984 } 985 986 if c.App.Session.IsOAuth { 987 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 988 c.Err.DetailedError += ", attempted access by oauth app" 989 return 990 } 991 992 if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) { 993 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 994 return 995 } 996 997 props := model.StringInterfaceFromJson(r.Body) 998 activate, ok := props["activate"].(bool) 999 if !ok { 1000 c.SetInvalidParam("activate") 1001 return 1002 } 1003 1004 code := "" 1005 if activate { 1006 code, ok = props["code"].(string) 1007 if !ok || len(code) == 0 { 1008 c.SetInvalidParam("code") 1009 return 1010 } 1011 } 1012 1013 c.LogAudit("attempt") 1014 1015 if err := c.App.UpdateMfa(activate, c.Params.UserId, code); err != nil { 1016 c.Err = err 1017 return 1018 } 1019 1020 c.LogAudit("success - mfa updated") 1021 ReturnStatusOK(w) 1022 } 1023 1024 func generateMfaSecret(c *Context, w http.ResponseWriter, r *http.Request) { 1025 c.RequireUserId() 1026 if c.Err != nil { 1027 return 1028 } 1029 1030 if c.App.Session.IsOAuth { 1031 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1032 c.Err.DetailedError += ", attempted access by oauth app" 1033 return 1034 } 1035 1036 if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) { 1037 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1038 return 1039 } 1040 1041 secret, err := c.App.GenerateMfaSecret(c.Params.UserId) 1042 if err != nil { 1043 c.Err = err 1044 return 1045 } 1046 1047 w.Header().Set("Cache-Control", "no-cache") 1048 w.Header().Set("Pragma", "no-cache") 1049 w.Header().Set("Expires", "0") 1050 w.Write([]byte(secret.ToJson())) 1051 } 1052 1053 func updatePassword(c *Context, w http.ResponseWriter, r *http.Request) { 1054 c.RequireUserId() 1055 if c.Err != nil { 1056 return 1057 } 1058 1059 props := model.MapFromJson(r.Body) 1060 newPassword := props["new_password"] 1061 1062 c.LogAudit("attempted") 1063 1064 var err *model.AppError 1065 if c.Params.UserId == c.App.Session.UserId { 1066 currentPassword := props["current_password"] 1067 if len(currentPassword) <= 0 { 1068 c.SetInvalidParam("current_password") 1069 return 1070 } 1071 1072 err = c.App.UpdatePasswordAsUser(c.Params.UserId, currentPassword, newPassword) 1073 } else if c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_SYSTEM) { 1074 err = c.App.UpdatePasswordByUserIdSendEmail(c.Params.UserId, newPassword, c.App.T("api.user.reset_password.method")) 1075 } else { 1076 err = model.NewAppError("updatePassword", "api.user.update_password.context.app_error", nil, "", http.StatusForbidden) 1077 } 1078 1079 if err != nil { 1080 c.LogAudit("failed") 1081 c.Err = err 1082 return 1083 } 1084 1085 c.LogAudit("completed") 1086 ReturnStatusOK(w) 1087 } 1088 1089 func resetPassword(c *Context, w http.ResponseWriter, r *http.Request) { 1090 props := model.MapFromJson(r.Body) 1091 1092 token := props["token"] 1093 if len(token) != model.TOKEN_SIZE { 1094 c.SetInvalidParam("token") 1095 return 1096 } 1097 1098 newPassword := props["new_password"] 1099 1100 c.LogAudit("attempt - token=" + token) 1101 1102 if err := c.App.ResetPasswordFromToken(token, newPassword); err != nil { 1103 c.LogAudit("fail - token=" + token) 1104 c.Err = err 1105 return 1106 } 1107 1108 c.LogAudit("success - token=" + token) 1109 1110 ReturnStatusOK(w) 1111 } 1112 1113 func sendPasswordReset(c *Context, w http.ResponseWriter, r *http.Request) { 1114 props := model.MapFromJson(r.Body) 1115 1116 email := props["email"] 1117 if len(email) == 0 { 1118 c.SetInvalidParam("email") 1119 return 1120 } 1121 1122 sent, err := c.App.SendPasswordReset(email, c.App.GetSiteURL()) 1123 if err != nil { 1124 if *c.App.Config().ServiceSettings.ExperimentalEnableHardenedMode { 1125 ReturnStatusOK(w) 1126 } else { 1127 c.Err = err 1128 } 1129 return 1130 } 1131 1132 if sent { 1133 c.LogAudit("sent=" + email) 1134 } 1135 1136 ReturnStatusOK(w) 1137 } 1138 1139 func login(c *Context, w http.ResponseWriter, r *http.Request) { 1140 // For hardened mode, translate all login errors to generic. MFA error being an exception, since it's required for 1141 // the login flow itself. 1142 defer func() { 1143 if *c.App.Config().ServiceSettings.ExperimentalEnableHardenedMode && c.Err != nil && c.Err.Id != "mfa.validate_token.authenticate.app_error" { 1144 c.Err = model.NewAppError("login", "api.user.login.invalid_credentials", nil, "", http.StatusUnauthorized) 1145 } 1146 }() 1147 1148 props := model.MapFromJson(r.Body) 1149 1150 id := props["id"] 1151 loginId := props["login_id"] 1152 password := props["password"] 1153 mfaToken := props["token"] 1154 deviceId := props["device_id"] 1155 ldapOnly := props["ldap_only"] == "true" 1156 1157 if *c.App.Config().ExperimentalSettings.ClientSideCertEnable { 1158 if license := c.App.License(); license == nil || !*license.Features.SAML { 1159 c.Err = model.NewAppError("ClientSideCertNotAllowed", "api.user.login.client_side_cert.license.app_error", nil, "", http.StatusBadRequest) 1160 return 1161 } 1162 certPem, certSubject, certEmail := c.App.CheckForClientSideCert(r) 1163 mlog.Debug("Client Cert", mlog.String("cert_subject", certSubject), mlog.String("cert_email", certEmail)) 1164 1165 if len(certPem) == 0 || len(certEmail) == 0 { 1166 c.Err = model.NewAppError("ClientSideCertMissing", "api.user.login.client_side_cert.certificate.app_error", nil, "", http.StatusBadRequest) 1167 return 1168 } 1169 1170 if *c.App.Config().ExperimentalSettings.ClientSideCertCheck == model.CLIENT_SIDE_CERT_CHECK_PRIMARY_AUTH { 1171 loginId = certEmail 1172 password = "certificate" 1173 } 1174 } 1175 1176 c.LogAuditWithUserId(id, "attempt - login_id="+loginId) 1177 user, err := c.App.AuthenticateUserForLogin(id, loginId, password, mfaToken, ldapOnly) 1178 1179 if err != nil { 1180 c.LogAuditWithUserId(id, "failure - login_id="+loginId) 1181 c.Err = err 1182 return 1183 } 1184 1185 c.LogAuditWithUserId(user.Id, "authenticated") 1186 1187 session, err := c.App.DoLogin(w, r, user, deviceId) 1188 if err != nil { 1189 c.Err = err 1190 return 1191 } 1192 1193 c.LogAuditWithUserId(user.Id, "success") 1194 1195 if r.Header.Get(model.HEADER_REQUESTED_WITH) == model.HEADER_REQUESTED_WITH_XML { 1196 c.App.AttachSessionCookies(w, r, session) 1197 } 1198 1199 userTermsOfService, err := c.App.GetUserTermsOfService(user.Id) 1200 if err != nil && err.StatusCode != http.StatusNotFound { 1201 c.Err = err 1202 return 1203 } 1204 1205 if userTermsOfService != nil { 1206 user.TermsOfServiceId = userTermsOfService.TermsOfServiceId 1207 user.TermsOfServiceCreateAt = userTermsOfService.CreateAt 1208 } 1209 1210 c.App.Session = *session 1211 1212 user.Sanitize(map[string]bool{}) 1213 1214 w.Write([]byte(user.ToJson())) 1215 } 1216 1217 func logout(c *Context, w http.ResponseWriter, r *http.Request) { 1218 Logout(c, w, r) 1219 } 1220 1221 func Logout(c *Context, w http.ResponseWriter, r *http.Request) { 1222 c.LogAudit("") 1223 c.RemoveSessionCookie(w, r) 1224 if c.App.Session.Id != "" { 1225 if err := c.App.RevokeSessionById(c.App.Session.Id); err != nil { 1226 c.Err = err 1227 return 1228 } 1229 } 1230 1231 ReturnStatusOK(w) 1232 } 1233 1234 func getSessions(c *Context, w http.ResponseWriter, r *http.Request) { 1235 c.RequireUserId() 1236 if c.Err != nil { 1237 return 1238 } 1239 1240 if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) { 1241 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1242 return 1243 } 1244 1245 sessions, err := c.App.GetSessions(c.Params.UserId) 1246 if err != nil { 1247 c.Err = err 1248 return 1249 } 1250 1251 for _, session := range sessions { 1252 session.Sanitize() 1253 } 1254 1255 w.Write([]byte(model.SessionsToJson(sessions))) 1256 } 1257 1258 func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) { 1259 c.RequireUserId() 1260 if c.Err != nil { 1261 return 1262 } 1263 1264 if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) { 1265 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1266 return 1267 } 1268 1269 props := model.MapFromJson(r.Body) 1270 sessionId := props["session_id"] 1271 if sessionId == "" { 1272 c.SetInvalidParam("session_id") 1273 return 1274 } 1275 1276 session, err := c.App.GetSessionById(sessionId) 1277 if err != nil { 1278 c.Err = err 1279 return 1280 } 1281 1282 if session.UserId != c.Params.UserId { 1283 c.SetInvalidUrlParam("user_id") 1284 return 1285 } 1286 1287 if err := c.App.RevokeSession(session); err != nil { 1288 c.Err = err 1289 return 1290 } 1291 1292 ReturnStatusOK(w) 1293 } 1294 1295 func revokeAllSessionsForUser(c *Context, w http.ResponseWriter, r *http.Request) { 1296 c.RequireUserId() 1297 if c.Err != nil { 1298 return 1299 } 1300 1301 if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) { 1302 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1303 return 1304 } 1305 1306 if err := c.App.RevokeAllSessions(c.Params.UserId); err != nil { 1307 c.Err = err 1308 return 1309 } 1310 1311 ReturnStatusOK(w) 1312 } 1313 1314 func attachDeviceId(c *Context, w http.ResponseWriter, r *http.Request) { 1315 props := model.MapFromJson(r.Body) 1316 1317 deviceId := props["device_id"] 1318 if len(deviceId) == 0 { 1319 c.SetInvalidParam("device_id") 1320 return 1321 } 1322 1323 // A special case where we logout of all other sessions with the same device id 1324 if err := c.App.RevokeSessionsForDeviceId(c.App.Session.UserId, deviceId, c.App.Session.Id); err != nil { 1325 c.Err = err 1326 return 1327 } 1328 1329 c.App.ClearSessionCacheForUser(c.App.Session.UserId) 1330 c.App.Session.SetExpireInDays(*c.App.Config().ServiceSettings.SessionLengthMobileInDays) 1331 1332 maxAge := *c.App.Config().ServiceSettings.SessionLengthMobileInDays * 60 * 60 * 24 1333 1334 secure := false 1335 if app.GetProtocol(r) == "https" { 1336 secure = true 1337 } 1338 1339 expiresAt := time.Unix(model.GetMillis()/1000+int64(maxAge), 0) 1340 sessionCookie := &http.Cookie{ 1341 Name: model.SESSION_COOKIE_TOKEN, 1342 Value: c.App.Session.Token, 1343 Path: "/", 1344 MaxAge: maxAge, 1345 Expires: expiresAt, 1346 HttpOnly: true, 1347 Domain: c.App.GetCookieDomain(), 1348 Secure: secure, 1349 } 1350 1351 http.SetCookie(w, sessionCookie) 1352 1353 if err := c.App.AttachDeviceId(c.App.Session.Id, deviceId, c.App.Session.ExpiresAt); err != nil { 1354 c.Err = err 1355 return 1356 } 1357 1358 c.LogAudit("") 1359 ReturnStatusOK(w) 1360 } 1361 1362 func getUserAudits(c *Context, w http.ResponseWriter, r *http.Request) { 1363 c.RequireUserId() 1364 if c.Err != nil { 1365 return 1366 } 1367 1368 if !c.App.SessionHasPermissionToUser(c.App.Session, c.Params.UserId) { 1369 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1370 return 1371 } 1372 1373 audits, err := c.App.GetAuditsPage(c.Params.UserId, c.Params.Page, c.Params.PerPage) 1374 if err != nil { 1375 c.Err = err 1376 return 1377 } 1378 1379 w.Write([]byte(audits.ToJson())) 1380 } 1381 1382 func verifyUserEmail(c *Context, w http.ResponseWriter, r *http.Request) { 1383 props := model.MapFromJson(r.Body) 1384 1385 token := props["token"] 1386 if len(token) != model.TOKEN_SIZE { 1387 c.SetInvalidParam("token") 1388 return 1389 } 1390 1391 if err := c.App.VerifyEmailFromToken(token); err != nil { 1392 c.Err = model.NewAppError("verifyUserEmail", "api.user.verify_email.bad_link.app_error", nil, err.Error(), http.StatusBadRequest) 1393 return 1394 } 1395 1396 c.LogAudit("Email Verified") 1397 ReturnStatusOK(w) 1398 } 1399 1400 func sendVerificationEmail(c *Context, w http.ResponseWriter, r *http.Request) { 1401 props := model.MapFromJson(r.Body) 1402 1403 email := props["email"] 1404 if len(email) == 0 { 1405 c.SetInvalidParam("email") 1406 return 1407 } 1408 1409 user, err := c.App.GetUserForLogin("", email) 1410 if err != nil { 1411 // Don't want to leak whether the email is valid or not 1412 ReturnStatusOK(w) 1413 return 1414 } 1415 1416 if err = c.App.SendEmailVerification(user, user.Email); err != nil { 1417 // Don't want to leak whether the email is valid or not 1418 mlog.Error(err.Error()) 1419 ReturnStatusOK(w) 1420 return 1421 } 1422 1423 ReturnStatusOK(w) 1424 } 1425 1426 func switchAccountType(c *Context, w http.ResponseWriter, r *http.Request) { 1427 switchRequest := model.SwitchRequestFromJson(r.Body) 1428 if switchRequest == nil { 1429 c.SetInvalidParam("switch_request") 1430 return 1431 } 1432 1433 link := "" 1434 var err *model.AppError 1435 1436 if switchRequest.EmailToOAuth() { 1437 link, err = c.App.SwitchEmailToOAuth(w, r, switchRequest.Email, switchRequest.Password, switchRequest.MfaCode, switchRequest.NewService) 1438 } else if switchRequest.OAuthToEmail() { 1439 c.SessionRequired() 1440 if c.Err != nil { 1441 return 1442 } 1443 1444 link, err = c.App.SwitchOAuthToEmail(switchRequest.Email, switchRequest.NewPassword, c.App.Session.UserId) 1445 } else if switchRequest.EmailToLdap() { 1446 link, err = c.App.SwitchEmailToLdap(switchRequest.Email, switchRequest.Password, switchRequest.MfaCode, switchRequest.LdapLoginId, switchRequest.NewPassword) 1447 } else if switchRequest.LdapToEmail() { 1448 link, err = c.App.SwitchLdapToEmail(switchRequest.Password, switchRequest.MfaCode, switchRequest.Email, switchRequest.NewPassword) 1449 } else { 1450 c.SetInvalidParam("switch_request") 1451 return 1452 } 1453 1454 if err != nil { 1455 c.Err = err 1456 return 1457 } 1458 1459 c.LogAudit("success") 1460 w.Write([]byte(model.MapToJson(map[string]string{"follow_link": link}))) 1461 } 1462 1463 func createUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1464 c.RequireUserId() 1465 if c.Err != nil { 1466 return 1467 } 1468 1469 if c.App.Session.IsOAuth { 1470 c.SetPermissionError(model.PERMISSION_CREATE_USER_ACCESS_TOKEN) 1471 c.Err.DetailedError += ", attempted access by oauth app" 1472 return 1473 } 1474 1475 accessToken := model.UserAccessTokenFromJson(r.Body) 1476 if accessToken == nil { 1477 c.SetInvalidParam("user_access_token") 1478 return 1479 } 1480 1481 if accessToken.Description == "" { 1482 c.SetInvalidParam("description") 1483 return 1484 } 1485 1486 c.LogAudit("") 1487 1488 if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_CREATE_USER_ACCESS_TOKEN) { 1489 c.SetPermissionError(model.PERMISSION_CREATE_USER_ACCESS_TOKEN) 1490 return 1491 } 1492 1493 if !c.App.SessionHasPermissionToUserOrBot(c.App.Session, c.Params.UserId) { 1494 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1495 return 1496 } 1497 1498 accessToken.UserId = c.Params.UserId 1499 accessToken.Token = "" 1500 1501 accessToken, err := c.App.CreateUserAccessToken(accessToken) 1502 if err != nil { 1503 c.Err = err 1504 return 1505 } 1506 1507 c.LogAudit("success - token_id=" + accessToken.Id) 1508 w.Write([]byte(accessToken.ToJson())) 1509 } 1510 1511 func searchUserAccessTokens(c *Context, w http.ResponseWriter, r *http.Request) { 1512 if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_SYSTEM) { 1513 c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) 1514 return 1515 } 1516 props := model.UserAccessTokenSearchFromJson(r.Body) 1517 if props == nil { 1518 c.SetInvalidParam("user_access_token_search") 1519 return 1520 } 1521 1522 if len(props.Term) == 0 { 1523 c.SetInvalidParam("term") 1524 return 1525 } 1526 1527 accessTokens, err := c.App.SearchUserAccessTokens(props.Term) 1528 if err != nil { 1529 c.Err = err 1530 return 1531 } 1532 1533 w.Write([]byte(model.UserAccessTokenListToJson(accessTokens))) 1534 } 1535 1536 func getUserAccessTokens(c *Context, w http.ResponseWriter, r *http.Request) { 1537 if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_MANAGE_SYSTEM) { 1538 c.SetPermissionError(model.PERMISSION_MANAGE_SYSTEM) 1539 return 1540 } 1541 1542 accessTokens, err := c.App.GetUserAccessTokens(c.Params.Page, c.Params.PerPage) 1543 if err != nil { 1544 c.Err = err 1545 return 1546 } 1547 1548 w.Write([]byte(model.UserAccessTokenListToJson(accessTokens))) 1549 } 1550 1551 func getUserAccessTokensForUser(c *Context, w http.ResponseWriter, r *http.Request) { 1552 c.RequireUserId() 1553 if c.Err != nil { 1554 return 1555 } 1556 1557 if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_READ_USER_ACCESS_TOKEN) { 1558 c.SetPermissionError(model.PERMISSION_READ_USER_ACCESS_TOKEN) 1559 return 1560 } 1561 1562 if !c.App.SessionHasPermissionToUserOrBot(c.App.Session, c.Params.UserId) { 1563 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1564 return 1565 } 1566 1567 accessTokens, err := c.App.GetUserAccessTokensForUser(c.Params.UserId, c.Params.Page, c.Params.PerPage) 1568 if err != nil { 1569 c.Err = err 1570 return 1571 } 1572 1573 w.Write([]byte(model.UserAccessTokenListToJson(accessTokens))) 1574 } 1575 1576 func getUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1577 c.RequireTokenId() 1578 if c.Err != nil { 1579 return 1580 } 1581 1582 if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_READ_USER_ACCESS_TOKEN) { 1583 c.SetPermissionError(model.PERMISSION_READ_USER_ACCESS_TOKEN) 1584 return 1585 } 1586 1587 accessToken, err := c.App.GetUserAccessToken(c.Params.TokenId, true) 1588 if err != nil { 1589 c.Err = err 1590 return 1591 } 1592 1593 if !c.App.SessionHasPermissionToUserOrBot(c.App.Session, accessToken.UserId) { 1594 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1595 return 1596 } 1597 1598 w.Write([]byte(accessToken.ToJson())) 1599 } 1600 1601 func revokeUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1602 props := model.MapFromJson(r.Body) 1603 1604 tokenId := props["token_id"] 1605 if tokenId == "" { 1606 c.SetInvalidParam("token_id") 1607 } 1608 1609 c.LogAudit("") 1610 1611 if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) { 1612 c.SetPermissionError(model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) 1613 return 1614 } 1615 1616 accessToken, err := c.App.GetUserAccessToken(tokenId, false) 1617 if err != nil { 1618 c.Err = err 1619 return 1620 } 1621 1622 if !c.App.SessionHasPermissionToUserOrBot(c.App.Session, accessToken.UserId) { 1623 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1624 return 1625 } 1626 1627 if err = c.App.RevokeUserAccessToken(accessToken); err != nil { 1628 c.Err = err 1629 return 1630 } 1631 1632 c.LogAudit("success - token_id=" + accessToken.Id) 1633 ReturnStatusOK(w) 1634 } 1635 1636 func disableUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1637 props := model.MapFromJson(r.Body) 1638 tokenId := props["token_id"] 1639 1640 if tokenId == "" { 1641 c.SetInvalidParam("token_id") 1642 } 1643 1644 c.LogAudit("") 1645 1646 // No separate permission for this action for now 1647 if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) { 1648 c.SetPermissionError(model.PERMISSION_REVOKE_USER_ACCESS_TOKEN) 1649 return 1650 } 1651 1652 accessToken, err := c.App.GetUserAccessToken(tokenId, false) 1653 if err != nil { 1654 c.Err = err 1655 return 1656 } 1657 1658 if !c.App.SessionHasPermissionToUserOrBot(c.App.Session, accessToken.UserId) { 1659 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1660 return 1661 } 1662 1663 if err = c.App.DisableUserAccessToken(accessToken); err != nil { 1664 c.Err = err 1665 return 1666 } 1667 1668 c.LogAudit("success - token_id=" + accessToken.Id) 1669 ReturnStatusOK(w) 1670 } 1671 1672 func enableUserAccessToken(c *Context, w http.ResponseWriter, r *http.Request) { 1673 props := model.MapFromJson(r.Body) 1674 1675 tokenId := props["token_id"] 1676 if tokenId == "" { 1677 c.SetInvalidParam("token_id") 1678 } 1679 1680 c.LogAudit("") 1681 1682 // No separate permission for this action for now 1683 if !c.App.SessionHasPermissionTo(c.App.Session, model.PERMISSION_CREATE_USER_ACCESS_TOKEN) { 1684 c.SetPermissionError(model.PERMISSION_CREATE_USER_ACCESS_TOKEN) 1685 return 1686 } 1687 1688 accessToken, err := c.App.GetUserAccessToken(tokenId, false) 1689 if err != nil { 1690 c.Err = err 1691 return 1692 } 1693 1694 if !c.App.SessionHasPermissionToUserOrBot(c.App.Session, accessToken.UserId) { 1695 c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) 1696 return 1697 } 1698 1699 if err = c.App.EnableUserAccessToken(accessToken); err != nil { 1700 c.Err = err 1701 return 1702 } 1703 1704 c.LogAudit("success - token_id=" + accessToken.Id) 1705 ReturnStatusOK(w) 1706 } 1707 1708 func saveUserTermsOfService(c *Context, w http.ResponseWriter, r *http.Request) { 1709 props := model.StringInterfaceFromJson(r.Body) 1710 1711 userId := c.App.Session.UserId 1712 termsOfServiceId := props["termsOfServiceId"].(string) 1713 accepted := props["accepted"].(bool) 1714 1715 if _, err := c.App.GetTermsOfService(termsOfServiceId); err != nil { 1716 c.Err = err 1717 return 1718 } 1719 1720 if err := c.App.SaveUserTermsOfService(userId, termsOfServiceId, accepted); err != nil { 1721 c.Err = err 1722 return 1723 } 1724 1725 c.LogAudit("TermsOfServiceId=" + termsOfServiceId + ", accepted=" + strconv.FormatBool(accepted)) 1726 ReturnStatusOK(w) 1727 } 1728 1729 func getUserTermsOfService(c *Context, w http.ResponseWriter, r *http.Request) { 1730 userId := c.App.Session.UserId 1731 result, err := c.App.GetUserTermsOfService(userId) 1732 if err != nil { 1733 c.Err = err 1734 return 1735 } 1736 w.Write([]byte(result.ToJson())) 1737 }