github.com/spline-fu/mattermost-server@v4.10.10+incompatible/app/user.go (about)

     1  // Copyright (c) 2016-present Mattermost, Inc. All Rights Reserved.
     2  // See License.txt for license information.
     3  
     4  package app
     5  
     6  import (
     7  	"bytes"
     8  	b64 "encoding/base64"
     9  	"fmt"
    10  	"hash/fnv"
    11  	"image"
    12  	"image/color"
    13  	"image/draw"
    14  	_ "image/gif"
    15  	_ "image/jpeg"
    16  	"image/png"
    17  	"io"
    18  	"io/ioutil"
    19  	"mime/multipart"
    20  	"net/http"
    21  	"path/filepath"
    22  	"strconv"
    23  	"strings"
    24  
    25  	"github.com/disintegration/imaging"
    26  	"github.com/golang/freetype"
    27  	"github.com/mattermost/mattermost-server/einterfaces"
    28  	"github.com/mattermost/mattermost-server/mlog"
    29  	"github.com/mattermost/mattermost-server/model"
    30  	"github.com/mattermost/mattermost-server/store"
    31  	"github.com/mattermost/mattermost-server/utils"
    32  )
    33  
    34  const (
    35  	TOKEN_TYPE_PASSWORD_RECOVERY  = "password_recovery"
    36  	TOKEN_TYPE_VERIFY_EMAIL       = "verify_email"
    37  	TOKEN_TYPE_TEAM_INVITATION    = "team_invitation"
    38  	PASSWORD_RECOVER_EXPIRY_TIME  = 1000 * 60 * 60      // 1 hour
    39  	TEAM_INVITATION_EXPIRY_TIME   = 1000 * 60 * 60 * 48 // 48 hours
    40  	IMAGE_PROFILE_PIXEL_DIMENSION = 128
    41  )
    42  
    43  func (a *App) CreateUserWithToken(user *model.User, tokenId string) (*model.User, *model.AppError) {
    44  	if err := a.IsUserSignUpAllowed(); err != nil {
    45  		return nil, err
    46  	}
    47  
    48  	result := <-a.Srv.Store.Token().GetByToken(tokenId)
    49  	if result.Err != nil {
    50  		return nil, model.NewAppError("CreateUserWithToken", "api.user.create_user.signup_link_invalid.app_error", nil, result.Err.Error(), http.StatusBadRequest)
    51  	}
    52  
    53  	token := result.Data.(*model.Token)
    54  	if token.Type != TOKEN_TYPE_TEAM_INVITATION {
    55  		return nil, model.NewAppError("CreateUserWithToken", "api.user.create_user.signup_link_invalid.app_error", nil, "", http.StatusBadRequest)
    56  	}
    57  
    58  	if model.GetMillis()-token.CreateAt >= TEAM_INVITATION_EXPIRY_TIME {
    59  		a.DeleteToken(token)
    60  		return nil, model.NewAppError("CreateUserWithToken", "api.user.create_user.signup_link_expired.app_error", nil, "", http.StatusBadRequest)
    61  	}
    62  
    63  	tokenData := model.MapFromJson(strings.NewReader(token.Extra))
    64  
    65  	var team *model.Team
    66  	if result := <-a.Srv.Store.Team().Get(tokenData["teamId"]); result.Err != nil {
    67  		return nil, result.Err
    68  	} else {
    69  		team = result.Data.(*model.Team)
    70  	}
    71  
    72  	user.Email = tokenData["email"]
    73  	user.EmailVerified = true
    74  
    75  	var ruser *model.User
    76  	var err *model.AppError
    77  	if ruser, err = a.CreateUser(user); err != nil {
    78  		return nil, err
    79  	}
    80  
    81  	if err := a.JoinUserToTeam(team, ruser, ""); err != nil {
    82  		return nil, err
    83  	}
    84  
    85  	a.AddDirectChannels(team.Id, ruser)
    86  
    87  	if err := a.DeleteToken(token); err != nil {
    88  		return nil, err
    89  	}
    90  
    91  	return ruser, nil
    92  }
    93  
    94  func (a *App) CreateUserWithInviteId(user *model.User, inviteId string) (*model.User, *model.AppError) {
    95  	if err := a.IsUserSignUpAllowed(); err != nil {
    96  		return nil, err
    97  	}
    98  
    99  	var team *model.Team
   100  	if result := <-a.Srv.Store.Team().GetByInviteId(inviteId); result.Err != nil {
   101  		return nil, result.Err
   102  	} else {
   103  		team = result.Data.(*model.Team)
   104  	}
   105  
   106  	user.EmailVerified = false
   107  
   108  	var ruser *model.User
   109  	var err *model.AppError
   110  	if ruser, err = a.CreateUser(user); err != nil {
   111  		return nil, err
   112  	}
   113  
   114  	if err := a.JoinUserToTeam(team, ruser, ""); err != nil {
   115  		return nil, err
   116  	}
   117  
   118  	a.AddDirectChannels(team.Id, ruser)
   119  
   120  	if err := a.SendWelcomeEmail(ruser.Id, ruser.Email, ruser.EmailVerified, ruser.Locale, a.GetSiteURL()); err != nil {
   121  		mlog.Error(err.Error())
   122  	}
   123  
   124  	return ruser, nil
   125  }
   126  
   127  func (a *App) CreateUserAsAdmin(user *model.User) (*model.User, *model.AppError) {
   128  	ruser, err := a.CreateUser(user)
   129  	if err != nil {
   130  		return nil, err
   131  	}
   132  
   133  	if err := a.SendWelcomeEmail(ruser.Id, ruser.Email, ruser.EmailVerified, ruser.Locale, a.GetSiteURL()); err != nil {
   134  		mlog.Error(err.Error())
   135  	}
   136  
   137  	return ruser, nil
   138  }
   139  
   140  func (a *App) CreateUserFromSignup(user *model.User) (*model.User, *model.AppError) {
   141  	if err := a.IsUserSignUpAllowed(); err != nil {
   142  		return nil, err
   143  	}
   144  
   145  	if !a.IsFirstUserAccount() && !*a.Config().TeamSettings.EnableOpenServer {
   146  		err := model.NewAppError("CreateUserFromSignup", "api.user.create_user.no_open_server", nil, "email="+user.Email, http.StatusForbidden)
   147  		return nil, err
   148  	}
   149  
   150  	user.EmailVerified = false
   151  
   152  	ruser, err := a.CreateUser(user)
   153  	if err != nil {
   154  		return nil, err
   155  	}
   156  
   157  	if err := a.SendWelcomeEmail(ruser.Id, ruser.Email, ruser.EmailVerified, ruser.Locale, a.GetSiteURL()); err != nil {
   158  		mlog.Error(err.Error())
   159  	}
   160  
   161  	return ruser, nil
   162  }
   163  
   164  func (a *App) IsUserSignUpAllowed() *model.AppError {
   165  	if !a.Config().EmailSettings.EnableSignUpWithEmail || !a.Config().TeamSettings.EnableUserCreation {
   166  		err := model.NewAppError("IsUserSignUpAllowed", "api.user.create_user.signup_email_disabled.app_error", nil, "", http.StatusNotImplemented)
   167  		return err
   168  	}
   169  	return nil
   170  }
   171  
   172  func (a *App) IsFirstUserAccount() bool {
   173  	if a.SessionCacheLength() == 0 {
   174  		if cr := <-a.Srv.Store.User().GetTotalUsersCount(); cr.Err != nil {
   175  			mlog.Error(fmt.Sprint(cr.Err))
   176  			return false
   177  		} else {
   178  			count := cr.Data.(int64)
   179  			if count <= 0 {
   180  				return true
   181  			}
   182  		}
   183  	}
   184  
   185  	return false
   186  }
   187  
   188  func (a *App) CreateUser(user *model.User) (*model.User, *model.AppError) {
   189  	if !user.IsLDAPUser() && !user.IsSAMLUser() && !CheckUserDomain(user, a.Config().TeamSettings.RestrictCreationToDomains) {
   190  		return nil, model.NewAppError("CreateUser", "api.user.create_user.accepted_domain.app_error", nil, "", http.StatusBadRequest)
   191  	}
   192  
   193  	user.Roles = model.SYSTEM_USER_ROLE_ID
   194  
   195  	// Below is a special case where the first user in the entire
   196  	// system is granted the system_admin role
   197  	if result := <-a.Srv.Store.User().GetTotalUsersCount(); result.Err != nil {
   198  		return nil, result.Err
   199  	} else {
   200  		count := result.Data.(int64)
   201  		if count <= 0 {
   202  			user.Roles = model.SYSTEM_ADMIN_ROLE_ID + " " + model.SYSTEM_USER_ROLE_ID
   203  		}
   204  	}
   205  
   206  	if _, ok := utils.GetSupportedLocales()[user.Locale]; !ok {
   207  		user.Locale = *a.Config().LocalizationSettings.DefaultClientLocale
   208  	}
   209  
   210  	if ruser, err := a.createUser(user); err != nil {
   211  		return nil, err
   212  	} else {
   213  		// This message goes to everyone, so the teamId, channelId and userId are irrelevant
   214  		message := model.NewWebSocketEvent(model.WEBSOCKET_EVENT_NEW_USER, "", "", "", nil)
   215  		message.Add("user_id", ruser.Id)
   216  		a.Publish(message)
   217  
   218  		return ruser, nil
   219  	}
   220  }
   221  
   222  func (a *App) createUser(user *model.User) (*model.User, *model.AppError) {
   223  	user.MakeNonNil()
   224  
   225  	if err := a.IsPasswordValid(user.Password); user.AuthService == "" && err != nil {
   226  		return nil, err
   227  	}
   228  
   229  	if result := <-a.Srv.Store.User().Save(user); result.Err != nil {
   230  		mlog.Error(fmt.Sprintf("Couldn't save the user err=%v", result.Err))
   231  		return nil, result.Err
   232  	} else {
   233  		ruser := result.Data.(*model.User)
   234  
   235  		if user.EmailVerified {
   236  			if err := a.VerifyUserEmail(ruser.Id); err != nil {
   237  				mlog.Error(fmt.Sprintf("Failed to set email verified err=%v", err))
   238  			}
   239  		}
   240  
   241  		pref := model.Preference{UserId: ruser.Id, Category: model.PREFERENCE_CATEGORY_TUTORIAL_STEPS, Name: ruser.Id, Value: "0"}
   242  		if presult := <-a.Srv.Store.Preference().Save(&model.Preferences{pref}); presult.Err != nil {
   243  			mlog.Error(fmt.Sprintf("Encountered error saving tutorial preference, err=%v", presult.Err.Message))
   244  		}
   245  
   246  		ruser.Sanitize(map[string]bool{})
   247  
   248  		return ruser, nil
   249  	}
   250  }
   251  
   252  func (a *App) CreateOAuthUser(service string, userData io.Reader, teamId string) (*model.User, *model.AppError) {
   253  	if !a.Config().TeamSettings.EnableUserCreation {
   254  		return nil, model.NewAppError("CreateOAuthUser", "api.user.create_user.disabled.app_error", nil, "", http.StatusNotImplemented)
   255  	}
   256  
   257  	var user *model.User
   258  	provider := einterfaces.GetOauthProvider(service)
   259  	if provider == nil {
   260  		return nil, model.NewAppError("CreateOAuthUser", "api.user.create_oauth_user.not_available.app_error", map[string]interface{}{"Service": strings.Title(service)}, "", http.StatusNotImplemented)
   261  	} else {
   262  		user = provider.GetUserFromJson(userData)
   263  	}
   264  
   265  	if user == nil {
   266  		return nil, model.NewAppError("CreateOAuthUser", "api.user.create_oauth_user.create.app_error", map[string]interface{}{"Service": service}, "", http.StatusInternalServerError)
   267  	}
   268  
   269  	suchan := a.Srv.Store.User().GetByAuth(user.AuthData, service)
   270  	euchan := a.Srv.Store.User().GetByEmail(user.Email)
   271  
   272  	found := true
   273  	count := 0
   274  	for found {
   275  		if found = a.IsUsernameTaken(user.Username); found {
   276  			user.Username = user.Username + strconv.Itoa(count)
   277  			count += 1
   278  		}
   279  	}
   280  
   281  	if result := <-suchan; result.Err == nil {
   282  		return result.Data.(*model.User), nil
   283  	}
   284  
   285  	if result := <-euchan; result.Err == nil {
   286  		authService := result.Data.(*model.User).AuthService
   287  		if authService == "" {
   288  			return nil, model.NewAppError("CreateOAuthUser", "api.user.create_oauth_user.already_attached.app_error", map[string]interface{}{"Service": service, "Auth": model.USER_AUTH_SERVICE_EMAIL}, "email="+user.Email, http.StatusBadRequest)
   289  		} else {
   290  			return nil, model.NewAppError("CreateOAuthUser", "api.user.create_oauth_user.already_attached.app_error", map[string]interface{}{"Service": service, "Auth": authService}, "email="+user.Email, http.StatusBadRequest)
   291  		}
   292  	}
   293  
   294  	user.EmailVerified = true
   295  
   296  	ruser, err := a.CreateUser(user)
   297  	if err != nil {
   298  		return nil, err
   299  	}
   300  
   301  	if len(teamId) > 0 {
   302  		err = a.AddUserToTeamByTeamId(teamId, user)
   303  		if err != nil {
   304  			return nil, err
   305  		}
   306  
   307  		err = a.AddDirectChannels(teamId, user)
   308  		if err != nil {
   309  			mlog.Error(err.Error())
   310  		}
   311  	}
   312  
   313  	return ruser, nil
   314  }
   315  
   316  // Check that a user's email domain matches a list of space-delimited domains as a string.
   317  func CheckUserDomain(user *model.User, domains string) bool {
   318  	if len(domains) == 0 {
   319  		return true
   320  	}
   321  
   322  	domainArray := strings.Fields(strings.TrimSpace(strings.ToLower(strings.Replace(strings.Replace(domains, "@", " ", -1), ",", " ", -1))))
   323  
   324  	for _, d := range domainArray {
   325  		if strings.HasSuffix(strings.ToLower(user.Email), "@"+d) {
   326  			return true
   327  		}
   328  	}
   329  
   330  	return false
   331  }
   332  
   333  // Check if the username is already used by another user. Return false if the username is invalid.
   334  func (a *App) IsUsernameTaken(name string) bool {
   335  
   336  	if !model.IsValidUsername(name) {
   337  		return false
   338  	}
   339  
   340  	if result := <-a.Srv.Store.User().GetByUsername(name); result.Err != nil {
   341  		return false
   342  	}
   343  
   344  	return true
   345  }
   346  
   347  func (a *App) GetUser(userId string) (*model.User, *model.AppError) {
   348  	if result := <-a.Srv.Store.User().Get(userId); result.Err != nil {
   349  		return nil, result.Err
   350  	} else {
   351  		return result.Data.(*model.User), nil
   352  	}
   353  }
   354  
   355  func (a *App) GetUserByUsername(username string) (*model.User, *model.AppError) {
   356  	if result := <-a.Srv.Store.User().GetByUsername(username); result.Err != nil && result.Err.Id == "store.sql_user.get_by_username.app_error" {
   357  		result.Err.StatusCode = http.StatusNotFound
   358  		return nil, result.Err
   359  	} else {
   360  		return result.Data.(*model.User), nil
   361  	}
   362  }
   363  
   364  func (a *App) GetUserByEmail(email string) (*model.User, *model.AppError) {
   365  
   366  	if result := <-a.Srv.Store.User().GetByEmail(email); result.Err != nil && result.Err.Id == "store.sql_user.missing_account.const" {
   367  		result.Err.StatusCode = http.StatusNotFound
   368  		return nil, result.Err
   369  	} else if result.Err != nil {
   370  		result.Err.StatusCode = http.StatusBadRequest
   371  		return nil, result.Err
   372  	} else {
   373  		return result.Data.(*model.User), nil
   374  	}
   375  }
   376  
   377  func (a *App) GetUserByAuth(authData *string, authService string) (*model.User, *model.AppError) {
   378  	if result := <-a.Srv.Store.User().GetByAuth(authData, authService); result.Err != nil {
   379  		return nil, result.Err
   380  	} else {
   381  		return result.Data.(*model.User), nil
   382  	}
   383  }
   384  
   385  func (a *App) GetUserForLogin(loginId string, onlyLdap bool) (*model.User, *model.AppError) {
   386  	license := a.License()
   387  	ldapAvailable := *a.Config().LdapSettings.Enable && a.Ldap != nil && license != nil && *license.Features.LDAP
   388  
   389  	if result := <-a.Srv.Store.User().GetForLogin(
   390  		loginId,
   391  		*a.Config().EmailSettings.EnableSignInWithUsername && !onlyLdap,
   392  		*a.Config().EmailSettings.EnableSignInWithEmail && !onlyLdap,
   393  		ldapAvailable,
   394  	); result.Err != nil && result.Err.Id == "store.sql_user.get_for_login.multiple_users" {
   395  		// don't fall back to LDAP in this case since we already know there's an LDAP user, but that it shouldn't work
   396  		result.Err.StatusCode = http.StatusBadRequest
   397  		return nil, result.Err
   398  	} else if result.Err != nil {
   399  		if !ldapAvailable {
   400  			// failed to find user and no LDAP server to fall back on
   401  			result.Err.StatusCode = http.StatusBadRequest
   402  			return nil, result.Err
   403  		}
   404  
   405  		// fall back to LDAP server to see if we can find a user
   406  		if ldapUser, ldapErr := a.Ldap.GetUser(loginId); ldapErr != nil {
   407  			ldapErr.StatusCode = http.StatusBadRequest
   408  			return nil, ldapErr
   409  		} else {
   410  			return ldapUser, nil
   411  		}
   412  	} else {
   413  		return result.Data.(*model.User), nil
   414  	}
   415  }
   416  
   417  func (a *App) GetUsers(offset int, limit int) ([]*model.User, *model.AppError) {
   418  	if result := <-a.Srv.Store.User().GetAllProfiles(offset, limit); result.Err != nil {
   419  		return nil, result.Err
   420  	} else {
   421  		return result.Data.([]*model.User), nil
   422  	}
   423  }
   424  
   425  func (a *App) GetUsersMap(offset int, limit int, asAdmin bool) (map[string]*model.User, *model.AppError) {
   426  	users, err := a.GetUsers(offset, limit)
   427  	if err != nil {
   428  		return nil, err
   429  	}
   430  
   431  	userMap := make(map[string]*model.User, len(users))
   432  
   433  	for _, user := range users {
   434  		a.SanitizeProfile(user, asAdmin)
   435  		userMap[user.Id] = user
   436  	}
   437  
   438  	return userMap, nil
   439  }
   440  
   441  func (a *App) GetUsersPage(page int, perPage int, asAdmin bool) ([]*model.User, *model.AppError) {
   442  	users, err := a.GetUsers(page*perPage, perPage)
   443  	if err != nil {
   444  		return nil, err
   445  	}
   446  
   447  	return a.sanitizeProfiles(users, asAdmin), nil
   448  }
   449  
   450  func (a *App) GetUsersEtag() string {
   451  	return fmt.Sprintf("%v.%v.%v", (<-a.Srv.Store.User().GetEtagForAllProfiles()).Data.(string), a.Config().PrivacySettings.ShowFullName, a.Config().PrivacySettings.ShowEmailAddress)
   452  }
   453  
   454  func (a *App) GetUsersInTeam(teamId string, offset int, limit int) ([]*model.User, *model.AppError) {
   455  	if result := <-a.Srv.Store.User().GetProfiles(teamId, offset, limit); result.Err != nil {
   456  		return nil, result.Err
   457  	} else {
   458  		return result.Data.([]*model.User), nil
   459  	}
   460  }
   461  
   462  func (a *App) GetUsersNotInTeam(teamId string, offset int, limit int) ([]*model.User, *model.AppError) {
   463  	if result := <-a.Srv.Store.User().GetProfilesNotInTeam(teamId, offset, limit); result.Err != nil {
   464  		return nil, result.Err
   465  	} else {
   466  		return result.Data.([]*model.User), nil
   467  	}
   468  }
   469  
   470  func (a *App) GetUsersInTeamMap(teamId string, offset int, limit int, asAdmin bool) (map[string]*model.User, *model.AppError) {
   471  	users, err := a.GetUsersInTeam(teamId, offset, limit)
   472  	if err != nil {
   473  		return nil, err
   474  	}
   475  
   476  	userMap := make(map[string]*model.User, len(users))
   477  
   478  	for _, user := range users {
   479  		a.SanitizeProfile(user, asAdmin)
   480  		userMap[user.Id] = user
   481  	}
   482  
   483  	return userMap, nil
   484  }
   485  
   486  func (a *App) GetUsersInTeamPage(teamId string, page int, perPage int, asAdmin bool) ([]*model.User, *model.AppError) {
   487  	users, err := a.GetUsersInTeam(teamId, page*perPage, perPage)
   488  	if err != nil {
   489  		return nil, err
   490  	}
   491  
   492  	return a.sanitizeProfiles(users, asAdmin), nil
   493  }
   494  
   495  func (a *App) GetUsersNotInTeamPage(teamId string, page int, perPage int, asAdmin bool) ([]*model.User, *model.AppError) {
   496  	users, err := a.GetUsersNotInTeam(teamId, page*perPage, perPage)
   497  	if err != nil {
   498  		return nil, err
   499  	}
   500  
   501  	return a.sanitizeProfiles(users, asAdmin), nil
   502  }
   503  
   504  func (a *App) GetUsersInTeamEtag(teamId string) string {
   505  	return fmt.Sprintf("%v.%v.%v", (<-a.Srv.Store.User().GetEtagForProfiles(teamId)).Data.(string), a.Config().PrivacySettings.ShowFullName, a.Config().PrivacySettings.ShowEmailAddress)
   506  }
   507  
   508  func (a *App) GetUsersNotInTeamEtag(teamId string) string {
   509  	return fmt.Sprintf("%v.%v.%v", (<-a.Srv.Store.User().GetEtagForProfilesNotInTeam(teamId)).Data.(string), a.Config().PrivacySettings.ShowFullName, a.Config().PrivacySettings.ShowEmailAddress)
   510  }
   511  
   512  func (a *App) GetUsersInChannel(channelId string, offset int, limit int) ([]*model.User, *model.AppError) {
   513  	if result := <-a.Srv.Store.User().GetProfilesInChannel(channelId, offset, limit); result.Err != nil {
   514  		return nil, result.Err
   515  	} else {
   516  		return result.Data.([]*model.User), nil
   517  	}
   518  }
   519  
   520  func (a *App) GetUsersInChannelByStatus(channelId string, offset int, limit int) ([]*model.User, *model.AppError) {
   521  	if result := <-a.Srv.Store.User().GetProfilesInChannelByStatus(channelId, offset, limit); result.Err != nil {
   522  		return nil, result.Err
   523  	} else {
   524  		return result.Data.([]*model.User), nil
   525  	}
   526  }
   527  
   528  func (a *App) GetUsersInChannelMap(channelId string, offset int, limit int, asAdmin bool) (map[string]*model.User, *model.AppError) {
   529  	users, err := a.GetUsersInChannel(channelId, offset, limit)
   530  	if err != nil {
   531  		return nil, err
   532  	}
   533  
   534  	userMap := make(map[string]*model.User, len(users))
   535  
   536  	for _, user := range users {
   537  		a.SanitizeProfile(user, asAdmin)
   538  		userMap[user.Id] = user
   539  	}
   540  
   541  	return userMap, nil
   542  }
   543  
   544  func (a *App) GetUsersInChannelPage(channelId string, page int, perPage int, asAdmin bool) ([]*model.User, *model.AppError) {
   545  	users, err := a.GetUsersInChannel(channelId, page*perPage, perPage)
   546  	if err != nil {
   547  		return nil, err
   548  	}
   549  
   550  	return a.sanitizeProfiles(users, asAdmin), nil
   551  }
   552  
   553  func (a *App) GetUsersInChannelPageByStatus(channelId string, page int, perPage int, asAdmin bool) ([]*model.User, *model.AppError) {
   554  	users, err := a.GetUsersInChannelByStatus(channelId, page*perPage, perPage)
   555  	if err != nil {
   556  		return nil, err
   557  	}
   558  
   559  	return a.sanitizeProfiles(users, asAdmin), nil
   560  }
   561  
   562  func (a *App) GetUsersNotInChannel(teamId string, channelId string, offset int, limit int) ([]*model.User, *model.AppError) {
   563  	if result := <-a.Srv.Store.User().GetProfilesNotInChannel(teamId, channelId, offset, limit); result.Err != nil {
   564  		return nil, result.Err
   565  	} else {
   566  		return result.Data.([]*model.User), nil
   567  	}
   568  }
   569  
   570  func (a *App) GetUsersNotInChannelMap(teamId string, channelId string, offset int, limit int, asAdmin bool) (map[string]*model.User, *model.AppError) {
   571  	users, err := a.GetUsersNotInChannel(teamId, channelId, offset, limit)
   572  	if err != nil {
   573  		return nil, err
   574  	}
   575  
   576  	userMap := make(map[string]*model.User, len(users))
   577  
   578  	for _, user := range users {
   579  		a.SanitizeProfile(user, asAdmin)
   580  		userMap[user.Id] = user
   581  	}
   582  
   583  	return userMap, nil
   584  }
   585  
   586  func (a *App) GetUsersNotInChannelPage(teamId string, channelId string, page int, perPage int, asAdmin bool) ([]*model.User, *model.AppError) {
   587  	users, err := a.GetUsersNotInChannel(teamId, channelId, page*perPage, perPage)
   588  	if err != nil {
   589  		return nil, err
   590  	}
   591  
   592  	return a.sanitizeProfiles(users, asAdmin), nil
   593  }
   594  
   595  func (a *App) GetUsersWithoutTeamPage(page int, perPage int, asAdmin bool) ([]*model.User, *model.AppError) {
   596  	users, err := a.GetUsersWithoutTeam(page*perPage, perPage)
   597  	if err != nil {
   598  		return nil, err
   599  	}
   600  
   601  	return a.sanitizeProfiles(users, asAdmin), nil
   602  }
   603  
   604  func (a *App) GetUsersWithoutTeam(offset int, limit int) ([]*model.User, *model.AppError) {
   605  	if result := <-a.Srv.Store.User().GetProfilesWithoutTeam(offset, limit); result.Err != nil {
   606  		return nil, result.Err
   607  	} else {
   608  		return result.Data.([]*model.User), nil
   609  	}
   610  }
   611  
   612  func (a *App) GetUsersByIds(userIds []string, asAdmin bool) ([]*model.User, *model.AppError) {
   613  	if result := <-a.Srv.Store.User().GetProfileByIds(userIds, true); result.Err != nil {
   614  		return nil, result.Err
   615  	} else {
   616  		users := result.Data.([]*model.User)
   617  		return a.sanitizeProfiles(users, asAdmin), nil
   618  	}
   619  }
   620  
   621  func (a *App) GetUsersByUsernames(usernames []string, asAdmin bool) ([]*model.User, *model.AppError) {
   622  	if result := <-a.Srv.Store.User().GetProfilesByUsernames(usernames, ""); result.Err != nil {
   623  		return nil, result.Err
   624  	} else {
   625  		users := result.Data.([]*model.User)
   626  		return a.sanitizeProfiles(users, asAdmin), nil
   627  	}
   628  }
   629  
   630  func (a *App) sanitizeProfiles(users []*model.User, asAdmin bool) []*model.User {
   631  	for _, u := range users {
   632  		a.SanitizeProfile(u, asAdmin)
   633  	}
   634  
   635  	return users
   636  }
   637  
   638  func (a *App) GenerateMfaSecret(userId string) (*model.MfaSecret, *model.AppError) {
   639  	if a.Mfa == nil {
   640  		return nil, model.NewAppError("generateMfaSecret", "api.user.generate_mfa_qr.not_available.app_error", nil, "", http.StatusNotImplemented)
   641  	}
   642  
   643  	var user *model.User
   644  	var err *model.AppError
   645  	if user, err = a.GetUser(userId); err != nil {
   646  		return nil, err
   647  	}
   648  
   649  	secret, img, err := a.Mfa.GenerateSecret(user)
   650  	if err != nil {
   651  		return nil, err
   652  	}
   653  
   654  	mfaSecret := &model.MfaSecret{Secret: secret, QRCode: b64.StdEncoding.EncodeToString(img)}
   655  	return mfaSecret, nil
   656  }
   657  
   658  func (a *App) ActivateMfa(userId, token string) *model.AppError {
   659  	if a.Mfa == nil {
   660  		err := model.NewAppError("ActivateMfa", "api.user.update_mfa.not_available.app_error", nil, "", http.StatusNotImplemented)
   661  		return err
   662  	}
   663  
   664  	var user *model.User
   665  	if result := <-a.Srv.Store.User().Get(userId); result.Err != nil {
   666  		return result.Err
   667  	} else {
   668  		user = result.Data.(*model.User)
   669  	}
   670  
   671  	if len(user.AuthService) > 0 && user.AuthService != model.USER_AUTH_SERVICE_LDAP {
   672  		return model.NewAppError("ActivateMfa", "api.user.activate_mfa.email_and_ldap_only.app_error", nil, "", http.StatusBadRequest)
   673  	}
   674  
   675  	if err := a.Mfa.Activate(user, token); err != nil {
   676  		return err
   677  	}
   678  
   679  	return nil
   680  }
   681  
   682  func (a *App) DeactivateMfa(userId string) *model.AppError {
   683  	if a.Mfa == nil {
   684  		err := model.NewAppError("DeactivateMfa", "api.user.update_mfa.not_available.app_error", nil, "", http.StatusNotImplemented)
   685  		return err
   686  	}
   687  
   688  	if err := a.Mfa.Deactivate(userId); err != nil {
   689  		return err
   690  	}
   691  
   692  	return nil
   693  }
   694  
   695  func CreateProfileImage(username string, userId string, initialFont string) ([]byte, *model.AppError) {
   696  	colors := []color.NRGBA{
   697  		{197, 8, 126, 255},
   698  		{227, 207, 18, 255},
   699  		{28, 181, 105, 255},
   700  		{35, 188, 224, 255},
   701  		{116, 49, 196, 255},
   702  		{197, 8, 126, 255},
   703  		{197, 19, 19, 255},
   704  		{250, 134, 6, 255},
   705  		{227, 207, 18, 255},
   706  		{123, 201, 71, 255},
   707  		{28, 181, 105, 255},
   708  		{35, 188, 224, 255},
   709  		{116, 49, 196, 255},
   710  		{197, 8, 126, 255},
   711  		{197, 19, 19, 255},
   712  		{250, 134, 6, 255},
   713  		{227, 207, 18, 255},
   714  		{123, 201, 71, 255},
   715  		{28, 181, 105, 255},
   716  		{35, 188, 224, 255},
   717  		{116, 49, 196, 255},
   718  		{197, 8, 126, 255},
   719  		{197, 19, 19, 255},
   720  		{250, 134, 6, 255},
   721  		{227, 207, 18, 255},
   722  		{123, 201, 71, 255},
   723  	}
   724  
   725  	h := fnv.New32a()
   726  	h.Write([]byte(userId))
   727  	seed := h.Sum32()
   728  
   729  	initial := string(strings.ToUpper(username)[0])
   730  
   731  	fontDir, _ := utils.FindDir("fonts")
   732  	fontBytes, err := ioutil.ReadFile(filepath.Join(fontDir, initialFont))
   733  	if err != nil {
   734  		return nil, model.NewAppError("CreateProfileImage", "api.user.create_profile_image.default_font.app_error", nil, err.Error(), http.StatusInternalServerError)
   735  	}
   736  	font, err := freetype.ParseFont(fontBytes)
   737  	if err != nil {
   738  		return nil, model.NewAppError("CreateProfileImage", "api.user.create_profile_image.default_font.app_error", nil, err.Error(), http.StatusInternalServerError)
   739  	}
   740  
   741  	color := colors[int64(seed)%int64(len(colors))]
   742  	dstImg := image.NewRGBA(image.Rect(0, 0, IMAGE_PROFILE_PIXEL_DIMENSION, IMAGE_PROFILE_PIXEL_DIMENSION))
   743  	srcImg := image.White
   744  	draw.Draw(dstImg, dstImg.Bounds(), &image.Uniform{color}, image.ZP, draw.Src)
   745  	size := float64(IMAGE_PROFILE_PIXEL_DIMENSION / 2)
   746  
   747  	c := freetype.NewContext()
   748  	c.SetFont(font)
   749  	c.SetFontSize(size)
   750  	c.SetClip(dstImg.Bounds())
   751  	c.SetDst(dstImg)
   752  	c.SetSrc(srcImg)
   753  
   754  	pt := freetype.Pt(IMAGE_PROFILE_PIXEL_DIMENSION/6, IMAGE_PROFILE_PIXEL_DIMENSION*2/3)
   755  	_, err = c.DrawString(initial, pt)
   756  	if err != nil {
   757  		return nil, model.NewAppError("CreateProfileImage", "api.user.create_profile_image.initial.app_error", nil, err.Error(), http.StatusInternalServerError)
   758  	}
   759  
   760  	buf := new(bytes.Buffer)
   761  
   762  	if imgErr := png.Encode(buf, dstImg); imgErr != nil {
   763  		return nil, model.NewAppError("CreateProfileImage", "api.user.create_profile_image.encode.app_error", nil, imgErr.Error(), http.StatusInternalServerError)
   764  	} else {
   765  		return buf.Bytes(), nil
   766  	}
   767  }
   768  
   769  func (a *App) GetProfileImage(user *model.User) ([]byte, bool, *model.AppError) {
   770  	var img []byte
   771  	readFailed := false
   772  
   773  	if len(*a.Config().FileSettings.DriverName) == 0 {
   774  		var err *model.AppError
   775  		if img, err = CreateProfileImage(user.Username, user.Id, a.Config().FileSettings.InitialFont); err != nil {
   776  			return nil, false, err
   777  		}
   778  	} else {
   779  		path := "users/" + user.Id + "/profile.png"
   780  
   781  		if data, err := a.ReadFile(path); err != nil {
   782  			readFailed = true
   783  
   784  			if img, err = CreateProfileImage(user.Username, user.Id, a.Config().FileSettings.InitialFont); err != nil {
   785  				return nil, false, err
   786  			}
   787  
   788  			if user.LastPictureUpdate == 0 {
   789  				if err := a.WriteFile(img, path); err != nil {
   790  					return nil, false, err
   791  				}
   792  			}
   793  
   794  		} else {
   795  			img = data
   796  		}
   797  	}
   798  
   799  	return img, readFailed, nil
   800  }
   801  
   802  func (a *App) SetProfileImage(userId string, imageData *multipart.FileHeader) *model.AppError {
   803  	file, err := imageData.Open()
   804  	if err != nil {
   805  		return model.NewAppError("SetProfileImage", "api.user.upload_profile_user.open.app_error", nil, err.Error(), http.StatusBadRequest)
   806  	}
   807  	defer file.Close()
   808  	return a.SetProfileImageFromFile(userId, file)
   809  }
   810  
   811  func (a *App) SetProfileImageFromFile(userId string, file multipart.File) *model.AppError {
   812  	// Decode image config first to check dimensions before loading the whole thing into memory later on
   813  	config, _, err := image.DecodeConfig(file)
   814  	if err != nil {
   815  		return model.NewAppError("SetProfileImage", "api.user.upload_profile_user.decode_config.app_error", nil, err.Error(), http.StatusBadRequest)
   816  	} else if config.Width*config.Height > model.MaxImageSize {
   817  		return model.NewAppError("SetProfileImage", "api.user.upload_profile_user.too_large.app_error", nil, err.Error(), http.StatusBadRequest)
   818  	}
   819  
   820  	file.Seek(0, 0)
   821  
   822  	// Decode image into Image object
   823  	img, _, err := image.Decode(file)
   824  	if err != nil {
   825  		return model.NewAppError("SetProfileImage", "api.user.upload_profile_user.decode.app_error", nil, err.Error(), http.StatusBadRequest)
   826  	}
   827  
   828  	file.Seek(0, 0)
   829  
   830  	orientation, _ := getImageOrientation(file)
   831  	img = makeImageUpright(img, orientation)
   832  
   833  	// Scale profile image
   834  	profileWidthAndHeight := 128
   835  	img = imaging.Fill(img, profileWidthAndHeight, profileWidthAndHeight, imaging.Center, imaging.Lanczos)
   836  
   837  	buf := new(bytes.Buffer)
   838  	err = png.Encode(buf, img)
   839  	if err != nil {
   840  		return model.NewAppError("SetProfileImage", "api.user.upload_profile_user.encode.app_error", nil, err.Error(), http.StatusInternalServerError)
   841  	}
   842  
   843  	path := "users/" + userId + "/profile.png"
   844  
   845  	if err := a.WriteFile(buf.Bytes(), path); err != nil {
   846  		return model.NewAppError("SetProfileImage", "api.user.upload_profile_user.upload_profile.app_error", nil, "", http.StatusInternalServerError)
   847  	}
   848  
   849  	<-a.Srv.Store.User().UpdateLastPictureUpdate(userId)
   850  
   851  	a.InvalidateCacheForUser(userId)
   852  
   853  	if user, err := a.GetUser(userId); err != nil {
   854  		mlog.Error(fmt.Sprintf("Error in getting users profile for id=%v forcing logout", userId), mlog.String("user_id", userId))
   855  	} else {
   856  		options := a.Config().GetSanitizeOptions()
   857  		user.SanitizeProfile(options)
   858  
   859  		message := model.NewWebSocketEvent(model.WEBSOCKET_EVENT_USER_UPDATED, "", "", "", nil)
   860  		message.Add("user", user)
   861  		a.Publish(message)
   862  	}
   863  
   864  	return nil
   865  }
   866  
   867  func (a *App) UpdatePasswordAsUser(userId, currentPassword, newPassword string) *model.AppError {
   868  	var user *model.User
   869  	var err *model.AppError
   870  
   871  	if user, err = a.GetUser(userId); err != nil {
   872  		return err
   873  	}
   874  
   875  	if user == nil {
   876  		err = model.NewAppError("updatePassword", "api.user.update_password.valid_account.app_error", nil, "", http.StatusBadRequest)
   877  		return err
   878  	}
   879  
   880  	if user.AuthData != nil && *user.AuthData != "" {
   881  		err = model.NewAppError("updatePassword", "api.user.update_password.oauth.app_error", nil, "auth_service="+user.AuthService, http.StatusBadRequest)
   882  		return err
   883  	}
   884  
   885  	if err := a.DoubleCheckPassword(user, currentPassword); err != nil {
   886  		if err.Id == "api.user.check_user_password.invalid.app_error" {
   887  			err = model.NewAppError("updatePassword", "api.user.update_password.incorrect.app_error", nil, "", http.StatusBadRequest)
   888  		}
   889  		return err
   890  	}
   891  
   892  	T := utils.GetUserTranslations(user.Locale)
   893  
   894  	return a.UpdatePasswordSendEmail(user, newPassword, T("api.user.update_password.menu"))
   895  }
   896  
   897  func (a *App) UpdateNonSSOUserActive(userId string, active bool) (*model.User, *model.AppError) {
   898  	var user *model.User
   899  	var err *model.AppError
   900  	if user, err = a.GetUser(userId); err != nil {
   901  		return nil, err
   902  	}
   903  
   904  	if user.IsSSOUser() {
   905  		err := model.NewAppError("UpdateActive", "api.user.update_active.no_deactivate_sso.app_error", nil, "userId="+user.Id, http.StatusBadRequest)
   906  		err.StatusCode = http.StatusBadRequest
   907  		return nil, err
   908  	}
   909  
   910  	return a.UpdateActive(user, active)
   911  }
   912  
   913  func (a *App) UpdateActive(user *model.User, active bool) (*model.User, *model.AppError) {
   914  	if active {
   915  		user.DeleteAt = 0
   916  	} else {
   917  		user.DeleteAt = model.GetMillis()
   918  	}
   919  
   920  	if result := <-a.Srv.Store.User().Update(user, true); result.Err != nil {
   921  		return nil, result.Err
   922  	} else {
   923  		if user.DeleteAt > 0 {
   924  			if err := a.RevokeAllSessions(user.Id); err != nil {
   925  				return nil, err
   926  			}
   927  		}
   928  
   929  		ruser := result.Data.([2]*model.User)[0]
   930  		options := a.Config().GetSanitizeOptions()
   931  		options["passwordupdate"] = false
   932  		ruser.Sanitize(options)
   933  
   934  		if !active {
   935  			a.SetStatusOffline(ruser.Id, false)
   936  		}
   937  
   938  		teamsForUser, err := a.GetTeamsForUser(user.Id)
   939  		if err != nil {
   940  			return nil, err
   941  		}
   942  
   943  		for _, team := range teamsForUser {
   944  			channelsForUser, err := a.GetChannelsForUser(team.Id, user.Id)
   945  			if err != nil {
   946  				return nil, err
   947  			}
   948  
   949  			for _, channel := range *channelsForUser {
   950  				a.InvalidateCacheForChannelMembers(channel.Id)
   951  			}
   952  		}
   953  
   954  		a.sendUpdatedUserEvent(*ruser)
   955  
   956  		return ruser, nil
   957  	}
   958  }
   959  
   960  func (a *App) SanitizeProfile(user *model.User, asAdmin bool) {
   961  	options := a.Config().GetSanitizeOptions()
   962  	if asAdmin {
   963  		options["email"] = true
   964  		options["fullname"] = true
   965  		options["authservice"] = true
   966  	}
   967  	user.SanitizeProfile(options)
   968  }
   969  
   970  func (a *App) UpdateUserAsUser(user *model.User, asAdmin bool) (*model.User, *model.AppError) {
   971  	updatedUser, err := a.UpdateUser(user, true)
   972  	if err != nil {
   973  		return nil, err
   974  	}
   975  
   976  	a.sendUpdatedUserEvent(*updatedUser)
   977  
   978  	return updatedUser, nil
   979  }
   980  
   981  func (a *App) PatchUser(userId string, patch *model.UserPatch, asAdmin bool) (*model.User, *model.AppError) {
   982  	user, err := a.GetUser(userId)
   983  	if err != nil {
   984  		return nil, err
   985  	}
   986  
   987  	user.Patch(patch)
   988  
   989  	updatedUser, err := a.UpdateUser(user, true)
   990  	if err != nil {
   991  		return nil, err
   992  	}
   993  
   994  	a.sendUpdatedUserEvent(*updatedUser)
   995  
   996  	return updatedUser, nil
   997  }
   998  
   999  func (a *App) UpdateUserAuth(userId string, userAuth *model.UserAuth) (*model.UserAuth, *model.AppError) {
  1000  	if userAuth.AuthData == nil || *userAuth.AuthData == "" || userAuth.AuthService == "" {
  1001  		userAuth.AuthData = nil
  1002  		userAuth.AuthService = ""
  1003  
  1004  		if err := a.IsPasswordValid(userAuth.Password); err != nil {
  1005  			return nil, err
  1006  		}
  1007  		password := model.HashPassword(userAuth.Password)
  1008  
  1009  		if result := <-a.Srv.Store.User().UpdatePassword(userId, password); result.Err != nil {
  1010  			return nil, result.Err
  1011  		}
  1012  	} else {
  1013  		userAuth.Password = ""
  1014  
  1015  		if result := <-a.Srv.Store.User().UpdateAuthData(userId, userAuth.AuthService, userAuth.AuthData, "", false); result.Err != nil {
  1016  			return nil, result.Err
  1017  		}
  1018  	}
  1019  
  1020  	return userAuth, nil
  1021  }
  1022  
  1023  func (a *App) sendUpdatedUserEvent(user model.User) {
  1024  	adminCopyOfUser := user.DeepCopy()
  1025  	a.SanitizeProfile(adminCopyOfUser, true)
  1026  	adminMessage := model.NewWebSocketEvent(model.WEBSOCKET_EVENT_USER_UPDATED, "", "", "", nil)
  1027  	adminMessage.Add("user", *adminCopyOfUser)
  1028  	adminMessage.Broadcast.ContainsSensitiveData = true
  1029  	a.Publish(adminMessage)
  1030  
  1031  	a.SanitizeProfile(&user, false)
  1032  	message := model.NewWebSocketEvent(model.WEBSOCKET_EVENT_USER_UPDATED, "", "", "", nil)
  1033  	message.Add("user", user)
  1034  	message.Broadcast.ContainsSanitizedData = true
  1035  	a.Publish(message)
  1036  }
  1037  
  1038  func (a *App) UpdateUser(user *model.User, sendNotifications bool) (*model.User, *model.AppError) {
  1039  	if !CheckUserDomain(user, a.Config().TeamSettings.RestrictCreationToDomains) {
  1040  		result := <-a.Srv.Store.User().Get(user.Id)
  1041  		if result.Err != nil {
  1042  			return nil, result.Err
  1043  		}
  1044  		prev := result.Data.(*model.User)
  1045  		if !prev.IsLDAPUser() && !prev.IsSAMLUser() && user.Email != prev.Email {
  1046  			return nil, model.NewAppError("UpdateUser", "api.user.create_user.accepted_domain.app_error", nil, "", http.StatusBadRequest)
  1047  		}
  1048  	}
  1049  
  1050  	if result := <-a.Srv.Store.User().Update(user, false); result.Err != nil {
  1051  		return nil, result.Err
  1052  	} else {
  1053  		rusers := result.Data.([2]*model.User)
  1054  
  1055  		if sendNotifications {
  1056  			if rusers[0].Email != rusers[1].Email {
  1057  				a.Go(func() {
  1058  					if err := a.SendEmailChangeEmail(rusers[1].Email, rusers[0].Email, rusers[0].Locale, a.GetSiteURL()); err != nil {
  1059  						mlog.Error(err.Error())
  1060  					}
  1061  				})
  1062  
  1063  				if a.Config().EmailSettings.RequireEmailVerification {
  1064  					a.Go(func() {
  1065  						if err := a.SendEmailVerification(rusers[0]); err != nil {
  1066  							mlog.Error(err.Error())
  1067  						}
  1068  					})
  1069  				}
  1070  			}
  1071  
  1072  			if rusers[0].Username != rusers[1].Username {
  1073  				a.Go(func() {
  1074  					if err := a.SendChangeUsernameEmail(rusers[1].Username, rusers[0].Username, rusers[0].Email, rusers[0].Locale, a.GetSiteURL()); err != nil {
  1075  						mlog.Error(err.Error())
  1076  					}
  1077  				})
  1078  			}
  1079  		}
  1080  
  1081  		a.InvalidateCacheForUser(user.Id)
  1082  
  1083  		return rusers[0], nil
  1084  	}
  1085  }
  1086  
  1087  func (a *App) UpdateUserNotifyProps(userId string, props map[string]string) (*model.User, *model.AppError) {
  1088  	var user *model.User
  1089  	var err *model.AppError
  1090  	if user, err = a.GetUser(userId); err != nil {
  1091  		return nil, err
  1092  	}
  1093  
  1094  	user.NotifyProps = props
  1095  
  1096  	var ruser *model.User
  1097  	if ruser, err = a.UpdateUser(user, true); err != nil {
  1098  		return nil, err
  1099  	}
  1100  
  1101  	return ruser, nil
  1102  }
  1103  
  1104  func (a *App) UpdateMfa(activate bool, userId, token string) *model.AppError {
  1105  	if activate {
  1106  		if err := a.ActivateMfa(userId, token); err != nil {
  1107  			return err
  1108  		}
  1109  	} else {
  1110  		if err := a.DeactivateMfa(userId); err != nil {
  1111  			return err
  1112  		}
  1113  	}
  1114  
  1115  	a.Go(func() {
  1116  		var user *model.User
  1117  		var err *model.AppError
  1118  
  1119  		if user, err = a.GetUser(userId); err != nil {
  1120  			mlog.Error(err.Error())
  1121  			return
  1122  		}
  1123  
  1124  		if err := a.SendMfaChangeEmail(user.Email, activate, user.Locale, a.GetSiteURL()); err != nil {
  1125  			mlog.Error(err.Error())
  1126  		}
  1127  	})
  1128  
  1129  	return nil
  1130  }
  1131  
  1132  func (a *App) UpdatePasswordByUserIdSendEmail(userId, newPassword, method string) *model.AppError {
  1133  	var user *model.User
  1134  	var err *model.AppError
  1135  	if user, err = a.GetUser(userId); err != nil {
  1136  		return err
  1137  	}
  1138  
  1139  	return a.UpdatePasswordSendEmail(user, newPassword, method)
  1140  }
  1141  
  1142  func (a *App) UpdatePassword(user *model.User, newPassword string) *model.AppError {
  1143  	if err := a.IsPasswordValid(newPassword); err != nil {
  1144  		return err
  1145  	}
  1146  
  1147  	hashedPassword := model.HashPassword(newPassword)
  1148  
  1149  	if result := <-a.Srv.Store.User().UpdatePassword(user.Id, hashedPassword); result.Err != nil {
  1150  		return model.NewAppError("UpdatePassword", "api.user.update_password.failed.app_error", nil, result.Err.Error(), http.StatusInternalServerError)
  1151  	}
  1152  
  1153  	return nil
  1154  }
  1155  
  1156  func (a *App) UpdatePasswordSendEmail(user *model.User, newPassword, method string) *model.AppError {
  1157  	if err := a.UpdatePassword(user, newPassword); err != nil {
  1158  		return err
  1159  	}
  1160  
  1161  	a.Go(func() {
  1162  		if err := a.SendPasswordChangeEmail(user.Email, method, user.Locale, a.GetSiteURL()); err != nil {
  1163  			mlog.Error(err.Error())
  1164  		}
  1165  	})
  1166  
  1167  	return nil
  1168  }
  1169  
  1170  func (a *App) ResetPasswordFromToken(userSuppliedTokenString, newPassword string) *model.AppError {
  1171  	var token *model.Token
  1172  	var err *model.AppError
  1173  	if token, err = a.GetPasswordRecoveryToken(userSuppliedTokenString); err != nil {
  1174  		return err
  1175  	} else {
  1176  		if model.GetMillis()-token.CreateAt >= PASSWORD_RECOVER_EXPIRY_TIME {
  1177  			return model.NewAppError("resetPassword", "api.user.reset_password.link_expired.app_error", nil, "", http.StatusBadRequest)
  1178  		}
  1179  	}
  1180  
  1181  	var user *model.User
  1182  	if user, err = a.GetUser(token.Extra); err != nil {
  1183  		return err
  1184  	}
  1185  
  1186  	if user.IsSSOUser() {
  1187  		return model.NewAppError("ResetPasswordFromCode", "api.user.reset_password.sso.app_error", nil, "userId="+user.Id, http.StatusBadRequest)
  1188  	}
  1189  
  1190  	T := utils.GetUserTranslations(user.Locale)
  1191  
  1192  	if err := a.UpdatePasswordSendEmail(user, newPassword, T("api.user.reset_password.method")); err != nil {
  1193  		return err
  1194  	}
  1195  
  1196  	if err := a.DeleteToken(token); err != nil {
  1197  		mlog.Error(err.Error())
  1198  	}
  1199  
  1200  	return nil
  1201  }
  1202  
  1203  func (a *App) SendPasswordReset(email string, siteURL string) (bool, *model.AppError) {
  1204  	var user *model.User
  1205  	var err *model.AppError
  1206  	if user, err = a.GetUserByEmail(email); err != nil {
  1207  		return false, nil
  1208  	}
  1209  
  1210  	if user.AuthData != nil && len(*user.AuthData) != 0 {
  1211  		return false, model.NewAppError("SendPasswordReset", "api.user.send_password_reset.sso.app_error", nil, "userId="+user.Id, http.StatusBadRequest)
  1212  	}
  1213  
  1214  	var token *model.Token
  1215  	if token, err = a.CreatePasswordRecoveryToken(user.Id); err != nil {
  1216  		return false, err
  1217  	}
  1218  
  1219  	if _, err := a.SendPasswordResetEmail(user.Email, token, user.Locale, siteURL); err != nil {
  1220  		return false, model.NewAppError("SendPasswordReset", "api.user.send_password_reset.send.app_error", nil, "err="+err.Message, http.StatusInternalServerError)
  1221  	}
  1222  
  1223  	return true, nil
  1224  }
  1225  
  1226  func (a *App) CreatePasswordRecoveryToken(userId string) (*model.Token, *model.AppError) {
  1227  	token := model.NewToken(TOKEN_TYPE_PASSWORD_RECOVERY, userId)
  1228  
  1229  	if result := <-a.Srv.Store.Token().Save(token); result.Err != nil {
  1230  		return nil, result.Err
  1231  	}
  1232  
  1233  	return token, nil
  1234  }
  1235  
  1236  func (a *App) GetPasswordRecoveryToken(token string) (*model.Token, *model.AppError) {
  1237  	if result := <-a.Srv.Store.Token().GetByToken(token); result.Err != nil {
  1238  		return nil, model.NewAppError("GetPasswordRecoveryToken", "api.user.reset_password.invalid_link.app_error", nil, result.Err.Error(), http.StatusBadRequest)
  1239  	} else {
  1240  		token := result.Data.(*model.Token)
  1241  		if token.Type != TOKEN_TYPE_PASSWORD_RECOVERY {
  1242  			return nil, model.NewAppError("GetPasswordRecoveryToken", "api.user.reset_password.broken_token.app_error", nil, "", http.StatusBadRequest)
  1243  		}
  1244  		return token, nil
  1245  	}
  1246  }
  1247  
  1248  func (a *App) DeleteToken(token *model.Token) *model.AppError {
  1249  	if result := <-a.Srv.Store.Token().Delete(token.Token); result.Err != nil {
  1250  		return result.Err
  1251  	}
  1252  
  1253  	return nil
  1254  }
  1255  
  1256  func (a *App) UpdateUserRoles(userId string, newRoles string, sendWebSocketEvent bool) (*model.User, *model.AppError) {
  1257  	var user *model.User
  1258  	var err *model.AppError
  1259  	if user, err = a.GetUser(userId); err != nil {
  1260  		err.StatusCode = http.StatusBadRequest
  1261  		return nil, err
  1262  	}
  1263  
  1264  	if err := a.CheckRolesExist(strings.Fields(newRoles)); err != nil {
  1265  		return nil, err
  1266  	}
  1267  
  1268  	user.Roles = newRoles
  1269  	uchan := a.Srv.Store.User().Update(user, true)
  1270  	schan := a.Srv.Store.Session().UpdateRoles(user.Id, newRoles)
  1271  
  1272  	var ruser *model.User
  1273  	if result := <-uchan; result.Err != nil {
  1274  		return nil, result.Err
  1275  	} else {
  1276  		ruser = result.Data.([2]*model.User)[0]
  1277  	}
  1278  
  1279  	if result := <-schan; result.Err != nil {
  1280  		// soft error since the user roles were still updated
  1281  		mlog.Error(fmt.Sprint(result.Err))
  1282  	}
  1283  
  1284  	a.ClearSessionCacheForUser(user.Id)
  1285  
  1286  	if sendWebSocketEvent {
  1287  		message := model.NewWebSocketEvent(model.WEBSOCKET_EVENT_USER_ROLE_UPDATED, "", "", user.Id, nil)
  1288  		message.Add("user_id", user.Id)
  1289  		message.Add("roles", newRoles)
  1290  		a.Publish(message)
  1291  	}
  1292  
  1293  	return ruser, nil
  1294  }
  1295  
  1296  func (a *App) PermanentDeleteUser(user *model.User) *model.AppError {
  1297  	mlog.Warn(fmt.Sprintf("Attempting to permanently delete account %v id=%v", user.Email, user.Id), mlog.String("user_id", user.Id))
  1298  	if user.IsInRole(model.SYSTEM_ADMIN_ROLE_ID) {
  1299  		mlog.Warn(fmt.Sprintf("You are deleting %v that is a system administrator.  You may need to set another account as the system administrator using the command line tools.", user.Email))
  1300  	}
  1301  
  1302  	if _, err := a.UpdateActive(user, false); err != nil {
  1303  		return err
  1304  	}
  1305  
  1306  	if result := <-a.Srv.Store.Session().PermanentDeleteSessionsByUser(user.Id); result.Err != nil {
  1307  		return result.Err
  1308  	}
  1309  
  1310  	if result := <-a.Srv.Store.UserAccessToken().DeleteAllForUser(user.Id); result.Err != nil {
  1311  		return result.Err
  1312  	}
  1313  
  1314  	if result := <-a.Srv.Store.OAuth().PermanentDeleteAuthDataByUser(user.Id); result.Err != nil {
  1315  		return result.Err
  1316  	}
  1317  
  1318  	if result := <-a.Srv.Store.Webhook().PermanentDeleteIncomingByUser(user.Id); result.Err != nil {
  1319  		return result.Err
  1320  	}
  1321  
  1322  	if result := <-a.Srv.Store.Webhook().PermanentDeleteOutgoingByUser(user.Id); result.Err != nil {
  1323  		return result.Err
  1324  	}
  1325  
  1326  	if result := <-a.Srv.Store.Command().PermanentDeleteByUser(user.Id); result.Err != nil {
  1327  		return result.Err
  1328  	}
  1329  
  1330  	if result := <-a.Srv.Store.Preference().PermanentDeleteByUser(user.Id); result.Err != nil {
  1331  		return result.Err
  1332  	}
  1333  
  1334  	if result := <-a.Srv.Store.Channel().PermanentDeleteMembersByUser(user.Id); result.Err != nil {
  1335  		return result.Err
  1336  	}
  1337  
  1338  	if result := <-a.Srv.Store.Post().PermanentDeleteByUser(user.Id); result.Err != nil {
  1339  		return result.Err
  1340  	}
  1341  
  1342  	if result := <-a.Srv.Store.User().PermanentDelete(user.Id); result.Err != nil {
  1343  		return result.Err
  1344  	}
  1345  
  1346  	if result := <-a.Srv.Store.Audit().PermanentDeleteByUser(user.Id); result.Err != nil {
  1347  		return result.Err
  1348  	}
  1349  
  1350  	if result := <-a.Srv.Store.Team().RemoveAllMembersByUser(user.Id); result.Err != nil {
  1351  		return result.Err
  1352  	}
  1353  
  1354  	mlog.Warn(fmt.Sprintf("Permanently deleted account %v id=%v", user.Email, user.Id), mlog.String("user_id", user.Id))
  1355  
  1356  	return nil
  1357  }
  1358  
  1359  func (a *App) PermanentDeleteAllUsers() *model.AppError {
  1360  	if result := <-a.Srv.Store.User().GetAll(); result.Err != nil {
  1361  		return result.Err
  1362  	} else {
  1363  		users := result.Data.([]*model.User)
  1364  		for _, user := range users {
  1365  			a.PermanentDeleteUser(user)
  1366  		}
  1367  	}
  1368  
  1369  	return nil
  1370  }
  1371  
  1372  func (a *App) SendEmailVerification(user *model.User) *model.AppError {
  1373  	token, err := a.CreateVerifyEmailToken(user.Id)
  1374  	if err != nil {
  1375  		return err
  1376  	}
  1377  
  1378  	if _, err := a.GetStatus(user.Id); err != nil {
  1379  		return a.SendVerifyEmail(user.Email, user.Locale, a.GetSiteURL(), token.Token)
  1380  	} else {
  1381  		return a.SendEmailChangeVerifyEmail(user.Email, user.Locale, a.GetSiteURL(), token.Token)
  1382  	}
  1383  }
  1384  
  1385  func (a *App) VerifyEmailFromToken(userSuppliedTokenString string) *model.AppError {
  1386  	var token *model.Token
  1387  	var err *model.AppError
  1388  	if token, err = a.GetVerifyEmailToken(userSuppliedTokenString); err != nil {
  1389  		return err
  1390  	} else {
  1391  		if model.GetMillis()-token.CreateAt >= PASSWORD_RECOVER_EXPIRY_TIME {
  1392  			return model.NewAppError("resetPassword", "api.user.reset_password.link_expired.app_error", nil, "", http.StatusBadRequest)
  1393  		}
  1394  		if err := a.VerifyUserEmail(token.Extra); err != nil {
  1395  			return err
  1396  		}
  1397  		if err := a.DeleteToken(token); err != nil {
  1398  			mlog.Error(err.Error())
  1399  		}
  1400  	}
  1401  
  1402  	return nil
  1403  }
  1404  
  1405  func (a *App) CreateVerifyEmailToken(userId string) (*model.Token, *model.AppError) {
  1406  	token := model.NewToken(TOKEN_TYPE_VERIFY_EMAIL, userId)
  1407  
  1408  	if result := <-a.Srv.Store.Token().Save(token); result.Err != nil {
  1409  		return nil, result.Err
  1410  	}
  1411  
  1412  	return token, nil
  1413  }
  1414  
  1415  func (a *App) GetVerifyEmailToken(token string) (*model.Token, *model.AppError) {
  1416  	if result := <-a.Srv.Store.Token().GetByToken(token); result.Err != nil {
  1417  		return nil, model.NewAppError("GetVerifyEmailToken", "api.user.verify_email.bad_link.app_error", nil, result.Err.Error(), http.StatusBadRequest)
  1418  	} else {
  1419  		token := result.Data.(*model.Token)
  1420  		if token.Type != TOKEN_TYPE_VERIFY_EMAIL {
  1421  			return nil, model.NewAppError("GetVerifyEmailToken", "api.user.verify_email.broken_token.app_error", nil, "", http.StatusBadRequest)
  1422  		}
  1423  		return token, nil
  1424  	}
  1425  }
  1426  
  1427  func (a *App) VerifyUserEmail(userId string) *model.AppError {
  1428  	return (<-a.Srv.Store.User().VerifyEmail(userId)).Err
  1429  }
  1430  
  1431  func (a *App) SearchUsers(props *model.UserSearch, searchOptions map[string]bool, asAdmin bool) ([]*model.User, *model.AppError) {
  1432  	if props.WithoutTeam {
  1433  		return a.SearchUsersWithoutTeam(props.Term, searchOptions, asAdmin)
  1434  	} else if props.InChannelId != "" {
  1435  		return a.SearchUsersInChannel(props.InChannelId, props.Term, searchOptions, asAdmin)
  1436  	} else if props.NotInChannelId != "" {
  1437  		return a.SearchUsersNotInChannel(props.TeamId, props.NotInChannelId, props.Term, searchOptions, asAdmin)
  1438  	} else if props.NotInTeamId != "" {
  1439  		return a.SearchUsersNotInTeam(props.NotInTeamId, props.Term, searchOptions, asAdmin)
  1440  	} else {
  1441  		return a.SearchUsersInTeam(props.TeamId, props.Term, searchOptions, asAdmin)
  1442  	}
  1443  }
  1444  
  1445  func (a *App) SearchUsersInChannel(channelId string, term string, searchOptions map[string]bool, asAdmin bool) ([]*model.User, *model.AppError) {
  1446  	if result := <-a.Srv.Store.User().SearchInChannel(channelId, term, searchOptions); result.Err != nil {
  1447  		return nil, result.Err
  1448  	} else {
  1449  		users := result.Data.([]*model.User)
  1450  
  1451  		for _, user := range users {
  1452  			a.SanitizeProfile(user, asAdmin)
  1453  		}
  1454  
  1455  		return users, nil
  1456  	}
  1457  }
  1458  
  1459  func (a *App) SearchUsersNotInChannel(teamId string, channelId string, term string, searchOptions map[string]bool, asAdmin bool) ([]*model.User, *model.AppError) {
  1460  	if result := <-a.Srv.Store.User().SearchNotInChannel(teamId, channelId, term, searchOptions); result.Err != nil {
  1461  		return nil, result.Err
  1462  	} else {
  1463  		users := result.Data.([]*model.User)
  1464  
  1465  		for _, user := range users {
  1466  			a.SanitizeProfile(user, asAdmin)
  1467  		}
  1468  
  1469  		return users, nil
  1470  	}
  1471  }
  1472  
  1473  func (a *App) SearchUsersInTeam(teamId string, term string, searchOptions map[string]bool, asAdmin bool) ([]*model.User, *model.AppError) {
  1474  	if result := <-a.Srv.Store.User().Search(teamId, term, searchOptions); result.Err != nil {
  1475  		return nil, result.Err
  1476  	} else {
  1477  		users := result.Data.([]*model.User)
  1478  
  1479  		for _, user := range users {
  1480  			a.SanitizeProfile(user, asAdmin)
  1481  		}
  1482  
  1483  		return users, nil
  1484  	}
  1485  }
  1486  
  1487  func (a *App) SearchUsersNotInTeam(notInTeamId string, term string, searchOptions map[string]bool, asAdmin bool) ([]*model.User, *model.AppError) {
  1488  	if result := <-a.Srv.Store.User().SearchNotInTeam(notInTeamId, term, searchOptions); result.Err != nil {
  1489  		return nil, result.Err
  1490  	} else {
  1491  		users := result.Data.([]*model.User)
  1492  
  1493  		for _, user := range users {
  1494  			a.SanitizeProfile(user, asAdmin)
  1495  		}
  1496  
  1497  		return users, nil
  1498  	}
  1499  }
  1500  
  1501  func (a *App) SearchUsersWithoutTeam(term string, searchOptions map[string]bool, asAdmin bool) ([]*model.User, *model.AppError) {
  1502  	if result := <-a.Srv.Store.User().SearchWithoutTeam(term, searchOptions); result.Err != nil {
  1503  		return nil, result.Err
  1504  	} else {
  1505  		users := result.Data.([]*model.User)
  1506  
  1507  		for _, user := range users {
  1508  			a.SanitizeProfile(user, asAdmin)
  1509  		}
  1510  
  1511  		return users, nil
  1512  	}
  1513  }
  1514  
  1515  func (a *App) AutocompleteUsersInChannel(teamId string, channelId string, term string, searchOptions map[string]bool, asAdmin bool) (*model.UserAutocompleteInChannel, *model.AppError) {
  1516  	uchan := a.Srv.Store.User().SearchInChannel(channelId, term, searchOptions)
  1517  	nuchan := a.Srv.Store.User().SearchNotInChannel(teamId, channelId, term, searchOptions)
  1518  
  1519  	autocomplete := &model.UserAutocompleteInChannel{}
  1520  
  1521  	if result := <-uchan; result.Err != nil {
  1522  		return nil, result.Err
  1523  	} else {
  1524  		users := result.Data.([]*model.User)
  1525  
  1526  		for _, user := range users {
  1527  			a.SanitizeProfile(user, asAdmin)
  1528  		}
  1529  
  1530  		autocomplete.InChannel = users
  1531  	}
  1532  
  1533  	if result := <-nuchan; result.Err != nil {
  1534  		return nil, result.Err
  1535  	} else {
  1536  		users := result.Data.([]*model.User)
  1537  
  1538  		for _, user := range users {
  1539  			a.SanitizeProfile(user, asAdmin)
  1540  		}
  1541  
  1542  		autocomplete.OutOfChannel = users
  1543  	}
  1544  
  1545  	return autocomplete, nil
  1546  }
  1547  
  1548  func (a *App) AutocompleteUsersInTeam(teamId string, term string, searchOptions map[string]bool, asAdmin bool) (*model.UserAutocompleteInTeam, *model.AppError) {
  1549  	autocomplete := &model.UserAutocompleteInTeam{}
  1550  
  1551  	if result := <-a.Srv.Store.User().Search(teamId, term, searchOptions); result.Err != nil {
  1552  		return nil, result.Err
  1553  	} else {
  1554  		users := result.Data.([]*model.User)
  1555  
  1556  		for _, user := range users {
  1557  			a.SanitizeProfile(user, asAdmin)
  1558  		}
  1559  
  1560  		autocomplete.InTeam = users
  1561  	}
  1562  
  1563  	return autocomplete, nil
  1564  }
  1565  
  1566  func (a *App) UpdateOAuthUserAttrs(userData io.Reader, user *model.User, provider einterfaces.OauthProvider, service string) *model.AppError {
  1567  	oauthUser := provider.GetUserFromJson(userData)
  1568  
  1569  	if oauthUser == nil {
  1570  		return model.NewAppError("UpdateOAuthUserAttrs", "api.user.update_oauth_user_attrs.get_user.app_error", map[string]interface{}{"Service": service}, "", http.StatusBadRequest)
  1571  	}
  1572  
  1573  	userAttrsChanged := false
  1574  
  1575  	if oauthUser.Username != user.Username {
  1576  		if existingUser, _ := a.GetUserByUsername(oauthUser.Username); existingUser == nil {
  1577  			user.Username = oauthUser.Username
  1578  			userAttrsChanged = true
  1579  		}
  1580  	}
  1581  
  1582  	if oauthUser.GetFullName() != user.GetFullName() {
  1583  		user.FirstName = oauthUser.FirstName
  1584  		user.LastName = oauthUser.LastName
  1585  		userAttrsChanged = true
  1586  	}
  1587  
  1588  	if oauthUser.Email != user.Email {
  1589  		if existingUser, _ := a.GetUserByEmail(oauthUser.Email); existingUser == nil {
  1590  			user.Email = oauthUser.Email
  1591  			userAttrsChanged = true
  1592  		}
  1593  	}
  1594  
  1595  	if user.DeleteAt > 0 {
  1596  		// Make sure they are not disabled
  1597  		user.DeleteAt = 0
  1598  		userAttrsChanged = true
  1599  	}
  1600  
  1601  	if userAttrsChanged {
  1602  		var result store.StoreResult
  1603  		if result = <-a.Srv.Store.User().Update(user, true); result.Err != nil {
  1604  			return result.Err
  1605  		}
  1606  
  1607  		user = result.Data.([2]*model.User)[0]
  1608  		a.InvalidateCacheForUser(user.Id)
  1609  	}
  1610  
  1611  	return nil
  1612  }