Spaces:

Leon4gr45
/

kanban

Sleeping

App Files Files Community

kanban / server /api /users.go

Leon4gr45

Upload folder using huggingface_hub

13555f3 verified about 2 months ago

raw

history blame contribute delete

10.3 kB

	package api

	import (
	"encoding/json"
	"io"
	"net/http"

	"github.com/gorilla/mux"
	"github.com/mattermost/focalboard/server/model"
	"github.com/mattermost/focalboard/server/services/audit"
	"github.com/mattermost/focalboard/server/utils"
	)

	func (a API) registerUsersRoutes(r mux.Router) {
	// Users APIs
	r.HandleFunc("/users", a.sessionRequired(a.handleGetUsersList)).Methods("POST")
	r.HandleFunc("/users/me", a.sessionRequired(a.handleGetMe)).Methods("GET")
	r.HandleFunc("/users/me/memberships", a.sessionRequired(a.handleGetMyMemberships)).Methods("GET")
	r.HandleFunc("/users/{userID}", a.sessionRequired(a.handleGetUser)).Methods("GET")
	r.HandleFunc("/users/{userID}/config", a.sessionRequired(a.handleUpdateUserConfig)).Methods(http.MethodPut)
	r.HandleFunc("/users/me/config", a.sessionRequired(a.handleGetUserPreferences)).Methods(http.MethodGet)
	}

	func (a API) handleGetUsersList(w http.ResponseWriter, r http.Request) {
	// swagger:operation POST /users getUsersList
	//
	// Returns a user[]
	//
	// ---
	// produces:
	// - application/json
	// parameters:
	// - name: userID
	// in: path
	// description: User ID
	// required: true
	// type: string
	// security:
	// - BearerAuth: []
	// responses:
	// '200':
	// description: success
	// schema:
	// "$ref": "#/definitions/User"
	// default:
	// description: internal error
	// schema:
	// "$ref": "#/definitions/ErrorResponse"

	requestBody, err := io.ReadAll(r.Body)
	if err != nil {
	a.errorResponse(w, r, err)
	return
	}

	var userIDs []string
	if err = json.Unmarshal(requestBody, &userIDs); err != nil {
	a.errorResponse(w, r, err)
	return
	}

	auditRec := a.makeAuditRecord(r, "getUsersList", audit.Fail)
	defer a.audit.LogRecord(audit.LevelAuth, auditRec)

	var users []*model.User
	var error error

	if len(userIDs) == 0 {
	a.errorResponse(w, r, model.NewErrBadRequest("User IDs are empty"))
	return
	}

	if userIDs[0] == model.SingleUser {
	ws, _ := a.app.GetRootTeam()
	now := utils.GetMillis()
	user := &model.User{
	ID: model.SingleUser,
	Username: model.SingleUser,
	Email: model.SingleUser,
	CreateAt: ws.UpdateAt,
	UpdateAt: now,
	}
	users = append(users, user)
	} else {
	users, error = a.app.GetUsersList(userIDs)
	if error != nil {
	a.errorResponse(w, r, error)
	return
	}
	}

	ctx := r.Context()
	session := ctx.Value(sessionContextKey).(*model.Session)
	isSystemAdmin := a.permissions.HasPermissionTo(session.UserID, model.PermissionManageSystem)

	sanitizedUsers := make([]*model.User, 0)
	for _, user := range users {
	canSeeUser, err2 := a.app.CanSeeUser(session.UserID, user.ID)
	if err2 != nil {
	a.errorResponse(w, r, err2)
	return
	}
	if !canSeeUser {
	continue
	}
	if user.ID == session.UserID {
	user.Sanitize(map[string]bool{})
	} else {
	a.app.SanitizeProfile(user, isSystemAdmin)
	}
	sanitizedUsers = append(sanitizedUsers, user)
	}

	usersList, err := json.Marshal(sanitizedUsers)
	if err != nil {
	a.errorResponse(w, r, err)
	return
	}

	jsonStringResponse(w, http.StatusOK, string(usersList))
	auditRec.Success()
	}

	func (a API) handleGetMe(w http.ResponseWriter, r http.Request) {
	// swagger:operation GET /users/me getMe
	//
	// Returns the currently logged-in user
	//
	// ---
	// produces:
	// - application/json
	// parameters:
	// - name: teamID
	// in: path
	// description: Team ID
	// required: false
	// type: string
	// - name: channelID
	// in: path
	// description: Channel ID
	// required: false
	// type: string
	// security:
	// - BearerAuth: []
	// responses:
	// '200':
	// description: success
	// schema:
	// "$ref": "#/definitions/User"
	// default:
	// description: internal error
	// schema:
	// "$ref": "#/definitions/ErrorResponse"
	query := r.URL.Query()
	teamID := query.Get("teamID")
	channelID := query.Get("channelID")

	userID := getUserID(r)

	var user *model.User
	var err error

	auditRec := a.makeAuditRecord(r, "getMe", audit.Fail)
	defer a.audit.LogRecord(audit.LevelRead, auditRec)

	if userID == model.SingleUser {
	ws, _ := a.app.GetRootTeam()
	now := utils.GetMillis()
	user = &model.User{
	ID: model.SingleUser,
	Username: model.SingleUser,
	Email: model.SingleUser,
	CreateAt: ws.UpdateAt,
	UpdateAt: now,
	}
	} else {
	user, err = a.app.GetUser(userID)
	if err != nil {
	// ToDo: wrap with an invalid token error
	a.errorResponse(w, r, err)
	return
	}
	}

	if teamID != "" && a.permissions.HasPermissionToTeam(userID, teamID, model.PermissionManageTeam) {
	user.Permissions = append(user.Permissions, model.PermissionManageTeam.Id)
	}
	if a.permissions.HasPermissionTo(userID, model.PermissionManageSystem) {
	user.Permissions = append(user.Permissions, model.PermissionManageSystem.Id)
	}
	if channelID != "" && a.permissions.HasPermissionToChannel(userID, channelID, model.PermissionCreatePost) {
	user.Permissions = append(user.Permissions, model.PermissionCreatePost.Id)
	}

	user.Sanitize(map[string]bool{})
	userData, err := json.Marshal(user)
	if err != nil {
	a.errorResponse(w, r, err)
	return
	}
	jsonBytesResponse(w, http.StatusOK, userData)

	auditRec.AddMeta("userID", user.ID)
	auditRec.Success()
	}

	func (a API) handleGetMyMemberships(w http.ResponseWriter, r http.Request) {
	// swagger:operation GET /users/me/memberships getMyMemberships
	//
	// Returns the currently users board memberships
	//
	// ---
	// produces:
	// - application/json
	// security:
	// - BearerAuth: []
	// responses:
	// '200':
	// description: success
	// schema:
	// type: array
	// items:
	// "$ref": "#/definitions/BoardMember"
	// default:
	// description: internal error
	// schema:
	// "$ref": "#/definitions/ErrorResponse"

	userID := getUserID(r)

	auditRec := a.makeAuditRecord(r, "getMyBoardMemberships", audit.Fail)
	auditRec.AddMeta("userID", userID)
	defer a.audit.LogRecord(audit.LevelRead, auditRec)

	members, err := a.app.GetMembersForUser(userID)
	if err != nil {
	a.errorResponse(w, r, err)
	return
	}

	membersData, err := json.Marshal(members)
	if err != nil {
	a.errorResponse(w, r, err)
	return
	}

	jsonBytesResponse(w, http.StatusOK, membersData)

	auditRec.Success()
	}

	func (a API) handleGetUser(w http.ResponseWriter, r http.Request) {
	// swagger:operation GET /users/{userID} getUser
	//
	// Returns a user
	//
	// ---
	// produces:
	// - application/json
	// parameters:
	// - name: userID
	// in: path
	// description: User ID
	// required: true
	// type: string
	// security:
	// - BearerAuth: []
	// responses:
	// '200':
	// description: success
	// schema:
	// "$ref": "#/definitions/User"
	// default:
	// description: internal error
	// schema:
	// "$ref": "#/definitions/ErrorResponse"

	vars := mux.Vars(r)
	userID := vars["userID"]

	auditRec := a.makeAuditRecord(r, "postBlocks", audit.Fail)
	defer a.audit.LogRecord(audit.LevelRead, auditRec)
	auditRec.AddMeta("userID", userID)

	user, err := a.app.GetUser(userID)
	if err != nil {
	a.errorResponse(w, r, err)
	return
	}

	ctx := r.Context()
	session := ctx.Value(sessionContextKey).(*model.Session)

	canSeeUser, err := a.app.CanSeeUser(session.UserID, userID)
	if err != nil {
	a.errorResponse(w, r, err)
	return
	}
	if !canSeeUser {
	a.errorResponse(w, r, model.NewErrNotFound("user ID="+userID))
	return
	}

	if userID == session.UserID {
	user.Sanitize(map[string]bool{})
	} else {
	a.app.SanitizeProfile(user, a.permissions.HasPermissionTo(session.UserID, model.PermissionManageSystem))
	}

	userData, err := json.Marshal(user)
	if err != nil {
	a.errorResponse(w, r, err)
	return
	}

	jsonBytesResponse(w, http.StatusOK, userData)
	auditRec.Success()
	}

	func (a API) handleUpdateUserConfig(w http.ResponseWriter, r http.Request) {
	// swagger:operation PATCH /users/{userID}/config updateUserConfig
	//
	// Updates user config
	//
	// ---
	// produces:
	// - application/json
	// parameters:
	// - name: userID
	// in: path
	// description: User ID
	// required: true
	// type: string
	// - name: Body
	// in: body
	// description: User config patch to apply
	// required: true
	// schema:
	// "$ref": "#/definitions/UserPreferencesPatch"
	// security:
	// - BearerAuth: []
	// responses:
	// '200':
	// description: success
	// default:
	// description: internal error
	// schema:
	// "$ref": "#/definitions/ErrorResponse"

	requestBody, err := io.ReadAll(r.Body)
	if err != nil {
	a.errorResponse(w, r, err)
	return
	}

	var patch *model.UserPreferencesPatch
	err = json.Unmarshal(requestBody, &patch)
	if err != nil {
	a.errorResponse(w, r, err)
	return
	}

	vars := mux.Vars(r)
	userID := vars["userID"]

	ctx := r.Context()
	session := ctx.Value(sessionContextKey).(*model.Session)

	auditRec := a.makeAuditRecord(r, "updateUserConfig", audit.Fail)
	defer a.audit.LogRecord(audit.LevelModify, auditRec)

	// a user can update only own config
	if userID != session.UserID {
	a.errorResponse(w, r, model.NewErrForbidden(""))
	return
	}

	updatedConfig, err := a.app.UpdateUserConfig(userID, *patch)
	if err != nil {
	a.errorResponse(w, r, err)
	return
	}

	data, err := json.Marshal(updatedConfig)
	if err != nil {
	a.errorResponse(w, r, err)
	return
	}

	jsonBytesResponse(w, http.StatusOK, data)
	auditRec.Success()
	}

	func (a API) handleGetUserPreferences(w http.ResponseWriter, r http.Request) {
	// swagger:operation GET /users/me/config getUserConfig
	//
	// Returns an array of user preferences
	//
	// ---
	// produces:
	// - application/json
	// security:
	// - BearerAuth: []
	// responses:
	// '200':
	// description: success
	// schema:
	// "$ref": "#/definitions/Preferences"
	// default:
	// description: internal error
	// schema:
	// "$ref": "#/definitions/ErrorResponse"

	userID := getUserID(r)

	auditRec := a.makeAuditRecord(r, "getUserConfig", audit.Fail)
	defer a.audit.LogRecord(audit.LevelRead, auditRec)

	preferences, err := a.app.GetUserPreferences(userID)
	if err != nil {
	a.errorResponse(w, r, err)
	return
	}

	data, err := json.Marshal(preferences)
	if err != nil {
	a.errorResponse(w, r, err)
	return
	}

	jsonBytesResponse(w, http.StatusOK, data)
	auditRec.Success()
	}