Implementation of APIv4: POST users/{user_id}/image (#5537)

* APIv4: POST users/{user_id}/image

* removed 'return' and rebased to master

4 files changed, 144 insertions, 3 deletions

diff --git a/api4/user.go b/api4/user.go
index 9fa6568d3..822cd60c4 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -23,6 +23,7 @@ func InitUser() {
 
 	BaseRoutes.User.Handle("", ApiSessionRequired(getUser)).Methods("GET")
 	BaseRoutes.User.Handle("/image", ApiSessionRequired(getProfileImage)).Methods("GET")
+	BaseRoutes.User.Handle("/image", ApiSessionRequired(setProfileImage)).Methods("POST")
 	BaseRoutes.User.Handle("", ApiSessionRequired(updateUser)).Methods("PUT")
 	BaseRoutes.User.Handle("/patch", ApiSessionRequired(patchUser)).Methods("PUT")
 	BaseRoutes.User.Handle("", ApiSessionRequired(deleteUser)).Methods("DELETE")
@@ -197,6 +198,60 @@ func getProfileImage(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+func setProfileImage(c *Context, w http.ResponseWriter, r *http.Request) {
+	c.RequireUserId()
+	if c.Err != nil {
+		return
+	}
+
+	if !app.SessionHasPermissionToUser(c.Session, c.Params.UserId) {
+		c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
+		return
+	}
+
+	if len(utils.Cfg.FileSettings.DriverName) == 0 {
+		c.Err = model.NewLocAppError("uploadProfileImage", "api.user.upload_profile_user.storage.app_error", nil, "")
+		c.Err.StatusCode = http.StatusNotImplemented
+		return
+	}
+
+	if r.ContentLength > *utils.Cfg.FileSettings.MaxFileSize {
+		c.Err = model.NewLocAppError("uploadProfileImage", "api.user.upload_profile_user.too_large.app_error", nil, "")
+		c.Err.StatusCode = http.StatusRequestEntityTooLarge
+		return
+	}
+
+	if err := r.ParseMultipartForm(*utils.Cfg.FileSettings.MaxFileSize); err != nil {
+		c.Err = model.NewLocAppError("uploadProfileImage", "api.user.upload_profile_user.parse.app_error", nil, "")
+		return
+	}
+
+	m := r.MultipartForm
+
+	imageArray, ok := m.File["image"]
+	if !ok {
+		c.Err = model.NewLocAppError("uploadProfileImage", "api.user.upload_profile_user.no_file.app_error", nil, "")
+		c.Err.StatusCode = http.StatusBadRequest
+		return
+	}
+
+	if len(imageArray) <= 0 {
+		c.Err = model.NewLocAppError("uploadProfileImage", "api.user.upload_profile_user.array.app_error", nil, "")
+		c.Err.StatusCode = http.StatusBadRequest
+		return
+	}
+
+	imageData := imageArray[0]
+
+	if err := app.SetProfileImage(c.Session.UserId, imageData); err != nil {
+		c.Err = err
+		return
+	}
+
+	c.LogAudit("")
+	ReturnStatusOK(w)
+}
+
 func getUsers(c *Context, w http.ResponseWriter, r *http.Request) {
 	inTeamId := r.URL.Query().Get("in_team")
 	inChannelId := r.URL.Query().Get("in_channel")
diff --git a/api4/user_test.go b/api4/user_test.go
index 5cdab21f5..c83bc98a9 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -967,15 +967,15 @@ func TestVerify(t *testing.T) {
 
 	ruser, resp := Client.CreateUser(&user)
 
-	hashId := ruser.Id+utils.Cfg.EmailSettings.InviteSalt
+	hashId := ruser.Id + utils.Cfg.EmailSettings.InviteSalt
 	_, resp = Client.VerifyUserEmail(ruser.Id, hashId)
 	CheckNoError(t, resp)
 
-	hashId = ruser.Id+GenerateTestId()
+	hashId = ruser.Id + GenerateTestId()
 	_, resp = Client.VerifyUserEmail(ruser.Id, hashId)
 	CheckBadRequestStatus(t, resp)
 
-    // Comment per request from Joram, he will investigate why it fail with a wrong status
+	// Comment per request from Joram, he will investigate why it fail with a wrong status
 	// hashId = ruser.Id+GenerateTestId()
 	// _, resp = Client.VerifyUserEmail("", hashId)
 	// CheckBadRequestStatus(t, resp)
@@ -983,3 +983,47 @@ func TestVerify(t *testing.T) {
 	_, resp = Client.VerifyUserEmail(ruser.Id, "")
 	CheckBadRequestStatus(t, resp)
 }
+
+func TestSetProfileImage(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer TearDown()
+	Client := th.Client
+	user := th.BasicUser
+
+	data, err := readTestFile("test.png")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ok, resp := Client.SetProfileImage(user.Id, data)
+	if !ok {
+		t.Fatal(resp.Error)
+	}
+	CheckNoError(t, resp)
+
+	ok, resp = Client.SetProfileImage(model.NewId(), data)
+	if ok {
+		t.Fatal("Should return false, set profile image not allowed")
+	}
+	CheckForbiddenStatus(t, resp)
+
+	// status code returns either forbidden or unauthorized
+	// note: forbidden is set as default at Client4.SetProfileImage when request is terminated early by server
+	Client.Logout()
+	_, resp = Client.SetProfileImage(user.Id, data)
+	if resp.StatusCode == http.StatusForbidden {
+		CheckForbiddenStatus(t, resp)
+	} else if resp.StatusCode == http.StatusUnauthorized {
+		CheckUnauthorizedStatus(t, resp)
+	} else {
+		t.Fatal("Should have failed either forbidden or unauthorized")
+	}
+
+	_, resp = th.SystemAdminClient.SetProfileImage(user.Id, data)
+	CheckNoError(t, resp)
+
+	info := &model.FileInfo{Path: "users/" + user.Id + "/profile.png"}
+	if err := cleanupTestFile(info); err != nil {
+		t.Fatal(err)
+	}
+}
diff --git a/i18n/en.json b/i18n/en.json
index 312622ef8..d46812bd8 100644
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -3560,6 +3560,14 @@
     "translation": "We encountered an error while reading the file"
   },
   {
+    "id": "model.client.set_profile_user.no_file.app_error",
+    "translation": "No file under 'image' in request"
+  },
+  {
+    "id": "model.client.set_profile_user.writer.app_error",
+    "translation": "Unable to write request"
+  },
+  {
     "id": "model.command.is_valid.create_at.app_error",
     "translation": "Create at must be a valid time"
   },
diff --git a/model/client4.go b/model/client4.go
index e6c9192b9..0ccb94009 100644
--- a/model/client4.go
+++ b/model/client4.go
@@ -505,6 +505,40 @@ func (c *Client4) VerifyUserEmail(userId, hashId string) (bool, *Response) {
 	}
 }
 
+// SetProfileImage sets profile image of the user
+func (c *Client4) SetProfileImage(userId string, data []byte) (bool, *Response) {
+	body := &bytes.Buffer{}
+	writer := multipart.NewWriter(body)
+
+	if part, err := writer.CreateFormFile("image", "profile.png"); err != nil {
+		return false, &Response{Error: NewAppError("SetProfileImage", "model.client.set_profile_user.no_file.app_error", nil, err.Error(), http.StatusBadRequest)}
+	} else if _, err = io.Copy(part, bytes.NewBuffer(data)); err != nil {
+		return false, &Response{Error: NewAppError("SetProfileImage", "model.client.set_profile_user.no_file.app_error", nil, err.Error(), http.StatusBadRequest)}
+	}
+
+	if err := writer.Close(); err != nil {
+		return false, &Response{Error: NewAppError("SetProfileImage", "model.client.set_profile_user.writer.app_error", nil, err.Error(), http.StatusBadRequest)}
+	}
+
+	rq, _ := http.NewRequest("POST", c.ApiUrl+c.GetUserRoute(userId)+"/image", bytes.NewReader(body.Bytes()))
+	rq.Header.Set("Content-Type", writer.FormDataContentType())
+	rq.Close = true
+
+	if len(c.AuthToken) > 0 {
+		rq.Header.Set(HEADER_AUTH, c.AuthType+" "+c.AuthToken)
+	}
+
+	if rp, err := c.HttpClient.Do(rq); err != nil {
+		// set to http.StatusForbidden(403)
+		return false, &Response{StatusCode: http.StatusForbidden, Error: NewAppError(c.GetUserRoute(userId)+"/image", "model.client.connecting.app_error", nil, err.Error(), 403)}
+	} else if rp.StatusCode >= 300 {
+		return false, &Response{StatusCode: rp.StatusCode, Error: AppErrorFromJson(rp.Body)}
+	} else {
+		defer closeBody(rp)
+		return CheckStatusOK(rp), BuildResponse(rp)
+	}
+}
+
 // Team Section
 
 // CreateTeam creates a team in the system based on the provided team struct.