summaryrefslogtreecommitdiffstats
path: root/api/user.go
diff options
context:
space:
mode:
Diffstat (limited to 'api/user.go')
-rw-r--r--api/user.go166
1 files changed, 99 insertions, 67 deletions
diff --git a/api/user.go b/api/user.go
index 727accd1f..0a54b6a5d 100644
--- a/api/user.go
+++ b/api/user.go
@@ -5,10 +5,10 @@ package api
import (
"bytes"
- "code.google.com/p/freetype-go/freetype"
l4g "code.google.com/p/log4go"
b64 "encoding/base64"
"fmt"
+ "github.com/golang/freetype"
"github.com/gorilla/mux"
"github.com/mattermost/platform/model"
"github.com/mattermost/platform/store"
@@ -170,7 +170,7 @@ func CreateUser(c *Context, team *model.Team, user *model.User) *model.User {
channelRole := ""
if team.Email == user.Email {
- user.Roles = model.ROLE_ADMIN
+ user.Roles = model.ROLE_TEAM_ADMIN
channelRole = model.CHANNEL_ROLE_ADMIN
} else {
user.Roles = ""
@@ -216,8 +216,10 @@ func CreateUser(c *Context, team *model.Team, user *model.User) *model.User {
func fireAndForgetWelcomeEmail(name, email, teamDisplayName, link, siteURL string) {
go func() {
- subjectPage := NewServerTemplatePage("welcome_subject", siteURL)
- bodyPage := NewServerTemplatePage("welcome_body", siteURL)
+ subjectPage := NewServerTemplatePage("welcome_subject")
+ subjectPage.Props["SiteURL"] = siteURL
+ bodyPage := NewServerTemplatePage("welcome_body")
+ bodyPage.Props["SiteURL"] = siteURL
bodyPage.Props["Nickname"] = name
bodyPage.Props["TeamDisplayName"] = teamDisplayName
bodyPage.Props["FeedbackName"] = utils.Cfg.EmailSettings.FeedbackName
@@ -235,9 +237,11 @@ func FireAndForgetVerifyEmail(userId, userEmail, teamName, teamDisplayName, site
link := fmt.Sprintf("%s/verify_email?uid=%s&hid=%s&teamname=%s&email=%s", siteURL, userId, model.HashPassword(userId), teamName, userEmail)
- subjectPage := NewServerTemplatePage("verify_subject", siteURL)
+ subjectPage := NewServerTemplatePage("verify_subject")
+ subjectPage.Props["SiteURL"] = siteURL
subjectPage.Props["TeamDisplayName"] = teamDisplayName
- bodyPage := NewServerTemplatePage("verify_body", siteURL)
+ bodyPage := NewServerTemplatePage("verify_body")
+ bodyPage.Props["SiteURL"] = siteURL
bodyPage.Props["TeamDisplayName"] = teamDisplayName
bodyPage.Props["VerifyUrl"] = link
@@ -332,7 +336,7 @@ func Login(c *Context, w http.ResponseWriter, r *http.Request, user *model.User,
return
}
- session := &model.Session{UserId: user.Id, TeamId: user.TeamId, Roles: user.Roles, DeviceId: deviceId}
+ session := &model.Session{UserId: user.Id, TeamId: user.TeamId, Roles: user.Roles, DeviceId: deviceId, IsOAuth: false}
maxAge := model.SESSION_TIME_WEB_IN_SECS
@@ -374,13 +378,13 @@ func Login(c *Context, w http.ResponseWriter, r *http.Request, user *model.User,
return
} else {
session = result.Data.(*model.Session)
- sessionCache.Add(session.Id, session)
+ AddSessionToCache(session)
}
- w.Header().Set(model.HEADER_TOKEN, session.Id)
+ w.Header().Set(model.HEADER_TOKEN, session.Token)
sessionCookie := &http.Cookie{
Name: model.SESSION_TOKEN,
- Value: session.Id,
+ Value: session.Token,
Path: "/",
MaxAge: maxAge,
HttpOnly: true,
@@ -426,25 +430,27 @@ func login(c *Context, w http.ResponseWriter, r *http.Request) {
func revokeSession(c *Context, w http.ResponseWriter, r *http.Request) {
props := model.MapFromJson(r.Body)
- altId := props["id"]
+ id := props["id"]
- if result := <-Srv.Store.Session().GetSessions(c.Session.UserId); result.Err != nil {
+ if result := <-Srv.Store.Session().Get(id); result.Err != nil {
c.Err = result.Err
return
} else {
- sessions := result.Data.([]*model.Session)
+ session := result.Data.(*model.Session)
- for _, session := range sessions {
- if session.AltId == altId {
- c.LogAudit("session_id=" + session.AltId)
- sessionCache.Remove(session.Id)
- if result := <-Srv.Store.Session().Remove(session.Id); result.Err != nil {
- c.Err = result.Err
- return
- } else {
- w.Write([]byte(model.MapToJson(props)))
- return
- }
+ c.LogAudit("session_id=" + session.Id)
+
+ if session.IsOAuth {
+ RevokeAccessToken(session.Token)
+ } else {
+ sessionCache.Remove(session.Token)
+
+ if result := <-Srv.Store.Session().Remove(session.Id); result.Err != nil {
+ c.Err = result.Err
+ return
+ } else {
+ w.Write([]byte(model.MapToJson(props)))
+ return
}
}
}
@@ -458,8 +464,8 @@ func RevokeAllSession(c *Context, userId string) {
sessions := result.Data.([]*model.Session)
for _, session := range sessions {
- c.LogAuditWithUserId(userId, "session_id="+session.AltId)
- sessionCache.Remove(session.Id)
+ c.LogAuditWithUserId(userId, "session_id="+session.Id)
+ sessionCache.Remove(session.Token)
if result := <-Srv.Store.Session().Remove(session.Id); result.Err != nil {
c.Err = result.Err
return
@@ -922,7 +928,16 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
}
new_roles := props["new_roles"]
- // no check since we allow the clearing of Roles
+ if !model.IsValidRoles(new_roles) {
+ c.SetInvalidParam("updateRoles", "new_roles")
+ return
+ }
+
+ if model.IsInRole(new_roles, model.ROLE_SYSTEM_ADMIN) {
+ c.Err = model.NewAppError("updateRoles", "The system_admin role can only be set from the command line", "")
+ c.Err.StatusCode = http.StatusForbidden
+ return
+ }
var user *model.User
if result := <-Srv.Store.User().Get(user_id); result.Err != nil {
@@ -936,43 +951,15 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !strings.Contains(c.Session.Roles, model.ROLE_ADMIN) && !c.IsSystemAdmin() {
+ if !model.IsInRole(c.Session.Roles, model.ROLE_TEAM_ADMIN) && !c.IsSystemAdmin() {
c.Err = model.NewAppError("updateRoles", "You do not have the appropriate permissions", "userId="+user_id)
c.Err.StatusCode = http.StatusForbidden
return
}
- // make sure there is at least 1 other active admin
- if strings.Contains(user.Roles, model.ROLE_ADMIN) && !strings.Contains(new_roles, model.ROLE_ADMIN) {
- if result := <-Srv.Store.User().GetProfiles(user.TeamId); result.Err != nil {
- c.Err = result.Err
- return
- } else {
- activeAdmins := -1
- profileUsers := result.Data.(map[string]*model.User)
- for _, profileUser := range profileUsers {
- if profileUser.DeleteAt == 0 && strings.Contains(profileUser.Roles, model.ROLE_ADMIN) {
- activeAdmins = activeAdmins + 1
- }
- }
-
- if activeAdmins <= 0 {
- c.Err = model.NewAppError("updateRoles", "There must be at least one active admin", "userId="+user_id)
- return
- }
- }
- }
-
- user.Roles = new_roles
-
- var ruser *model.User
- if result := <-Srv.Store.User().Update(user, true); result.Err != nil {
- c.Err = result.Err
+ ruser := UpdateRoles(c, user, new_roles)
+ if c.Err != nil {
return
- } else {
- c.LogAuditWithUserId(user.Id, "roles="+new_roles)
-
- ruser = result.Data.([2]*model.User)[0]
}
uchan := Srv.Store.Session().UpdateRoles(user.Id, new_roles)
@@ -999,6 +986,45 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) {
w.Write([]byte(ruser.ToJson()))
}
+func UpdateRoles(c *Context, user *model.User, roles string) *model.User {
+ // make sure there is at least 1 other active admin
+
+ if !model.IsInRole(roles, model.ROLE_SYSTEM_ADMIN) {
+ if model.IsInRole(user.Roles, model.ROLE_TEAM_ADMIN) && !model.IsInRole(roles, model.ROLE_TEAM_ADMIN) {
+ if result := <-Srv.Store.User().GetProfiles(user.TeamId); result.Err != nil {
+ c.Err = result.Err
+ return nil
+ } else {
+ activeAdmins := -1
+ profileUsers := result.Data.(map[string]*model.User)
+ for _, profileUser := range profileUsers {
+ if profileUser.DeleteAt == 0 && model.IsInRole(profileUser.Roles, model.ROLE_TEAM_ADMIN) {
+ activeAdmins = activeAdmins + 1
+ }
+ }
+
+ if activeAdmins <= 0 {
+ c.Err = model.NewAppError("updateRoles", "There must be at least one active admin", "")
+ return nil
+ }
+ }
+ }
+ }
+
+ user.Roles = roles
+
+ var ruser *model.User
+ if result := <-Srv.Store.User().Update(user, true); result.Err != nil {
+ c.Err = result.Err
+ return nil
+ } else {
+ c.LogAuditWithUserId(user.Id, "roles="+roles)
+ ruser = result.Data.([2]*model.User)[0]
+ }
+
+ return ruser
+}
+
func updateActive(c *Context, w http.ResponseWriter, r *http.Request) {
props := model.MapFromJson(r.Body)
@@ -1022,14 +1048,14 @@ func updateActive(c *Context, w http.ResponseWriter, r *http.Request) {
return
}
- if !strings.Contains(c.Session.Roles, model.ROLE_ADMIN) && !c.IsSystemAdmin() {
+ if !model.IsInRole(c.Session.Roles, model.ROLE_TEAM_ADMIN) && !c.IsSystemAdmin() {
c.Err = model.NewAppError("updateActive", "You do not have the appropriate permissions", "userId="+user_id)
c.Err.StatusCode = http.StatusForbidden
return
}
// make sure there is at least 1 other active admin
- if !active && strings.Contains(user.Roles, model.ROLE_ADMIN) {
+ if !active && model.IsInRole(user.Roles, model.ROLE_TEAM_ADMIN) {
if result := <-Srv.Store.User().GetProfiles(user.TeamId); result.Err != nil {
c.Err = result.Err
return
@@ -1037,7 +1063,7 @@ func updateActive(c *Context, w http.ResponseWriter, r *http.Request) {
activeAdmins := -1
profileUsers := result.Data.(map[string]*model.User)
for _, profileUser := range profileUsers {
- if profileUser.DeleteAt == 0 && strings.Contains(profileUser.Roles, model.ROLE_ADMIN) {
+ if profileUser.DeleteAt == 0 && model.IsInRole(profileUser.Roles, model.ROLE_TEAM_ADMIN) {
activeAdmins = activeAdmins + 1
}
}
@@ -1113,8 +1139,10 @@ func sendPasswordReset(c *Context, w http.ResponseWriter, r *http.Request) {
link := fmt.Sprintf("%s/reset_password?d=%s&h=%s", c.GetTeamURLFromTeam(team), url.QueryEscape(data), url.QueryEscape(hash))
- subjectPage := NewServerTemplatePage("reset_subject", c.GetSiteURL())
- bodyPage := NewServerTemplatePage("reset_body", c.GetSiteURL())
+ subjectPage := NewServerTemplatePage("reset_subject")
+ subjectPage.Props["SiteURL"] = c.GetSiteURL()
+ bodyPage := NewServerTemplatePage("reset_body")
+ bodyPage.Props["SiteURL"] = c.GetSiteURL()
bodyPage.Props["ResetUrl"] = link
if err := utils.SendMail(email, subjectPage.Render(), bodyPage.Render()); err != nil {
@@ -1213,9 +1241,11 @@ func resetPassword(c *Context, w http.ResponseWriter, r *http.Request) {
func fireAndForgetPasswordChangeEmail(email, teamDisplayName, teamURL, siteURL, method string) {
go func() {
- subjectPage := NewServerTemplatePage("password_change_subject", siteURL)
+ subjectPage := NewServerTemplatePage("password_change_subject")
+ subjectPage.Props["SiteURL"] = siteURL
subjectPage.Props["TeamDisplayName"] = teamDisplayName
- bodyPage := NewServerTemplatePage("password_change_body", siteURL)
+ bodyPage := NewServerTemplatePage("password_change_body")
+ bodyPage.Props["SiteURL"] = siteURL
bodyPage.Props["TeamDisplayName"] = teamDisplayName
bodyPage.Props["TeamURL"] = teamURL
bodyPage.Props["Method"] = method
@@ -1230,9 +1260,11 @@ func fireAndForgetPasswordChangeEmail(email, teamDisplayName, teamURL, siteURL,
func fireAndForgetEmailChangeEmail(email, teamDisplayName, teamURL, siteURL string) {
go func() {
- subjectPage := NewServerTemplatePage("email_change_subject", siteURL)
+ subjectPage := NewServerTemplatePage("email_change_subject")
+ subjectPage.Props["SiteURL"] = siteURL
subjectPage.Props["TeamDisplayName"] = teamDisplayName
- bodyPage := NewServerTemplatePage("email_change_body", siteURL)
+ bodyPage := NewServerTemplatePage("email_change_body")
+ bodyPage.Props["SiteURL"] = siteURL
bodyPage.Props["TeamDisplayName"] = teamDisplayName
bodyPage.Props["TeamURL"] = teamURL
generated by cgit v1.2.3-1-g7c22 (git 2.25.1) at 2024-07-12 22:02:55 +0000