diff options
Diffstat (limited to 'api4/user.go')
| -rw-r--r-- | api4/user.go | 169 |
1 files changed, 169 insertions, 0 deletions
diff --git a/api4/user.go b/api4/user.go new file mode 100644 index 000000000..9d38df1a1 --- /dev/null +++ b/api4/user.go @@ -0,0 +1,169 @@ +// Copyright (c) 2017 Mattermost, Inc. All Rights Reserved. +// See License.txt for license information. + +package api4 + +import ( + "net/http" + + l4g "github.com/alecthomas/log4go" + "github.com/mattermost/platform/app" + "github.com/mattermost/platform/model" + "github.com/mattermost/platform/utils" +) + +func InitUser() { + l4g.Debug(utils.T("api.user.init.debug")) + + BaseRoutes.Users.Handle("", ApiHandler(createUser)).Methods("POST") + BaseRoutes.User.Handle("", ApiSessionRequired(getUser)).Methods("GET") + BaseRoutes.User.Handle("", ApiSessionRequired(updateUser)).Methods("PUT") + + BaseRoutes.Users.Handle("/login", ApiHandler(login)).Methods("POST") + BaseRoutes.Users.Handle("/logout", ApiHandler(logout)).Methods("POST") + +} + +func createUser(c *Context, w http.ResponseWriter, r *http.Request) { + user := model.UserFromJson(r.Body) + if user == nil { + c.SetInvalidParam("user") + return + } + + hash := r.URL.Query().Get("h") + inviteId := r.URL.Query().Get("iid") + + // No permission check required + + var ruser *model.User + var err *model.AppError + if len(hash) > 0 { + ruser, err = app.CreateUserWithHash(user, hash, r.URL.Query().Get("d")) + } else if len(inviteId) > 0 { + ruser, err = app.CreateUserWithInviteId(user, inviteId, c.GetSiteURL()) + } else { + ruser, err = app.CreateUserFromSignup(user, c.GetSiteURL()) + } + + if err != nil { + c.Err = err + return + } + + w.WriteHeader(http.StatusCreated) + w.Write([]byte(ruser.ToJson())) +} + +func getUser(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireUserId() + if c.Err != nil { + return + } + + // No permission check required + + var user *model.User + var err *model.AppError + + if user, err = app.GetUser(c.Params.UserId); err != nil { + c.Err = err + return + } + + etag := user.Etag(utils.Cfg.PrivacySettings.ShowFullName, utils.Cfg.PrivacySettings.ShowEmailAddress) + + if HandleEtag(etag, "Get User", w, r) { + return + } else { + app.SanitizeProfile(user, c.IsSystemAdmin()) + w.Header().Set(model.HEADER_ETAG_SERVER, etag) + w.Write([]byte(user.ToJson())) + return + } +} + +func updateUser(c *Context, w http.ResponseWriter, r *http.Request) { + c.RequireUserId() + if c.Err != nil { + return + } + + user := model.UserFromJson(r.Body) + if user == nil { + c.SetInvalidParam("user") + return + } + + if !app.SessionHasPermissionToUser(c.Session, user.Id) { + c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS) + return + } + + if ruser, err := app.UpdateUserAsUser(user, c.GetSiteURL(), c.IsSystemAdmin()); err != nil { + c.Err = err + return + } else { + c.LogAudit("") + w.Write([]byte(ruser.ToJson())) + } +} + +func login(c *Context, w http.ResponseWriter, r *http.Request) { + props := model.MapFromJson(r.Body) + + id := props["id"] + loginId := props["login_id"] + password := props["password"] + mfaToken := props["token"] + deviceId := props["device_id"] + ldapOnly := props["ldap_only"] == "true" + + c.LogAuditWithUserId(id, "attempt - login_id="+loginId) + user, err := app.AuthenticateUserForLogin(id, loginId, password, mfaToken, deviceId, ldapOnly) + if err != nil { + c.LogAuditWithUserId(id, "failure - login_id="+loginId) + c.Err = err + return + } + + c.LogAuditWithUserId(user.Id, "authenticated") + + var session *model.Session + session, err = app.DoLogin(w, r, user, deviceId) + if err != nil { + c.Err = err + return + } + + c.LogAuditWithUserId(user.Id, "success") + + c.Session = *session + + user.Sanitize(map[string]bool{}) + + w.Write([]byte(user.ToJson())) +} + +func logout(c *Context, w http.ResponseWriter, r *http.Request) { + data := make(map[string]string) + data["user_id"] = c.Session.UserId + + Logout(c, w, r) + if c.Err == nil { + w.Write([]byte(model.MapToJson(data))) + } +} + +func Logout(c *Context, w http.ResponseWriter, r *http.Request) { + c.LogAudit("") + c.RemoveSessionCookie(w, r) + if c.Session.Id != "" { + if err := app.RevokeSessionById(c.Session.Id); err != nil { + c.Err = err + return + } + } + + ReturnStatusOK(w) +} |