From 1626a6de6f16ba0878160b0a7eae9f49b8d34d4f Mon Sep 17 00:00:00 2001 From: =Corey Hulen Date: Wed, 23 Sep 2015 12:49:28 -0700 Subject: PLT-349 adding team mgt to admin console --- api/user.go | 74 +++++++++++++++++++++++++++++++++++++++---------------------- 1 file changed, 48 insertions(+), 26 deletions(-) (limited to 'api/user.go') diff --git a/api/user.go b/api/user.go index d61afb027..348475e38 100644 --- a/api/user.go +++ b/api/user.go @@ -51,6 +51,7 @@ func InitUser(r *mux.Router) { sr.Handle("/me", ApiAppHandler(getMe)).Methods("GET") sr.Handle("/status", ApiUserRequiredActivity(getStatuses, false)).Methods("GET") sr.Handle("/profiles", ApiUserRequired(getProfiles)).Methods("GET") + sr.Handle("/profiles/{id:[A-Za-z0-9]+}", ApiUserRequired(getProfiles)).Methods("GET") sr.Handle("/{id:[A-Za-z0-9]+}", ApiUserRequired(getUser)).Methods("GET") sr.Handle("/{id:[A-Za-z0-9]+}/sessions", ApiUserRequired(getSessions)).Methods("GET") sr.Handle("/{id:[A-Za-z0-9]+}/audits", ApiUserRequired(getAudits)).Methods("GET") @@ -553,13 +554,26 @@ func getUser(c *Context, w http.ResponseWriter, r *http.Request) { } func getProfiles(c *Context, w http.ResponseWriter, r *http.Request) { + params := mux.Vars(r) + id, ok := params["id"] + if ok { + // You must be system admin to access another team + if id != c.Session.TeamId { + if !c.HasSystemAdminPermissions("getProfiles") { + return + } + } - etag := (<-Srv.Store.User().GetEtagForProfiles(c.Session.TeamId)).Data.(string) + } else { + id = c.Session.TeamId + } + + etag := (<-Srv.Store.User().GetEtagForProfiles(id)).Data.(string) if HandleEtag(etag, w, r) { return } - if result := <-Srv.Store.User().GetProfiles(c.Session.TeamId); result.Err != nil { + if result := <-Srv.Store.User().GetProfiles(id); result.Err != nil { c.Err = result.Err return } else { @@ -1158,29 +1172,35 @@ func resetPassword(c *Context, w http.ResponseWriter, r *http.Request) { return } - hash := props["hash"] - if len(hash) == 0 { - c.SetInvalidParam("resetPassword", "hash") + name := props["name"] + if len(name) == 0 { + c.SetInvalidParam("resetPassword", "name") return } - data := model.MapFromJson(strings.NewReader(props["data"])) + userId := props["user_id"] + hash := props["hash"] + timeStr := "" - userId := data["user_id"] - if len(userId) != 26 { - c.SetInvalidParam("resetPassword", "data:user_id") - return - } + if !c.IsSystemAdmin() { + if len(hash) == 0 { + c.SetInvalidParam("resetPassword", "hash") + return + } - timeStr := data["time"] - if len(timeStr) == 0 { - c.SetInvalidParam("resetPassword", "data:time") - return + data := model.MapFromJson(strings.NewReader(props["data"])) + + userId = data["user_id"] + + timeStr = data["time"] + if len(timeStr) == 0 { + c.SetInvalidParam("resetPassword", "data:time") + return + } } - name := props["name"] - if len(name) == 0 { - c.SetInvalidParam("resetPassword", "name") + if len(userId) != 26 { + c.SetInvalidParam("resetPassword", "user_id") return } @@ -1208,15 +1228,17 @@ func resetPassword(c *Context, w http.ResponseWriter, r *http.Request) { return } - if !model.ComparePassword(hash, fmt.Sprintf("%v:%v", props["data"], utils.Cfg.EmailSettings.PasswordResetSalt)) { - c.Err = model.NewAppError("resetPassword", "The reset password link does not appear to be valid", "") - return - } + if !c.IsSystemAdmin() { + if !model.ComparePassword(hash, fmt.Sprintf("%v:%v", props["data"], utils.Cfg.EmailSettings.PasswordResetSalt)) { + c.Err = model.NewAppError("resetPassword", "The reset password link does not appear to be valid", "") + return + } - t, err := strconv.ParseInt(timeStr, 10, 64) - if err != nil || model.GetMillis()-t > 1000*60*60 { // one hour - c.Err = model.NewAppError("resetPassword", "The reset link has expired", "") - return + t, err := strconv.ParseInt(timeStr, 10, 64) + if err != nil || model.GetMillis()-t > 1000*60*60 { // one hour + c.Err = model.NewAppError("resetPassword", "The reset link has expired", "") + return + } } if result := <-Srv.Store.User().UpdatePassword(userId, model.HashPassword(newPassword)); result.Err != nil { -- cgit v1.2.3-1-g7c22 From 985aebf86120188c2a14adfab39af7c4da3c1c9d Mon Sep 17 00:00:00 2001 From: =Corey Hulen Date: Wed, 23 Sep 2015 15:16:48 -0700 Subject: Fixing state setting --- api/user.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'api/user.go') diff --git a/api/user.go b/api/user.go index 5be703bfb..2edbde3e2 100644 --- a/api/user.go +++ b/api/user.go @@ -938,8 +938,8 @@ func updateRoles(c *Context, w http.ResponseWriter, r *http.Request) { return } - if model.IsInRole(new_roles, model.ROLE_SYSTEM_ADMIN) { - c.Err = model.NewAppError("updateRoles", "The system_admin role can only be set from the command line", "") + if model.IsInRole(new_roles, model.ROLE_SYSTEM_ADMIN) && !c.IsSystemAdmin() { + c.Err = model.NewAppError("updateRoles", "The system_admin role can only be set by another system admin", "") c.Err.StatusCode = http.StatusForbidden return } -- cgit v1.2.3-1-g7c22 From 00112cae5123b02eee79e8b991618ed5069e07b1 Mon Sep 17 00:00:00 2001 From: =Corey Hulen Date: Wed, 23 Sep 2015 15:52:59 -0700 Subject: Assiging first user system_admin role --- api/user.go | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'api/user.go') diff --git a/api/user.go b/api/user.go index 2edbde3e2..3cce3cdd3 100644 --- a/api/user.go +++ b/api/user.go @@ -167,6 +167,19 @@ func CreateUser(c *Context, team *model.Team, user *model.User) *model.User { if team.Email == user.Email { user.Roles = model.ROLE_TEAM_ADMIN channelRole = model.CHANNEL_ROLE_ADMIN + + // Below is a speical case where the first user in the entire + // system is granted the system_admin role instead of admin + if result := <-Srv.Store.User().GetTotalUsersCount(); result.Err != nil { + c.Err = result.Err + return nil + } else { + count := result.Data.(int64) + if count <= 0 { + user.Roles = model.ROLE_SYSTEM_ADMIN + } + } + } else { user.Roles = "" } -- cgit v1.2.3-1-g7c22