From 66c5f7a31c5d0f26d394b94747c17ee55e5d5ce4 Mon Sep 17 00:00:00 2001
From: Saturnino Abril <saturnino.abril@gmail.com>
Date: Tue, 28 Feb 2017 22:11:56 +0900
Subject: Implementation of APIv4: POST users/{user_id}/image (#5537)

* APIv4: POST users/{user_id}/image

* removed 'return' and rebased to master
---
 api4/user.go      | 55 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 api4/user_test.go | 50 +++++++++++++++++++++++++++++++++++++++++++++++---
 2 files changed, 102 insertions(+), 3 deletions(-)

(limited to 'api4')

diff --git a/api4/user.go b/api4/user.go
index 9fa6568d3..822cd60c4 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -23,6 +23,7 @@ func InitUser() {
 
 	BaseRoutes.User.Handle("", ApiSessionRequired(getUser)).Methods("GET")
 	BaseRoutes.User.Handle("/image", ApiSessionRequired(getProfileImage)).Methods("GET")
+	BaseRoutes.User.Handle("/image", ApiSessionRequired(setProfileImage)).Methods("POST")
 	BaseRoutes.User.Handle("", ApiSessionRequired(updateUser)).Methods("PUT")
 	BaseRoutes.User.Handle("/patch", ApiSessionRequired(patchUser)).Methods("PUT")
 	BaseRoutes.User.Handle("", ApiSessionRequired(deleteUser)).Methods("DELETE")
@@ -197,6 +198,60 @@ func getProfileImage(c *Context, w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+func setProfileImage(c *Context, w http.ResponseWriter, r *http.Request) {
+	c.RequireUserId()
+	if c.Err != nil {
+		return
+	}
+
+	if !app.SessionHasPermissionToUser(c.Session, c.Params.UserId) {
+		c.SetPermissionError(model.PERMISSION_EDIT_OTHER_USERS)
+		return
+	}
+
+	if len(utils.Cfg.FileSettings.DriverName) == 0 {
+		c.Err = model.NewLocAppError("uploadProfileImage", "api.user.upload_profile_user.storage.app_error", nil, "")
+		c.Err.StatusCode = http.StatusNotImplemented
+		return
+	}
+
+	if r.ContentLength > *utils.Cfg.FileSettings.MaxFileSize {
+		c.Err = model.NewLocAppError("uploadProfileImage", "api.user.upload_profile_user.too_large.app_error", nil, "")
+		c.Err.StatusCode = http.StatusRequestEntityTooLarge
+		return
+	}
+
+	if err := r.ParseMultipartForm(*utils.Cfg.FileSettings.MaxFileSize); err != nil {
+		c.Err = model.NewLocAppError("uploadProfileImage", "api.user.upload_profile_user.parse.app_error", nil, "")
+		return
+	}
+
+	m := r.MultipartForm
+
+	imageArray, ok := m.File["image"]
+	if !ok {
+		c.Err = model.NewLocAppError("uploadProfileImage", "api.user.upload_profile_user.no_file.app_error", nil, "")
+		c.Err.StatusCode = http.StatusBadRequest
+		return
+	}
+
+	if len(imageArray) <= 0 {
+		c.Err = model.NewLocAppError("uploadProfileImage", "api.user.upload_profile_user.array.app_error", nil, "")
+		c.Err.StatusCode = http.StatusBadRequest
+		return
+	}
+
+	imageData := imageArray[0]
+
+	if err := app.SetProfileImage(c.Session.UserId, imageData); err != nil {
+		c.Err = err
+		return
+	}
+
+	c.LogAudit("")
+	ReturnStatusOK(w)
+}
+
 func getUsers(c *Context, w http.ResponseWriter, r *http.Request) {
 	inTeamId := r.URL.Query().Get("in_team")
 	inChannelId := r.URL.Query().Get("in_channel")
diff --git a/api4/user_test.go b/api4/user_test.go
index 5cdab21f5..c83bc98a9 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
@@ -967,15 +967,15 @@ func TestVerify(t *testing.T) {
 
 	ruser, resp := Client.CreateUser(&user)
 
-	hashId := ruser.Id+utils.Cfg.EmailSettings.InviteSalt
+	hashId := ruser.Id + utils.Cfg.EmailSettings.InviteSalt
 	_, resp = Client.VerifyUserEmail(ruser.Id, hashId)
 	CheckNoError(t, resp)
 
-	hashId = ruser.Id+GenerateTestId()
+	hashId = ruser.Id + GenerateTestId()
 	_, resp = Client.VerifyUserEmail(ruser.Id, hashId)
 	CheckBadRequestStatus(t, resp)
 
-    // Comment per request from Joram, he will investigate why it fail with a wrong status
+	// Comment per request from Joram, he will investigate why it fail with a wrong status
 	// hashId = ruser.Id+GenerateTestId()
 	// _, resp = Client.VerifyUserEmail("", hashId)
 	// CheckBadRequestStatus(t, resp)
@@ -983,3 +983,47 @@ func TestVerify(t *testing.T) {
 	_, resp = Client.VerifyUserEmail(ruser.Id, "")
 	CheckBadRequestStatus(t, resp)
 }
+
+func TestSetProfileImage(t *testing.T) {
+	th := Setup().InitBasic().InitSystemAdmin()
+	defer TearDown()
+	Client := th.Client
+	user := th.BasicUser
+
+	data, err := readTestFile("test.png")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ok, resp := Client.SetProfileImage(user.Id, data)
+	if !ok {
+		t.Fatal(resp.Error)
+	}
+	CheckNoError(t, resp)
+
+	ok, resp = Client.SetProfileImage(model.NewId(), data)
+	if ok {
+		t.Fatal("Should return false, set profile image not allowed")
+	}
+	CheckForbiddenStatus(t, resp)
+
+	// status code returns either forbidden or unauthorized
+	// note: forbidden is set as default at Client4.SetProfileImage when request is terminated early by server
+	Client.Logout()
+	_, resp = Client.SetProfileImage(user.Id, data)
+	if resp.StatusCode == http.StatusForbidden {
+		CheckForbiddenStatus(t, resp)
+	} else if resp.StatusCode == http.StatusUnauthorized {
+		CheckUnauthorizedStatus(t, resp)
+	} else {
+		t.Fatal("Should have failed either forbidden or unauthorized")
+	}
+
+	_, resp = th.SystemAdminClient.SetProfileImage(user.Id, data)
+	CheckNoError(t, resp)
+
+	info := &model.FileInfo{Path: "users/" + user.Id + "/profile.png"}
+	if err := cleanupTestFile(info); err != nil {
+		t.Fatal(err)
+	}
+}
-- 
cgit v1.2.3-1-g7c22