From 742bab6429aeb1b581275da3c06af99fe293baab Mon Sep 17 00:00:00 2001 From: Saturnino Abril Date: Tue, 18 Apr 2017 00:06:33 +0900 Subject: APIv4 PUT /users/{user_id}/active (#6118) --- api4/user.go | 32 ++++++++++++++++++++++++++++++++ api4/user_test.go | 43 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 75 insertions(+) (limited to 'api4')
diff --git a/api4/user.go b/api4/user.go
index 05216ff40..70182c1ab 100644
--- a/api4/user.go
+++ b/api4/user.go
@@ -32,6 +32,7 @@ func InitUser() {
 BaseRoutes.User.Handle("/patch", ApiSessionRequired(patchUser)).Methods("PUT")
 BaseRoutes.User.Handle("", ApiSessionRequired(deleteUser)).Methods("DELETE")
 BaseRoutes.User.Handle("/roles", ApiSessionRequired(updateUserRoles)).Methods("PUT")
+ BaseRoutes.User.Handle("/active", ApiSessionRequired(updateUserActive)).Methods("PUT")
 BaseRoutes.User.Handle("/password", ApiSessionRequired(updatePassword)).Methods("PUT")
 BaseRoutes.Users.Handle("/password/reset", ApiHandler(resetPassword)).Methods("POST")
 BaseRoutes.Users.Handle("/password/reset/send", ApiHandler(sendPasswordReset)).Methods("POST")
@@ -587,6 +588,37 @@ func updateUserRoles(c *Context, w http.ResponseWriter, r *http.Request) {
 ReturnStatusOK(w)
 }
 
+func updateUserActive(c *Context, w http.ResponseWriter, r *http.Request) {
+ c.RequireUserId()
+ if c.Err != nil {
+ return
+ }
+
+ props := model.StringInterfaceFromJson(r.Body)
+
+ active, ok := props["active"].(bool)
+ if !ok {
+ c.SetInvalidParam("active")
+ return
+ }
+
+ // true when you're trying to de-activate yourself
+ isSelfDeactive := !active && c.Params.UserId == c.Session.UserId
+
+ if !isSelfDeactive && !app.SessionHasPermissionTo(c.Session, model.PERMISSION_MANAGE_SYSTEM) {
+ c.Err = model.NewLocAppError("updateUserActive", "api.user.update_active.permissions.app_error", nil, "userId="+c.Params.UserId)
+ c.Err.StatusCode = http.StatusForbidden
+ return
+ }
+
+ if ruser, err := app.UpdateActiveNoLdap(c.Params.UserId, active); err != nil {
+ c.Err = err
+ } else {
+ c.LogAuditWithUserId(ruser.Id, fmt.Sprintf("active=%v", active))
+ ReturnStatusOK(w)
+ }
+}
+
 func checkUserMfa(c *Context, w http.ResponseWriter, r *http.Request) {
 props := model.MapFromJson(r.Body)
 
diff --git a/api4/user_test.go b/api4/user_test.go
index 2ff665c8a..95271984c 100644
--- a/api4/user_test.go
+++ b/api4/user_test.go
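Review bot: The `isSelfDeactive` shortcut lets any authenticated session deactivate its own account with no server-side policy check, and a denied attempt against another user's account leaves no audit trail, since `c.LogAuditWithUserId` is only reached on the success path. If self-service deactivation is intended, replace the one-line comment with one that says so and notes that re-activation always requires `PERMISSION_MANAGE_SYSTEM`; if it is not, gate that branch on a server setting rather than granting it unconditionally. I would also audit the refusal before returning 403, e.g. `c.LogAuditWithUserId(c.Params.UserId, "fail - insufficient permissions")` as the first line inside the permission `if`. Whether `app.UpdateActiveNoLdap` refuses to touch LDAP-managed accounts is not visible here; the handler relies entirely on it for that case, so that contract is worth confirming.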
@@ -850,6 +850,49 @@ func TestUpdateUserRoles(t *testing.T) {
 CheckBadRequestStatus(t, resp)
 }
 
+func TestUpdateUserActive(t *testing.T) {
+ th := Setup().InitBasic().InitSystemAdmin()
+ Client := th.Client
+ SystemAdminClient := th.SystemAdminClient
+ user := th.BasicUser
+
+ pass, resp := Client.UpdateUserActive(user.Id, false)
+ CheckNoError(t, resp)
+
+ if !pass {
+ t.Fatal("should have returned true")
+ }
+
+ pass, resp = Client.UpdateUserActive(user.Id, false)
+ CheckUnauthorizedStatus(t, resp)
+
+ if pass {
+ t.Fatal("should have returned false")
+ }
+
+ th.LoginBasic2()
+
+ _, resp = Client.UpdateUserActive(user.Id, true)
+ CheckForbiddenStatus(t, resp)
+
+ _, resp = Client.UpdateUserActive(GenerateTestId(), true)
+ CheckForbiddenStatus(t, resp)
+
+ _, resp = Client.UpdateUserActive("junk", true)
+ CheckBadRequestStatus(t, resp)
+
+ Client.Logout()
+
+ _, resp = Client.UpdateUserActive(user.Id, true)
+ CheckUnauthorizedStatus(t, resp)
+
+ _, resp = SystemAdminClient.UpdateUserActive(user.Id, true)
+ CheckNoError(t, resp)
+
+ _, resp = SystemAdminClient.UpdateUserActive(user.Id, false)
+ CheckNoError(t, resp)
+}
+
 func TestGetUsers(t *testing.T) {
 th := Setup().InitBasic()
 defer TearDown()
-- cgit v1.2.3-1-g7c22
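Review bot: The test never exercises the branch the permission check exists for, a non-admin deactivating someone other than themselves; after `th.LoginBasic2()` only activation (`true`) is attempted, against `user.Id` and a random id. Add `_, resp = Client.UpdateUserActive(user.Id, false)` followed by `CheckForbiddenStatus(t, resp)` at that point; the handler denies before reaching the store, so the target already being inactive does not change the expected status. `TestUpdateUserActive` also lacks the `defer TearDown()` that `TestGetUsers` below uses, and it ends with the admin deactivating `user` again, so the basic user is left inactive for whatever runs next in the package.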