tulip/server/manage-users.go

178 lines
4.7 KiB
Go
Raw Normal View History

package server
import (
"errors"
"github.com/1f349/tulip/database"
2024-03-11 12:39:52 +00:00
"github.com/1f349/tulip/database/types"
"github.com/1f349/tulip/pages"
2023-09-24 18:24:16 +01:00
"github.com/emersion/go-message/mail"
"github.com/google/uuid"
"github.com/julienschmidt/httprouter"
2023-09-24 18:24:16 +01:00
"log"
"net/http"
"net/url"
"strconv"
2023-10-10 18:06:43 +01:00
"strings"
2023-09-24 18:24:16 +01:00
"time"
)
func (h *HttpServer) ManageUsersGet(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
offset := 0
q := req.URL.Query()
if q.Has("offset") {
var err error
offset, err = strconv.Atoi(q.Get("offset"))
if err != nil {
http.Error(rw, "400 Bad Request: Invalid offset", http.StatusBadRequest)
return
}
}
2024-03-11 12:39:52 +00:00
var role types.UserRole
2024-03-12 21:04:25 +00:00
var userList []database.GetUserListRow
2024-03-11 12:39:52 +00:00
if h.DbTx(rw, func(tx *database.Queries) (err error) {
2024-03-12 21:04:25 +00:00
role, err = tx.GetUserRole(req.Context(), auth.ID)
if err != nil {
return
}
2024-03-12 21:04:25 +00:00
userList, err = tx.GetUserList(req.Context(), int64(offset))
return
}) {
return
}
2024-03-12 21:04:25 +00:00
2024-03-11 12:39:52 +00:00
if role != types.RoleAdmin {
http.Error(rw, "403 Forbidden", http.StatusForbidden)
return
}
m := map[string]any{
2023-10-10 18:06:43 +01:00
"ServiceName": h.conf.ServiceName,
"Users": userList,
"Offset": offset,
"EmailShow": req.URL.Query().Has("show-email"),
"CurrentAdmin": auth.ID,
2023-10-10 18:06:43 +01:00
"Namespace": h.conf.Namespace,
}
if q.Has("edit") {
for _, i := range userList {
2024-03-12 21:04:25 +00:00
if i.Subject == q.Get("edit") {
m["Edit"] = i
goto validEdit
}
}
http.Error(rw, "400 Bad Request: Invalid user to edit", http.StatusBadRequest)
return
}
validEdit:
rw.Header().Set("Content-Type", "text/html")
rw.WriteHeader(http.StatusOK)
pages.RenderPageTemplate(rw, "manage-users", m)
}
func (h *HttpServer) ManageUsersPost(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
err := req.ParseForm()
if err != nil {
http.Error(rw, "400 Bad Request: Failed to parse form", http.StatusBadRequest)
return
}
2024-03-11 12:39:52 +00:00
var role types.UserRole
if h.DbTx(rw, func(tx *database.Queries) (err error) {
2024-03-12 21:04:25 +00:00
role, err = tx.GetUserRole(req.Context(), auth.ID)
return
}) {
return
}
2024-03-11 12:39:52 +00:00
if role != types.RoleAdmin {
http.Error(rw, "400 Bad Request: Only admin users can manage users", http.StatusBadRequest)
return
}
offset := req.Form.Get("offset")
action := req.Form.Get("action")
name := req.Form.Get("name")
username := req.Form.Get("username")
email := req.Form.Get("email")
newRole, err := parseRoleValue(req.Form.Get("role"))
if err != nil {
http.Error(rw, "400 Bad Request: Invalid role", http.StatusBadRequest)
return
}
active := req.Form.Has("active")
switch action {
case "create":
2023-09-24 18:24:16 +01:00
// parse email for headers
address, err := mail.ParseAddress(email)
if err != nil {
http.Error(rw, "500 Internal Server Error: Failed to parse user email address", http.StatusInternalServerError)
return
}
2023-10-10 18:06:43 +01:00
n := strings.IndexByte(address.Address, '@')
// This case should never happen and fail the above address parsing
if n == -1 {
return
}
addrDomain := address.Address[n+1:]
2024-03-12 21:04:25 +00:00
var userSub string
2024-03-11 12:39:52 +00:00
if h.DbTx(rw, func(tx *database.Queries) (err error) {
2024-03-12 21:04:25 +00:00
userSub, err = tx.AddUser(req.Context(), database.AddUserParams{
Name: name,
Username: username,
Password: "",
Email: email,
EmailVerified: addrDomain == h.conf.Namespace,
Role: newRole,
UpdatedAt: time.Now(),
Active: active,
})
2023-10-10 18:06:43 +01:00
return err
}) {
return
}
2023-09-24 18:24:16 +01:00
u, u2 := uuid.NewString(), uuid.NewString()
2024-03-12 21:04:25 +00:00
h.mailLinkCache.Set(mailLinkKey{mailLinkResetPassword, u}, userSub, time.Now().Add(10*time.Minute))
h.mailLinkCache.Set(mailLinkKey{mailLinkDelete, u2}, userSub, time.Now().Add(10*time.Minute))
2023-09-24 18:24:16 +01:00
2023-10-10 18:06:43 +01:00
err = h.conf.Mail.SendEmailTemplate("mail-register-admin", "Register", name, address, map[string]any{
"RegisterUrl": h.conf.BaseUrl + "/mail/password/" + u,
2023-09-24 18:24:16 +01:00
})
if err != nil {
log.Println("[Tulip] Login: Failed to send register email:", err)
http.Error(rw, "500 Internal Server Error: Failed to send register email", http.StatusInternalServerError)
return
}
case "edit":
2024-03-11 12:39:52 +00:00
if h.DbTx(rw, func(tx *database.Queries) error {
sub := req.Form.Get("subject")
2024-03-12 21:04:25 +00:00
return tx.UpdateUserRole(req.Context(), database.UpdateUserRoleParams{
Active: active,
Role: newRole,
Subject: sub,
})
}) {
return
}
default:
http.Error(rw, "400 Bad Request: Invalid action", http.StatusBadRequest)
return
}
redirectUrl := url.URL{Path: "/manage/users", RawQuery: url.Values{"offset": []string{offset}}.Encode()}
http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)
}
2024-03-11 12:39:52 +00:00
func parseRoleValue(role string) (types.UserRole, error) {
switch role {
case "member":
2024-03-11 12:39:52 +00:00
return types.RoleMember, nil
case "admin":
2024-03-11 12:39:52 +00:00
return types.RoleAdmin, nil
}
return 0, errors.New("invalid role value")
}