tulip/server/manage-users.go

package server

import (
	"errors"
	"github.com/1f349/tulip/database"
	"github.com/1f349/tulip/pages"
	"github.com/emersion/go-message/mail"
	"github.com/google/uuid"
	"github.com/julienschmidt/httprouter"
	"log"
	"net/http"
	"net/url"
	"strconv"
	"strings"
	"time"
)

func (h *HttpServer) ManageUsersGet(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
	offset := 0
	q := req.URL.Query()
	if q.Has("offset") {
		var err error
		offset, err = strconv.Atoi(q.Get("offset"))
		if err != nil {
			http.Error(rw, "400 Bad Request: Invalid offset", http.StatusBadRequest)
			return
		}
	}

	var role database.UserRole
	var userList []database.User
	if h.DbTx(rw, func(tx *database.Tx) (err error) {
		role, err = tx.GetUserRole(auth.Data.ID)
		if err != nil {
			return
		}
		userList, err = tx.GetUserList(offset)
		return
	}) {
		return
	}
	if role != database.RoleAdmin {
		http.Error(rw, "403 Forbidden", http.StatusForbidden)
		return
	}

	m := map[string]any{
		"ServiceName":  h.conf.ServiceName,
		"Users":        userList,
		"Offset":       offset,
		"EmailShow":    req.URL.Query().Has("show-email"),
		"CurrentAdmin": auth.Data.ID,
		"Namespace":    h.conf.Namespace,
	}
	if q.Has("edit") {
		for _, i := range userList {
			if i.Sub.String() == q.Get("edit") {
				m["Edit"] = i
				goto validEdit
			}
		}
		http.Error(rw, "400 Bad Request: Invalid user to edit", http.StatusBadRequest)
		return
	}

validEdit:
	rw.Header().Set("Content-Type", "text/html")
	rw.WriteHeader(http.StatusOK)
	pages.RenderPageTemplate(rw, "manage-users", m)
}

func (h *HttpServer) ManageUsersPost(rw http.ResponseWriter, req *http.Request, _ httprouter.Params, auth UserAuth) {
	err := req.ParseForm()
	if err != nil {
		http.Error(rw, "400 Bad Request: Failed to parse form", http.StatusBadRequest)
		return
	}

	var role database.UserRole
	if h.DbTx(rw, func(tx *database.Tx) (err error) {
		role, err = tx.GetUserRole(auth.Data.ID)
		return
	}) {
		return
	}
	if role != database.RoleAdmin {
		http.Error(rw, "400 Bad Request: Only admin users can manage users", http.StatusBadRequest)
		return
	}

	offset := req.Form.Get("offset")
	action := req.Form.Get("action")
	name := req.Form.Get("name")
	username := req.Form.Get("username")
	email := req.Form.Get("email")
	newRole, err := parseRoleValue(req.Form.Get("role"))
	if err != nil {
		http.Error(rw, "400 Bad Request: Invalid role", http.StatusBadRequest)
		return
	}
	active := req.Form.Has("active")

	switch action {
	case "create":
		// parse email for headers
		address, err := mail.ParseAddress(email)
		if err != nil {
			http.Error(rw, "500 Internal Server Error: Failed to parse user email address", http.StatusInternalServerError)
			return
		}
		n := strings.IndexByte(address.Address, '@')
		// This case should never happen and fail the above address parsing
		if n == -1 {
			return
		}
		addrDomain := address.Address[n+1:]

		var userSub uuid.UUID
		if h.DbTx(rw, func(tx *database.Tx) (err error) {
			userSub, err = tx.InsertUser(name, username, "", email, addrDomain == h.conf.Namespace, newRole, active)
			return err
		}) {
			return
		}

		u, u2 := uuid.New(), uuid.New()
		h.mailLinkCache.Set(mailLinkKey{mailLinkResetPassword, u}, userSub, time.Now().Add(10*time.Minute))
		h.mailLinkCache.Set(mailLinkKey{mailLinkDelete, u2}, userSub, time.Now().Add(10*time.Minute))

		err = h.conf.Mail.SendEmailTemplate("mail-register-admin", "Register", name, address, map[string]any{
			"RegisterUrl": h.conf.BaseUrl + "/mail/password/" + u.String(),
		})
		if err != nil {
			log.Println("[Tulip] Login: Failed to send register email:", err)
			http.Error(rw, "500 Internal Server Error: Failed to send register email", http.StatusInternalServerError)
			return
		}
	case "edit":
		if h.DbTx(rw, func(tx *database.Tx) error {
			sub, err := uuid.Parse(req.Form.Get("subject"))
			if err != nil {
				return err
			}
			return tx.UpdateUser(sub, newRole, active)
		}) {
			return
		}
	default:
		http.Error(rw, "400 Bad Request: Invalid action", http.StatusBadRequest)
		return
	}

	redirectUrl := url.URL{Path: "/manage/users", RawQuery: url.Values{"offset": []string{offset}}.Encode()}
	http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)
}

func parseRoleValue(role string) (database.UserRole, error) {
	switch role {
	case "member":
		return database.RoleMember, nil
	case "admin":
		return database.RoleAdmin, nil
	}
	return 0, errors.New("invalid role value")
}
Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`package server`

			`import (`
			`"errors"`
			`"github.com/1f349/tulip/database"`
			`"github.com/1f349/tulip/pages"`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`"github.com/emersion/go-message/mail"`
Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`"github.com/google/uuid"`
			`"github.com/julienschmidt/httprouter"`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`"log"`
Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`"net/http"`
			`"net/url"`
			`"strconv"`
Pass config directly to server 2023-10-10 18:06:43 +01:00			`"strings"`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`"time"`
Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`)`

			`func (h HttpServer) ManageUsersGet(rw http.ResponseWriter, req http.Request, _ httprouter.Params, auth UserAuth) {`
			`offset := 0`
			`q := req.URL.Query()`
			`if q.Has("offset") {`
			`var err error`
			`offset, err = strconv.Atoi(q.Get("offset"))`
			`if err != nil {`
			`http.Error(rw, "400 Bad Request: Invalid offset", http.StatusBadRequest)`
			`return`
			`}`
			`}`

			`var role database.UserRole`
			`var userList []database.User`
			`if h.DbTx(rw, func(tx *database.Tx) (err error) {`
			`role, err = tx.GetUserRole(auth.Data.ID)`
			`if err != nil {`
			`return`
			`}`
			`userList, err = tx.GetUserList(offset)`
			`return`
			`}) {`
			`return`
			`}`
			`if role != database.RoleAdmin {`
			`http.Error(rw, "403 Forbidden", http.StatusForbidden)`
			`return`
			`}`

			`m := map[string]any{`
Pass config directly to server 2023-10-10 18:06:43 +01:00			`"ServiceName": h.conf.ServiceName,`
Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`"Users": userList,`
			`"Offset": offset,`
			`"EmailShow": req.URL.Query().Has("show-email"),`
			`"CurrentAdmin": auth.Data.ID,`
Pass config directly to server 2023-10-10 18:06:43 +01:00			`"Namespace": h.conf.Namespace,`
Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`}`
			`if q.Has("edit") {`
			`for _, i := range userList {`
			`if i.Sub.String() == q.Get("edit") {`
			`m["Edit"] = i`
			`goto validEdit`
			`}`
			`}`
			`http.Error(rw, "400 Bad Request: Invalid user to edit", http.StatusBadRequest)`
			`return`
			`}`

			`validEdit:`
			`rw.Header().Set("Content-Type", "text/html")`
			`rw.WriteHeader(http.StatusOK)`
			`pages.RenderPageTemplate(rw, "manage-users", m)`
			`}`

			`func (h HttpServer) ManageUsersPost(rw http.ResponseWriter, req http.Request, _ httprouter.Params, auth UserAuth) {`
			`err := req.ParseForm()`
			`if err != nil {`
			`http.Error(rw, "400 Bad Request: Failed to parse form", http.StatusBadRequest)`
			`return`
			`}`

			`var role database.UserRole`
			`if h.DbTx(rw, func(tx *database.Tx) (err error) {`
			`role, err = tx.GetUserRole(auth.Data.ID)`
			`return`
			`}) {`
			`return`
			`}`
			`if role != database.RoleAdmin {`
Use internal scopes within FancyScopeList 2023-10-15 13:49:58 +01:00			`http.Error(rw, "400 Bad Request: Only admin users can manage users", http.StatusBadRequest)`
Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`return`
			`}`

			`offset := req.Form.Get("offset")`
			`action := req.Form.Get("action")`
			`name := req.Form.Get("name")`
			`username := req.Form.Get("username")`
			`email := req.Form.Get("email")`
			`newRole, err := parseRoleValue(req.Form.Get("role"))`
			`if err != nil {`
			`http.Error(rw, "400 Bad Request: Invalid role", http.StatusBadRequest)`
			`return`
			`}`
			`active := req.Form.Has("active")`

			`switch action {`
			`case "create":`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`// parse email for headers`
			`address, err := mail.ParseAddress(email)`
			`if err != nil {`
			`http.Error(rw, "500 Internal Server Error: Failed to parse user email address", http.StatusInternalServerError)`
			`return`
			`}`
Pass config directly to server 2023-10-10 18:06:43 +01:00			`n := strings.IndexByte(address.Address, '@')`
			`// This case should never happen and fail the above address parsing`
			`if n == -1 {`
			`return`
			`}`
			`addrDomain := address.Address[n+1:]`

			`var userSub uuid.UUID`
			`if h.DbTx(rw, func(tx *database.Tx) (err error) {`
			`userSub, err = tx.InsertUser(name, username, "", email, addrDomain == h.conf.Namespace, newRole, active)`
			`return err`
			`}) {`
			`return`
			`}`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00
			`u, u2 := uuid.New(), uuid.New()`
			`h.mailLinkCache.Set(mailLinkKey{mailLinkResetPassword, u}, userSub, time.Now().Add(10*time.Minute))`
			`h.mailLinkCache.Set(mailLinkKey{mailLinkDelete, u2}, userSub, time.Now().Add(10*time.Minute))`

Pass config directly to server 2023-10-10 18:06:43 +01:00			`err = h.conf.Mail.SendEmailTemplate("mail-register-admin", "Register", name, address, map[string]any{`
			`"RegisterUrl": h.conf.BaseUrl + "/mail/password/" + u.String(),`
Add mailer and output true user info 2023-09-24 18:24:16 +01:00			`})`
			`if err != nil {`
			`log.Println("[Tulip] Login: Failed to send register email:", err)`
			`http.Error(rw, "500 Internal Server Error: Failed to send register email", http.StatusInternalServerError)`
			`return`
			`}`
Login, edit, oauth, otp and management page changes 2023-09-15 13:06:31 +01:00			`case "edit":`
			`if h.DbTx(rw, func(tx *database.Tx) error {`
			`sub, err := uuid.Parse(req.Form.Get("subject"))`
			`if err != nil {`
			`return err`
			`}`
			`return tx.UpdateUser(sub, newRole, active)`
			`}) {`
			`return`
			`}`
			`default:`
			`http.Error(rw, "400 Bad Request: Invalid action", http.StatusBadRequest)`
			`return`
			`}`

			`redirectUrl := url.URL{Path: "/manage/users", RawQuery: url.Values{"offset": []string{offset}}.Encode()}`
			`http.Redirect(rw, req, redirectUrl.String(), http.StatusFound)`
			`}`

			`func parseRoleValue(role string) (database.UserRole, error) {`
			`switch role {`
			`case "member":`
			`return database.RoleMember, nil`
			`case "admin":`
			`return database.RoleAdmin, nil`
			`}`
			`return 0, errors.New("invalid role value")`
			`}`