Semaphore/api/users.go

package api

import (
	"github.com/semaphoreui/semaphore/api/helpers"
	"github.com/semaphoreui/semaphore/db"
	log "github.com/sirupsen/logrus"
	"net/http"

	"github.com/semaphoreui/semaphore/util"
	"github.com/gorilla/context"
)

type minimalUser struct {
	ID       int    `json:"id"`
	Username string `json:"username"`
	Name     string `json:"name"`
}

func getUsers(w http.ResponseWriter, r *http.Request) {
	currentUser := context.Get(r, "user").(*db.User)
	users, err := helpers.Store(r).GetUsers(db.RetrieveQueryParams{})

	if err != nil {
		panic(err)
	}

	if currentUser.Admin {
		helpers.WriteJSON(w, http.StatusOK, users)
	} else {
		var result = make([]minimalUser, 0)

		for _, user := range users {
			result = append(result, minimalUser{
				ID:       user.ID,
				Name:     user.Name,
				Username: user.Username,
			})
		}

		helpers.WriteJSON(w, http.StatusOK, result)
	}
}

func addUser(w http.ResponseWriter, r *http.Request) {
	var user db.UserWithPwd
	if !helpers.Bind(w, r, &user) {
		return
	}

	editor := context.Get(r, "user").(*db.User)
	if !editor.Admin {
		log.Warn(editor.Username + " is not permitted to create users")
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	newUser, err := helpers.Store(r).CreateUser(user)

	if err != nil {
		log.Warn(editor.Username + " is not created: " + err.Error())
		w.WriteHeader(http.StatusBadRequest)
		return
	}

	helpers.WriteJSON(w, http.StatusCreated, newUser)
}

func getUserMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		userID, err := helpers.GetIntParam("user_id", w, r)

		if err != nil {
			return
		}

		user, err := helpers.Store(r).GetUser(userID)

		if err != nil {
			helpers.WriteError(w, err)
			return
		}

		editor := context.Get(r, "user").(*db.User)

		if !editor.Admin && editor.ID != user.ID {
			log.Warn(editor.Username + " is not permitted to edit users")
			w.WriteHeader(http.StatusUnauthorized)
			return
		}

		context.Set(r, "_user", user)
		next.ServeHTTP(w, r)
	})
}

func updateUser(w http.ResponseWriter, r *http.Request) {
	targetUser := context.Get(r, "_user").(db.User)
	editor := context.Get(r, "user").(*db.User)

	var user db.UserWithPwd
	if !helpers.Bind(w, r, &user) {
		return
	}

	if !editor.Admin && editor.ID != targetUser.ID {
		log.Warn(editor.Username + " is not permitted to edit users")
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	if editor.ID == targetUser.ID && targetUser.Admin != user.Admin {
		log.Warn("User can't edit his own role")
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	if targetUser.External && targetUser.Username != user.Username {
		log.Warn("Username is not editable for external users")
		w.WriteHeader(http.StatusBadRequest)
		return
	}

	user.ID = targetUser.ID
	if err := helpers.Store(r).UpdateUser(user); err != nil {
		log.Error(err.Error())
		w.WriteHeader(http.StatusBadRequest)
		return
	}

	w.WriteHeader(http.StatusNoContent)
}

func updateUserPassword(w http.ResponseWriter, r *http.Request) {
	user := context.Get(r, "_user").(db.User)
	editor := context.Get(r, "user").(*db.User)

	var pwd struct {
		Pwd string `json:"password"`
	}

	if !editor.Admin && editor.ID != user.ID {
		log.Warn(editor.Username + " is not permitted to edit users")
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	if user.External {
		log.Warn("Password is not editable for external users")
		w.WriteHeader(http.StatusBadRequest)
		return
	}

	if !helpers.Bind(w, r, &pwd) {
		return
	}

	if err := helpers.Store(r).SetUserPassword(user.ID, pwd.Pwd); err != nil {
		util.LogWarning(err)
		w.WriteHeader(http.StatusInternalServerError)
		return
	}

	w.WriteHeader(http.StatusNoContent)
}

func deleteUser(w http.ResponseWriter, r *http.Request) {
	user := context.Get(r, "_user").(db.User)
	editor := context.Get(r, "user").(*db.User)

	if !editor.Admin && editor.ID != user.ID {
		log.Warn(editor.Username + " is not permitted to delete users")
		w.WriteHeader(http.StatusUnauthorized)
		return
	}

	if err := helpers.Store(r).DeleteUser(user.ID); err != nil {
		w.WriteHeader(http.StatusInternalServerError)
	}

	w.WriteHeader(http.StatusNoContent)
}
refactoring 2016-05-24 11:55:48 +02:00			`package api`
Users API, Users UI - Improved login failing 2016-04-10 20:03:12 +02:00
			`import (`
feat(be): ansible-semaphore -> semaphoreui 2024-10-26 14:56:17 +02:00			`"github.com/semaphoreui/semaphore/api/helpers"`
			`"github.com/semaphoreui/semaphore/db"`
Support TF/Bash (#2077) Support OpenTofu and Bash 2024-06-12 21:53:00 +02:00			`log "github.com/sirupsen/logrus"`
fix(be): delete global Mysql variable and add interface Store for dialect-independent communication with database. 2020-12-01 20:06:49 +01:00			`"net/http"`
Remove mulekick, move functions to util 2019-07-09 19:45:27 +02:00
feat(be): ansible-semaphore -> semaphoreui 2024-10-26 14:56:17 +02:00			`"github.com/semaphoreui/semaphore/util"`
moar refactor - c.MustGet( -> context.Get(r, - c.Get( -> context.GetOk(r, 2017-02-22 23:21:52 +01:00			`"github.com/gorilla/context"`
Users API, Users UI - Improved login failing 2016-04-10 20:03:12 +02:00			`)`

fix: limit data by users 2023-09-18 19:46:55 +02:00			`type minimalUser struct {`
			ID int `json:"id"`
			Username string `json:"username"`
			Name string `json:"name"`
			`}`

mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`func getUsers(w http.ResponseWriter, r *http.Request) {`
fix: limit data by users 2023-09-18 19:46:55 +02:00			`currentUser := context.Get(r, "user").(*db.User)`
refactor(be): template and environment endpoints use Store Rename util to helpers Bind returns bool instead of error 2020-12-03 14:51:15 +01:00			`users, err := helpers.Store(r).GetUsers(db.RetrieveQueryParams{})`
fix(be): delete global Mysql variable and add interface Store for dialect-independent communication with database. 2020-12-01 20:06:49 +01:00
			`if err != nil {`
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`panic(err)`
			`}`
Fix SQL - for strict mode 2016-04-29 09:33:08 +02:00
fix: limit data by users 2023-09-18 19:46:55 +02:00			`if currentUser.Admin {`
			`helpers.WriteJSON(w, http.StatusOK, users)`
			`} else {`
fix(be): init array my empty 2023-09-18 22:04:23 +02:00			`var result = make([]minimalUser, 0)`
fix: limit data by users 2023-09-18 19:46:55 +02:00
			`for _, user := range users {`
			`result = append(result, minimalUser{`
			`ID: user.ID,`
			`Name: user.Name,`
			`Username: user.Username,`
			`})`
			`}`

			`helpers.WriteJSON(w, http.StatusOK, result)`
			`}`
Refactored all routes to use native mux Middelware 2019-07-09 14:56:03 +02:00			`}`
Users API, Users UI - Improved login failing 2016-04-10 20:03:12 +02:00
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`func addUser(w http.ResponseWriter, r *http.Request) {`
fix(web2): password field for new/edited user 2021-03-12 22:13:39 +01:00			`var user db.UserWithPwd`
refactor(be): template and environment endpoints use Store Rename util to helpers Bind returns bool instead of error 2020-12-03 14:51:15 +01:00			`if !helpers.Bind(w, r, &user) {`
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`return`
			`}`
Users API, Users UI - Improved login failing 2016-04-10 20:03:12 +02:00
refactor(be): return models to db package 2020-12-04 23:41:26 +01:00			`editor := context.Get(r, "user").(*db.User)`
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`if !editor.Admin {`
			`log.Warn(editor.Username + " is not permitted to create users")`
			`w.WriteHeader(http.StatusUnauthorized)`
			`return`
			`}`
Refactored all routes to use native mux Middelware 2019-07-09 14:56:03 +02:00
refactor(be): template and environment endpoints use Store Rename util to helpers Bind returns bool instead of error 2020-12-03 14:51:15 +01:00			`newUser, err := helpers.Store(r).CreateUser(user)`
Refactored all routes to use native mux Middelware 2019-07-09 14:56:03 +02:00
fix(be): delete global Mysql variable and add interface Store for dialect-independent communication with database. 2020-12-01 20:06:49 +01:00			`if err != nil {`
fix(api): user management endpoint 2020-12-01 18:16:29 +01:00			`log.Warn(editor.Username + " is not created: " + err.Error())`
			`w.WriteHeader(http.StatusBadRequest)`
feat: display Register form if no users in database 2021-12-15 22:22:52 +01:00			`return`
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`}`
add admin role, restrict users without it 2017-07-26 07:55:34 +02:00
refactor(be): template and environment endpoints use Store Rename util to helpers Bind returns bool instead of error 2020-12-03 14:51:15 +01:00			`helpers.WriteJSON(w, http.StatusCreated, newUser)`
Users API, Users UI - Improved login failing 2016-04-10 20:03:12 +02:00			`}`

Remove mulekick router, use mux directly Revert one more commit 2019-07-09 18:14:06 +02:00			`func getUserMiddleware(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
refactor(be): template and environment endpoints use Store Rename util to helpers Bind returns bool instead of error 2020-12-03 14:51:15 +01:00			`userID, err := helpers.GetIntParam("user_id", w, r)`
fix(be): delete global Mysql variable and add interface Store for dialect-independent communication with database. 2020-12-01 20:06:49 +01:00
Remove mulekick router, use mux directly Revert one more commit 2019-07-09 18:14:06 +02:00			`if err != nil {`
Refactored all routes to use native mux Middelware 2019-07-09 14:56:03 +02:00			`return`
			`}`

refactor(be): template and environment endpoints use Store Rename util to helpers Bind returns bool instead of error 2020-12-03 14:51:15 +01:00			`user, err := helpers.Store(r).GetUser(userID)`
fix(be): delete global Mysql variable and add interface Store for dialect-independent communication with database. 2020-12-01 20:06:49 +01:00
			`if err != nil {`
refactor(be): migrate users to Store 2020-12-17 15:00:05 +01:00			`helpers.WriteError(w, err)`
			`return`
Remove mulekick router, use mux directly Revert one more commit 2019-07-09 18:14:06 +02:00			`}`

refactor(be): return models to db package 2020-12-04 23:41:26 +01:00			`editor := context.Get(r, "user").(*db.User)`
fix(be): delete global Mysql variable and add interface Store for dialect-independent communication with database. 2020-12-01 20:06:49 +01:00
Remove mulekick router, use mux directly Revert one more commit 2019-07-09 18:14:06 +02:00			`if !editor.Admin && editor.ID != user.ID {`
			`log.Warn(editor.Username + " is not permitted to edit users")`
			`w.WriteHeader(http.StatusUnauthorized)`
			`return`
			`}`
Refactored all routes to use native mux Middelware 2019-07-09 14:56:03 +02:00
Remove mulekick router, use mux directly Revert one more commit 2019-07-09 18:14:06 +02:00			`context.Set(r, "_user", user)`
			`next.ServeHTTP(w, r)`
			`})`
Users API, Users UI - Improved login failing 2016-04-10 20:03:12 +02:00			`}`

mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`func updateUser(w http.ResponseWriter, r *http.Request) {`
feat: admin can all 2023-09-17 16:15:44 +02:00			`targetUser := context.Get(r, "_user").(db.User)`
refactor(be): return models to db package 2020-12-04 23:41:26 +01:00			`editor := context.Get(r, "user").(*db.User)`
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00
fix(web2): password field for new/edited user 2021-03-12 22:13:39 +01:00			`var user db.UserWithPwd`
refactor(be): template and environment endpoints use Store Rename util to helpers Bind returns bool instead of error 2020-12-03 14:51:15 +01:00			`if !helpers.Bind(w, r, &user) {`
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`return`
			`}`

feat: admin can all 2023-09-17 16:15:44 +02:00			`if !editor.Admin && editor.ID != targetUser.ID {`
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`log.Warn(editor.Username + " is not permitted to edit users")`
			`w.WriteHeader(http.StatusUnauthorized)`
			`return`
			`}`

feat: admin can all 2023-09-17 16:15:44 +02:00			`if editor.ID == targetUser.ID && targetUser.Admin != user.Admin {`
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`log.Warn("User can't edit his own role")`
			`w.WriteHeader(http.StatusUnauthorized)`
			`return`
			`}`

feat: admin can all 2023-09-17 16:15:44 +02:00			`if targetUser.External && targetUser.Username != user.Username {`
feat: implement oidc authentication 2023-04-16 23:57:56 +02:00			`log.Warn("Username is not editable for external users")`
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`w.WriteHeader(http.StatusBadRequest)`
			`return`
			`}`

feat: admin can all 2023-09-17 16:15:44 +02:00			`user.ID = targetUser.ID`
refactor(be): template and environment endpoints use Store Rename util to helpers Bind returns bool instead of error 2020-12-03 14:51:15 +01:00			`if err := helpers.Store(r).UpdateUser(user); err != nil {`
test: fix dredd tests 2020-10-02 22:10:41 +02:00			`log.Error(err.Error())`
			`w.WriteHeader(http.StatusBadRequest)`
			`return`
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`}`

			`w.WriteHeader(http.StatusNoContent)`
Improve setup, upgrade, new API - Improve upgrade process (fixes #106) - Improve upgrade UI - Delete Users API - Get user API - User update API - Security improvement (does not spill secret over api) - Improve setup (fixes #100) 2016-05-23 21:29:38 +02:00			`}`

mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`func updateUserPassword(w http.ResponseWriter, r *http.Request) {`
refactor(be): return models to db package 2020-12-04 23:41:26 +01:00			`user := context.Get(r, "_user").(db.User)`
			`editor := context.Get(r, "user").(*db.User)`
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00
			`var pwd struct {`
			Pwd string `json:"password"`
			`}`

			`if !editor.Admin && editor.ID != user.ID {`
			`log.Warn(editor.Username + " is not permitted to edit users")`
			`w.WriteHeader(http.StatusUnauthorized)`
			`return`
			`}`

			`if user.External {`
feat: implement oidc authentication 2023-04-16 23:57:56 +02:00			`log.Warn("Password is not editable for external users")`
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`w.WriteHeader(http.StatusBadRequest)`
			`return`
			`}`

refactor(be): template and environment endpoints use Store Rename util to helpers Bind returns bool instead of error 2020-12-03 14:51:15 +01:00			`if !helpers.Bind(w, r, &pwd) {`
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`return`
			`}`

refactor(be): template and environment endpoints use Store Rename util to helpers Bind returns bool instead of error 2020-12-03 14:51:15 +01:00			`if err := helpers.Store(r).SetUserPassword(user.ID, pwd.Pwd); err != nil {`
fix(be): delete global Mysql variable and add interface Store for dialect-independent communication with database. 2020-12-01 20:06:49 +01:00			`util.LogWarning(err)`
			`w.WriteHeader(http.StatusInternalServerError)`
			`return`
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`}`

			`w.WriteHeader(http.StatusNoContent)`
			`}`
Refactored all routes to use native mux Middelware 2019-07-09 14:56:03 +02:00
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`func deleteUser(w http.ResponseWriter, r *http.Request) {`
refactor(be): return models to db package 2020-12-04 23:41:26 +01:00			`user := context.Get(r, "_user").(db.User)`
			`editor := context.Get(r, "user").(*db.User)`
add admin role, restrict users without it 2017-07-26 07:55:34 +02:00
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`if !editor.Admin && editor.ID != user.ID {`
			`log.Warn(editor.Username + " is not permitted to delete users")`
			`w.WriteHeader(http.StatusUnauthorized)`
			`return`
			`}`
Improve setup, upgrade, new API - Improve upgrade process (fixes #106) - Improve upgrade UI - Delete Users API - Get user API - User update API - Security improvement (does not spill secret over api) - Improve setup (fixes #100) 2016-05-23 21:29:38 +02:00
refactor(be): template and environment endpoints use Store Rename util to helpers Bind returns bool instead of error 2020-12-03 14:51:15 +01:00			`if err := helpers.Store(r).DeleteUser(user.ID); err != nil {`
fix(be): delete global Mysql variable and add interface Store for dialect-independent communication with database. 2020-12-01 20:06:49 +01:00			`w.WriteHeader(http.StatusInternalServerError)`
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`}`
Users API, Users UI - Improved login failing 2016-04-10 20:03:12 +02:00
mux != Koa, undo refactor before it gets worse 2019-07-09 18:11:01 +02:00			`w.WriteHeader(http.StatusNoContent)`
Users API, Users UI - Improved login failing 2016-04-10 20:03:12 +02:00			`}`