add admin role, restrict users without it

api-docs.yml

@@ -55,6 +55,8 @@ definitions:
         format: date-time
       alert:
         type: boolean
+      admin:
+        type: boolean
   APIToken:
     type: object
     properties:

api/users.go

@@ -28,6 +28,13 @@ func addUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	editor := context.Get(r, "user").(*db.User)
+	if editor.Admin != true {
+		log.Warn(editor.Username + " doesn't permitted for user creating")
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+
 	user.Created = time.Now()
 
 	if err := db.Mysql.Insert(&user); err != nil {
@@ -53,23 +60,44 @@ func getUserMiddleware(w http.ResponseWriter, r *http.Request) {
 		panic(err)
 	}
 
+	editor := context.Get(r, "user").(*db.User)
+	if editor.Admin != true && editor.ID != user.ID {
+		log.Warn(editor.Username + " doesn't permitted for user editing")
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+
 	context.Set(r, "_user", user)
 }
 
 func updateUser(w http.ResponseWriter, r *http.Request) {
 	oldUser := context.Get(r, "_user").(db.User)
+	editor := context.Get(r, "user").(*db.User)
 
 	var user db.User
 	if err := mulekick.Bind(w, r, &user); err != nil {
 		return
 	}
 
+	if editor.Admin != true && editor.ID != oldUser.ID {
+		log.Warn(editor.Username + " doesn't permitted for user editing")
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+
+	if editor.ID == oldUser.ID && oldUser.Admin != user.Admin {
+		log.Warn("User can't edit his own role")
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+
 	if oldUser.External == true && oldUser.Username != user.Username {
 		log.Warn("Username is not editable for external LDAP users")
 		w.WriteHeader(http.StatusBadRequest)
+		return
 	}
 
-	if _, err := db.Mysql.Exec("update user set name=?, username=?, email=?, alert=? where id=?", user.Name, user.Username, user.Email, user.Alert, oldUser.ID); err != nil {
+	if _, err := db.Mysql.Exec("update user set name=?, username=?, email=?, alert=?, admin=? where id=?", user.Name, user.Username, user.Email, user.Alert, user.Admin, oldUser.ID); err != nil {
 		panic(err)
 	}
 
@@ -78,10 +106,18 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 
 func updateUserPassword(w http.ResponseWriter, r *http.Request) {
 	user := context.Get(r, "_user").(db.User)
+	editor := context.Get(r, "user").(*db.User)
+
 	var pwd struct {
 		Pwd string `json:"password"`
 	}
 
+	if editor.Admin != true && editor.ID != user.ID {
+		log.Warn(editor.Username + " doesn't permitted for user editing")
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+
 	if user.External == true {
 		log.Warn("Password is not editable for external LDAP users")
 		w.WriteHeader(http.StatusBadRequest)
@@ -102,6 +138,13 @@ func updateUserPassword(w http.ResponseWriter, r *http.Request) {
 
 func deleteUser(w http.ResponseWriter, r *http.Request) {
 	user := context.Get(r, "_user").(db.User)
+	editor := context.Get(r, "user").(*db.User)
+
+	if editor.Admin != true && editor.ID != user.ID {
+		log.Warn(editor.Username + " doesn't permitted for user deletion")
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
 
 	if _, err := db.Mysql.Exec("delete from project__user where user_id=?", user.ID); err != nil {
 		panic(err)

db/User.go

@@ -11,6 +11,7 @@ type User struct {
 	Name     string    `db:"name" json:"name" binding:"required"`
 	Email    string    `db:"email" json:"email" binding:"required"`
 	Password string    `db:"password" json:"-"`
+	Admin    bool      `db:"admin" json:"admin"`
 	External bool      `db:"external" json:"external"`
 	Alert    bool      `db:"alert" json:"alert"`
 }

db/migrations/v2.4.2.sql

@@ -0,0 +1 @@
+ALTER TABLE user ADD admin BOOLEAN NOT NULL DEFAULT 1 AFTER password;

db/versionHistory.go

@@ -71,5 +71,6 @@ func init() {
 		{Major: 2, Minor: 3, Patch: 1},
 		{Major: 2, Minor: 3, Patch: 2},
 		{Major: 2, Minor: 4},
+		{Major: 2, Minor: 4, Patch: 2},
 	}
 }

public/html/users/add.pug

@@ -20,6 +20,15 @@
       .col-sm-6
         input#password.form-control(type="password" placeholder="User Password" ng-model="user.password" required)
 
+    .form-group
+      .col-sm-8.col-sm-offset-4: .checkbox: label
+        input#admin(type="checkbox" title="User have admin privileges" ng-model="user.admin")
+        |  Admin user
+    .form-group
+      .col-sm-8.col-sm-offset-4: .checkbox: label
+        input#alert(type="checkbox" title="Send email alerts about failed tasks" ng-model="user.alert")
+        |  Send alerts
+
 .modal-footer
   button.btn.btn-default.pull-left(ng-click="$dismiss()") Dismiss
   button.btn.btn-success(ng-click="$close(user)") Create User

public/html/users/list.pug

@@ -1,15 +1,21 @@
 .container-fluid: .row: .col-sm-12
 	h3.no-top-margin Users
-		button.btn.btn-primary.pull-right(ng-click="addUser()") New User
+		button.btn.btn-primary.pull-right(ng-click="addUser()" ng-if="user.admin == true") New User
 
 	table.table.table-hover
 		thead: tr
 			th Name
 			th Username
 			th Email
+			th Alert
+			th Admin
+			th External
 		tr(ng-repeat="u in users" ng-class="{ info: u.id == user.id }" ui-sref="users.user({ user_id: u.id })" style="cursor: pointer;")
 			td {{ u.name }}
 			td {{ u.username }}
 			td {{ u.email }}
+			td {{ u.alert }}
+			td {{ u.admin }}
+			td {{ u.external }}
 
 	p(ng-show="users.length == 0") No Users

public/html/users/user.pug

@@ -15,6 +15,10 @@
 		.form-group
 			label.control-label.col-sm-4 Password
 			.col-sm-8: input.form-control(type="password" placeholder="Enter new password" ng-readonly="user.external == true" ng-model="user.password")
+		.form-group(ng-if="!is_self")
+			.col-sm-8.col-sm-offset-4: .checkbox: label
+				input(type="checkbox" title="User have admin privileges" ng-model="user.admin")
+				|  Admin user
 		.form-group
 			.col-sm-8.col-sm-offset-4: .checkbox: label
 				input(type="checkbox" title="Send email alerts about failed tasks" ng-model="user.alert")