miniflux/api/user.go

// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
// SPDX-License-Identifier: Apache-2.0

package api // import "miniflux.app/api"

import (
	json_parser "encoding/json"
	"errors"
	"net/http"

	"miniflux.app/http/request"
	"miniflux.app/http/response/json"
	"miniflux.app/model"
	"miniflux.app/validator"
)

func (h *handler) currentUser(w http.ResponseWriter, r *http.Request) {
	user, err := h.store.UserByID(request.UserID(r))
	if err != nil {
		json.ServerError(w, r, err)
		return
	}

	json.OK(w, r, user)
}

func (h *handler) createUser(w http.ResponseWriter, r *http.Request) {
	if !request.IsAdminUser(r) {
		json.Forbidden(w, r)
		return
	}

	var userCreationRequest model.UserCreationRequest
	if err := json_parser.NewDecoder(r.Body).Decode(&userCreationRequest); err != nil {
		json.BadRequest(w, r, err)
		return
	}

	if validationErr := validator.ValidateUserCreationWithPassword(h.store, &userCreationRequest); validationErr != nil {
		json.BadRequest(w, r, validationErr.Error())
		return
	}

	user, err := h.store.CreateUser(&userCreationRequest)
	if err != nil {
		json.ServerError(w, r, err)
		return
	}

	json.Created(w, r, user)
}

func (h *handler) updateUser(w http.ResponseWriter, r *http.Request) {
	userID := request.RouteInt64Param(r, "userID")

	var userModificationRequest model.UserModificationRequest
	if err := json_parser.NewDecoder(r.Body).Decode(&userModificationRequest); err != nil {
		json.BadRequest(w, r, err)
		return
	}

	originalUser, err := h.store.UserByID(userID)
	if err != nil {
		json.ServerError(w, r, err)
		return
	}

	if originalUser == nil {
		json.NotFound(w, r)
		return
	}

	if !request.IsAdminUser(r) {
		if originalUser.ID != request.UserID(r) {
			json.Forbidden(w, r)
			return
		}

		if userModificationRequest.IsAdmin != nil && *userModificationRequest.IsAdmin {
			json.BadRequest(w, r, errors.New("Only administrators can change permissions of standard users"))
			return
		}
	}

	if validationErr := validator.ValidateUserModification(h.store, originalUser.ID, &userModificationRequest); validationErr != nil {
		json.BadRequest(w, r, validationErr.Error())
		return
	}

	userModificationRequest.Patch(originalUser)
	if err = h.store.UpdateUser(originalUser); err != nil {
		json.ServerError(w, r, err)
		return
	}

	json.Created(w, r, originalUser)
}

func (h *handler) markUserAsRead(w http.ResponseWriter, r *http.Request) {
	userID := request.RouteInt64Param(r, "userID")
	if userID != request.UserID(r) {
		json.Forbidden(w, r)
		return
	}

	if _, err := h.store.UserByID(userID); err != nil {
		json.NotFound(w, r)
		return
	}

	if err := h.store.MarkAllAsRead(userID); err != nil {
		json.ServerError(w, r, err)
		return
	}

	json.NoContent(w, r)
}

func (h *handler) users(w http.ResponseWriter, r *http.Request) {
	if !request.IsAdminUser(r) {
		json.Forbidden(w, r)
		return
	}

	users, err := h.store.Users()
	if err != nil {
		json.ServerError(w, r, err)
		return
	}

	users.UseTimezone(request.UserTimezone(r))
	json.OK(w, r, users)
}

func (h *handler) userByID(w http.ResponseWriter, r *http.Request) {
	if !request.IsAdminUser(r) {
		json.Forbidden(w, r)
		return
	}

	userID := request.RouteInt64Param(r, "userID")
	user, err := h.store.UserByID(userID)
	if err != nil {
		json.BadRequest(w, r, errors.New("Unable to fetch this user from the database"))
		return
	}

	if user == nil {
		json.NotFound(w, r)
		return
	}

	user.UseTimezone(request.UserTimezone(r))
	json.OK(w, r, user)
}

func (h *handler) userByUsername(w http.ResponseWriter, r *http.Request) {
	if !request.IsAdminUser(r) {
		json.Forbidden(w, r)
		return
	}

	username := request.RouteStringParam(r, "username")
	user, err := h.store.UserByUsername(username)
	if err != nil {
		json.BadRequest(w, r, errors.New("Unable to fetch this user from the database"))
		return
	}

	if user == nil {
		json.NotFound(w, r)
		return
	}

	json.OK(w, r, user)
}

func (h *handler) removeUser(w http.ResponseWriter, r *http.Request) {
	if !request.IsAdminUser(r) {
		json.Forbidden(w, r)
		return
	}

	userID := request.RouteInt64Param(r, "userID")
	user, err := h.store.UserByID(userID)
	if err != nil {
		json.ServerError(w, r, err)
		return
	}

	if user == nil {
		json.NotFound(w, r)
		return
	}

	if user.ID == request.UserID(r) {
		json.BadRequest(w, r, errors.New("You cannot remove yourself"))
		return
	}

	h.store.RemoveUserAsync(user.ID)
	json.NoContent(w, r)
}
Replace copyright header with SPDX identifier 2023-06-19 17:42:47 -04:00			`// SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.`
			`// SPDX-License-Identifier: Apache-2.0`
First commit 2017-11-20 00:10:04 -05:00
Use canonical imports 2018-08-25 00:51:50 -04:00			`package api // import "miniflux.app/api"`
First commit 2017-11-20 00:10:04 -05:00
			`import (`
Refactor user validation Validate each user field for creation/modification via API and web UI 2021-01-04 00:20:21 -05:00			`json_parser "encoding/json"`
First commit 2017-11-20 00:10:04 -05:00			`"errors"`
Use vanilla HTTP handlers (refactoring) 2018-04-29 19:35:04 -04:00			`"net/http"`
Make sure golint pass on the code base 2017-11-28 00:30:04 -05:00
Use canonical imports 2018-08-25 00:51:50 -04:00			`"miniflux.app/http/request"`
			`"miniflux.app/http/response/json"`
Make user fields editable via API 2020-12-22 01:05:47 -05:00			`"miniflux.app/model"`
Refactor user validation Validate each user field for creation/modification via API and web UI 2021-01-04 00:20:21 -05:00			`"miniflux.app/validator"`
First commit 2017-11-20 00:10:04 -05:00			`)`

Move API middleware and routes to api package 2018-11-11 13:22:47 -05:00			`func (h handler) currentUser(w http.ResponseWriter, r http.Request) {`
			`user, err := h.store.UserByID(request.UserID(r))`
Add API endpoint to get logged user 2018-05-14 21:41:41 -04:00			`if err != nil {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.ServerError(w, r, err)`
Add API endpoint to get logged user 2018-05-14 21:41:41 -04:00			`return`
			`}`

Compress JSON, CSS and Javascript responses 2018-07-19 22:27:05 -04:00			`json.OK(w, r, user)`
Add API endpoint to get logged user 2018-05-14 21:41:41 -04:00			`}`

Move API middleware and routes to api package 2018-11-11 13:22:47 -05:00			`func (h handler) createUser(w http.ResponseWriter, r http.Request) {`
Refactor HTTP context handling 2018-09-03 17:26:40 -04:00			`if !request.IsAdminUser(r) {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.Forbidden(w, r)`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

Refactor user validation Validate each user field for creation/modification via API and web UI 2021-01-04 00:20:21 -05:00			`var userCreationRequest model.UserCreationRequest`
			`if err := json_parser.NewDecoder(r.Body).Decode(&userCreationRequest); err != nil {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.BadRequest(w, r, err)`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

Refactor user validation Validate each user field for creation/modification via API and web UI 2021-01-04 00:20:21 -05:00			`if validationErr := validator.ValidateUserCreationWithPassword(h.store, &userCreationRequest); validationErr != nil {`
			`json.BadRequest(w, r, validationErr.Error())`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

Refactor user validation Validate each user field for creation/modification via API and web UI 2021-01-04 00:20:21 -05:00			`user, err := h.store.CreateUser(&userCreationRequest)`
First commit 2017-11-20 00:10:04 -05:00			`if err != nil {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.ServerError(w, r, err)`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.Created(w, r, user)`
First commit 2017-11-20 00:10:04 -05:00			`}`

Move API middleware and routes to api package 2018-11-11 13:22:47 -05:00			`func (h handler) updateUser(w http.ResponseWriter, r http.Request) {`
Improve request package and add more unit tests 2018-09-24 00:02:26 -04:00			`userID := request.RouteInt64Param(r, "userID")`
Refactor user validation Validate each user field for creation/modification via API and web UI 2021-01-04 00:20:21 -05:00
			`var userModificationRequest model.UserModificationRequest`
			`if err := json_parser.NewDecoder(r.Body).Decode(&userModificationRequest); err != nil {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.BadRequest(w, r, err)`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

Move API middleware and routes to api package 2018-11-11 13:22:47 -05:00			`originalUser, err := h.store.UserByID(userID)`
First commit 2017-11-20 00:10:04 -05:00			`if err != nil {`
Refactor user validation Validate each user field for creation/modification via API and web UI 2021-01-04 00:20:21 -05:00			`json.ServerError(w, r, err)`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

			`if originalUser == nil {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.NotFound(w, r)`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

Allow regular users to change settings via API 2020-12-22 18:10:42 -05:00			`if !request.IsAdminUser(r) {`
			`if originalUser.ID != request.UserID(r) {`
			`json.Forbidden(w, r)`
			`return`
			`}`

Refactor user validation Validate each user field for creation/modification via API and web UI 2021-01-04 00:20:21 -05:00			`if userModificationRequest.IsAdmin != nil && *userModificationRequest.IsAdmin {`
Allow regular users to change settings via API 2020-12-22 18:10:42 -05:00			`json.BadRequest(w, r, errors.New("Only administrators can change permissions of standard users"))`
			`return`
			`}`
			`}`

Refactor user validation Validate each user field for creation/modification via API and web UI 2021-01-04 00:20:21 -05:00			`if validationErr := validator.ValidateUserModification(h.store, originalUser.ID, &userModificationRequest); validationErr != nil {`
			`json.BadRequest(w, r, validationErr.Error())`
Improve feed and user API updates with optional values 2018-06-23 19:16:54 -04:00			`return`
			`}`

Refactor user validation Validate each user field for creation/modification via API and web UI 2021-01-04 00:20:21 -05:00			`userModificationRequest.Patch(originalUser)`
Move API middleware and routes to api package 2018-11-11 13:22:47 -05:00			`if err = h.store.UpdateUser(originalUser); err != nil {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.ServerError(w, r, err)`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.Created(w, r, originalUser)`
First commit 2017-11-20 00:10:04 -05:00			`}`

Add API routes for "mark all as read" 2020-11-25 14:46:05 -05:00			`func (h handler) markUserAsRead(w http.ResponseWriter, r http.Request) {`
			`userID := request.RouteInt64Param(r, "userID")`
			`if userID != request.UserID(r) {`
			`json.Forbidden(w, r)`
			`return`
			`}`

			`if _, err := h.store.UserByID(userID); err != nil {`
			`json.NotFound(w, r)`
			`return`
			`}`

			`if err := h.store.MarkAllAsRead(userID); err != nil {`
			`json.ServerError(w, r, err)`
			`return`
			`}`

			`json.NoContent(w, r)`
			`}`

Move API middleware and routes to api package 2018-11-11 13:22:47 -05:00			`func (h handler) users(w http.ResponseWriter, r http.Request) {`
Refactor HTTP context handling 2018-09-03 17:26:40 -04:00			`if !request.IsAdminUser(r) {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.Forbidden(w, r)`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

Move API middleware and routes to api package 2018-11-11 13:22:47 -05:00			`users, err := h.store.Users()`
First commit 2017-11-20 00:10:04 -05:00			`if err != nil {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.ServerError(w, r, err)`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

Refactor HTTP context handling 2018-09-03 17:26:40 -04:00			`users.UseTimezone(request.UserTimezone(r))`
Compress JSON, CSS and Javascript responses 2018-07-19 22:27:05 -04:00			`json.OK(w, r, users)`
First commit 2017-11-20 00:10:04 -05:00			`}`

Move API middleware and routes to api package 2018-11-11 13:22:47 -05:00			`func (h handler) userByID(w http.ResponseWriter, r http.Request) {`
Refactor HTTP context handling 2018-09-03 17:26:40 -04:00			`if !request.IsAdminUser(r) {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.Forbidden(w, r)`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

Improve request package and add more unit tests 2018-09-24 00:02:26 -04:00			`userID := request.RouteInt64Param(r, "userID")`
Move API middleware and routes to api package 2018-11-11 13:22:47 -05:00			`user, err := h.store.UserByID(userID)`
First commit 2017-11-20 00:10:04 -05:00			`if err != nil {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.BadRequest(w, r, errors.New("Unable to fetch this user from the database"))`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

			`if user == nil {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.NotFound(w, r)`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

Refactor HTTP context handling 2018-09-03 17:26:40 -04:00			`user.UseTimezone(request.UserTimezone(r))`
Compress JSON, CSS and Javascript responses 2018-07-19 22:27:05 -04:00			`json.OK(w, r, user)`
First commit 2017-11-20 00:10:04 -05:00			`}`

Move API middleware and routes to api package 2018-11-11 13:22:47 -05:00			`func (h handler) userByUsername(w http.ResponseWriter, r http.Request) {`
Refactor HTTP context handling 2018-09-03 17:26:40 -04:00			`if !request.IsAdminUser(r) {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.Forbidden(w, r)`
Add API handler to fetch user by username 2017-12-26 15:10:48 -05:00			`return`
			`}`

Improve request package and add more unit tests 2018-09-24 00:02:26 -04:00			`username := request.RouteStringParam(r, "username")`
Move API middleware and routes to api package 2018-11-11 13:22:47 -05:00			`user, err := h.store.UserByUsername(username)`
Add API handler to fetch user by username 2017-12-26 15:10:48 -05:00			`if err != nil {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.BadRequest(w, r, errors.New("Unable to fetch this user from the database"))`
Add API handler to fetch user by username 2017-12-26 15:10:48 -05:00			`return`
			`}`

			`if user == nil {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.NotFound(w, r)`
Add API handler to fetch user by username 2017-12-26 15:10:48 -05:00			`return`
			`}`

Compress JSON, CSS and Javascript responses 2018-07-19 22:27:05 -04:00			`json.OK(w, r, user)`
Add API handler to fetch user by username 2017-12-26 15:10:48 -05:00			`}`

Move API middleware and routes to api package 2018-11-11 13:22:47 -05:00			`func (h handler) removeUser(w http.ResponseWriter, r http.Request) {`
Refactor HTTP context handling 2018-09-03 17:26:40 -04:00			`if !request.IsAdminUser(r) {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.Forbidden(w, r)`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

Improve request package and add more unit tests 2018-09-24 00:02:26 -04:00			`userID := request.RouteInt64Param(r, "userID")`
Move API middleware and routes to api package 2018-11-11 13:22:47 -05:00			`user, err := h.store.UserByID(userID)`
First commit 2017-11-20 00:10:04 -05:00			`if err != nil {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.ServerError(w, r, err)`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

			`if user == nil {`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.NotFound(w, r)`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

API: Delete users asynchronously Deleting large users might lock the tables in the hosted offering 2020-07-28 23:28:02 -04:00			`if user.ID == request.UserID(r) {`
			`json.BadRequest(w, r, errors.New("You cannot remove yourself"))`
First commit 2017-11-20 00:10:04 -05:00			`return`
			`}`

API: Delete users asynchronously Deleting large users might lock the tables in the hosted offering 2020-07-28 23:28:02 -04:00			`h.store.RemoveUserAsync(user.ID)`
Refactor HTTP response builder 2018-10-07 21:42:43 -04:00			`json.NoContent(w, r)`
First commit 2017-11-20 00:10:04 -05:00			`}`