user_handlers.go 6.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272
  1. // SPDX-FileCopyrightText: Copyright The Miniflux Authors. All rights reserved.
  2. // SPDX-License-Identifier: Apache-2.0
  3. package api // import "miniflux.app/v2/internal/api"
  4. import (
  5. json_parser "encoding/json"
  6. "errors"
  7. "log/slog"
  8. "net/http"
  9. "miniflux.app/v2/internal/http/request"
  10. "miniflux.app/v2/internal/http/response"
  11. "miniflux.app/v2/internal/model"
  12. "miniflux.app/v2/internal/validator"
  13. )
  14. func (h *handler) currentUserHandler(w http.ResponseWriter, r *http.Request) {
  15. user, err := h.store.UserByID(request.UserID(r))
  16. if err != nil {
  17. response.JSONServerError(w, r, err)
  18. return
  19. }
  20. if user == nil {
  21. response.JSONNotFound(w, r)
  22. return
  23. }
  24. response.JSON(w, r, user)
  25. }
  26. func (h *handler) createUserHandler(w http.ResponseWriter, r *http.Request) {
  27. if !request.IsAdminUser(r) {
  28. response.JSONForbidden(w, r)
  29. return
  30. }
  31. var userCreationRequest model.UserCreationRequest
  32. if err := json_parser.NewDecoder(r.Body).Decode(&userCreationRequest); err != nil {
  33. response.JSONBadRequest(w, r, err)
  34. return
  35. }
  36. if validationErr := validator.ValidateUserCreationWithPassword(h.store, &userCreationRequest); validationErr != nil {
  37. response.JSONBadRequest(w, r, validationErr.Error())
  38. return
  39. }
  40. user, err := h.store.CreateUser(&userCreationRequest)
  41. if err != nil {
  42. response.JSONServerError(w, r, err)
  43. return
  44. }
  45. response.JSONCreated(w, r, user)
  46. }
  47. func (h *handler) updateUserHandler(w http.ResponseWriter, r *http.Request) {
  48. userID := request.RouteInt64Param(r, "userID")
  49. if userID == 0 {
  50. response.JSONBadRequest(w, r, errors.New("invalid user ID"))
  51. return
  52. }
  53. var userModificationRequest model.UserModificationRequest
  54. if err := json_parser.NewDecoder(r.Body).Decode(&userModificationRequest); err != nil {
  55. response.JSONBadRequest(w, r, err)
  56. return
  57. }
  58. originalUser, err := h.store.UserByID(userID)
  59. if err != nil {
  60. response.JSONServerError(w, r, err)
  61. return
  62. }
  63. if originalUser == nil {
  64. response.JSONNotFound(w, r)
  65. return
  66. }
  67. if !request.IsAdminUser(r) {
  68. if originalUser.ID != request.UserID(r) {
  69. response.JSONForbidden(w, r)
  70. return
  71. }
  72. if userModificationRequest.IsAdmin != nil && *userModificationRequest.IsAdmin {
  73. response.JSONBadRequest(w, r, errors.New("only administrators can change permissions of standard users"))
  74. return
  75. }
  76. }
  77. if validationErr := validator.ValidateUserModification(h.store, originalUser.ID, &userModificationRequest); validationErr != nil {
  78. response.JSONBadRequest(w, r, validationErr.Error())
  79. return
  80. }
  81. userModificationRequest.Patch(originalUser)
  82. if err = h.store.UpdateUser(originalUser); err != nil {
  83. response.JSONServerError(w, r, err)
  84. return
  85. }
  86. response.JSONCreated(w, r, originalUser)
  87. }
  88. func (h *handler) markUserAsReadHandler(w http.ResponseWriter, r *http.Request) {
  89. userID := request.RouteInt64Param(r, "userID")
  90. if userID == 0 {
  91. response.JSONBadRequest(w, r, errors.New("invalid user ID"))
  92. return
  93. }
  94. if userID != request.UserID(r) {
  95. response.JSONForbidden(w, r)
  96. return
  97. }
  98. user, err := h.store.UserByID(userID)
  99. if err != nil {
  100. response.JSONServerError(w, r, err)
  101. return
  102. }
  103. if user == nil {
  104. response.JSONNotFound(w, r)
  105. return
  106. }
  107. if err := h.store.MarkAllAsRead(userID); err != nil {
  108. response.JSONServerError(w, r, err)
  109. return
  110. }
  111. response.NoContent(w, r)
  112. }
  113. func (h *handler) getIntegrationsStatusHandler(w http.ResponseWriter, r *http.Request) {
  114. userID := request.UserID(r)
  115. user, err := h.store.UserByID(userID)
  116. if err != nil {
  117. response.JSONServerError(w, r, err)
  118. return
  119. }
  120. if user == nil {
  121. response.JSONNotFound(w, r)
  122. return
  123. }
  124. hasIntegrations := h.store.HasSaveEntry(userID)
  125. response.JSON(w, r, integrationsStatusResponse{HasIntegrations: hasIntegrations})
  126. }
  127. func (h *handler) usersHandler(w http.ResponseWriter, r *http.Request) {
  128. if !request.IsAdminUser(r) {
  129. response.JSONForbidden(w, r)
  130. return
  131. }
  132. users, err := h.store.Users()
  133. if err != nil {
  134. response.JSONServerError(w, r, err)
  135. return
  136. }
  137. users.UseTimezone(request.UserTimezone(r))
  138. response.JSON(w, r, users)
  139. }
  140. func (h *handler) dispatchUserLookupHandler(w http.ResponseWriter, r *http.Request) {
  141. identifier := request.RouteStringParam(r, "identifier")
  142. userID := request.RouteInt64Param(r, "identifier")
  143. if userID > 0 {
  144. r.SetPathValue("userID", identifier)
  145. h.userByIDHandler(w, r)
  146. return
  147. }
  148. r.SetPathValue("username", identifier)
  149. h.userByUsernameHandler(w, r)
  150. }
  151. func (h *handler) userByIDHandler(w http.ResponseWriter, r *http.Request) {
  152. if !request.IsAdminUser(r) {
  153. response.JSONForbidden(w, r)
  154. return
  155. }
  156. userID := request.RouteInt64Param(r, "userID")
  157. if userID == 0 {
  158. response.JSONBadRequest(w, r, errors.New("invalid user ID"))
  159. return
  160. }
  161. user, err := h.store.UserByID(userID)
  162. if err != nil {
  163. response.JSONServerError(w, r, err)
  164. return
  165. }
  166. if user == nil {
  167. response.JSONNotFound(w, r)
  168. return
  169. }
  170. user.UseTimezone(request.UserTimezone(r))
  171. response.JSON(w, r, user)
  172. }
  173. func (h *handler) userByUsernameHandler(w http.ResponseWriter, r *http.Request) {
  174. if !request.IsAdminUser(r) {
  175. response.JSONForbidden(w, r)
  176. return
  177. }
  178. username := request.RouteStringParam(r, "username")
  179. user, err := h.store.UserByUsername(username)
  180. if err != nil {
  181. response.JSONServerError(w, r, err)
  182. return
  183. }
  184. if user == nil {
  185. response.JSONNotFound(w, r)
  186. return
  187. }
  188. response.JSON(w, r, user)
  189. }
  190. func (h *handler) removeUserHandler(w http.ResponseWriter, r *http.Request) {
  191. if !request.IsAdminUser(r) {
  192. response.JSONForbidden(w, r)
  193. return
  194. }
  195. userID := request.RouteInt64Param(r, "userID")
  196. if userID == 0 {
  197. response.JSONBadRequest(w, r, errors.New("invalid user ID"))
  198. return
  199. }
  200. user, err := h.store.UserByID(userID)
  201. if err != nil {
  202. response.JSONServerError(w, r, err)
  203. return
  204. }
  205. if user == nil {
  206. response.JSONNotFound(w, r)
  207. return
  208. }
  209. if user.ID == request.UserID(r) {
  210. response.JSONBadRequest(w, r, errors.New("you cannot remove yourself"))
  211. return
  212. }
  213. go func() {
  214. if err := h.store.RemoveUser(user.ID); err != nil {
  215. slog.Error("Unable to delete user",
  216. slog.Int64("user_id", user.ID),
  217. slog.Any("error", err),
  218. )
  219. }
  220. }()
  221. response.NoContent(w, r)
  222. }