-
Notifications
You must be signed in to change notification settings - Fork 2.7k
/
users.js
154 lines (130 loc) · 4.41 KB
/
users.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
'use strict';
const user = require('../user');
const groups = require('../groups');
const meta = require('../meta');
const flags = require('../flags');
const privileges = require('../privileges');
const notifications = require('../notifications');
const plugins = require('../plugins');
const events = require('../events');
const usersAPI = module.exports;
usersAPI.create = async function (caller, data) {
const uid = await user.create(data);
return await user.getUserData(uid);
};
usersAPI.update = async function (caller, data) {
const oldUserData = await user.getUserFields(data.uid, ['email', 'username']);
if (!oldUserData || !oldUserData.username) {
throw new Error('[[error:invalid-data]]');
}
const [isAdminOrGlobalMod, canEdit, passwordMatch] = await Promise.all([
user.isAdminOrGlobalMod(caller.uid),
privileges.users.canEdit(caller.uid, data.uid),
data.password ? user.isPasswordCorrect(data.uid, data.password, caller.ip) : false,
]);
// Changing own email/username requires password confirmation
if (['email', 'username'].some(prop => Object.keys(data).includes(prop)) && !isAdminOrGlobalMod && caller.uid === data.uid && !passwordMatch) {
throw new Error('[[error:invalid-password]]');
}
if (!canEdit) {
throw new Error('[[error:no-privileges]]');
}
if (!isAdminOrGlobalMod && meta.config['username:disableEdit']) {
data.username = oldUserData.username;
}
if (!isAdminOrGlobalMod && meta.config['email:disableEdit']) {
data.email = oldUserData.email;
}
await user.updateProfile(caller.uid, data);
const userData = await user.getUserData(data.uid);
async function log(type, eventData) {
eventData.type = type;
eventData.uid = caller.uid;
eventData.targetUid = data.uid;
eventData.ip = caller.ip;
await events.log(eventData);
}
if (userData.email !== oldUserData.email) {
await log('email-change', { oldEmail: oldUserData.email, newEmail: userData.email });
}
if (userData.username !== oldUserData.username) {
await log('username-change', { oldUsername: oldUserData.username, newUsername: userData.username });
}
};
usersAPI.delete = async function (caller, data) {
processDeletion(data.uid, caller);
};
usersAPI.deleteMany = async function (caller, data) {
console.log(data.uids);
if (await canDeleteUids(data.uids)) {
await Promise.all(data.uids.map(uid => processDeletion(uid, caller)));
}
};
usersAPI.changePassword = async function (caller, data) {
await user.changePassword(caller.uid, Object.assign(data, { ip: caller.ip }));
await events.log({
type: 'password-change',
uid: caller.uid,
targetUid: data.uid,
ip: caller.ip,
});
};
usersAPI.follow = async function (caller, data) {
await user.follow(caller.uid, data.uid);
plugins.fireHook('action:user.follow', {
fromUid: caller.uid,
toUid: data.uid,
});
const userData = await user.getUserFields(caller.uid, ['username', 'userslug']);
const notifObj = await notifications.create({
type: 'follow',
bodyShort: '[[notifications:user_started_following_you, ' + userData.username + ']]',
nid: 'follow:' + data.uid + ':uid:' + caller.uid,
from: caller.uid,
path: '/uid/' + data.uid + '/followers',
mergeId: 'notifications:user_started_following_you',
});
if (!notifObj) {
return;
}
notifObj.user = userData;
await notifications.push(notifObj, [data.uid]);
};
usersAPI.unfollow = async function (caller, data) {
await user.unfollow(caller.uid, data.uid);
plugins.fireHook('action:user.unfollow', {
fromUid: caller.uid,
toUid: data.uid,
});
};
async function processDeletion(uid, caller) {
const isTargetAdmin = await user.isAdministrator(uid);
const isSelf = parseInt(uid, 10) === caller.uid;
const isAdmin = await user.isAdministrator(caller.uid);
if (!isSelf && !isAdmin) {
throw new Error('[[error:no-privileges]]');
} else if (!isSelf && isTargetAdmin) {
throw new Error('[[error:cant-delete-other-admins]]');
}
// TODO: clear user tokens for this uid
await flags.resolveFlag('user', uid, caller.uid);
const userData = await user.delete(caller.uid, uid);
await events.log({
type: 'user-delete',
uid: caller.uid,
targetUid: uid,
ip: caller.ip,
username: userData.username,
email: userData.email,
});
}
async function canDeleteUids(uids) {
if (!Array.isArray(uids)) {
throw new Error('[[error:invalid-data]]');
}
const isMembers = await groups.isMembers(uids, 'administrators');
if (isMembers.includes(true)) {
throw new Error('[[error:cant-delete-other-admins]]');
}
return true;
}