/
users_update.go
117 lines (93 loc) Β· 3.02 KB
/
users_update.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
package api
import (
"net/http"
"github.com/dustin/go-humanize/english"
"github.com/gin-gonic/gin"
"github.com/photoprism/photoprism/internal/acl"
"github.com/photoprism/photoprism/internal/entity"
"github.com/photoprism/photoprism/internal/event"
"github.com/photoprism/photoprism/internal/get"
"github.com/photoprism/photoprism/pkg/clean"
"github.com/photoprism/photoprism/pkg/i18n"
)
// UpdateUser updates the profile information of the currently authenticated user.
//
// PUT /api/v1/users/:uid
func UpdateUser(router *gin.RouterGroup) {
router.PUT("/users/:uid", func(c *gin.Context) {
conf := get.Config()
if conf.Public() || conf.DisableSettings() {
AbortForbidden(c)
return
}
// Check if the session user is allowed to manage all accounts or update his/her own account.
s := AuthAny(c, acl.ResourceUsers, acl.Permissions{acl.ActionManage, acl.AccessOwn, acl.ActionUpdate})
if s.Abort(c) {
return
}
// UserUID.
uid := clean.UID(c.Param("uid"))
// Find user.
m := entity.FindUserByUID(uid)
if m == nil {
Abort(c, http.StatusNotFound, i18n.ErrUserNotFound)
return
}
// Init form with model values.
f, err := m.Form()
if err != nil {
log.Error(err)
AbortSaveFailed(c)
return
}
// Assign and validate request form values.
if err = c.BindJSON(&f); err != nil {
log.Error(err)
AbortBadRequest(c)
return
}
// Check if the session user is has user management privileges.
isAdmin := acl.Rules.AllowAll(acl.ResourceUsers, s.UserRole(), acl.Permissions{acl.AccessAll, acl.ActionManage})
privilegeLevelChange := isAdmin && m.PrivilegeLevelChange(f)
// Get user from session.
u := s.User()
// Prevent super admins from locking themselves out.
if u.IsSuperAdmin() && u.Equal(m) && !f.CanLogin {
f.CanLogin = true
}
// Only allow super admins to change the authentication method.
if !u.IsSuperAdmin() {
f.AuthMethod = ""
}
// Save model with values from form.
if err = m.SaveForm(f, isAdmin); err != nil {
event.AuditErr([]string{ClientIP(c), "session %s", "users", m.UserName, "update", err.Error()}, s.RefID)
AbortSaveFailed(c)
return
}
// Log event.
event.AuditInfo([]string{ClientIP(c), "session %s", "users", m.UserName, "updated"}, s.RefID)
// Delete user sessions after a privilege level change.
// see https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html#renew-the-session-id-after-any-privilege-level-change
if privilegeLevelChange {
// Prevent the current session from being deleted.
deleted := m.DeleteSessions([]string{s.ID})
// Delete active user sessions.
event.AuditInfo([]string{ClientIP(c), "session %s", "users", m.UserName, "invalidated %s"}, s.RefID,
english.Plural(deleted, "session", "sessions"))
}
// Flush session cache.
if isAdmin {
entity.FlushSessionCache()
} else {
s.ClearCache()
}
// Find and return the updated user record.
m = entity.FindUserByUID(uid)
if m == nil {
AbortEntityNotFound(c)
return
}
c.JSON(http.StatusOK, m)
})
}