|
|
|
import { Router } from 'express';
|
|
|
|
import { getRepository } from 'typeorm';
|
|
|
|
import { canMakePermissionsChange } from '.';
|
|
|
|
import { User } from '../../entity/User';
|
|
|
|
import { getSettings } from '../../lib/settings';
|
|
|
|
import { UserSettings } from '../../entity/UserSettings';
|
|
|
|
import {
|
|
|
|
UserSettingsGeneralResponse,
|
|
|
|
UserSettingsNotificationsResponse,
|
|
|
|
} from '../../interfaces/api/userSettingsInterfaces';
|
|
|
|
import { Permission } from '../../lib/permissions';
|
|
|
|
import logger from '../../logger';
|
|
|
|
import { isAuthenticated } from '../../middleware/auth';
|
|
|
|
|
|
|
|
const isOwnProfileOrAdmin = (): Middleware => {
|
|
|
|
const authMiddleware: Middleware = (req, res, next) => {
|
|
|
|
if (
|
|
|
|
!req.user?.hasPermission(Permission.MANAGE_USERS) &&
|
|
|
|
req.user?.id !== Number(req.params.id)
|
|
|
|
) {
|
|
|
|
return next({
|
|
|
|
status: 403,
|
|
|
|
message: "You do not have permission to view this user's settings.",
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
next();
|
|
|
|
};
|
|
|
|
return authMiddleware;
|
|
|
|
};
|
|
|
|
|
|
|
|
const userSettingsRoutes = Router({ mergeParams: true });
|
|
|
|
|
|
|
|
userSettingsRoutes.get<{ id: string }, UserSettingsGeneralResponse>(
|
|
|
|
'/main',
|
|
|
|
isOwnProfileOrAdmin(),
|
|
|
|
async (req, res, next) => {
|
|
|
|
const userRepository = getRepository(User);
|
|
|
|
|
|
|
|
try {
|
|
|
|
const user = await userRepository.findOne({
|
|
|
|
where: { id: Number(req.params.id) },
|
|
|
|
});
|
|
|
|
|
|
|
|
if (!user) {
|
|
|
|
return next({ status: 404, message: 'User not found.' });
|
|
|
|
}
|
|
|
|
|
|
|
|
return res.status(200).json({
|
|
|
|
username: user.username,
|
|
|
|
region: user.settings?.region,
|
|
|
|
originalLanguage: user.settings?.originalLanguage,
|
|
|
|
});
|
|
|
|
} catch (e) {
|
|
|
|
next({ status: 500, message: e.message });
|
|
|
|
}
|
|
|
|
}
|
|
|
|
);
|
|
|
|
|
|
|
|
userSettingsRoutes.post<
|
|
|
|
{ id: string },
|
|
|
|
UserSettingsGeneralResponse,
|
|
|
|
UserSettingsGeneralResponse
|
|
|
|
>('/main', isOwnProfileOrAdmin(), async (req, res, next) => {
|
|
|
|
const userRepository = getRepository(User);
|
|
|
|
|
|
|
|
try {
|
|
|
|
const user = await userRepository.findOne({
|
|
|
|
where: { id: Number(req.params.id) },
|
|
|
|
});
|
|
|
|
|
|
|
|
if (!user) {
|
|
|
|
return next({ status: 404, message: 'User not found.' });
|
|
|
|
}
|
|
|
|
|
|
|
|
// "Owner" user settings cannot be modified by other users
|
|
|
|
if (user.id === 1 && req.user?.id !== 1) {
|
|
|
|
return next({
|
|
|
|
status: 403,
|
|
|
|
message: "You do not have permission to modify this user's settings.",
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
user.username = req.body.username;
|
|
|
|
if (!user.settings) {
|
|
|
|
user.settings = new UserSettings({
|
|
|
|
user: req.user,
|
|
|
|
region: req.body.region,
|
|
|
|
originalLanguage: req.body.originalLanguage,
|
|
|
|
});
|
|
|
|
} else {
|
|
|
|
user.settings.region = req.body.region;
|
|
|
|
user.settings.originalLanguage = req.body.originalLanguage;
|
|
|
|
}
|
|
|
|
|
|
|
|
await userRepository.save(user);
|
|
|
|
|
|
|
|
return res.status(200).json({ username: user.username });
|
|
|
|
} catch (e) {
|
|
|
|
next({ status: 500, message: e.message });
|
|
|
|
}
|
|
|
|
});
|
|
|
|
|
|
|
|
userSettingsRoutes.get<{ id: string }, { hasPassword: boolean }>(
|
|
|
|
'/password',
|
|
|
|
isOwnProfileOrAdmin(),
|
|
|
|
async (req, res, next) => {
|
|
|
|
const userRepository = getRepository(User);
|
|
|
|
|
|
|
|
try {
|
|
|
|
const user = await userRepository.findOne({
|
|
|
|
where: { id: Number(req.params.id) },
|
|
|
|
select: ['id', 'password'],
|
|
|
|
});
|
|
|
|
|
|
|
|
if (!user) {
|
|
|
|
return next({ status: 404, message: 'User not found.' });
|
|
|
|
}
|
|
|
|
|
|
|
|
return res.status(200).json({ hasPassword: !!user.password });
|
|
|
|
} catch (e) {
|
|
|
|
next({ status: 500, message: e.message });
|
|
|
|
}
|
|
|
|
}
|
|
|
|
);
|
|
|
|
|
|
|
|
userSettingsRoutes.post<
|
|
|
|
{ id: string },
|
|
|
|
null,
|
|
|
|
{ currentPassword?: string; newPassword: string }
|
|
|
|
>('/password', isOwnProfileOrAdmin(), async (req, res, next) => {
|
|
|
|
const userRepository = getRepository(User);
|
|
|
|
|
|
|
|
try {
|
|
|
|
const user = await userRepository.findOne({
|
|
|
|
where: { id: Number(req.params.id) },
|
|
|
|
});
|
|
|
|
|
|
|
|
const userWithPassword = await userRepository.findOne({
|
|
|
|
select: ['id', 'password'],
|
|
|
|
where: { id: Number(req.params.id) },
|
|
|
|
});
|
|
|
|
|
|
|
|
if (!user || !userWithPassword) {
|
|
|
|
return next({ status: 404, message: 'User not found.' });
|
|
|
|
}
|
|
|
|
|
|
|
|
if (req.body.newPassword.length < 8) {
|
|
|
|
return next({
|
|
|
|
status: 400,
|
|
|
|
message: 'Password must be at least 8 characters.',
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
if (
|
|
|
|
(user.id === 1 && req.user?.id !== 1) ||
|
|
|
|
(user.hasPermission(Permission.ADMIN) &&
|
|
|
|
user.id !== req.user?.id &&
|
|
|
|
req.user?.id !== 1)
|
|
|
|
) {
|
|
|
|
return next({
|
|
|
|
status: 403,
|
|
|
|
message: "You do not have permission to modify this user's password.",
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
// If the user has the permission to manage users and they are not
|
|
|
|
// editing themselves, we will just set the new password
|
|
|
|
if (
|
|
|
|
req.user?.hasPermission(Permission.MANAGE_USERS) &&
|
|
|
|
req.user?.id !== user.id
|
|
|
|
) {
|
|
|
|
await user.setPassword(req.body.newPassword);
|
|
|
|
await userRepository.save(user);
|
|
|
|
logger.debug('Password overriden by user.', {
|
|
|
|
label: 'User Settings',
|
|
|
|
userEmail: user.email,
|
|
|
|
changingUser: req.user.email,
|
|
|
|
});
|
|
|
|
return res.status(204).send();
|
|
|
|
}
|
|
|
|
|
|
|
|
// If the user has a password, we need to check the currentPassword is correct
|
|
|
|
if (
|
|
|
|
user.password &&
|
|
|
|
(!req.body.currentPassword ||
|
|
|
|
!(await userWithPassword.passwordMatch(req.body.currentPassword)))
|
|
|
|
) {
|
|
|
|
logger.debug(
|
|
|
|
'Attempt to change password for user failed. Invalid current password provided.',
|
|
|
|
{ label: 'User Settings', userEmail: user.email }
|
|
|
|
);
|
|
|
|
return next({ status: 403, message: 'Current password is invalid.' });
|
|
|
|
}
|
|
|
|
|
|
|
|
await user.setPassword(req.body.newPassword);
|
|
|
|
await userRepository.save(user);
|
|
|
|
|
|
|
|
return res.status(204).send();
|
|
|
|
} catch (e) {
|
|
|
|
next({ status: 500, message: e.message });
|
|
|
|
}
|
|
|
|
});
|
|
|
|
|
|
|
|
userSettingsRoutes.get<{ id: string }, UserSettingsNotificationsResponse>(
|
|
|
|
'/notifications',
|
|
|
|
isOwnProfileOrAdmin(),
|
|
|
|
async (req, res, next) => {
|
|
|
|
const userRepository = getRepository(User);
|
|
|
|
const settings = getSettings();
|
|
|
|
|
|
|
|
try {
|
|
|
|
const user = await userRepository.findOne({
|
|
|
|
where: { id: Number(req.params.id) },
|
|
|
|
});
|
|
|
|
|
|
|
|
if (!user) {
|
|
|
|
return next({ status: 404, message: 'User not found.' });
|
|
|
|
}
|
|
|
|
|
|
|
|
return res.status(200).json({
|
|
|
|
enableNotifications: user.settings?.enableNotifications ?? true,
|
|
|
|
telegramBotUsername:
|
|
|
|
settings?.notifications.agents.telegram.options.botUsername,
|
|
|
|
discordId: user.settings?.discordId,
|
|
|
|
telegramChatId: user.settings?.telegramChatId,
|
|
|
|
telegramSendSilently: user?.settings?.telegramSendSilently,
|
|
|
|
pgpKey: user?.settings?.pgpKey,
|
|
|
|
});
|
|
|
|
} catch (e) {
|
|
|
|
next({ status: 500, message: e.message });
|
|
|
|
}
|
|
|
|
}
|
|
|
|
);
|
|
|
|
|
|
|
|
userSettingsRoutes.post<
|
|
|
|
{ id: string },
|
|
|
|
UserSettingsNotificationsResponse,
|
|
|
|
UserSettingsNotificationsResponse
|
|
|
|
>('/notifications', isOwnProfileOrAdmin(), async (req, res, next) => {
|
|
|
|
const userRepository = getRepository(User);
|
|
|
|
|
|
|
|
try {
|
|
|
|
const user = await userRepository.findOne({
|
|
|
|
where: { id: Number(req.params.id) },
|
|
|
|
});
|
|
|
|
|
|
|
|
if (!user) {
|
|
|
|
return next({ status: 404, message: 'User not found.' });
|
|
|
|
}
|
|
|
|
|
|
|
|
// "Owner" user settings cannot be modified by other users
|
|
|
|
if (user.id === 1 && req.user?.id !== 1) {
|
|
|
|
return next({
|
|
|
|
status: 403,
|
|
|
|
message: "You do not have permission to modify this user's settings.",
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!user.settings) {
|
|
|
|
user.settings = new UserSettings({
|
|
|
|
user: req.user,
|
|
|
|
enableNotifications: req.body.enableNotifications,
|
|
|
|
discordId: req.body.discordId,
|
|
|
|
telegramChatId: req.body.telegramChatId,
|
|
|
|
telegramSendSilently: req.body.telegramSendSilently,
|
|
|
|
pgpKey: req.body.pgpKey,
|
|
|
|
});
|
|
|
|
} else {
|
|
|
|
user.settings.enableNotifications = req.body.enableNotifications;
|
|
|
|
user.settings.discordId = req.body.discordId;
|
|
|
|
user.settings.telegramChatId = req.body.telegramChatId;
|
|
|
|
user.settings.telegramSendSilently = req.body.telegramSendSilently;
|
|
|
|
user.settings.pgpKey = req.body.pgpKey;
|
|
|
|
}
|
|
|
|
|
|
|
|
userRepository.save(user);
|
|
|
|
|
|
|
|
return res.status(200).json({
|
|
|
|
enableNotifications: user.settings.enableNotifications,
|
|
|
|
discordId: user.settings.discordId,
|
|
|
|
telegramChatId: user.settings.telegramChatId,
|
|
|
|
telegramSendSilently: user.settings.telegramSendSilently,
|
|
|
|
pgpKey: user.settings.pgpKey,
|
|
|
|
});
|
|
|
|
} catch (e) {
|
|
|
|
next({ status: 500, message: e.message });
|
|
|
|
}
|
|
|
|
});
|
|
|
|
|
|
|
|
userSettingsRoutes.get<{ id: string }, { permissions?: number }>(
|
|
|
|
'/permissions',
|
|
|
|
isAuthenticated(Permission.MANAGE_USERS),
|
|
|
|
async (req, res, next) => {
|
|
|
|
const userRepository = getRepository(User);
|
|
|
|
|
|
|
|
try {
|
|
|
|
const user = await userRepository.findOne({
|
|
|
|
where: { id: Number(req.params.id) },
|
|
|
|
});
|
|
|
|
|
|
|
|
if (!user) {
|
|
|
|
return next({ status: 404, message: 'User not found.' });
|
|
|
|
}
|
|
|
|
|
|
|
|
return res.status(200).json({ permissions: user.permissions });
|
|
|
|
} catch (e) {
|
|
|
|
next({ status: 500, message: e.message });
|
|
|
|
}
|
|
|
|
}
|
|
|
|
);
|
|
|
|
|
|
|
|
userSettingsRoutes.post<
|
|
|
|
{ id: string },
|
|
|
|
{ permissions?: number },
|
|
|
|
{ permissions: number }
|
|
|
|
>(
|
|
|
|
'/permissions',
|
|
|
|
isAuthenticated(Permission.MANAGE_USERS),
|
|
|
|
async (req, res, next) => {
|
|
|
|
const userRepository = getRepository(User);
|
|
|
|
|
|
|
|
try {
|
|
|
|
const user = await userRepository.findOne({
|
|
|
|
where: { id: Number(req.params.id) },
|
|
|
|
});
|
|
|
|
|
|
|
|
if (!user) {
|
|
|
|
return next({ status: 404, message: 'User not found.' });
|
|
|
|
}
|
|
|
|
|
|
|
|
// "Owner" user permissions cannot be modified, and users cannot set their own permissions
|
|
|
|
if (user.id === 1 || req.user?.id === user.id) {
|
|
|
|
return next({
|
|
|
|
status: 403,
|
|
|
|
message: 'You do not have permission to modify this user',
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!canMakePermissionsChange(req.body.permissions, req.user)) {
|
|
|
|
return next({
|
|
|
|
status: 403,
|
|
|
|
message: 'You do not have permission to grant this level of access',
|
|
|
|
});
|
|
|
|
}
|
|
|
|
user.permissions = req.body.permissions;
|
|
|
|
|
|
|
|
await userRepository.save(user);
|
|
|
|
|
|
|
|
return res.status(200).json({ permissions: user.permissions });
|
|
|
|
} catch (e) {
|
|
|
|
next({ status: 500, message: e.message });
|
|
|
|
}
|
|
|
|
}
|
|
|
|
);
|
|
|
|
|
|
|
|
export default userSettingsRoutes;
|