evan/AnthoLume
evan/AnthoLume
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat(admin): handle user deletion
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Evan Reichard 2024-05-27 13:32:40 -04:00
parent db9629a618
commit f9277d3b32
6 changed files with 120 additions and 65 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

132
api/app-admin-routes.go
View File

@ -71,7 +71,7 @@ const (
type requestAdminUpdateUser struct {
User string `form:"user"`
Password *string `form:"password"`
IsAdmin *string `form:"is_admin"`
IsAdmin *bool `form:"is_admin"`
Operation operationType `form:"operation"`
}
@ -268,21 +268,27 @@ func (api *API) appGetAdminUsers(c *gin.Context) {
func (api *API) appUpdateAdminUsers(c *gin.Context) {
templateVars, _ := api.getBaseTemplateVars("admin-users", c)
var rAdminUserUpdate requestAdminUpdateUser
if err := c.ShouldBind(&rAdminUserUpdate); err != nil {
var rUpdate requestAdminUpdateUser
if err := c.ShouldBind(&rUpdate); err != nil {
log.Error("Invalid URI Bind")
appErrorPage(c, http.StatusNotFound, "Invalid user update")
appErrorPage(c, http.StatusNotFound, "Invalid user parameters")
return
}
// Ensure Username
if rUpdate.User == "" {
appErrorPage(c, http.StatusInternalServerError, "User cannot be empty")
return
}
var err error
switch rAdminUserUpdate.Operation {
switch rUpdate.Operation {
case opCreate:
err = api.createUser(rAdminUserUpdate)
err = api.createUser(rUpdate.User, rUpdate.Password, rUpdate.IsAdmin)
case opUpdate:
err = api.updateUser(rAdminUserUpdate)
err = api.updateUser(rUpdate.User, rUpdate.Password, rUpdate.IsAdmin)
case opDelete:
err = api.deleteUser(rAdminUserUpdate)
err = api.deleteUser(rUpdate.User)
default:
appErrorPage(c, http.StatusNotFound, "Unknown user operation")
return
@ -611,14 +617,6 @@ func (api *API) processRestoreFile(rAdminAction requestAdminAction, c *gin.Conte
}
defer backupFile.Close()
// Vacuum DB
_, err = api.db.DB.ExecContext(api.db.Ctx, "VACUUM;")
if err != nil {
log.Error("Unable to vacuum DB: ", err)
appErrorPage(c, http.StatusInternalServerError, "Unable to vacuum database")
return
}
// Save Backup File
w := bufio.NewWriter(backupFile)
err = api.createBackup(w, []string{"covers", "documents"})
@ -712,8 +710,13 @@ func (api *API) removeData() error {
}
func (api *API) createBackup(w io.Writer, directories []string) error {
ar := zip.NewWriter(w)
// Vacuum DB
_, err := api.db.DB.ExecContext(api.db.Ctx, "VACUUM;")
if err != nil {
return errors.Wrap(err, "Unable to vacuum database")
}
ar := zip.NewWriter(w)
exportWalker := func(currentPath string, f fs.DirEntry, err error) error {
if err != nil {
return err
@ -781,29 +784,43 @@ func (api *API) createBackup(w io.Writer, directories []string) error {
return nil
}
func (api *API) createUser(createRequest requestAdminUpdateUser) error {
// Validate Necessary Parameters
if createRequest.User == "" {
return fmt.Errorf("username can't be empty")
func (api *API) isLastAdmin(userID string) (bool, error) {
allUsers, err := api.db.Queries.GetUsers(api.db.Ctx)
if err != nil {
return false, errors.Wrap(err, fmt.Sprintf("GetUsers DB Error: %v", err))
}
if createRequest.Password == nil || *createRequest.Password == "" {
hasAdmin := false
for _, user := range allUsers {
if user.Admin && user.ID != userID {
hasAdmin = true
break
}
}
return !hasAdmin, nil
}
func (api *API) createUser(user string, rawPassword *string, isAdmin *bool) error {
// Validate Necessary Parameters
if rawPassword == nil || *rawPassword == "" {
return fmt.Errorf("password can't be empty")
}
// Base Params
createParams := database.CreateUserParams{
ID: createRequest.User,
ID: user,
}
// Handle Admin (Explicit or False)
if createRequest.IsAdmin != nil {
createParams.Admin = *createRequest.IsAdmin == "true"
if isAdmin != nil {
createParams.Admin = *isAdmin
} else {
createParams.Admin = false
}
// Parse Password
password := fmt.Sprintf("%x", md5.Sum([]byte(*createRequest.Password)))
password := fmt.Sprintf("%x", md5.Sum([]byte(*rawPassword)))
hashedPassword, err := argon2.CreateHash(password, argon2.DefaultParams)
if err != nil {
return fmt.Errorf("unable to create hashed password")
@ -830,25 +847,22 @@ func (api *API) createUser(createRequest requestAdminUpdateUser) error {
return nil
}
func (api *API) updateUser(updateRequest requestAdminUpdateUser) error {
func (api *API) updateUser(user string, rawPassword *string, isAdmin *bool) error {
// Validate Necessary Parameters
if updateRequest.User == "" {
return fmt.Errorf("username can't be empty")
}
if updateRequest.Password == nil && updateRequest.IsAdmin == nil {
if rawPassword == nil && isAdmin == nil {
return fmt.Errorf("nothing to update")
}
// Base Params
updateParams := database.UpdateUserParams{
UserID: updateRequest.User,
UserID: user,
}
// Handle Admin (Update or Existing)
if updateRequest.IsAdmin != nil {
updateParams.Admin = *updateRequest.IsAdmin == "true"
if isAdmin != nil {
updateParams.Admin = *isAdmin
} else {
user, err := api.db.Queries.GetUser(api.db.Ctx, updateRequest.User)
user, err := api.db.Queries.GetUser(api.db.Ctx, user)
if err != nil {
return errors.Wrap(err, fmt.Sprintf("GetUser DB Error: %v", err))
}
@ -856,20 +870,20 @@ func (api *API) updateUser(updateRequest requestAdminUpdateUser) error {
}
// Check Admins
if isLast, err := api.isLastAdmin(updateRequest.User); err != nil {
if isLast, err := api.isLastAdmin(user); err != nil {
return err
} else if isLast {
return fmt.Errorf("unable to demote %s - last admin", updateRequest.User)
return fmt.Errorf("unable to demote %s - last admin", user)
}
// Handle Password
if updateRequest.Password != nil {
if *updateRequest.Password == "" {
if rawPassword != nil {
if *rawPassword == "" {
return fmt.Errorf("password can't be empty")
}
// Parse Password
password := fmt.Sprintf("%x", md5.Sum([]byte(*updateRequest.Password)))
password := fmt.Sprintf("%x", md5.Sum([]byte(*rawPassword)))
hashedPassword, err := argon2.CreateHash(password, argon2.DefaultParams)
if err != nil {
return fmt.Errorf("unable to create hashed password")
@ -894,32 +908,34 @@ func (api *API) updateUser(updateRequest requestAdminUpdateUser) error {
return nil
}
func (api *API) deleteUser(updateRequest requestAdminUpdateUser) error {
func (api *API) deleteUser(user string) error {
// Check Admins
if isLast, err := api.isLastAdmin(updateRequest.User); err != nil {
if isLast, err := api.isLastAdmin(user); err != nil {
return err
} else if isLast {
return fmt.Errorf("unable to demote %s - last admin", updateRequest.User)
return fmt.Errorf("unable to delete %s - last admin", user)
}
// TODO - Implementation
return errors.New("unimplemented")
}
func (api *API) isLastAdmin(userID string) (bool, error) {
allUsers, err := api.db.Queries.GetUsers(api.db.Ctx)
// Create Backup File
backupFilePath := filepath.Join(api.cfg.ConfigPath, fmt.Sprintf("backups/AnthoLumeBackup_%s.zip", time.Now().Format("20060102150405")))
backupFile, err := os.Create(backupFilePath)
if err != nil {
return false, errors.Wrap(err, fmt.Sprintf("GetUsers DB Error: %v", err))
return err
}
defer backupFile.Close()
// Save Backup File (DB Only)
w := bufio.NewWriter(backupFile)
err = api.createBackup(w, []string{})
if err != nil {
return err
}
hasAdmin := false
for _, user := range allUsers {
if user.Admin && user.ID != userID {
hasAdmin = true
break
}
// Delete User
_, err = api.db.Queries.DeleteUser(api.db.Ctx, user)
if err != nil {
return errors.Wrap(err, fmt.Sprintf("DeleteUser DB Error: %v", err))
}
return !hasAdmin, nil
return nil
}

2
assets/style.css
View File

File diff suppressed because one or more lines are too long

3
database/query.sql
View File

@ -30,6 +30,9 @@ INSERT INTO users (id, pass, auth_hash, admin)
VALUES (?, ?, ?, ?)
ON CONFLICT DO NOTHING;
-- name: DeleteUser :execrows
DELETE FROM users WHERE id = $id;
-- name: DeleteDocument :execrows
UPDATE documents
SET

12
database/query.sql.go
View File

@ -153,6 +153,18 @@ func (q *Queries) DeleteDocument(ctx context.Context, id string) (int64, error)
return result.RowsAffected()
}
const deleteUser = `-- name: DeleteUser :execrows
DELETE FROM users WHERE id = ?1
`
func (q *Queries) DeleteUser(ctx context.Context, id string) (int64, error) {
result, err := q.db.ExecContext(ctx, deleteUser, id)
if err != nil {
return 0, err
}
return result.RowsAffected()
}
const getActivity = `-- name: GetActivity :many
WITH filtered_activity AS (
SELECT

8
database/schema.sql
View File

@ -189,3 +189,11 @@ UPDATE documents
SET updated_at = STRFTIME('%Y-%m-%dT%H:%M:%SZ', 'now')
WHERE id = old.id;
END;
-- Delete User
CREATE TRIGGER IF NOT EXISTS user_deleted
BEFORE DELETE ON users BEGIN
DELETE FROM activity WHERE activity.user_id=OLD.id;
DELETE FROM devices WHERE devices.user_id=OLD.id;
DELETE FROM document_progress WHERE document_progress.user_id=OLD.id;
END;

28
templates/pages/admin-users.tmpl
View File

@ -27,7 +27,7 @@
type="submit">Create</button>
</form>
</div>
<div class="min-w-full overflow-hidden rounded shadow">
<div class="min-w-full overflow-scroll rounded shadow">
<table class="min-w-full leading-normal bg-white dark:bg-gray-700 text-sm">
<thead class="text-gray-800 dark:text-gray-400">
<tr>
@ -50,12 +50,27 @@
{{ end }}
{{ range $user := .Data }}
<tr>
<td class="p-3 border-b border-gray-200 text-gray-800 dark:text-gray-400 cursor-pointer">
{{ template "svg/delete" }}
<!-- User Deletion -->
<td class="p-3 border-b border-gray-200 text-gray-800 dark:text-gray-400 cursor-pointer relative">
<label for="delete-{{ $user.ID }}-button" class="cursor-pointer">{{ template "svg/delete" }}</label>
<input type="checkbox"
id="delete-{{ $user.ID }}-button"
class="hidden css-button" />
<div class="absolute z-30 top-1.5 left-10 p-1.5 transition-all duration-200 bg-gray-200 rounded shadow-lg shadow-gray-500 dark:shadow-gray-900 dark:bg-gray-600">
<form method="POST"
action="./users"
class="text-black dark:text-white text-sm w-40">
<input type="hidden" id="operation" name="operation" value="DELETE" />
<input type="hidden" id="user" name="user" value="{{ $user.ID }}" />
{{ template "component/button" (dict "Title" (printf "Delete (%s)" $user.ID )) }}
</form>
</div>
</td>
<!-- User ID -->
<td class="p-3 border-b border-gray-200">
<p>{{ $user.ID }}</p>
</td>
<!-- User Password Change -->
<td class="border-b border-gray-200 relative px-3">
<label for="edit-{{ $user.ID }}-button" class="cursor-pointer">
<span class="font-medium px-2 py-1 text-white bg-gray-500 dark:text-gray-800 hover:bg-gray-800 dark:hover:bg-gray-100"
@ -64,7 +79,7 @@
<input type="checkbox"
id="edit-{{ $user.ID }}-button"
class="hidden css-button" />
<div class="absolute z-30 -bottom-1.5 left-16 p-3 transition-all duration-200 bg-gray-200 rounded shadow-lg shadow-gray-500 dark:shadow-gray-900 dark:bg-gray-600">
<div class="absolute z-30 top-1 left-16 ml-2 p-1.5 transition-all duration-200 bg-gray-200 rounded shadow-lg shadow-gray-500 dark:shadow-gray-900 dark:bg-gray-600">
<form method="POST"
action="./users"
class="flex flex gap-2 text-black dark:text-white text-sm">
@ -73,13 +88,14 @@
<input type="password"
id="password"
name="password"
placeholder="Password"
class="p-2 bg-gray-300 text-black dark:bg-gray-700 dark:text-white" />
placeholder="{{ printf "Password (%s)" $user.ID }}"
class="p-1.5 bg-gray-300 text-black dark:bg-gray-700 dark:text-white" />
<button class="font-medium px-2 py-1 text-white bg-gray-500 dark:text-gray-800 hover:bg-gray-800 dark:hover:bg-gray-100"
type="submit">Change</button>
</form>
</div>
</td>
<!-- User Role -->
<td class="flex gap-2 justify-center p-3 border-b border-gray-200 text-center min-w-40">
<!-- Set Admin & User Styles -->
{{ $adminStyle := "bg-gray-400 dark:bg-gray-600 cursor-pointer" }}