mhoppa commented on a change in pull request #3996: Rewrote /user/current to Go
URL: https://github.com/apache/trafficcontrol/pull/3996#discussion_r337101107
File path: traffic_ops/traffic_ops_golang/user/current.go
@@ -80,3 +139,166 @@ WHERE u.id=$1
u.LocalUser = util.BoolPtr(localPassword.Valid)
return u, nil
}
+
+func ReplaceCurrent(w http.ResponseWriter, r *http.Request) {
+ inf, userErr, sysErr, errCode := api.NewInfo(r, nil, nil)
+ tx := inf.Tx.Tx
+ if userErr != nil || sysErr != nil {
+ api.HandleErr(w, r, tx, errCode, userErr, sysErr)
+ return
+ }
+ defer inf.Close()
+
+ var userRequest tc.CurrentUserUpdateRequest
+ if err := json.NewDecoder(r.Body).Decode(&userRequest); err != nil {
+ errCode = http.StatusBadRequest
+ userErr = fmt.Errorf("Couldn't parse request: %v", err)
+ api.HandleErr(w, r, tx, errCode, userErr, nil)
+ return
+ }
+
+ user, err := userRequest.User.ValidateAndUnmarshal()
+ if err != nil {
+ errCode = http.StatusBadRequest
+ userErr = fmt.Errorf("Couldn't parse request: %v", err)
+ api.HandleErr(w, r, tx, errCode, userErr, nil)
+ return
+ }
+
+ // obfuscate passwords (ValidateAndUnmarshal checks for equality with
ConfirmLocalPassword)
+ // TODO: check for valid password via bad password list like Perl did?
User creation doesn't...
+ if user.LocalPassword != nil && *user.LocalPassword != "" {
+ hashPass, err := auth.DerivePassword(*user.LocalPassword)
+ if err != nil {
+ sysErr = fmt.Errorf("Hashing new password: %v", err)
+ errCode = http.StatusInternalServerError
+ api.HandleErr(w, r, tx, errCode, nil, sysErr)
+ return
+ }
+
+ user.LocalPassword = util.StrPtr(hashPass)
+ user.ConfirmLocalPassword = util.StrPtr(hashPass)
+ }
+
+ if *user.ID != inf.User.ID {
+ userErr = errors.New("You cannot change your user ID!")
+ errCode = http.StatusBadRequest
+ api.HandleErr(w, r, tx, errCode, userErr, nil)
+ return
+ }
+
+ if *user.Role != inf.User.Role {
+ userErr = errors.New("You cannot change your permissions role!")
+ errCode = http.StatusBadRequest
+ api.HandleErr(w, r, tx, errCode, userErr, nil)
+ return
+ }
+
+ if ok, err := tenant.IsResourceAuthorizedToUserTx(*user.TenantID,
inf.User, tx); err != nil {
+ if err == sql.ErrNoRows {
+ userErr = errors.New("No such tenant!")
+ errCode = http.StatusConflict
+ } else {
+ sysErr = fmt.Errorf("Checking user %s permissions on
tenant #%d: %v", inf.User.UserName, *user.TenantID, err)
+ errCode = http.StatusInternalServerError
+ }
+ api.HandleErr(w, r, tx, errCode, userErr, sysErr)
+ return
+ } else if !ok {
+ // unlike Perl, this endpoint will not disclose the existence
of tenants over which the current
+ // user has no permission - in keeping with the behavior of the
'/tenants' endpoint.
+ userErr = errors.New("No such tenant!")
+ errCode = http.StatusConflict
+ api.HandleErr(w, r, tx, errCode, userErr, sysErr)
+ return
+ }
+
+ if *user.Username != inf.User.UserName {
+
+ if ok, err := dbhelpers.UsernameExists(*user.Username, tx); err
!= nil {
+ sysErr = fmt.Errorf("Checking existence of user %s:
%v", *user.Username, err)
+ errCode = http.StatusInternalServerError
+ api.HandleErr(w, r, tx, errCode, nil, sysErr)
+ return
+ } else if ok {
+ // TODO users are tenanted, so theoretically I should
be hiding the existence of the
+ // conflicting user - but then how do I tell the client
how to fix their request?
+ userErr = fmt.Errorf("Username %s already exists!",
*user.Username)
+ errCode = http.StatusConflict
+ api.HandleErr(w, r, tx, errCode, userErr, nil)
+ return
+ }
+ }
+
+ row := tx.QueryRow(replaceCurrentQuery,
+ user.AddressLine1,
+ user.AddressLine2,
+ user.City,
+ user.Company,
+ user.ConfirmLocalPassword,
+ user.Country,
+ user.Email,
+ user.FullName,
+ user.GID,
+ user.LocalPassword,
+ user.PhoneNumber,
+ user.PostalCode,
+ user.PublicSSHKey,
+ user.StateOrProvince,
+ user.TenantID,
+ user.UID,
+ user.Username,
+ inf.User.ID,
+ )
+
+ err = row.Scan(&user.AddressLine1,
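Review bot: `tx := inf.Tx.Tx` at the top of ReplaceCurrent runs before the `userErr != nil || sysErr != nil` check, so if api.NewInfo reports an error while leaving `inf.Tx` nil (for example when the transaction could not be opened) the handler panics instead of returning errCode; reorder to `if userErr != nil || sysErr != nil { api.HandleErr(w, r, nil, errCode, userErr, sysErr); return }` and only then `tx := inf.Tx.Tx`, which is also the order the other handlers in this package follow. The same concern applies to `*user.ID`, `*user.Role`, `*user.TenantID` and `*user.Username` further down: unless ValidateAndUnmarshal guarantees those pointers are non-nil (not visible in this hunk), a body that omits one of them dereferences nil, so a guard such as `if user.ID == nil || user.Role == nil || user.TenantID == nil || user.Username == nil { api.HandleErr(w, r, tx, http.StatusBadRequest, errors.New("id, role, tenantId and username are required"), nil); return }` placed before the comparisons would turn that into a 400 rather than a crashed request. ReplaceCurrent continues past the end of the hunk (the `row.Scan` call is cut off), so the remainder of the body was not reviewed.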
Review comment:
Think about using sqlx StructScan, and sqlx for the query above instead of
using $1,$2,$3,$4. With a big parameterized query like this I worry about
maintenance/debugging.