mhoppa commented on a change in pull request #3996: Rewrote /user/current to Go
URL: https://github.com/apache/trafficcontrol/pull/3996#discussion_r341603912
##########
File path: traffic_ops/traffic_ops_golang/user/current.go
##########
@@ -80,3 +190,213 @@ WHERE u.id=$1
u.LocalUser = util.BoolPtr(localPassword.Valid)
return u, nil
}
+
+func ReplaceCurrent(w http.ResponseWriter, r *http.Request) {
+ inf, userErr, sysErr, errCode := api.NewInfo(r, nil, nil)
+ tx := inf.Tx.Tx
+ if userErr != nil || sysErr != nil {
+ api.HandleErr(w, r, tx, errCode, userErr, sysErr)
+ return
+ }
+ defer inf.Close()
+
+ var userRequest tc.CurrentUserUpdateRequest
+ if err := json.NewDecoder(r.Body).Decode(&userRequest); err != nil {
+ errCode = http.StatusBadRequest
+ userErr = fmt.Errorf("Couldn't parse request: %v", err)
+ api.HandleErr(w, r, tx, errCode, userErr, nil)
+ return
+ }
+
+ user, exists, err := dbhelpers.GetUserByID(inf.User.ID, tx)
+ if err != nil {
+ sysErr = fmt.Errorf("Getting user by ID %d: %v", inf.User.ID,
err)
+ errCode = http.StatusInternalServerError
+ api.HandleErr(w, r, tx, errCode, nil, sysErr)
+ return
+ } else if !exists {
+ sysErr = fmt.Errorf("Current user (#%d) doesn't exist... ??",
inf.User.ID)
+ errCode = http.StatusInternalServerError
+ api.HandleErr(w, r, tx, errCode, nil, sysErr)
+ return
+ }
+
+ if err := userRequest.User.ValidateAndUnmarshal(&user); err != nil {
+ errCode = http.StatusBadRequest
+ userErr = fmt.Errorf("Couldn't parse request: %v", err)
+ api.HandleErr(w, r, tx, errCode, userErr, nil)
+ return
+ }
+
+ changePasswd := false
+
+ // obfuscate passwords (ValidateAndUnmarshal checks for equality with
ConfirmLocalPassword)
+ // TODO: check for valid password via bad password list like Perl did?
User creation doesn't...
+ if user.LocalPassword != nil && *user.LocalPassword != "" {
+ hashPass, err := auth.DerivePassword(*user.LocalPassword)
+ if err != nil {
+ sysErr = fmt.Errorf("Hashing new password: %v", err)
+ errCode = http.StatusInternalServerError
+ api.HandleErr(w, r, tx, errCode, nil, sysErr)
+ return
+ }
+ changePasswd = true
+ user.LocalPassword = util.StrPtr(hashPass)
+ user.ConfirmLocalPassword = util.StrPtr(hashPass)
+ }
+
+ if *user.Role != inf.User.Role {
+ privLevel, exists, err := dbhelpers.GetPrivLevelFromRoleID(tx,
*user.Role)
+ if err != nil {
+ sysErr = fmt.Errorf("Getting privLevel for Role #%d:
%v", *user.Role, err)
+ errCode = http.StatusInternalServerError
+ api.HandleErr(w, r, tx, errCode, nil, sysErr)
+ return
+ }
+ if !exists {
+ userErr = fmt.Errorf("role: no such role: %d",
*user.Role)
+ errCode = http.StatusNotFound
+ api.HandleErr(w, r, tx, errCode, userErr, nil)
+ return
+ }
+ if privLevel > inf.User.PrivLevel {
+ userErr = errors.New("role: cannot have greater
permissions than user's current role")
+ errCode = http.StatusForbidden
+ api.HandleErr(w, r, tx, errCode, userErr, nil)
+ return
+ }
+ }
+
+ if ok, err := tenant.IsResourceAuthorizedToUserTx(*user.TenantID,
inf.User, tx); err != nil {
+ if err == sql.ErrNoRows {
+ userErr = errors.New("No such tenant!")
+ errCode = http.StatusNotFound
+ } else {
+ sysErr = fmt.Errorf("Checking user %s permissions on
tenant #%d: %v", inf.User.UserName, *user.TenantID, err)
+ errCode = http.StatusInternalServerError
+ }
+ api.HandleErr(w, r, tx, errCode, userErr, sysErr)
+ return
+ } else if !ok {
+ // unlike Perl, this endpoint will not disclose the existence
of tenants over which the current
+ // user has no permission - in keeping with the behavior of the
'/tenants' endpoint.
+ userErr = errors.New("No such tenant!")
+ errCode = http.StatusNotFound
+ api.HandleErr(w, r, tx, errCode, userErr, sysErr)
+ return
+ }
+
+ if *user.Username != inf.User.UserName {
+
+ if ok, err := dbhelpers.UsernameExists(*user.Username, tx); err
!= nil {
+ sysErr = fmt.Errorf("Checking existence of user %s:
%v", *user.Username, err)
+ errCode = http.StatusInternalServerError
+ api.HandleErr(w, r, tx, errCode, nil, sysErr)
+ return
+ } else if ok {
+ // TODO users are tenanted, so theoretically I should
be hiding the existence of the
+ // conflicting user - but then how do I tell the client
how to fix their request?
+ userErr = fmt.Errorf("Username %s already exists!",
*user.Username)
+ errCode = http.StatusConflict
+ api.HandleErr(w, r, tx, errCode, userErr, nil)
+ return
+ }
+ }
+
+ if err = updateUser(&user, tx, changePasswd); err != nil {
+ errCode = http.StatusInternalServerError
+ sysErr = fmt.Errorf("Updating user: %v", err)
+ api.HandleErr(w, r, tx, errCode, nil, sysErr)
+ return
+ }
+
+ resp := struct {
+ tc.Alerts
+ Response tc.User `json:"response"`
+ }{
+ tc.CreateAlerts(tc.SuccessLevel, "User profile was successfully
updated"),
+ user,
+ }
+
+ respBts, err := json.Marshal(resp)
+ if err != nil {
+ errCode = http.StatusInternalServerError
+ sysErr = fmt.Errorf("Marshalling response: %v", err)
+ api.HandleErr(w, r, tx, errCode, nil, sysErr)
+ return
+ }
+ w.Header().Set(tc.ContentType, tc.ApplicationJson)
+ w.Write(append(respBts, '\n'))
Review comment:
should be handled by
https://github.com/apache/trafficcontrol/blob/master/traffic_ops/traffic_ops_golang/api/api.go#L199?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
With regards,
Apache Git Services
