focalboard/server/api/auth.go

package api
import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"io/ioutil"
	"net"
	"net/http"
	"strings"
	"unicode/utf8"

	"github.com/gorilla/mux"

	"github.com/mattermost/focalboard/server/model"
	"github.com/mattermost/focalboard/server/services/audit"
	"github.com/mattermost/focalboard/server/services/auth"
	"github.com/mattermost/focalboard/server/utils"
	"github.com/mattermost/mattermost-server/v6/shared/mlog"
)
// MinimumPasswordLength is the minimum password length enforced by
// isValidPassword, which both registration and password changes go through.
const MinimumPasswordLength = 8
// ParamError is returned by the request validators (the IsValid methods)
// when a field of an incoming request is missing or malformed.
type ParamError struct {
	msg string
}

// Compile-time check that ParamError satisfies error.
var _ error = ParamError{}

// Error returns the validation message carried by the ParamError.
func (pe ParamError) Error() string {
	return pe.msg
}
// LoginRequest is a login request. handleLogin only serves requests whose
// Type is "normal"; Username, Email, Password and MfaToken are handed to the
// app's Login call unchanged.
// swagger:model
type LoginRequest struct {
	// Type of login, currently must be set to "normal"
	// required: true
	Type string `json:"type"`
	// If specified, login using username
	// required: false
	Username string `json:"username"`
	// If specified, login using email
	// required: false
	Email string `json:"email"`
	// Password
	// required: true
	Password string `json:"password"`
	// MFA token
	// required: false
	// swagger:ignore
	MfaToken string `json:"mfa_token"`
}
// LoginResponse is a login response
// swagger:model
type LoginResponse struct {
	// Session token
	// required: true
	Token string `json:"token"`
}

// LoginResponseFromJSON decodes a LoginResponse from the JSON read from data.
// On a decode error it returns a nil response together with the decoder's
// error (an empty input surfaces as io.EOF).
func LoginResponseFromJSON(data io.Reader) (*LoginResponse, error) {
	resp := &LoginResponse{}
	if decodeErr := json.NewDecoder(data).Decode(resp); decodeErr != nil {
		return nil, decodeErr
	}
	return resp, nil
}
// RegisterRequest is a user registration request. It is validated by
// IsValid; handleRegister trims Username and Email before validating.
// swagger:model
type RegisterRequest struct {
	// User name
	// required: true
	Username string `json:"username"`
	// User's email
	// required: true
	Email string `json:"email"`
	// Password
	// required: true
	Password string `json:"password"`
	// Registration authorization token
	// required: true
	Token string `json:"token"`
}
// IsValid checks a registration request field by field and returns a
// ParamError naming the first problem found, or nil. Username and Email are
// considered missing when they are blank after trimming whitespace; the
// email format check and the password rules are applied to the raw values
// (handleRegister trims Username and Email before calling this).
func (rd *RegisterRequest) IsValid() error {
	switch {
	case strings.TrimSpace(rd.Username) == "":
		return ParamError{"username is required"}
	case strings.TrimSpace(rd.Email) == "":
		return ParamError{"email is required"}
	case !auth.IsEmailValid(rd.Email):
		return ParamError{"invalid email format"}
	case rd.Password == "":
		return ParamError{"password is required"}
	}
	// Minimum-length rule shared with ChangePasswordRequest.IsValid.
	return isValidPassword(rd.Password)
}
// ChangePasswordRequest is a user password change request. IsValid requires
// both fields and applies the MinimumPasswordLength rule to NewPassword only.
// swagger:model
type ChangePasswordRequest struct {
	// Old password
	// required: true
	OldPassword string `json:"oldPassword"`
	// New password
	// required: true
	NewPassword string `json:"newPassword"`
}
// IsValid validates a password change request: both passwords must be
// present, and the new one must satisfy isValidPassword. The first failing
// rule is reported as a ParamError; nil means the request is acceptable.
func (rd *ChangePasswordRequest) IsValid() error {
	switch {
	case rd.OldPassword == "":
		return ParamError{"old password is required"}
	case rd.NewPassword == "":
		return ParamError{"new password is required"}
	default:
		return isValidPassword(rd.NewPassword)
	}
}
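// isValidPassword enforces the MinimumPasswordLength rule shared by
// registration and password changes. It returns a ParamError when the
// password is too short, nil otherwise.
func isValidPassword(password string) error {
	// Count characters (runes), not bytes, so the check matches the message
	// it reports: with len(), a four-character password made of multi-byte
	// characters could occupy eight or more bytes and pass an eight-character
	// minimum. For ASCII passwords both counts are identical.
	if utf8.RuneCountInString(password) < MinimumPasswordLength {
		return ParamError{fmt.Sprintf("password must be at least %d characters", MinimumPasswordLength)}
	}
	return nil
}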
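// handleLogin authenticates a user from a JSON LoginRequest (username or
// email plus password, optional MFA token) and answers with a LoginResponse
// carrying the session token. The endpoint is disabled in plugin mode and in
// single-user mode. Every attempt that reaches the parsed request is written
// to the audit log; the record is marked successful only after the token has
// been sent.
func (a *API) handleLogin(w http.ResponseWriter, r *http.Request) {
	// swagger:operation POST /login login
	//
	// Login user
	//
	// ---
	// produces:
	// - application/json
	// parameters:
	// - name: body
	//   in: body
	//   description: Login request
	//   required: true
	//   schema:
	//     "$ref": "#/definitions/LoginRequest"
	// responses:
	//   '200':
	//     description: success
	//     schema:
	//       "$ref": "#/definitions/LoginResponse"
	//   '401':
	//     description: invalid login
	//     schema:
	//       "$ref": "#/definitions/ErrorResponse"
	//   '500':
	//     description: internal error
	//     schema:
	//       "$ref": "#/definitions/ErrorResponse"

	if a.MattermostAuth {
		// A single check that returns. Previously the first plugin-mode check
		// wrote an error response and fell through to a second identical check,
		// so two error responses were written for the same request.
		a.errorResponse(w, r.URL.Path, http.StatusNotImplemented, "not permitted in plugin mode", nil)
		return
	}

	if len(a.singleUserToken) > 0 {
		// Not permitted in single-user mode
		a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "not permitted in single-user mode", nil)
		return
	}

	// Bound the body read: this endpoint is reachable without a session and a
	// login payload is small, so an unbounded ReadAll would let any client
	// make the server buffer an arbitrarily large body. The limit is a value
	// chosen here, not taken from the original code; adjust if needed.
	const maxLoginBodyBytes = 64 << 10
	requestBody, err := ioutil.ReadAll(http.MaxBytesReader(w, r.Body, maxLoginBodyBytes))
	if err != nil {
		// An unreadable or oversized body is the client's problem, not ours.
		a.errorResponse(w, r.URL.Path, http.StatusBadRequest, "", err)
		return
	}

	var loginData LoginRequest
	if err = json.Unmarshal(requestBody, &loginData); err != nil {
		// A body that is not valid JSON is a client error, not a server one.
		a.errorResponse(w, r.URL.Path, http.StatusBadRequest, "", err)
		return
	}

	auditRec := a.makeAuditRecord(r, "login", audit.Fail)
	defer a.audit.LogRecord(audit.LevelAuth, auditRec)
	auditRec.AddMeta("username", loginData.Username)
	auditRec.AddMeta("type", loginData.Type)

	if loginData.Type != "normal" {
		a.errorResponse(w, r.URL.Path, http.StatusBadRequest, "invalid login type", nil)
		return
	}

	token, err := a.app.Login(loginData.Username, loginData.Email, loginData.Password, loginData.MfaToken)
	if err != nil {
		// The client-facing message is deliberately generic so the response
		// does not say which of username, email or password was wrong. The
		// underlying err is also handed to errorResponse; confirm that helper
		// does not echo it into the response body.
		a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "incorrect login", err)
		return
	}

	// Named body rather than json so the encoding/json package is not shadowed.
	body, err := json.Marshal(LoginResponse{Token: token})
	if err != nil {
		a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
		return
	}

	jsonBytesResponse(w, http.StatusOK, body)
	auditRec.Success()
}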
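// handleLogout ends the session found in the request context and answers
// with an empty JSON object. The endpoint is disabled in plugin mode and in
// single-user mode. The attempt is written to the audit log with the user
// and (on success) session IDs.
func (a *API) handleLogout(w http.ResponseWriter, r *http.Request) {
	// swagger:operation POST /logout logout
	//
	// Logout user
	//
	// ---
	// produces:
	// - application/json
	// security:
	// - BearerAuth: []
	// responses:
	//   '200':
	//     description: success
	//   '500':
	//     description: internal error
	//     schema:
	//       "$ref": "#/definitions/ErrorResponse"

	if a.MattermostAuth {
		// A single check that returns. Previously the first plugin-mode check
		// wrote an error response and fell through to a second identical check,
		// so two error responses were written for the same request.
		a.errorResponse(w, r.URL.Path, http.StatusNotImplemented, "not permitted in plugin mode", nil)
		return
	}

	if len(a.singleUserToken) > 0 {
		// Not permitted in single-user mode
		a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "not permitted in single-user mode", nil)
		return
	}

	// The session is presumably placed in the context by the session
	// middleware (not visible in this file). A checked assertion turns a
	// missing or mistyped value into a 401 instead of a panic that would tear
	// down the connection without a response.
	session, ok := r.Context().Value(sessionContextKey).(*model.Session)
	if !ok || session == nil {
		a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "", nil)
		return
	}

	auditRec := a.makeAuditRecord(r, "logout", audit.Fail)
	defer a.audit.LogRecord(audit.LevelAuth, auditRec)
	auditRec.AddMeta("userID", session.UserID)

	if err := a.app.Logout(session.ID); err != nil {
		a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "incorrect login", err)
		return
	}

	auditRec.AddMeta("sessionID", session.ID)
	jsonStringResponse(w, http.StatusOK, "{}")
	auditRec.Success()
}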
func (a *API) handleRegister(w http.ResponseWriter, r *http.Request) {
// swagger:operation POST /register register
//
// Register new user
//
// ---
// produces:
// - application/json
// parameters:
// - name: body
// in: body
// description: Register request
// required: true
// schema:
// "$ref": "#/definitions/RegisterRequest"
// responses:
// '200':
// description: success
// '401':
// description: invalid registration token
// '500':
// description: internal error
// schema:
// "$ref": "#/definitions/ErrorResponse"
if a.MattermostAuth {
a.errorResponse(w, r.URL.Path, http.StatusNotImplemented, "not permitted in plugin mode", nil)
}
if a.MattermostAuth {
a.errorResponse(w, r.URL.Path, http.StatusNotImplemented, "", nil)
return
}
if len(a.singleUserToken) > 0 {
// Not permitted in single-user mode
a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "not permitted in single-user mode", nil)
return
}
requestBody, err := ioutil.ReadAll(r.Body)
if err != nil {
a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
return
}
var registerData RegisterRequest
err = json.Unmarshal(requestBody, &registerData)
if err != nil {
a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
return
}
registerData.Email = strings.TrimSpace(registerData.Email)
registerData.Username = strings.TrimSpace(registerData.Username)
// Validate token
if len(registerData.Token) > 0 {
team, err2 := a.app.GetRootTeam()
if err2 != nil {
a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err2)
return
}
board switcher * Using already existing client function and removing the joinBoard one * Adding support for autojoin based on url * Fixing frontend tests * fix webapp compile error, missing enableSharedBoards (#2501) * Fixing duplication on postgres * Adding back views to the sidebar (#2494) * Fix #2507. Update Swagger comments (#2508) * Fix the flash of the template selector on board/team switch (#2490) * Fix the flash of the template selector on board/team switch * More fixes specially around error handling * Fixing the bot badge (#2487) * simplifying a bit the team store sync between channels and focalboard (#2481) * Fix menu tests (#2528) * fix failing menu tests * fix lint error * Added keyboard shortcut for boards switcher (#2407) * Added keyboard shortcut for boards switcher * Fixed a type error * Added some inline comments * Fixed lint * Fixed bug with scroll jumping when the card is opened: (#2477) - avoid remounting of `ScrollingComponent` for each render of `Kanban` component - property `autoFocus` set to false for `CalculationOptions` because it triggers `blur` even for the button in Jest tests and closes the menu - snapshots for tests with `CalculationOptions` updated * Adding the frontend support for permissions and applying it to a big part of the interface. (#2536) * Initial work on permissions gates * Applying permissions gates in more places * Adding more checks to the interface * Adding more permissions gates and keeping the store up to date * fixing some tests * Fixing some more tests * Fixing another test * Fixing all tests and adding some more * Adding no-permission snapshot tests * Addressing PR review comments * Fixing invert behavior * Permissions branch: No sqlstore calls after app shutdown (#2530) * fix webapp compile error, missing enableSharedBoards * refactor app init wip * - ensure all block change notifications are finished before shutting down app - fix unit tests for mysql (insert_at only has 1 second resolution!) 
* adjust logging Co-authored-by: Mattermod <mattermod@users.noreply.github.com> * Fixed migrations to allow upgrading from previous version (#2535) * Added mechanism to check if schema migration is needed * WIP * WIP * WIP * WIP * Fixed migration * Fixed for SQLite * minor cleaniup * Deleted old schema migration table after running migrations * Removed a debug log * Fixed a bug where the code always tried to delete a table which may or may not exist * Show properly the user avatar in the ShareBoard component (#2542) * Fixing the last CI problems from the permissions-branch (#2541) * Fix history ordering * Giving some times to avoid possible race conditions * Empty * Reverting accidental change in the config.json * Optimizing table view (#2540) * Optimizing table view * Reducing the amount of rendering for tables * Some other performance improvements * Improve the activeView updates * Some extra simplifications * Another small improvement * Fixing tests * Fixing linter errors * Reducing a bit the amount of dependency with big objects in the store * Small simplification * Removing Commenter role from the user role selector (#2561) * Shareboard cleanup (#2550) * Initial work on permissions gates * Applying permissions gates in more places * Adding more checks to the interface * Adding more permissions gates and keeping the store up to date * fixing some tests * Fixing some more tests * Fixing another test * Fixing all tests and adding some more * Adding no-permission snapshot tests * Addressing PR review comments * cleanup some shareboard settings * remove unused property, fix for user items being displayed for non admin * revert change, allow users to show Co-authored-by: Jesús Espino <jespinog@gmail.com> Co-authored-by: Mattermod <mattermod@users.noreply.github.com> * Fixing comments and cards with the new optimizations in the store (#2560) * Fixing property creation (#2563) * Fix user selection in table view (#2565) * Fixing focus new row in table view (#2567) * 
Permissions branch: Fix sqlite table lock (CI) (#2568) * fix sqlite table lock * remove test db on teardown * revert .gitignore * fix goimport on migration code * fix typo * more linter fixes * clean up tmp db for sqlstore tests Co-authored-by: Mattermod <mattermod@users.noreply.github.com> * Fixing snapshots * Migrating center panel to functional component (#2562) * Migrating center panel to functional component * Fixing some tests * Fixing another test * Fixing linter errors * Fixing types errors * Fixing linter error * Fixing cypress tests * Fixing the last cypress test * Simpliying a bit the code * Making property insertion more robust * Updating checkbox test Co-authored-by: Harshil Sharma <harshilsharma63@gmail.com> Co-authored-by: Miguel de la Cruz <miguel@mcrx.me> Co-authored-by: Scott Bishel <scott.bishel@mattermost.com> Co-authored-by: Chen-I Lim <46905241+chenilim@users.noreply.github.com> Co-authored-by: Doug Lauder <wiggin77@warpmail.net> Co-authored-by: Mattermod <mattermod@users.noreply.github.com> Co-authored-by: Harshil Sharma <18575143+harshilsharma63@users.noreply.github.com> Co-authored-by: Ibrahim Serdar Acikgoz <serdaracikgoz86@gmail.com> Co-authored-by: kamre <eremchenko@gmail.com>
2022-03-22 15:24:34 +01:00
if registerData.Token != team.SignupToken {
a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "invalid token", nil)
return
}
} else {
// No signup token, check if no active users
userCount, err2 := a.app.GetRegisteredUserCount()
if err2 != nil {
a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err2)
return
}
if userCount > 0 {
a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "no sign-up token and user(s) already exist", nil)
return
}
}
if err = registerData.IsValid(); err != nil {
a.errorResponse(w, r.URL.Path, http.StatusBadRequest, err.Error(), err)
return
}
auditRec := a.makeAuditRecord(r, "register", audit.Fail)
defer a.audit.LogRecord(audit.LevelAuth, auditRec)
auditRec.AddMeta("username", registerData.Username)
err = a.app.RegisterUser(registerData.Username, registerData.Email, registerData.Password)
if err != nil {
a.errorResponse(w, r.URL.Path, http.StatusBadRequest, err.Error(), err)
return
}
jsonStringResponse(w, http.StatusOK, "{}")
auditRec.Success()
}
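// handleChangePassword changes the password of the user named by the
// {userID} path parameter.
//
// The endpoint is refused in plugin mode (password management belongs to
// Mattermost) and in single-user mode (there is no password to change);
// both refusals happen before the request body is read. The old and new
// passwords are forwarded to app.ChangePassword, whose old-password check
// is what authorizes the change.
//
// NOTE(review): the session user is not compared against the userID path
// parameter in this handler; authorization rests entirely on
// app.ChangePassword verifying OldPassword — confirm that is intended.
func (a *API) handleChangePassword(w http.ResponseWriter, r *http.Request) {
	// swagger:operation POST /users/{userID}/changepassword changePassword
	//
	// Change a user's password
	//
	// ---
	// produces:
	// - application/json
	// parameters:
	// - name: userID
	//   in: path
	//   description: User ID
	//   required: true
	//   type: string
	// - name: body
	//   in: body
	//   description: Change password request
	//   required: true
	//   schema:
	//     "$ref": "#/definitions/ChangePasswordRequest"
	// security:
	// - BearerAuth: []
	// responses:
	//   '200':
	//     description: success
	//   '400':
	//     description: invalid request
	//     schema:
	//       "$ref": "#/definitions/ErrorResponse"
	//   '401':
	//     description: not permitted in single-user mode
	//     schema:
	//       "$ref": "#/definitions/ErrorResponse"
	//   '500':
	//     description: internal error
	//     schema:
	//       "$ref": "#/definitions/ErrorResponse"
	//   '501':
	//     description: not permitted in plugin mode
	//     schema:
	//       "$ref": "#/definitions/ErrorResponse"
	if a.MattermostAuth {
		// The previous version wrote this response and then fell through
		// to a second plugin-mode check that wrote another one; a single
		// check followed by return keeps exactly one response per request.
		a.errorResponse(w, r.URL.Path, http.StatusNotImplemented, "not permitted in plugin mode", nil)
		return
	}

	if len(a.singleUserToken) > 0 {
		// Not permitted in single-user mode
		a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "not permitted in single-user mode", nil)
		return
	}

	vars := mux.Vars(r)
	userID := vars["userID"]

	requestBody, err := ioutil.ReadAll(r.Body)
	if err != nil {
		a.errorResponse(w, r.URL.Path, http.StatusInternalServerError, "", err)
		return
	}

	var requestData ChangePasswordRequest
	if err = json.Unmarshal(requestBody, &requestData); err != nil {
		// A body that does not parse is a client error, matching the
		// '400' the operation documents for an invalid request.
		a.errorResponse(w, r.URL.Path, http.StatusBadRequest, "", err)
		return
	}

	if err = requestData.IsValid(); err != nil {
		a.errorResponse(w, r.URL.Path, http.StatusBadRequest, err.Error(), err)
		return
	}

	// The record starts as a failure and is only flipped to success after
	// the password change and the response have both gone through.
	auditRec := a.makeAuditRecord(r, "changePassword", audit.Fail)
	defer a.audit.LogRecord(audit.LevelAuth, auditRec)

	if err = a.app.ChangePassword(userID, requestData.OldPassword, requestData.NewPassword); err != nil {
		a.errorResponse(w, r.URL.Path, http.StatusBadRequest, err.Error(), err)
		return
	}

	jsonStringResponse(w, http.StatusOK, "{}")
	auditRec.Success()
}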
// sessionRequired wraps handler so that it only runs once attachSession has
// placed a session in the request context; attachSession rejects the
// request with 401 when no valid session can be established.
func (a *API) sessionRequired(handler func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
	const mustHaveSession = true
	return a.attachSession(handler, mustHaveSession)
}
// attachSession wraps handler and resolves the caller's session before
// invoking it. Three sources are tried, in this order:
//
//  1. single-user mode (a.singleUserToken set): a synthetic session for
//     model.SingleUser is attached;
//  2. plugin mode (a.MattermostAuth set and a Mattermost-User-Id header
//     present): a synthetic session for that user ID is attached after the
//     user is looked up and confirmed not to be a guest;
//  3. otherwise the bearer token is looked up via a.app.GetSession.
//
// When required is true, a request whose session cannot be established is
// answered with 401 and handler is not called. When required is false, a
// failed token lookup (case 3) still invokes handler, but without a
// session in the context.
func (a *API) attachSession(handler func(w http.ResponseWriter, r *http.Request), required bool) func(w http.ResponseWriter, r *http.Request) {
	return func(w http.ResponseWriter, r *http.Request) {
		// The parse error is deliberately dropped: an absent or malformed
		// token is handled by the branches below, not here.
		token, _ := auth.ParseAuthTokenFromRequest(r)
		a.logger.Debug(`attachSession`, mlog.Bool("single_user", len(a.singleUserToken) > 0))

		if len(a.singleUserToken) > 0 {
			if required && (token != a.singleUserToken) {
				a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "invalid single user token", nil)
				return
			}
			// NOTE(review): when required is false the single-user session
			// is attached even if token does not match a.singleUserToken —
			// confirm that optional-session routes are meant to run as the
			// single user for unauthenticated callers.
			now := utils.GetMillis()
			session := &model.Session{
				ID:          model.SingleUser,
				Token:       token,
				UserID:      model.SingleUser,
				AuthService: a.authService,
				Props:       map[string]interface{}{},
				CreateAt:    now,
				UpdateAt:    now,
			}
			ctx := context.WithValue(r.Context(), sessionContextKey, session)
			handler(w, r.WithContext(ctx))
			return
		}

		// Plugin mode: the Mattermost-User-Id header is taken as the
		// authenticated identity without any further token check here, so
		// this branch must only be reachable through the plugin host that
		// sets the header — presumably guaranteed by the listener setup;
		// verify against the server wiring.
		if a.MattermostAuth && r.Header.Get("Mattermost-User-Id") != "" {
			userID := r.Header.Get("Mattermost-User-Id")
			now := utils.GetMillis()
			session := &model.Session{
				ID:          userID,
				Token:       userID,
				UserID:      userID,
				AuthService: a.authService,
				Props:       map[string]interface{}{},
				CreateAt:    now,
				UpdateAt:    now,
			}

			// Unknown users and guests are rejected regardless of required.
			user, err := a.app.GetUser(userID)
			if err != nil {
				a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "", err)
				return
			}

			if user.IsGuest {
				a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "guests not supported", nil)
				return
			}

			ctx := context.WithValue(r.Context(), sessionContextKey, session)
			handler(w, r.WithContext(ctx))
			return
		}

		session, err := a.app.GetSession(token)
		if err != nil {
			if required {
				a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "", err)
				return
			}

			// Optional session: run the handler with the original request,
			// i.e. no session value in the context.
			handler(w, r)
			return
		}

		// A session issued under a different auth service is refused; the
		// mismatch is logged server-side only. err is nil at this point, so
		// the 401 response carries no error detail.
		authService := session.AuthService
		if authService != a.authService {
			a.logger.Error(`Session authService mismatch`,
				mlog.String("sessionID", session.ID),
				mlog.String("want", a.authService),
				mlog.String("got", authService),
			)
			a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "", err)
			return
		}

		ctx := context.WithValue(r.Context(), sessionContextKey, session)
		handler(w, r.WithContext(ctx))
	}
}
// adminRequired wraps handler so that it only serves requests that arrived
// over a local unix-domain socket, as recorded on the request context by
// GetContextConn; any other transport (or no recorded connection) is
// answered with 401 and handler is not called.
func (a *API) adminRequired(handler func(w http.ResponseWriter, r *http.Request)) func(w http.ResponseWriter, r *http.Request) {
	return func(w http.ResponseWriter, r *http.Request) {
		// Currently, admin APIs require local unix connections
		switch GetContextConn(r).(type) {
		case *net.UnixConn:
			handler(w, r)
		default:
			a.errorResponse(w, r.URL.Path, http.StatusUnauthorized, "not a local unix connection", nil)
		}
	}
}