init

2026-01-12 13:51:52 +01:00
parent 90191c50d8
commit 06e55c441e
44 changed files with 3066 additions and 1 deletions
--- a/internal/app/handlers_users.go
+++ b/internal/app/handlers_users.go
@@ -0,0 +1,186 @@
+package app
+
+import (
+	"net/http"
+	"strings"
+
+	"github.com/yourorg/ntfywui/internal/store"
+)
+
+func (s *Server) handleUsersList(w http.ResponseWriter, r *http.Request) {
+	if r.URL.Path != "/users" {
+		http.NotFound(w, r)
+		return
+	}
+	admin, _ := s.currentAdmin(r)
+	switch r.Method {
+	case http.MethodGet:
+		users, err := s.ntfy.ListUsers(s.ntfyCtx(r))
+		if err != nil {
+			s.renderer.Render(w, "error.html", PageData{
+				Title: "Fehler",
+				Admin: admin.Username,
+				Role:  string(admin.Role),
+				Error: err.Error(),
+			})
+			return
+		}
+		csrf, _ := s.csrfEnsure(w, r)
+		flash := s.popFlash(w, r)
+		s.renderer.Render(w, "users.html", PageData{
+			Title: "Users",
+			Admin: admin.Username,
+			Role:  string(admin.Role),
+			CSRF:  csrf,
+			Flash: flash,
+			Users: users,
+		})
+	case http.MethodPost:
+		_ = r.ParseForm()
+		action := r.Form.Get("action")
+		switch action {
+		case "create":
+			if !roleAtLeast(admin.Role, store.RoleOperator) {
+				http.Error(w, "forbidden", http.StatusForbidden)
+				return
+			}
+			username := cleanUser(r.Form.Get("username"))
+			role := strings.TrimSpace(r.Form.Get("role"))
+			tier := strings.TrimSpace(r.Form.Get("tier"))
+			pass := r.Form.Get("password")
+			if username == "" || pass == "" {
+				s.setFlash(w, r, "Username und Passwort sind erforderlich")
+				http.Redirect(w, r, s.abs("/users"), http.StatusFound)
+				return
+			}
+			if err := s.ntfy.AddUser(s.ntfyCtx(r), username, role, tier, pass); err != nil {
+				s.setFlash(w, r, "Fehler: "+err.Error())
+				http.Redirect(w, r, s.abs("/users"), http.StatusFound)
+				return
+			}
+			s.auditEvent(r, "ntfy_user_add", username, map[string]string{"role": role, "tier": tier})
+			s.setFlash(w, r, "User erstellt: "+username)
+			http.Redirect(w, r, s.abs("/users"), http.StatusFound)
+		default:
+			http.Error(w, "bad request", http.StatusBadRequest)
+		}
+	default:
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+	}
+}
+
+func (s *Server) handleUserDetail(w http.ResponseWriter, r *http.Request) {
+	// /users/{name} or /users/{name}/action
+	admin, _ := s.currentAdmin(r)
+	p := strings.TrimPrefix(r.URL.Path, "/users/")
+	if p == "" {
+		http.NotFound(w, r)
+		return
+	}
+	parts := strings.Split(strings.Trim(p, "/"), "/")
+	username := parts[0]
+	action := ""
+	if len(parts) > 1 {
+		action = parts[1]
+	}
+	switch r.Method {
+	case http.MethodGet:
+		users, err := s.ntfy.ListUsers(s.ntfyCtx(r))
+		if err != nil {
+			s.renderer.Render(w, "error.html", PageData{
+				Title: "Fehler",
+				Admin: admin.Username,
+				Role:  string(admin.Role),
+				Error: err.Error(),
+			})
+			return
+		}
+		var u any
+		for _, x := range users {
+			if x.Username == username {
+				u = x
+				break
+			}
+		}
+		if u == nil {
+			http.NotFound(w, r)
+			return
+		}
+		toks, _ := s.ntfy.TokenList(s.ntfyCtx(r), username)
+		csrf, _ := s.csrfEnsure(w, r)
+		flash := s.popFlash(w, r)
+		s.renderer.Render(w, "user.html", PageData{
+			Title: "User: " + username,
+			Admin: admin.Username,
+			Role:  string(admin.Role),
+			CSRF:  csrf,
+			Flash: flash,
+			User:  u,
+			Tokens: toks,
+		})
+	case http.MethodPost:
+		if !roleAtLeast(admin.Role, store.RoleOperator) {
+			http.Error(w, "forbidden", http.StatusForbidden)
+			return
+		}
+		_ = r.ParseForm()
+		switch action {
+		case "delete":
+			if err := s.ntfy.DelUser(s.ntfyCtx(r), username); err != nil {
+				s.setFlash(w, r, "Fehler: "+err.Error())
+				http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
+				return
+			}
+			s.auditEvent(r, "ntfy_user_del", username, nil)
+			s.setFlash(w, r, "User gelöscht: "+username)
+			http.Redirect(w, r, s.abs("/users"), http.StatusFound)
+		case "password":
+			pass := r.Form.Get("password")
+			if pass == "" {
+				s.setFlash(w, r, "Passwort erforderlich")
+				http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
+				return
+			}
+			if err := s.ntfy.ChangePass(s.ntfyCtx(r), username, pass); err != nil {
+				s.setFlash(w, r, "Fehler: "+err.Error())
+				http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
+				return
+			}
+			s.auditEvent(r, "ntfy_user_change_pass", username, nil)
+			s.setFlash(w, r, "Passwort geändert")
+			http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
+		case "role":
+			role := strings.TrimSpace(r.Form.Get("role"))
+			if role == "" {
+				s.setFlash(w, r, "Rolle erforderlich")
+				http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
+				return
+			}
+			if err := s.ntfy.ChangeRole(s.ntfyCtx(r), username, role); err != nil {
+				s.setFlash(w, r, "Fehler: "+err.Error())
+				http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
+				return
+			}
+			s.auditEvent(r, "ntfy_user_change_role", username, map[string]string{"role": role})
+			s.setFlash(w, r, "Rolle geändert")
+			http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
+		case "tier":
+			tier := strings.TrimSpace(r.Form.Get("tier"))
+			if tier == "" {
+				tier = "none"
+			}
+			if err := s.ntfy.ChangeTier(s.ntfyCtx(r), username, tier); err != nil {
+				s.setFlash(w, r, "Fehler: "+err.Error())
+				http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
+				return
+			}
+			s.auditEvent(r, "ntfy_user_change_tier", username, map[string]string{"tier": tier})
+			s.setFlash(w, r, "Tier geändert")
+			http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
+		default:
+			http.Error(w, "bad request", http.StatusBadRequest)
+		}
+	default:
+		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
+	}
+}