187 lines
5.3 KiB
Go
187 lines
5.3 KiB
Go
package app
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/yourorg/ntfywui/internal/store"
|
|
)
|
|
|
|
func (s *Server) handleUsersList(w http.ResponseWriter, r *http.Request) {
|
|
if r.URL.Path != "/users" {
|
|
http.NotFound(w, r)
|
|
return
|
|
}
|
|
admin, _ := s.currentAdmin(r)
|
|
switch r.Method {
|
|
case http.MethodGet:
|
|
users, err := s.ntfy.ListUsers(s.ntfyCtx(r))
|
|
if err != nil {
|
|
s.renderer.Render(w, "error.html", PageData{
|
|
Title: "Fehler",
|
|
Admin: admin.Username,
|
|
Role: string(admin.Role),
|
|
Error: err.Error(),
|
|
})
|
|
return
|
|
}
|
|
csrf, _ := s.csrfEnsure(w, r)
|
|
flash := s.popFlash(w, r)
|
|
s.renderer.Render(w, "users.html", PageData{
|
|
Title: "Users",
|
|
Admin: admin.Username,
|
|
Role: string(admin.Role),
|
|
CSRF: csrf,
|
|
Flash: flash,
|
|
Users: users,
|
|
})
|
|
case http.MethodPost:
|
|
_ = r.ParseForm()
|
|
action := r.Form.Get("action")
|
|
switch action {
|
|
case "create":
|
|
if !roleAtLeast(admin.Role, store.RoleOperator) {
|
|
http.Error(w, "forbidden", http.StatusForbidden)
|
|
return
|
|
}
|
|
username := cleanUser(r.Form.Get("username"))
|
|
role := strings.TrimSpace(r.Form.Get("role"))
|
|
tier := strings.TrimSpace(r.Form.Get("tier"))
|
|
pass := r.Form.Get("password")
|
|
if username == "" || pass == "" {
|
|
s.setFlash(w, r, "Username und Passwort sind erforderlich")
|
|
http.Redirect(w, r, s.abs("/users"), http.StatusFound)
|
|
return
|
|
}
|
|
if err := s.ntfy.AddUser(s.ntfyCtx(r), username, role, tier, pass); err != nil {
|
|
s.setFlash(w, r, "Fehler: "+err.Error())
|
|
http.Redirect(w, r, s.abs("/users"), http.StatusFound)
|
|
return
|
|
}
|
|
s.auditEvent(r, "ntfy_user_add", username, map[string]string{"role": role, "tier": tier})
|
|
s.setFlash(w, r, "User erstellt: "+username)
|
|
http.Redirect(w, r, s.abs("/users"), http.StatusFound)
|
|
default:
|
|
http.Error(w, "bad request", http.StatusBadRequest)
|
|
}
|
|
default:
|
|
http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
|
|
}
|
|
}
|
|
|
|
func (s *Server) handleUserDetail(w http.ResponseWriter, r *http.Request) {
|
|
// /users/{name} or /users/{name}/action
|
|
admin, _ := s.currentAdmin(r)
|
|
p := strings.TrimPrefix(r.URL.Path, "/users/")
|
|
if p == "" {
|
|
http.NotFound(w, r)
|
|
return
|
|
}
|
|
parts := strings.Split(strings.Trim(p, "/"), "/")
|
|
username := parts[0]
|
|
action := ""
|
|
if len(parts) > 1 {
|
|
action = parts[1]
|
|
}
|
|
switch r.Method {
|
|
case http.MethodGet:
|
|
users, err := s.ntfy.ListUsers(s.ntfyCtx(r))
|
|
if err != nil {
|
|
s.renderer.Render(w, "error.html", PageData{
|
|
Title: "Fehler",
|
|
Admin: admin.Username,
|
|
Role: string(admin.Role),
|
|
Error: err.Error(),
|
|
})
|
|
return
|
|
}
|
|
var u any
|
|
for _, x := range users {
|
|
if x.Username == username {
|
|
u = x
|
|
break
|
|
}
|
|
}
|
|
if u == nil {
|
|
http.NotFound(w, r)
|
|
return
|
|
}
|
|
toks, _ := s.ntfy.TokenList(s.ntfyCtx(r), username)
|
|
csrf, _ := s.csrfEnsure(w, r)
|
|
flash := s.popFlash(w, r)
|
|
s.renderer.Render(w, "user.html", PageData{
|
|
Title: "User: " + username,
|
|
Admin: admin.Username,
|
|
Role: string(admin.Role),
|
|
CSRF: csrf,
|
|
Flash: flash,
|
|
User: u,
|
|
Tokens: toks,
|
|
})
|
|
case http.MethodPost:
|
|
if !roleAtLeast(admin.Role, store.RoleOperator) {
|
|
http.Error(w, "forbidden", http.StatusForbidden)
|
|
return
|
|
}
|
|
_ = r.ParseForm()
|
|
switch action {
|
|
case "delete":
|
|
if err := s.ntfy.DelUser(s.ntfyCtx(r), username); err != nil {
|
|
s.setFlash(w, r, "Fehler: "+err.Error())
|
|
http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
|
|
return
|
|
}
|
|
s.auditEvent(r, "ntfy_user_del", username, nil)
|
|
s.setFlash(w, r, "User gelöscht: "+username)
|
|
http.Redirect(w, r, s.abs("/users"), http.StatusFound)
|
|
case "password":
|
|
pass := r.Form.Get("password")
|
|
if pass == "" {
|
|
s.setFlash(w, r, "Passwort erforderlich")
|
|
http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
|
|
return
|
|
}
|
|
if err := s.ntfy.ChangePass(s.ntfyCtx(r), username, pass); err != nil {
|
|
s.setFlash(w, r, "Fehler: "+err.Error())
|
|
http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
|
|
return
|
|
}
|
|
s.auditEvent(r, "ntfy_user_change_pass", username, nil)
|
|
s.setFlash(w, r, "Passwort geändert")
|
|
http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
|
|
case "role":
|
|
role := strings.TrimSpace(r.Form.Get("role"))
|
|
if role == "" {
|
|
s.setFlash(w, r, "Rolle erforderlich")
|
|
http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
|
|
return
|
|
}
|
|
if err := s.ntfy.ChangeRole(s.ntfyCtx(r), username, role); err != nil {
|
|
s.setFlash(w, r, "Fehler: "+err.Error())
|
|
http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
|
|
return
|
|
}
|
|
s.auditEvent(r, "ntfy_user_change_role", username, map[string]string{"role": role})
|
|
s.setFlash(w, r, "Rolle geändert")
|
|
http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
|
|
case "tier":
|
|
tier := strings.TrimSpace(r.Form.Get("tier"))
|
|
if tier == "" {
|
|
tier = "none"
|
|
}
|
|
if err := s.ntfy.ChangeTier(s.ntfyCtx(r), username, tier); err != nil {
|
|
s.setFlash(w, r, "Fehler: "+err.Error())
|
|
http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
|
|
return
|
|
}
|
|
s.auditEvent(r, "ntfy_user_change_tier", username, map[string]string{"tier": tier})
|
|
s.setFlash(w, r, "Tier geändert")
|
|
http.Redirect(w, r, s.abs("/users/"+username), http.StatusFound)
|
|
default:
|
|
http.Error(w, "bad request", http.StatusBadRequest)
|
|
}
|
|
default:
|
|
http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
|
|
}
|
|
}
|