namespace BookStack\Api;
use BookStack\Http\Controllers\Api\ApiController;
+use Exception;
use Illuminate\Contracts\Container\BindingResolutionException;
use Illuminate\Support\Collection;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;
+use Illuminate\Validation\Rules\Password;
use ReflectionClass;
use ReflectionException;
use ReflectionMethod;
$this->controllerClasses[$className] = $class;
}
- $rules = $class->getValdationRules()[$methodName] ?? [];
+ $rules = collect($class->getValidationRules()[$methodName] ?? [])->map(function($validations) {
+ return array_map(function($validation) {
+ return $this->getValidationAsString($validation);
+ }, $validations);
+ })->toArray();
return empty($rules) ? null : $rules;
}
+ /**
+ * Convert the given validation message to a readable string.
+ */
+ protected function getValidationAsString($validation): string
+ {
+ if (is_string($validation)) {
+ return $validation;
+ }
+
+ if (is_object($validation) && method_exists($validation, '__toString')) {
+ return strval($validation);
+ }
+
+ if ($validation instanceof Password) {
+ return 'min:8';
+ }
+
+ $class = get_class($validation);
+ throw new Exception("Cannot provide string representation of rule for class: {$class}");
+ }
+
/**
* Parse out the description text from a class method comment.
*/
/**
* Get all users as Builder for API
*/
- public function getApiUsersBuilder() : Builder
+ public function getApiUsersBuilder(): Builder
{
return User::query()->select(['*'])
->scopes('withLastActivityAt')
->with(['avatar']);
}
+
/**
* Get all the users with their permissions in a paginated format.
* Note: Due to the use of email search this should only be used when
public function create(array $data, bool $emailConfirmed = false): User
{
$details = [
- 'name' => $data['name'],
- 'email' => $data['email'],
- 'password' => bcrypt($data['password']),
- 'email_confirmed' => $emailConfirmed,
+ 'name' => $data['name'],
+ 'email' => $data['email'],
+ 'password' => bcrypt($data['password']),
+ 'email_confirmed' => $emailConfirmed,
'external_auth_id' => $data['external_auth_id'] ?? '',
];
return $user;
}
+ /**
+ * Update the given user with the given data.
+ * @param array{name: ?string, email: ?string, external_auth_id: ?string, password: ?string, roles: ?array<int>, language: ?string} $data
+ * @throws UserUpdateException
+ */
+ public function update(User $user, array $data, bool $manageUsersAllowed): User
+ {
+ if (!empty($data['name'])) {
+ $user->name = $data['name'];
+ $user->refreshSlug();
+ }
+
+ if (!empty($data['email']) && $manageUsersAllowed) {
+ $user->email = $data['email'];
+ }
+
+ if (!empty($data['external_auth_id']) && $manageUsersAllowed) {
+ $user->external_auth_id = $data['external_auth_id'];
+ }
+
+ if (isset($data['roles']) && $manageUsersAllowed) {
+ $this->setUserRoles($user, $data['roles']);
+ }
+
+ if (!empty($data['password'])) {
+ $user->password = bcrypt($data['password']);
+ }
+
+ if (!empty($data['language'])) {
+ setting()->putUser($user, 'language', $data['language']);
+ }
+
+ $user->save();
+ Activity::add(ActivityType::USER_UPDATE, $user);
+
+ return $user;
+ }
+
/**
* Remove the given user from storage, Delete all related content.
*
};
return [
- 'pages' => $query(Page::visible()->where('draft', '=', false)),
+ 'pages' => $query(Page::visible()->where('draft', '=', false)),
'chapters' => $query(Chapter::visible()),
- 'books' => $query(Book::visible()),
- 'shelves' => $query(Bookshelf::visible()),
+ 'books' => $query(Book::visible()),
+ 'shelves' => $query(Bookshelf::visible()),
];
}
$createdBy = ['created_by' => $user->id];
return [
- 'pages' => Page::visible()->where($createdBy)->count(),
- 'chapters' => Chapter::visible()->where($createdBy)->count(),
- 'books' => Book::visible()->where($createdBy)->count(),
- 'shelves' => Bookshelf::visible()->where($createdBy)->count(),
+ 'pages' => Page::visible()->where($createdBy)->count(),
+ 'chapters' => Chapter::visible()->where($createdBy)->count(),
+ 'books' => Book::visible()->where($createdBy)->count(),
+ 'shelves' => Bookshelf::visible()->where($createdBy)->count(),
];
}
abstract class ApiController extends Controller
{
protected $rules = [];
- protected $fieldsToExpose = [];
/**
* Provide a paginated listing JSON response in a standard format
* Get the validation rules for this controller.
* Defaults to a $rules property but can be a rules() method.
*/
- public function getValdationRules(): array
+ public function getValidationRules(): array
{
if (method_exists($this, 'rules')) {
return $this->rules();
use BookStack\Auth\UserRepo;
use Closure;
use Illuminate\Http\Request;
+use Illuminate\Validation\Rules\Password;
+use Illuminate\Validation\Rules\Unique;
class UserApiController extends ApiController
{
'email', 'created_at', 'updated_at', 'last_activity_at', 'external_auth_id'
];
- protected $rules = [
- 'create' => [
- ],
- 'update' => [
- ],
- 'delete' => [
- 'migrate_ownership_id' => ['integer', 'exists:users,id'],
- ],
- ];
-
public function __construct(UserRepo $userRepo)
{
$this->userRepo = $userRepo;
}
+ protected function rules(int $userId = null): array
+ {
+ return [
+ 'create' => [
+ ],
+ 'update' => [
+ 'name' => ['min:2'],
+ 'email' => [
+ 'min:2',
+ 'email',
+ (new Unique('users', 'email'))->ignore($userId ?? null)
+ ],
+ 'external_auth_id' => ['string'],
+ 'language' => ['string'],
+ 'password' => [Password::default()],
+ 'roles' => ['array'],
+ 'roles.*' => ['integer'],
+ ],
+ 'delete' => [
+ 'migrate_ownership_id' => ['integer', 'exists:users,id'],
+ ],
+ ];
+ }
+
/**
* Get a listing of users in the system.
* Requires permission to manage users.
{
$this->checkPermission('users-manage');
- $singleUser = $this->userRepo->getById($id);
- $this->singleFormatter($singleUser);
+ $user = $this->userRepo->getById($id);
+ $this->singleFormatter($user);
+
+ return response()->json($user);
+ }
+
+ /**
+ * Update an existing user in the system.
+ * @throws \BookStack\Exceptions\UserUpdateException
+ */
+ public function update(Request $request, string $id)
+ {
+ $this->checkPermission('users-manage');
+
+ $data = $this->validate($request, $this->rules($id)['update']);
+ $user = $this->userRepo->getById($id);
+ $this->userRepo->update($user, $data, userCan('users-manage'));
+ $this->singleFormatter($user);
- return response()->json($singleUser);
+ return response()->json($user);
}
/**
$this->preventAccessInDemoMode();
$this->checkPermissionOrCurrentUser('users-manage', $id);
- $this->validate($request, [
+ $validated = $this->validate($request, [
'name' => ['min:2'],
'email' => ['min:2', 'email', 'unique:users,email,' . $id],
'password' => ['required_with:password_confirm', Password::default()],
'password-confirm' => ['same:password', 'required_with:password'],
- 'setting' => ['array'],
+ 'language' => ['string'],
+ 'roles' => ['array'],
+ 'roles.*' => ['integer'],
'profile_image' => array_merge(['nullable'], $this->getImageValidationRules()),
]);
$user = $this->userRepo->getById($id);
- $user->fill($request->except(['email']));
-
- // Email updates
- if (userCan('users-manage') && $request->filled('email')) {
- $user->email = $request->get('email');
- }
-
- // Refresh the slug if the user's name has changed
- if ($user->isDirty('name')) {
- $user->refreshSlug();
- }
-
- // Role updates
- if (userCan('users-manage') && $request->filled('roles')) {
- $roles = $request->get('roles');
- $this->userRepo->setUserRoles($user, $roles);
- }
-
- // Password updates
- if ($request->filled('password')) {
- $password = $request->get('password');
- $user->password = bcrypt($password);
- }
-
- // External auth id updates
- if (user()->can('users-manage') && $request->filled('external_auth_id')) {
- $user->external_auth_id = $request->get('external_auth_id');
- }
-
- // Save user-specific settings
- if ($request->filled('setting')) {
- foreach ($request->get('setting') as $key => $value) {
- setting()->putUser($user, $key, $value);
- }
- }
+ $this->userRepo->update($user, $validated, userCan('users-manage'));
// Save profile image if in request
if ($request->hasFile('profile_image')) {
$this->imageRepo->destroyImage($user->avatar);
$image = $this->imageRepo->saveNew($imageUpload, 'user', $user->id);
$user->image_id = $image->id;
+ $user->save();
}
// Delete the profile image if reset option is in request
$this->imageRepo->destroyImage($user->avatar);
}
- $user->save();
- $this->showSuccessNotification(trans('settings.users_edit_success'));
- $this->logActivity(ActivityType::USER_UPDATE, $user);
-
- $redirectUrl = userCan('users-manage') ? '/settings/users' : ('/settings/users/' . $user->id);
+ $redirectUrl = userCan('users-manage') ? '/settings/users' : "/settings/users/{$user->id}";
return redirect($redirectUrl);
}
public function boot()
{
// Password Configuration
+ // Changes here must be reflected in ApiDocsGenerate@getValidationAsString.
Password::defaults(function () {
return Password::min(8);
});
'webhook_delete_notification' => 'Webhook successfully deleted',
// Users
+ 'user_update_notification' => 'User successfully updated',
'user_delete_notification' => 'User successfully removed',
// Other
'users_none_selected' => 'No user selected',
'users_edit' => 'Edit User',
'users_edit_profile' => 'Edit Profile',
- 'users_edit_success' => 'User successfully updated',
'users_avatar' => 'User Avatar',
'users_avatar_desc' => 'Select an image to represent this user. This should be approx 256px square.',
'users_preferred_language' => 'Preferred Language',
</p>
</div>
<div>
- <select name="setting[language]" id="user-language">
+ <select name="language" id="user-language">
@foreach(trans('settings.language_select') as $lang => $label)
<option @if($value === $lang) selected @endif value="{{ $lang }}">{{ $label }}</option>
@endforeach
Route::get('users', [UserApiController::class, 'list']);
Route::get('users/{id}', [UserApiController::class, 'read']);
+Route::put('users/{id}', [UserApiController::class, 'update']);
Route::delete('users/{id}', [UserApiController::class, 'delete']);
\ No newline at end of file
use BookStack\Auth\Role;
use BookStack\Auth\User;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Hash;
use Tests\TestCase;
class UsersApiTest extends TestCase
]);
}
+ public function test_update_endpoint()
+ {
+ $this->actingAsApiAdmin();
+ /** @var User $user */
+ $user = $this->getAdmin();
+ $roles = Role::query()->pluck('id');
+ $resp = $this->putJson($this->baseEndpoint . "/{$user->id}", [
+ 'name' => 'My updated user',
+ 'roles' => $roles,
+ 'external_auth_id' => 'btest',
+ 'password' => 'barrytester',
+ 'language' => 'fr',
+ ]);
+
+ $resp->assertStatus(200);
+ $resp->assertJson([
+ 'id' => $user->id,
+ 'name' => 'My updated user',
+ 'external_auth_id' => 'btest',
+ ]);
+ $user->refresh();
+ $this->assertEquals('fr', setting()->getUser($user, 'language'));
+ $this->assertEquals(count($roles), $user->roles()->count());
+ $this->assertNotEquals('barrytester', $user->password);
+ $this->assertTrue(Hash::check('barrytester', $user->password));
+ }
+
+ public function test_update_endpoint_does_not_remove_info_if_not_provided()
+ {
+ $this->actingAsApiAdmin();
+ /** @var User $user */
+ $user = $this->getAdmin();
+ $roleCount = $user->roles()->count();
+ $resp = $this->putJson($this->baseEndpoint . "/{$user->id}", []);
+
+ $resp->assertStatus(200);
+ $this->assertDatabaseHas('users', [
+ 'id' => $user->id,
+ 'name' => $user->name,
+ 'email' => $user->email,
+ 'password' => $user->password,
+ ]);
+ $this->assertEquals($roleCount, $user->roles()->count());
+ }
+
public function test_delete_endpoint()
{
$this->actingAsApiAdmin();
projects / bookstack / commitdiff