X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/2cd7a48044ede60c487bbe575fc20ed99c702571..refs/pull/4191/head:/app/Http/Controllers/Api/UserApiController.php diff --git a/app/Http/Controllers/Api/UserApiController.php b/app/Http/Controllers/Api/UserApiController.php index 6ca31f0fd..da6ca4321 100644 --- a/app/Http/Controllers/Api/UserApiController.php +++ b/app/Http/Controllers/Api/UserApiController.php @@ -4,30 +4,66 @@ namespace BookStack\Http\Controllers\Api; use BookStack\Auth\User; use BookStack\Auth\UserRepo; +use BookStack\Exceptions\UserUpdateException; use Closure; use Illuminate\Http\Request; +use Illuminate\Support\Facades\DB; +use Illuminate\Validation\Rules\Password; +use Illuminate\Validation\Rules\Unique; class UserApiController extends ApiController { - protected $userRepo; + protected UserRepo $userRepo; - protected $fieldsToExpose = [ - 'email', 'created_at', 'updated_at', 'last_activity_at', 'external_auth_id' - ]; - - protected $rules = [ - 'create' => [ - ], - 'update' => [ - ], - 'delete' => [ - 'migrate_ownership_id' => ['integer', 'exists:users,id'], - ], + protected array $fieldsToExpose = [ + 'email', 'created_at', 'updated_at', 'last_activity_at', 'external_auth_id', ]; public function __construct(UserRepo $userRepo) { $this->userRepo = $userRepo; + + // Checks for all endpoints in this controller + $this->middleware(function ($request, $next) { + $this->checkPermission('users-manage'); + $this->preventAccessInDemoMode(); + + return $next($request); + }); + } + + protected function rules(int $userId = null): array + { + return [ + 'create' => [ + 'name' => ['required', 'min:2', 'max:100'], + 'email' => [ + 'required', 'min:2', 'email', new Unique('users', 'email'), + ], + 'external_auth_id' => ['string'], + 'language' => ['string', 'max:15', 'alpha_dash'], + 'password' => [Password::default()], + 'roles' => ['array'], + 'roles.*' => ['integer'], + 'send_invite' => ['boolean'], + ], + 'update' => [ + 'name' => ['min:2', 'max:100'], + 'email' => [ + 'min:2', + 'email', + (new Unique('users', 'email'))->ignore($userId ?? null), + ], + 'external_auth_id' => ['string'], + 'language' => ['string', 'max:15', 'alpha_dash'], + 'password' => [Password::default()], + 'roles' => ['array'], + 'roles.*' => ['integer'], + ], + 'delete' => [ + 'migrate_ownership_id' => ['integer', 'exists:users,id'], + ], + ]; } /** @@ -36,9 +72,9 @@ class UserApiController extends ApiController */ public function list() { - $this->checkPermission('users-manage'); - - $users = $this->userRepo->getApiUsersBuilder(); + $users = User::query()->select(['*']) + ->scopes('withLastActivityAt') + ->with(['avatar']); return $this->apiListingResponse($users, [ 'id', 'name', 'slug', 'email', 'external_auth_id', @@ -46,18 +82,51 @@ class UserApiController extends ApiController ], [Closure::fromCallable([$this, 'listFormatter'])]); } + /** + * Create a new user in the system. + * Requires permission to manage users. + */ + public function create(Request $request) + { + $data = $this->validate($request, $this->rules()['create']); + $sendInvite = ($data['send_invite'] ?? false) === true; + + $user = null; + DB::transaction(function () use ($data, $sendInvite, &$user) { + $user = $this->userRepo->create($data, $sendInvite); + }); + + $this->singleFormatter($user); + + return response()->json($user); + } + /** * View the details of a single user. * Requires permission to manage users. */ public function read(string $id) { - $this->checkPermission('users-manage'); + $user = $this->userRepo->getById($id); + $this->singleFormatter($user); - $singleUser = $this->userRepo->getById($id); - $this->singleFormatter($singleUser); + return response()->json($user); + } - return response()->json($singleUser); + /** + * Update an existing user in the system. + * Requires permission to manage users. + * + * @throws UserUpdateException + */ + public function update(Request $request, string $id) + { + $data = $this->validate($request, $this->rules($id)['update']); + $user = $this->userRepo->getById($id); + $this->userRepo->update($user, $data, userCan('users-manage')); + $this->singleFormatter($user); + + return response()->json($user); } /** @@ -68,8 +137,6 @@ class UserApiController extends ApiController */ public function delete(Request $request, string $id) { - $this->checkPermission('users-manage'); - $user = $this->userRepo->getById($id); $newOwnerId = $request->get('migrate_ownership_id', null);