X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/dccb279c84a3f523f1c07ffc4ee4e2b526fd5384..refs/pull/2935/head:/app/Http/Controllers/UserApiTokenController.php

diff --git a/app/Http/Controllers/UserApiTokenController.php b/app/Http/Controllers/UserApiTokenController.php
index 3bfb0175e..bdc25f79d 100644
--- a/app/Http/Controllers/UserApiTokenController.php
+++ b/app/Http/Controllers/UserApiTokenController.php
@@ -1,15 +1,16 @@
-<?php namespace BookStack\Http\Controllers;
+<?php
 
+namespace BookStack\Http\Controllers;
+
+use BookStack\Actions\ActivityType;
 use BookStack\Api\ApiToken;
 use BookStack\Auth\User;
 use Illuminate\Http\Request;
-use Illuminate\Support\Carbon;
 use Illuminate\Support\Facades\Hash;
 use Illuminate\Support\Str;
 
 class UserApiTokenController extends Controller
 {
-
     /**
      * Show the form to create a new API token.
      */
@@ -17,9 +18,10 @@ class UserApiTokenController extends Controller
     {
         // Ensure user is has access-api permission and is the current user or has permission to manage the current user.
         $this->checkPermission('access-api');
-        $this->checkPermissionOrCurrentUser('manage-users', $userId);
+        $this->checkPermissionOrCurrentUser('users-manage', $userId);
 
         $user = User::query()->findOrFail($userId);
+
         return view('users.api-tokens.create', [
             'user' => $user,
         ]);
@@ -31,32 +33,34 @@ class UserApiTokenController extends Controller
     public function store(Request $request, int $userId)
     {
         $this->checkPermission('access-api');
-        $this->checkPermissionOrCurrentUser('manage-users', $userId);
+        $this->checkPermissionOrCurrentUser('users-manage', $userId);
 
         $this->validate($request, [
-            'name' => 'required|max:250',
+            'name'       => 'required|max:250',
             'expires_at' => 'date_format:Y-m-d',
         ]);
 
         $user = User::query()->findOrFail($userId);
         $secret = Str::random(32);
-        $expiry = $request->get('expires_at', (Carbon::now()->addYears(100))->format('Y-m-d'));
 
         $token = (new ApiToken())->forceFill([
-            'name' => $request->get('name'),
-            'client_id' => Str::random(32),
-            'client_secret' => Hash::make($secret),
-            'user_id' => $user->id,
-            'expires_at' => $expiry
+            'name'       => $request->get('name'),
+            'token_id'   => Str::random(32),
+            'secret'     => Hash::make($secret),
+            'user_id'    => $user->id,
+            'expires_at' => $request->get('expires_at') ?: ApiToken::defaultExpiry(),
         ]);
 
-        while (ApiToken::query()->where('client_id', '=', $token->client_id)->exists()) {
-            $token->client_id = Str::random(32);
+        while (ApiToken::query()->where('token_id', '=', $token->token_id)->exists()) {
+            $token->token_id = Str::random(32);
         }
 
         $token->save();
-        // TODO - Notification and activity?
+
         session()->flash('api-token-secret:' . $token->id, $secret);
+        $this->showSuccessNotification(trans('settings.user_api_token_create_success'));
+        $this->logActivity(ActivityType::API_TOKEN_CREATE, $token);
+
         return redirect($user->getEditUrl('/api-tokens/' . $token->id));
     }
 
@@ -69,9 +73,9 @@ class UserApiTokenController extends Controller
         $secret = session()->pull('api-token-secret:' . $token->id, null);
 
         return view('users.api-tokens.edit', [
-            'user' => $user,
-            'token' => $token,
-            'model' => $token,
+            'user'   => $user,
+            'token'  => $token,
+            'model'  => $token,
             'secret' => $secret,
         ]);
     }
@@ -82,14 +86,19 @@ class UserApiTokenController extends Controller
     public function update(Request $request, int $userId, int $tokenId)
     {
         $this->validate($request, [
-            'name' => 'required|max:250',
+            'name'       => 'required|max:250',
             'expires_at' => 'date_format:Y-m-d',
         ]);
 
         [$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);
+        $token->fill([
+            'name'       => $request->get('name'),
+            'expires_at' => $request->get('expires_at') ?: ApiToken::defaultExpiry(),
+        ])->save();
+
+        $this->showSuccessNotification(trans('settings.user_api_token_update_success'));
+        $this->logActivity(ActivityType::API_TOKEN_UPDATE, $token);
 
-        $token->fill($request->all())->save();
-        // TODO - Notification and activity?
         return redirect($user->getEditUrl('/api-tokens/' . $token->id));
     }
 
@@ -99,8 +108,9 @@ class UserApiTokenController extends Controller
     public function delete(int $userId, int $tokenId)
     {
         [$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);
+
         return view('users.api-tokens.delete', [
-            'user' => $user,
+            'user'  => $user,
             'token' => $token,
         ]);
     }
@@ -113,7 +123,9 @@ class UserApiTokenController extends Controller
         [$user, $token] = $this->checkPermissionAndFetchUserToken($userId, $tokenId);
         $token->delete();
 
-        // TODO - Notification and activity?, Might have text in translations already (user_api_token_delete_success)
+        $this->showSuccessNotification(trans('settings.user_api_token_delete_success'));
+        $this->logActivity(ActivityType::API_TOKEN_DELETE, $token);
+
         return redirect($user->getEditUrl('#api_tokens'));
     }
 
@@ -124,12 +136,13 @@ class UserApiTokenController extends Controller
      */
     protected function checkPermissionAndFetchUserToken(int $userId, int $tokenId): array
     {
-        $this->checkPermission('access-api');
-        $this->checkPermissionOrCurrentUser('manage-users', $userId);
+        $this->checkPermissionOr('users-manage', function () use ($userId) {
+            return $userId === user()->id && userCan('access-api');
+        });
 
         $user = User::query()->findOrFail($userId);
         $token = ApiToken::query()->where('user_id', '=', $user->id)->where('id', '=', $tokenId)->firstOrFail();
+
         return [$user, $token];
     }
-
 }