X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=server%2Fcontrollers%2Fapi%2Fusers%2Findex.ts;h=27351c1a954b8d68ed648fac005e5462bacc0962;hb=282e61e6c11f79e919c543871783fe1a00298d18;hp=28c8de3031a51c43a3b070dc659d30e97639008b;hpb=74dc3bca2b14f5fd3fe80c394dfc34177a46db77;p=github%2FChocobozzz%2FPeerTube.git

diff --git a/server/controllers/api/users/index.ts b/server/controllers/api/users/index.ts
index 28c8de303..27351c1a9 100644
--- a/server/controllers/api/users/index.ts
+++ b/server/controllers/api/users/index.ts
@@ -3,10 +3,10 @@ import * as RateLimit from 'express-rate-limit'
 import { UserCreate, UserRight, UserRole, UserUpdate } from '../../../../shared'
 import { logger } from '../../../helpers/logger'
 import { getFormattedObjects } from '../../../helpers/utils'
-import { RATES_LIMIT, WEBSERVER } from '../../../initializers/constants'
+import { WEBSERVER } from '../../../initializers/constants'
 import { Emailer } from '../../../lib/emailer'
 import { Redis } from '../../../lib/redis'
-import { createUserAccountAndChannelAndPlaylist } from '../../../lib/user'
+import { createUserAccountAndChannelAndPlaylist, sendVerifyUserEmail } from '../../../lib/user'
 import {
   asyncMiddleware,
   asyncRetryTransactionMiddleware,
@@ -31,7 +31,8 @@ import {
   usersAskSendVerifyEmailValidator,
   usersBlockingValidator,
   usersResetPasswordValidator,
-  usersVerifyEmailValidator
+  usersVerifyEmailValidator,
+  ensureCanManageUser
 } from '../../../middlewares/validators'
 import { UserModel } from '../../../models/account/user'
 import { auditLoggerFactory, getAuditIdFromRes, UserAuditView } from '../../../helpers/audit-logger'
@@ -45,17 +46,30 @@ import { Notifier } from '../../../lib/notifier'
 import { mySubscriptionsRouter } from './my-subscriptions'
 import { CONFIG } from '../../../initializers/config'
 import { sequelizeTypescript } from '../../../initializers/database'
+import { UserAdminFlag } from '../../../../shared/models/users/user-flag.model'
+import { UserRegister } from '../../../../shared/models/users/user-register.model'
+import { MUser, MUserAccountDefault } from '@server/typings/models'
 
 const auditLogger = auditLoggerFactory('users')
 
-const loginRateLimiter = new RateLimit({
-  windowMs: RATES_LIMIT.LOGIN.WINDOW_MS,
-  max: RATES_LIMIT.LOGIN.MAX
+// FIXME: https://github.com/nfriedly/express-rate-limit/issues/138
+// @ts-ignore
+const loginRateLimiter = RateLimit({
+  windowMs: CONFIG.RATES_LIMIT.LOGIN.WINDOW_MS,
+  max: CONFIG.RATES_LIMIT.LOGIN.MAX
 })
 
+// @ts-ignore
+const signupRateLimiter = RateLimit({
+  windowMs: CONFIG.RATES_LIMIT.SIGNUP.WINDOW_MS,
+  max: CONFIG.RATES_LIMIT.SIGNUP.MAX,
+  skipFailedRequests: true
+})
+
+// @ts-ignore
 const askSendEmailLimiter = new RateLimit({
-  windowMs: RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS,
-  max: RATES_LIMIT.ASK_SEND_EMAIL.MAX
+  windowMs: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.WINDOW_MS,
+  max: CONFIG.RATES_LIMIT.ASK_SEND_EMAIL.MAX
 })
 
 const usersRouter = express.Router()
@@ -85,12 +99,14 @@ usersRouter.post('/:id/block',
   authenticate,
   ensureUserHasRight(UserRight.MANAGE_USERS),
   asyncMiddleware(usersBlockingValidator),
+  ensureCanManageUser,
   asyncMiddleware(blockUser)
 )
 usersRouter.post('/:id/unblock',
   authenticate,
   ensureUserHasRight(UserRight.MANAGE_USERS),
   asyncMiddleware(usersBlockingValidator),
+  ensureCanManageUser,
   asyncMiddleware(unblockUser)
 )
 
@@ -109,6 +125,7 @@ usersRouter.post('/',
 )
 
 usersRouter.post('/register',
+  signupRateLimiter,
   asyncMiddleware(ensureUserRegistrationAllowed),
   ensureUserRegistrationAllowedForIP,
   asyncMiddleware(usersRegisterValidator),
@@ -119,6 +136,7 @@ usersRouter.put('/:id',
   authenticate,
   ensureUserHasRight(UserRight.MANAGE_USERS),
   asyncMiddleware(usersUpdateValidator),
+  ensureCanManageUser,
   asyncMiddleware(updateUser)
 )
 
@@ -126,6 +144,7 @@ usersRouter.delete('/:id',
   authenticate,
   ensureUserHasRight(UserRight.MANAGE_USERS),
   asyncMiddleware(usersRemoveValidator),
+  ensureCanManageUser,
   asyncMiddleware(removeUser)
 )
 
@@ -142,7 +161,7 @@ usersRouter.post('/:id/reset-password',
 usersRouter.post('/ask-send-verify-email',
   askSendEmailLimiter,
   asyncMiddleware(usersAskSendVerifyEmailValidator),
-  asyncMiddleware(askSendVerifyUserEmail)
+  asyncMiddleware(reSendVerifyUserEmail)
 )
 
 usersRouter.post('/:id/verify-email',
@@ -175,10 +194,11 @@ async function createUser (req: express.Request, res: express.Response) {
     autoPlayVideo: true,
     role: body.role,
     videoQuota: body.videoQuota,
-    videoQuotaDaily: body.videoQuotaDaily
-  })
+    videoQuotaDaily: body.videoQuotaDaily,
+    adminFlags: body.adminFlags || UserAdminFlag.NONE
+  }) as MUser
 
-  const { user, account } = await createUserAccountAndChannelAndPlaylist(userToCreate)
+  const { user, account } = await createUserAccountAndChannelAndPlaylist({ userToCreate: userToCreate })
 
   auditLogger.create(getAuditIdFromRes(res), new UserAuditView(user.toFormattedJSON()))
   logger.info('User %s with its channel and account created.', body.username)
@@ -187,15 +207,14 @@ async function createUser (req: express.Request, res: express.Response) {
     user: {
       id: user.id,
       account: {
-        id: account.id,
-        uuid: account.Actor.uuid
+        id: account.id
       }
     }
   }).end()
 }
 
 async function registerUser (req: express.Request, res: express.Response) {
-  const body: UserCreate = req.body
+  const body: UserRegister = req.body
 
   const userToCreate = new UserModel({
     username: body.username,
@@ -209,7 +228,11 @@ async function registerUser (req: express.Request, res: express.Response) {
     emailVerified: CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION ? false : null
   })
 
-  const { user } = await createUserAccountAndChannelAndPlaylist(userToCreate)
+  const { user } = await createUserAccountAndChannelAndPlaylist({
+    userToCreate: userToCreate,
+    userDisplayName: body.displayName || undefined,
+    channelNames: body.channel
+  })
 
   auditLogger.create(body.username, new UserAuditView(user.toFormattedJSON()))
   logger.info('User %s with its channel and account registered.', body.username)
@@ -241,7 +264,7 @@ async function blockUser (req: express.Request, res: express.Response) {
 }
 
 function getUser (req: express.Request, res: express.Response) {
-  return res.json(res.locals.user.toFormattedJSON())
+  return res.json(res.locals.user.toFormattedJSON({ withAdminFlags: true }))
 }
 
 async function autocompleteUsers (req: express.Request, res: express.Response) {
@@ -253,7 +276,7 @@ async function autocompleteUsers (req: express.Request, res: express.Response) {
 async function listUsers (req: express.Request, res: express.Response) {
   const resultList = await UserModel.listForApi(req.query.start, req.query.count, req.query.sort, req.query.search)
 
-  return res.json(getFormattedObjects(resultList.data, resultList.total))
+  return res.json(getFormattedObjects(resultList.data, resultList.total, { withAdminFlags: true }))
 }
 
 async function removeUser (req: express.Request, res: express.Response) {
@@ -278,6 +301,7 @@ async function updateUser (req: express.Request, res: express.Response) {
   if (body.videoQuota !== undefined) userToUpdate.videoQuota = body.videoQuota
   if (body.videoQuotaDaily !== undefined) userToUpdate.videoQuotaDaily = body.videoQuotaDaily
   if (body.role !== undefined) userToUpdate.role = body.role
+  if (body.adminFlags !== undefined) userToUpdate.adminFlags = body.adminFlags
 
   const user = await userToUpdate.save()
 
@@ -310,14 +334,7 @@ async function resetUserPassword (req: express.Request, res: express.Response) {
   return res.status(204).end()
 }
 
-async function sendVerifyUserEmail (user: UserModel) {
-  const verificationString = await Redis.Instance.setVerifyEmailVerificationString(user.id)
-  const url = WEBSERVER.URL + '/verify-account/email?userId=' + user.id + '&verificationString=' + verificationString
-  await Emailer.Instance.addVerifyEmailJob(user.email, url)
-  return
-}
-
-async function askSendVerifyUserEmail (req: express.Request, res: express.Response) {
+async function reSendVerifyUserEmail (req: express.Request, res: express.Response) {
   const user = res.locals.user
 
   await sendVerifyUserEmail(user)
@@ -329,6 +346,11 @@ async function verifyUserEmail (req: express.Request, res: express.Response) {
   const user = res.locals.user
   user.emailVerified = true
 
+  if (req.body.isPendingEmail === true) {
+    user.email = user.pendingEmail
+    user.pendingEmail = null
+  }
+
   await user.save()
 
   return res.status(204).end()
@@ -338,7 +360,7 @@ function success (req: express.Request, res: express.Response) {
   res.end()
 }
 
-async function changeUserBlock (res: express.Response, user: UserModel, block: boolean, reason?: string) {
+async function changeUserBlock (res: express.Response, user: MUserAccountDefault, block: boolean, reason?: string) {
   const oldUserAuditView = new UserAuditView(user.toFormattedJSON())
 
   user.blocked = block