mirror of
https://github.com/hedgedoc/hedgedoc.git
synced 2024-11-23 02:06:29 -05:00
Get user from Session instead of hardcoded value
Signed-off-by: Yannick Bungers <git@innay.de>
This commit is contained in:
parent
b2ae4a85c3
commit
28266bca0b
7 changed files with 92 additions and 67 deletions
|
@ -13,10 +13,9 @@ import {
|
|||
Param,
|
||||
Post,
|
||||
Put,
|
||||
Req,
|
||||
UnauthorizedException,
|
||||
UseGuards,
|
||||
} from '@nestjs/common';
|
||||
import { Request } from 'express';
|
||||
|
||||
import {
|
||||
AlreadyInDBError,
|
||||
|
@ -24,6 +23,7 @@ import {
|
|||
NotInDBError,
|
||||
PrimaryAliasDeletionForbiddenError,
|
||||
} from '../../../errors/errors';
|
||||
import { SessionGuard } from '../../../identity/session.guard';
|
||||
import { ConsoleLoggerService } from '../../../logger/console-logger.service';
|
||||
import { AliasCreateDto } from '../../../notes/alias-create.dto';
|
||||
import { AliasUpdateDto } from '../../../notes/alias-update.dto';
|
||||
|
@ -31,8 +31,11 @@ import { AliasDto } from '../../../notes/alias.dto';
|
|||
import { AliasService } from '../../../notes/alias.service';
|
||||
import { NotesService } from '../../../notes/notes.service';
|
||||
import { PermissionsService } from '../../../permissions/permissions.service';
|
||||
import { User } from '../../../users/user.entity';
|
||||
import { UsersService } from '../../../users/users.service';
|
||||
import { RequestUser } from '../../utils/request-user.decorator';
|
||||
|
||||
@UseGuards(SessionGuard)
|
||||
@Controller('alias')
|
||||
export class AliasController {
|
||||
constructor(
|
||||
|
@ -44,15 +47,12 @@ export class AliasController {
|
|||
) {
|
||||
this.logger.setContext(AliasController.name);
|
||||
}
|
||||
|
||||
@Post()
|
||||
async addAlias(
|
||||
@Req() req: Request,
|
||||
@RequestUser() user: User,
|
||||
@Body() newAliasDto: AliasCreateDto,
|
||||
): Promise<AliasDto> {
|
||||
try {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
const note = await this.noteService.getNoteByIdOrAlias(
|
||||
newAliasDto.noteIdOrAlias,
|
||||
);
|
||||
|
@ -77,7 +77,7 @@ export class AliasController {
|
|||
|
||||
@Put(':alias')
|
||||
async makeAliasPrimary(
|
||||
@Req() req: Request,
|
||||
@RequestUser() user: User,
|
||||
@Param('alias') alias: string,
|
||||
@Body() changeAliasDto: AliasUpdateDto,
|
||||
): Promise<AliasDto> {
|
||||
|
@ -87,8 +87,6 @@ export class AliasController {
|
|||
);
|
||||
}
|
||||
try {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
const note = await this.noteService.getNoteByIdOrAlias(alias);
|
||||
if (!this.permissionsService.isOwner(user, note)) {
|
||||
throw new UnauthorizedException('Reading note denied!');
|
||||
|
@ -112,12 +110,10 @@ export class AliasController {
|
|||
@Delete(':alias')
|
||||
@HttpCode(204)
|
||||
async removeAlias(
|
||||
@Req() req: Request,
|
||||
@RequestUser() user: User,
|
||||
@Param('alias') alias: string,
|
||||
): Promise<void> {
|
||||
try {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
const note = await this.noteService.getNoteByIdOrAlias(alias);
|
||||
if (!this.permissionsService.isOwner(user, note)) {
|
||||
throw new UnauthorizedException('Reading note denied!');
|
||||
|
|
|
@ -13,6 +13,7 @@ import {
|
|||
Param,
|
||||
Post,
|
||||
Put,
|
||||
UseGuards,
|
||||
} from '@nestjs/common';
|
||||
import { ApiTags } from '@nestjs/swagger';
|
||||
|
||||
|
@ -21,27 +22,27 @@ import { HistoryEntryImportDto } from '../../../../history/history-entry-import.
|
|||
import { HistoryEntryUpdateDto } from '../../../../history/history-entry-update.dto';
|
||||
import { HistoryEntryDto } from '../../../../history/history-entry.dto';
|
||||
import { HistoryService } from '../../../../history/history.service';
|
||||
import { SessionGuard } from '../../../../identity/session.guard';
|
||||
import { ConsoleLoggerService } from '../../../../logger/console-logger.service';
|
||||
import { GetNotePipe } from '../../../../notes/get-note.pipe';
|
||||
import { Note } from '../../../../notes/note.entity';
|
||||
import { UsersService } from '../../../../users/users.service';
|
||||
import { User } from '../../../../users/user.entity';
|
||||
import { RequestUser } from '../../../utils/request-user.decorator';
|
||||
|
||||
@UseGuards(SessionGuard)
|
||||
@ApiTags('history')
|
||||
@Controller('/me/history')
|
||||
export class HistoryController {
|
||||
constructor(
|
||||
private readonly logger: ConsoleLoggerService,
|
||||
private historyService: HistoryService,
|
||||
private userService: UsersService,
|
||||
) {
|
||||
this.logger.setContext(HistoryController.name);
|
||||
}
|
||||
|
||||
@Get()
|
||||
async getHistory(): Promise<HistoryEntryDto[]> {
|
||||
// ToDo: use actual user here
|
||||
async getHistory(@RequestUser() user: User): Promise<HistoryEntryDto[]> {
|
||||
try {
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
const foundEntries = await this.historyService.getEntriesByUser(user);
|
||||
return foundEntries.map((entry) =>
|
||||
this.historyService.toHistoryEntryDto(entry),
|
||||
|
@ -56,11 +57,10 @@ export class HistoryController {
|
|||
|
||||
@Post()
|
||||
async setHistory(
|
||||
@RequestUser() user: User,
|
||||
@Body('history') history: HistoryEntryImportDto[],
|
||||
): Promise<void> {
|
||||
try {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
await this.historyService.setHistory(user, history);
|
||||
} catch (e) {
|
||||
if (e instanceof NotInDBError || e instanceof ForbiddenIdError) {
|
||||
|
@ -71,10 +71,8 @@ export class HistoryController {
|
|||
}
|
||||
|
||||
@Delete()
|
||||
async deleteHistory(): Promise<void> {
|
||||
async deleteHistory(@RequestUser() user: User): Promise<void> {
|
||||
try {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
await this.historyService.deleteHistory(user);
|
||||
} catch (e) {
|
||||
if (e instanceof NotInDBError) {
|
||||
|
@ -87,11 +85,10 @@ export class HistoryController {
|
|||
@Put(':note')
|
||||
async updateHistoryEntry(
|
||||
@Param('note', GetNotePipe) note: Note,
|
||||
@RequestUser() user: User,
|
||||
@Body() entryUpdateDto: HistoryEntryUpdateDto,
|
||||
): Promise<HistoryEntryDto> {
|
||||
try {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
const newEntry = await this.historyService.updateHistoryEntry(
|
||||
note,
|
||||
user,
|
||||
|
@ -109,10 +106,9 @@ export class HistoryController {
|
|||
@Delete(':note')
|
||||
async deleteHistoryEntry(
|
||||
@Param('note', GetNotePipe) note: Note,
|
||||
@RequestUser() user: User,
|
||||
): Promise<void> {
|
||||
try {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
await this.historyService.deleteHistoryEntry(note, user);
|
||||
} catch (e) {
|
||||
if (e instanceof NotInDBError) {
|
||||
|
|
|
@ -3,14 +3,26 @@
|
|||
*
|
||||
* SPDX-License-Identifier: AGPL-3.0-only
|
||||
*/
|
||||
import { Body, Controller, Delete, Get, HttpCode, Post } from '@nestjs/common';
|
||||
import {
|
||||
Body,
|
||||
Controller,
|
||||
Delete,
|
||||
Get,
|
||||
HttpCode,
|
||||
Post,
|
||||
UseGuards,
|
||||
} from '@nestjs/common';
|
||||
|
||||
import { SessionGuard } from '../../../identity/session.guard';
|
||||
import { ConsoleLoggerService } from '../../../logger/console-logger.service';
|
||||
import { MediaUploadDto } from '../../../media/media-upload.dto';
|
||||
import { MediaService } from '../../../media/media.service';
|
||||
import { UserInfoDto } from '../../../users/user-info.dto';
|
||||
import { User } from '../../../users/user.entity';
|
||||
import { UsersService } from '../../../users/users.service';
|
||||
import { RequestUser } from '../../utils/request-user.decorator';
|
||||
|
||||
@UseGuards(SessionGuard)
|
||||
@Controller('me')
|
||||
export class MeController {
|
||||
constructor(
|
||||
|
@ -20,27 +32,20 @@ export class MeController {
|
|||
) {
|
||||
this.logger.setContext(MeController.name);
|
||||
}
|
||||
|
||||
@Get()
|
||||
async getMe(): Promise<UserInfoDto> {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
getMe(@RequestUser() user: User): UserInfoDto {
|
||||
return this.userService.toUserDto(user);
|
||||
}
|
||||
|
||||
@Get('media')
|
||||
async getMyMedia(): Promise<MediaUploadDto[]> {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
async getMyMedia(@RequestUser() user: User): Promise<MediaUploadDto[]> {
|
||||
const media = await this.mediaService.listUploadsByUser(user);
|
||||
return media.map((media) => this.mediaService.toMediaUploadDto(media));
|
||||
}
|
||||
|
||||
@Delete()
|
||||
@HttpCode(204)
|
||||
async deleteUser(): Promise<void> {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
async deleteUser(@RequestUser() user: User): Promise<void> {
|
||||
const mediaUploads = await this.mediaService.listUploadsByUser(user);
|
||||
for (const mediaUpload of mediaUploads) {
|
||||
await this.mediaService.deleteFile(mediaUpload);
|
||||
|
@ -52,9 +57,10 @@ export class MeController {
|
|||
|
||||
@Post('profile')
|
||||
@HttpCode(200)
|
||||
async updateDisplayName(@Body('name') newDisplayName: string): Promise<void> {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
async updateDisplayName(
|
||||
@RequestUser() user: User,
|
||||
@Body('name') newDisplayName: string,
|
||||
): Promise<void> {
|
||||
await this.userService.changeDisplayName(user, newDisplayName);
|
||||
}
|
||||
}
|
||||
|
|
|
@ -11,6 +11,7 @@ import {
|
|||
InternalServerErrorException,
|
||||
Post,
|
||||
UploadedFile,
|
||||
UseGuards,
|
||||
UseInterceptors,
|
||||
} from '@nestjs/common';
|
||||
import { FileInterceptor } from '@nestjs/platform-express';
|
||||
|
@ -20,6 +21,7 @@ import {
|
|||
MediaBackendError,
|
||||
NotInDBError,
|
||||
} from '../../../errors/errors';
|
||||
import { SessionGuard } from '../../../identity/session.guard';
|
||||
import { ConsoleLoggerService } from '../../../logger/console-logger.service';
|
||||
import { MediaUploadUrlDto } from '../../../media/media-upload-url.dto';
|
||||
import { MediaService } from '../../../media/media.service';
|
||||
|
@ -28,7 +30,9 @@ import { Note } from '../../../notes/note.entity';
|
|||
import { NotesService } from '../../../notes/notes.service';
|
||||
import { User } from '../../../users/user.entity';
|
||||
import { UsersService } from '../../../users/users.service';
|
||||
import { RequestUser } from '../../utils/request-user.decorator';
|
||||
|
||||
@UseGuards(SessionGuard)
|
||||
@Controller('media')
|
||||
export class MediaController {
|
||||
constructor(
|
||||
|
@ -46,9 +50,8 @@ export class MediaController {
|
|||
async uploadMedia(
|
||||
@UploadedFile() file: MulterFile,
|
||||
@Headers('HedgeDoc-Note') noteId: string,
|
||||
@RequestUser() user: User,
|
||||
): Promise<MediaUploadUrlDto> {
|
||||
// ToDo: Get real userName
|
||||
const user: User = await this.userService.getUserByUsername('hardcoded');
|
||||
try {
|
||||
// TODO: Move getting the Note object into a decorator
|
||||
const note: Note = await this.noteService.getNoteByIdOrAlias(noteId);
|
||||
|
|
|
@ -14,6 +14,7 @@ import {
|
|||
Param,
|
||||
Post,
|
||||
UnauthorizedException,
|
||||
UseGuards,
|
||||
} from '@nestjs/common';
|
||||
|
||||
import {
|
||||
|
@ -22,6 +23,7 @@ import {
|
|||
NotInDBError,
|
||||
} from '../../../errors/errors';
|
||||
import { HistoryService } from '../../../history/history.service';
|
||||
import { SessionGuard } from '../../../identity/session.guard';
|
||||
import { ConsoleLoggerService } from '../../../logger/console-logger.service';
|
||||
import { MediaUploadDto } from '../../../media/media-upload.dto';
|
||||
import { MediaService } from '../../../media/media.service';
|
||||
|
@ -34,9 +36,12 @@ import { PermissionsService } from '../../../permissions/permissions.service';
|
|||
import { RevisionMetadataDto } from '../../../revisions/revision-metadata.dto';
|
||||
import { RevisionDto } from '../../../revisions/revision.dto';
|
||||
import { RevisionsService } from '../../../revisions/revisions.service';
|
||||
import { User } from '../../../users/user.entity';
|
||||
import { UsersService } from '../../../users/users.service';
|
||||
import { MarkdownBody } from '../../utils/markdownbody-decorator';
|
||||
import { RequestUser } from '../../utils/request-user.decorator';
|
||||
|
||||
@UseGuards(SessionGuard)
|
||||
@Controller('notes')
|
||||
export class NotesController {
|
||||
constructor(
|
||||
|
@ -53,10 +58,9 @@ export class NotesController {
|
|||
|
||||
@Get(':noteIdOrAlias')
|
||||
async getNote(
|
||||
@RequestUser() user: User,
|
||||
@Param('noteIdOrAlias', GetNotePipe) note: Note,
|
||||
): Promise<NoteDto> {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
if (!this.permissionsService.mayRead(user, note)) {
|
||||
throw new UnauthorizedException('Reading note denied!');
|
||||
}
|
||||
|
@ -67,10 +71,9 @@ export class NotesController {
|
|||
@Get(':noteIdOrAlias/media')
|
||||
async getNotesMedia(
|
||||
@Param('noteIdOrAlias', GetNotePipe) note: Note,
|
||||
@RequestUser() user: User,
|
||||
): Promise<MediaUploadDto[]> {
|
||||
try {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
if (!this.permissionsService.mayRead(user, note)) {
|
||||
throw new UnauthorizedException('Reading note denied!');
|
||||
}
|
||||
|
@ -86,10 +89,10 @@ export class NotesController {
|
|||
|
||||
@Post()
|
||||
@HttpCode(201)
|
||||
async createNote(@MarkdownBody() text: string): Promise<NoteDto> {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
// ToDo: provide user for createNoteDto
|
||||
async createNote(
|
||||
@RequestUser() user: User,
|
||||
@MarkdownBody() text: string,
|
||||
): Promise<NoteDto> {
|
||||
if (!this.permissionsService.mayCreate(user)) {
|
||||
throw new UnauthorizedException('Creating note denied!');
|
||||
}
|
||||
|
@ -102,11 +105,10 @@ export class NotesController {
|
|||
@Post(':noteAlias')
|
||||
@HttpCode(201)
|
||||
async createNamedNote(
|
||||
@RequestUser() user: User,
|
||||
@Param('noteAlias') noteAlias: string,
|
||||
@MarkdownBody() text: string,
|
||||
): Promise<NoteDto> {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
if (!this.permissionsService.mayCreate(user)) {
|
||||
throw new UnauthorizedException('Creating note denied!');
|
||||
}
|
||||
|
@ -129,12 +131,11 @@ export class NotesController {
|
|||
@Delete(':noteIdOrAlias')
|
||||
@HttpCode(204)
|
||||
async deleteNote(
|
||||
@RequestUser() user: User,
|
||||
@Param('noteIdOrAlias', GetNotePipe) note: Note,
|
||||
@Body() noteMediaDeletionDto: NoteMediaDeletionDto,
|
||||
): Promise<void> {
|
||||
try {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
if (!this.permissionsService.isOwner(user, note)) {
|
||||
throw new UnauthorizedException('Deleting note denied!');
|
||||
}
|
||||
|
@ -160,11 +161,10 @@ export class NotesController {
|
|||
|
||||
@Get(':noteIdOrAlias/revisions')
|
||||
async getNoteRevisions(
|
||||
@RequestUser() user: User,
|
||||
@Param('noteIdOrAlias', GetNotePipe) note: Note,
|
||||
): Promise<RevisionMetadataDto[]> {
|
||||
try {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
if (!this.permissionsService.mayRead(user, note)) {
|
||||
throw new UnauthorizedException('Reading note denied!');
|
||||
}
|
||||
|
@ -185,11 +185,10 @@ export class NotesController {
|
|||
@Delete(':noteIdOrAlias/revisions')
|
||||
@HttpCode(204)
|
||||
async purgeNoteRevisions(
|
||||
@RequestUser() user: User,
|
||||
@Param('noteIdOrAlias') noteIdOrAlias: string,
|
||||
): Promise<void> {
|
||||
try {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
const note = await this.noteService.getNoteByIdOrAlias(noteIdOrAlias);
|
||||
if (!this.permissionsService.mayRead(user, note)) {
|
||||
throw new UnauthorizedException('Reading note denied!');
|
||||
|
@ -217,12 +216,11 @@ export class NotesController {
|
|||
|
||||
@Get(':noteIdOrAlias/revisions/:revisionId')
|
||||
async getNoteRevision(
|
||||
@RequestUser() user: User,
|
||||
@Param('noteIdOrAlias', GetNotePipe) note: Note,
|
||||
@Param('revisionId') revisionId: number,
|
||||
): Promise<RevisionDto> {
|
||||
try {
|
||||
// ToDo: use actual user here
|
||||
const user = await this.userService.getUserByUsername('hardcoded');
|
||||
if (!this.permissionsService.mayRead(user, note)) {
|
||||
throw new UnauthorizedException('Reading note denied!');
|
||||
}
|
||||
|
|
|
@ -14,6 +14,7 @@ import { Identity } from '../../../identity/identity.entity';
|
|||
import { LoggerModule } from '../../../logger/logger.module';
|
||||
import { Session } from '../../../users/session.entity';
|
||||
import { User } from '../../../users/user.entity';
|
||||
import { UsersModule } from '../../../users/users.module';
|
||||
import { TokensController } from './tokens.controller';
|
||||
|
||||
describe('TokensController', () => {
|
||||
|
@ -29,6 +30,7 @@ describe('TokensController', () => {
|
|||
}),
|
||||
LoggerModule,
|
||||
AuthModule,
|
||||
UsersModule,
|
||||
],
|
||||
})
|
||||
.overrideProvider(getRepositoryToken(User))
|
||||
|
|
|
@ -9,17 +9,25 @@ import {
|
|||
Delete,
|
||||
Get,
|
||||
HttpCode,
|
||||
NotFoundException,
|
||||
Param,
|
||||
Post,
|
||||
UnauthorizedException,
|
||||
UseGuards,
|
||||
} from '@nestjs/common';
|
||||
import { ApiTags } from '@nestjs/swagger';
|
||||
|
||||
import { AuthTokenWithSecretDto } from '../../../auth/auth-token-with-secret.dto';
|
||||
import { AuthTokenDto } from '../../../auth/auth-token.dto';
|
||||
import { AuthService } from '../../../auth/auth.service';
|
||||
import { NotInDBError } from '../../../errors/errors';
|
||||
import { SessionGuard } from '../../../identity/session.guard';
|
||||
import { ConsoleLoggerService } from '../../../logger/console-logger.service';
|
||||
import { User } from '../../../users/user.entity';
|
||||
import { TimestampMillis } from '../../../utils/timestamp';
|
||||
import { RequestUser } from '../../utils/request-user.decorator';
|
||||
|
||||
@UseGuards(SessionGuard)
|
||||
@ApiTags('tokens')
|
||||
@Controller('tokens')
|
||||
export class TokensController {
|
||||
|
@ -31,9 +39,8 @@ export class TokensController {
|
|||
}
|
||||
|
||||
@Get()
|
||||
async getUserTokens(): Promise<AuthTokenDto[]> {
|
||||
// ToDo: Get real userName
|
||||
return (await this.authService.getTokensByUsername('hardcoded')).map(
|
||||
async getUserTokens(@RequestUser() user: User): Promise<AuthTokenDto[]> {
|
||||
return (await this.authService.getTokensByUsername(user.userName)).map(
|
||||
(token) => this.authService.toAuthTokenDto(token),
|
||||
);
|
||||
}
|
||||
|
@ -42,10 +49,10 @@ export class TokensController {
|
|||
async postTokenRequest(
|
||||
@Body('label') label: string,
|
||||
@Body('validUntil') validUntil: TimestampMillis,
|
||||
@RequestUser() user: User,
|
||||
): Promise<AuthTokenWithSecretDto> {
|
||||
// ToDo: Get real userName
|
||||
return await this.authService.createTokenForUser(
|
||||
'hardcoded',
|
||||
user.userName,
|
||||
label,
|
||||
validUntil,
|
||||
);
|
||||
|
@ -53,7 +60,24 @@ export class TokensController {
|
|||
|
||||
@Delete('/:keyId')
|
||||
@HttpCode(204)
|
||||
async deleteToken(@Param('keyId') keyId: string): Promise<void> {
|
||||
async deleteToken(
|
||||
@RequestUser() user: User,
|
||||
@Param('keyId') keyId: string,
|
||||
): Promise<void> {
|
||||
const tokens = await this.authService.getTokensByUsername(user.userName);
|
||||
try {
|
||||
for (const token of tokens) {
|
||||
if (token.keyId == keyId) {
|
||||
return await this.authService.removeToken(keyId);
|
||||
}
|
||||
}
|
||||
} catch (e) {
|
||||
if (e instanceof NotInDBError) {
|
||||
throw new NotFoundException(e.message);
|
||||
}
|
||||
}
|
||||
throw new UnauthorizedException(
|
||||
'User is not authorized to delete this token',
|
||||
);
|
||||
}
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue