overleaf/services/web/app/coffee/Features/User/UserController.coffee

UserHandler = require("./UserHandler")
UserDeleter = require("./UserDeleter")
UserGetter = require("./UserGetter")
User = require("../../models/User").User
newsLetterManager = require('../Newsletter/NewsletterManager')
UserRegistrationHandler = require("./UserRegistrationHandler")
logger = require("logger-sharelatex")
metrics = require("metrics-sharelatex")
Url = require("url")
AuthenticationManager = require("../Authentication/AuthenticationManager")
AuthenticationController = require('../Authentication/AuthenticationController')
UserSessionsManager = require("./UserSessionsManager")
UserUpdater = require("./UserUpdater")
SudoModeHandler = require('../SudoMode/SudoModeHandler')
settings = require "settings-sharelatex"
Errors = require "../Errors/Errors"

module.exports = UserController =

	tryDeleteUser: (req, res, next) ->
		user_id = AuthenticationController.getLoggedInUserId(req)
		password = req.body.password
		logger.log {user_id}, "trying to delete user account"
		if !password? or password == ''
			logger.err {user_id}, 'no password supplied for attempt to delete account'
			return res.sendStatus(403)
		AuthenticationManager.authenticate {_id: user_id}, password, (err, user) ->
			if err?
				logger.err {user_id}, 'error authenticating during attempt to delete account'
				return next(err)
			if !user
				logger.err {user_id}, 'auth failed during attempt to delete account'
				return res.sendStatus(403)
			UserDeleter.deleteUser user_id, (err) ->
				if err?
					logger.err {user_id}, "error while deleting user account"
					return next(err)
				sessionId = req.sessionID
				req.logout?()
				req.session.destroy (err) ->
					if err?
						logger.err err: err, 'error destorying session'
						return next(err)
					UserSessionsManager.untrackSession(user, sessionId)
					res.sendStatus(200)

	unsubscribe: (req, res)->
		user_id = AuthenticationController.getLoggedInUserId(req)
		UserGetter.getUser user_id, (err, user)->
			newsLetterManager.unsubscribe user, ->
				res.send()

	updateUserSettings : (req, res)->
		user_id = AuthenticationController.getLoggedInUserId(req)
		logger.log user_id: user_id, "updating account settings"
		User.findById user_id, (err, user)->
			if err? or !user?
				logger.err err:err, user_id:user_id, "problem updaing user settings"
				return res.sendStatus 500

			if req.body.first_name?
				user.first_name = req.body.first_name.trim()
			if req.body.last_name?
				user.last_name = req.body.last_name.trim()
			if req.body.role?
				user.role = req.body.role.trim()
			if req.body.institution?
				user.institution = req.body.institution.trim()
			if req.body.mode?
				user.ace.mode = req.body.mode
			if req.body.editorTheme?
				user.ace.theme = req.body.editorTheme
			if req.body.overallTheme?
				user.ace.overallTheme = req.body.overallTheme
			if req.body.fontSize?
				user.ace.fontSize = req.body.fontSize
			if req.body.autoComplete?
				user.ace.autoComplete = req.body.autoComplete
			if req.body.autoPairDelimiters?
				user.ace.autoPairDelimiters = req.body.autoPairDelimiters
			if req.body.spellCheckLanguage?
				user.ace.spellCheckLanguage = req.body.spellCheckLanguage
			if req.body.pdfViewer?
				user.ace.pdfViewer = req.body.pdfViewer
			if req.body.syntaxValidation?
				user.ace.syntaxValidation = req.body.syntaxValidation
			if req.body.fontFamily?
				user.ace.fontFamily = req.body.fontFamily
			if req.body.lineHeight?
				user.ace.lineHeight = req.body.lineHeight

			user.save (err)->
				newEmail = req.body.email?.trim().toLowerCase()
				if !newEmail? or newEmail == user.email or req.externalAuthenticationSystemUsed()
					# end here, don't update email
					AuthenticationController.setInSessionUser(req, {first_name: user.first_name, last_name: user.last_name})
					return res.sendStatus 200
				else if newEmail.indexOf("@") == -1
					# email invalid
					return res.sendStatus(400)
				else
					# update the user email
					UserUpdater.changeEmailAddress user_id, newEmail, (err)->
						if err?
							logger.err err:err, user_id:user_id, newEmail:newEmail, "problem updaing users email address"
							if err instanceof Errors.EmailExistsError
								message = req.i18n.translate("email_already_registered")
							else
								message = req.i18n.translate("problem_changing_email_address")
							return res.send 500, {message:message}
						User.findById user_id, (err, user)->
							if err?
								logger.err err:err, user_id:user_id, "error getting user for email update"
								return res.send 500
							AuthenticationController.setInSessionUser(req, {email: user.email, first_name: user.first_name, last_name: user.last_name})
							UserHandler.populateTeamInvites user, (err)-> #need to refresh this in the background
								if err?
									logger.err err:err, "error populateTeamInvites"
								res.sendStatus(200)

	_doLogout: (req, cb = (err) ->) ->
		metrics.inc "user.logout"
		user = AuthenticationController.getSessionUser(req)
		logger.log user: user, "logging out"
		sessionId = req.sessionID
		req.logout?()  # passport logout
		req.session.destroy (err)->
			if err
				logger.err err: err, 'error destorying session'
				cb(err)
			if user?
				UserSessionsManager.untrackSession(user, sessionId)
				SudoModeHandler.clearSudoMode(user._id)
			cb()

	logout : (req, res, next)->
		UserController._doLogout req, (err) ->
			return next(err) if err?
			res.redirect '/login'

	register : (req, res, next = (error) ->)->
		email = req.body.email
		if !email? or email == ""
			res.sendStatus 422 # Unprocessable Entity
			return
		UserRegistrationHandler.registerNewUserAndSendActivationEmail email, (error, user, setNewPasswordUrl) ->
			return next(error) if error?
			res.json {
				email: user.email
				setNewPasswordUrl: setNewPasswordUrl
			}

	clearSessions: (req, res, next = (error) ->) ->
		metrics.inc "user.clear-sessions"
		user = AuthenticationController.getSessionUser(req)
		logger.log {user_id: user._id}, "clearing sessions for user"
		UserSessionsManager.revokeAllUserSessions user, [req.sessionID], (err) ->
			return next(err) if err?
			res.sendStatus 201

	changePassword : (req, res, next = (error) ->)->
		metrics.inc "user.password-change"
		oldPass = req.body.currentPassword
		user_id = AuthenticationController.getLoggedInUserId(req)
		AuthenticationManager.authenticate {_id:user_id}, oldPass, (err, user)->
			return next(err) if err?
			if(user)
				logger.log user: user._id, "changing password"
				newPassword1 = req.body.newPassword1
				newPassword2 = req.body.newPassword2
				if newPassword1 != newPassword2
					logger.log user: user, "passwords do not match"
					res.send
						message:
							type:'error'
							text:'Your passwords do not match'
				else
					logger.log user: user, "password changed"
					AuthenticationManager.setUserPassword user._id, newPassword1, (error) ->
						return next(error) if error?
						UserSessionsManager.revokeAllUserSessions user, [req.sessionID], (err) ->
							return next(err) if err?
							res.send
								message:
									type:'success'
									text:'Your password has been changed'
			else
				logger.log user_id: user_id, "current password wrong"
				res.send
					message:
						type:'error'
						text:'Your old password is wrong'
if user changes email then check if they have a site licence 2016-03-13 18:24:39 -04:00			`UserHandler = require("./UserHandler")`
created new UserController and put delete user in it 2014-04-09 09:50:12 -04:00			`UserDeleter = require("./UserDeleter")`
remove UserLocator Use UserGetter instead 2018-05-24 09:55:12 -04:00			`UserGetter = require("./UserGetter")`
moved user update user settings to user controller 2014-04-09 11:33:54 -04:00			`User = require("../../models/User").User`
moved unsubscribe endpoint to new user controller 2014-04-09 10:41:19 -04:00			`newsLetterManager = require('../Newsletter/NewsletterManager')`
Moved register function into user registration handler and new user controller 2014-04-10 09:43:06 -04:00			`UserRegistrationHandler = require("./UserRegistrationHandler")`
moved user update user settings to user controller 2014-04-09 11:33:54 -04:00			`logger = require("logger-sharelatex")`
Remove the Metrics module, use metrics-sharelatex 2017-04-03 11:18:30 -04:00			`metrics = require("metrics-sharelatex")`
Moved register function into user registration handler and new user controller 2014-04-10 09:43:06 -04:00			`Url = require("url")`
moved password change to new user controller with tests 2014-04-10 12:15:18 -04:00			`AuthenticationManager = require("../Authentication/AuthenticationManager")`
WIP: refactor 2016-09-05 10:58:31 -04:00			`AuthenticationController = require('../Authentication/AuthenticationController')`
Begin keeping record of user sessions in reds. 2016-06-29 06:35:25 -04:00			`UserSessionsManager = require("./UserSessionsManager")`
added controler t change user email 2014-05-16 12:45:48 -04:00			`UserUpdater = require("./UserUpdater")`
On logout, clear sudo mode 2017-05-15 06:53:52 -04:00			`SudoModeHandler = require('../SudoMode/SudoModeHandler')`
Remove public registration and require that a user be registered by an admin 2015-03-19 10:22:48 -04:00			`settings = require "settings-sharelatex"`
Update error handling on backend 2018-07-17 06:12:09 -04:00			`Errors = require "../Errors/Errors"`
moved password change to new user controller with tests 2014-04-10 12:15:18 -04:00
if user changes email then check if they have a site licence 2016-03-13 18:24:39 -04:00			`module.exports = UserController =`
created new UserController and put delete user in it 2014-04-09 09:50:12 -04:00
WIP: ask for password when deleting account 2016-10-25 09:33:47 -04:00			`tryDeleteUser: (req, res, next) ->`
WIP: refactor 2016-09-05 10:58:31 -04:00			`user_id = AuthenticationController.getLoggedInUserId(req)`
WIP: ask for password when deleting account 2016-10-25 09:33:47 -04:00			`password = req.body.password`
fix logging 2016-10-26 05:57:34 -04:00			`logger.log {user_id}, "trying to delete user account"`
WIP: ask for password when deleting account 2016-10-25 09:33:47 -04:00			`if !password? or password == ''`
			`logger.err {user_id}, 'no password supplied for attempt to delete account'`
			`return res.sendStatus(403)`
			`AuthenticationManager.authenticate {_id: user_id}, password, (err, user) ->`
			`if err?`
			`logger.err {user_id}, 'error authenticating during attempt to delete account'`
			`return next(err)`
Functioning account deletion with password 2016-10-25 11:23:50 -04:00			`if !user`
fix logging 2016-10-26 05:57:34 -04:00			`logger.err {user_id}, 'auth failed during attempt to delete account'`
Functioning account deletion with password 2016-10-25 11:23:50 -04:00			`return res.sendStatus(403)`
			`UserDeleter.deleteUser user_id, (err) ->`
			`if err?`
			`logger.err {user_id}, "error while deleting user account"`
			`return next(err)`
More robust session destruction after deleting user account. 2016-11-28 07:37:53 -05:00			`sessionId = req.sessionID`
			`req.logout?()`
			`req.session.destroy (err) ->`
			`if err?`
			`logger.err err: err, 'error destorying session'`
			`return next(err)`
			`UserSessionsManager.untrackSession(user, sessionId)`
			`res.sendStatus(200)`
moved unsubscribe endpoint to new user controller 2014-04-09 10:41:19 -04:00
			`unsubscribe: (req, res)->`
WIP: refactor 2016-09-05 10:58:31 -04:00			`user_id = AuthenticationController.getLoggedInUserId(req)`
remove UserLocator Use UserGetter instead 2018-05-24 09:55:12 -04:00			`UserGetter.getUser user_id, (err, user)->`
moved unsubscribe endpoint to new user controller 2014-04-09 10:41:19 -04:00			`newsLetterManager.unsubscribe user, ->`
moved user update user settings to user controller 2014-04-09 11:33:54 -04:00			`res.send()`

			`updateUserSettings : (req, res)->`
WIP: refactor 2016-09-05 10:58:31 -04:00			`user_id = AuthenticationController.getLoggedInUserId(req)`
log user_id not user 2016-09-20 10:11:14 -04:00			`logger.log user_id: user_id, "updating account settings"`
finished off change email 2014-05-19 06:50:32 -04:00			`User.findById user_id, (err, user)->`
moved user update user settings to user controller 2014-04-09 11:33:54 -04:00			`if err? or !user?`
finished off change email 2014-05-19 06:50:32 -04:00			`logger.err err:err, user_id:user_id, "problem updaing user settings"`
send -> sendStatus 2015-07-08 11:56:38 -04:00			`return res.sendStatus 500`
Allow partial updates to user settings 2014-06-20 04:42:43 -04:00
			`if req.body.first_name?`
			`user.first_name = req.body.first_name.trim()`
			`if req.body.last_name?`
			`user.last_name = req.body.last_name.trim()`
Wire up account settings forms 2014-06-20 06:15:25 -04:00			`if req.body.role?`
			`user.role = req.body.role.trim()`
			`if req.body.institution?`
			`user.institution = req.body.institution.trim()`
Allow partial updates to user settings 2014-06-20 04:42:43 -04:00			`if req.body.mode?`
			`user.ace.mode = req.body.mode`
Load theme as a user setting; allow the user to change it; update tests. 2018-08-27 10:25:00 -04:00			`if req.body.editorTheme?`
			`user.ace.theme = req.body.editorTheme`
Nest the overall theme property under ace. 2018-08-28 05:10:16 -04:00			`if req.body.overallTheme?`
			`user.ace.overallTheme = req.body.overallTheme`
Allow partial updates to user settings 2014-06-20 04:42:43 -04:00			`if req.body.fontSize?`
			`user.ace.fontSize = req.body.fontSize`
			`if req.body.autoComplete?`
Add in auto complete 2014-06-24 16:09:20 -04:00			`user.ace.autoComplete = req.body.autoComplete`
Persist `autoPairDelimiters` setting. 2017-07-31 03:36:13 -04:00			`if req.body.autoPairDelimiters?`
			`user.ace.autoPairDelimiters = req.body.autoPairDelimiters`
Allow partial updates to user settings 2014-06-20 04:42:43 -04:00			`if req.body.spellCheckLanguage?`
			`user.ace.spellCheckLanguage = req.body.spellCheckLanguage`
			`if req.body.pdfViewer?`
			`user.ace.pdfViewer = req.body.pdfViewer`
add left menu for syntax validator 2016-10-06 06:51:24 -04:00			`if req.body.syntaxValidation?`
			`user.ace.syntaxValidation = req.body.syntaxValidation`
Allow font family and line height to be user configurable 2018-05-10 13:03:54 -04:00			`if req.body.fontFamily?`
			`user.ace.fontFamily = req.body.fontFamily`
			`if req.body.lineHeight?`
			`user.ace.lineHeight = req.body.lineHeight`

finished off change email 2014-05-19 06:50:32 -04:00			`user.save (err)->`
changing email address should lowercase the email 2014-10-13 10:44:45 -04:00			`newEmail = req.body.email?.trim().toLowerCase()`
Refactor to always use req.externalAuthenticationSystemUsed 2017-11-20 05:10:23 -05:00			`if !newEmail? or newEmail == user.email or req.externalAuthenticationSystemUsed()`
If using external auth, show non-editable email field. Also defend server-side against setting email when using external auth. 2016-11-17 09:34:02 -05:00			`# end here, don't update email`
update session when user settings change 2016-09-22 11:58:25 -04:00			`AuthenticationController.setInSessionUser(req, {first_name: user.first_name, last_name: user.last_name})`
send -> sendStatus 2015-07-08 11:56:38 -04:00			`return res.sendStatus 200`
Allow partial updates to user settings 2014-06-20 04:42:43 -04:00			`else if newEmail.indexOf("@") == -1`
If using external auth, show non-editable email field. Also defend server-side against setting email when using external auth. 2016-11-17 09:34:02 -05:00			`# email invalid`
send -> sendStatus 2015-07-08 11:56:38 -04:00			`return res.sendStatus(400)`
Revert "Revert "change send doc lines using tpds to work with stream and doc store"" This reverts commit a41299570d07b83111b6a995902a30a67867a5c7. 2014-05-20 08:18:59 -04:00			`else`
If using external auth, show non-editable email field. Also defend server-side against setting email when using external auth. 2016-11-17 09:34:02 -05:00			`# update the user email`
finished off change email 2014-05-19 06:50:32 -04:00			`UserUpdater.changeEmailAddress user_id, newEmail, (err)->`
			`if err?`
			`logger.err err:err, user_id:user_id, newEmail:newEmail, "problem updaing users email address"`
Update error handling on backend 2018-07-17 06:12:09 -04:00			`if err instanceof Errors.EmailExistsError`
fixed missign translation for when email is already registered 2016-02-16 07:05:16 -05:00			`message = req.i18n.translate("email_already_registered")`
Changed the error messages which are sent down to the client to be translated first fixed up tests from titles we check when rendering, deleted them as they never catch anything important, more hastle than they are worth imo. 2014-08-01 09:03:38 -04:00			`else`
			`message = req.i18n.translate("problem_changing_email_address")`
			`return res.send 500, {message:message}`
if user changes email then check if they have a site licence 2016-03-13 18:24:39 -04:00			`User.findById user_id, (err, user)->`
			`if err?`
			`logger.err err:err, user_id:user_id, "error getting user for email update"`
			`return res.send 500`
update session when user settings change 2016-09-22 11:58:25 -04:00			`AuthenticationController.setInSessionUser(req, {email: user.email, first_name: user.first_name, last_name: user.last_name})`
Invite users in the invited_emails array We'll remove that attribute soon, but for the time being we want users to still be able to join the team. 2018-06-06 07:35:13 -04:00			`UserHandler.populateTeamInvites user, (err)-> #need to refresh this in the background`
if user changes email then check if they have a site licence 2016-03-13 18:24:39 -04:00			`if err?`
Invite users in the invited_emails array We'll remove that attribute soon, but for the time being we want users to still be able to join the team. 2018-06-06 07:35:13 -04:00			`logger.err err:err, "error populateTeamInvites"`
if user changes email then check if they have a site licence 2016-03-13 18:24:39 -04:00			`res.sendStatus(200)`
moved logout to new user controller 2014-04-09 11:59:28 -04:00
Extract logout to function, so different redirect can be called 2018-09-03 06:01:14 -04:00			`_doLogout: (req, cb = (err) ->) ->`
moved logout to new user controller 2014-04-09 11:59:28 -04:00			`metrics.inc "user.logout"`
use `getSessionUser` rather than `getLoggedInUser` 2016-09-07 05:30:58 -04:00			`user = AuthenticationController.getSessionUser(req)`
wipe out more session access 2016-09-22 10:33:50 -04:00			`logger.log user: user, "logging out"`
			`sessionId = req.sessionID`
use `getSessionUser` rather than `getLoggedInUser` 2016-09-07 05:30:58 -04:00			`req.logout?() # passport logout`
			`req.session.destroy (err)->`
			`if err`
			`logger.err err: err, 'error destorying session'`
Extract logout to function, so different redirect can be called 2018-09-03 06:01:14 -04:00			`cb(err)`
null check user during logout 2017-08-03 08:26:14 -04:00			`if user?`
			`UserSessionsManager.untrackSession(user, sessionId)`
			`SudoModeHandler.clearSudoMode(user._id)`
Extract logout to function, so different redirect can be called 2018-09-03 06:01:14 -04:00			`cb()`

Add error handling on logout 2018-09-03 06:46:36 -04:00			`logout : (req, res, next)->`
Extract logout to function, so different redirect can be called 2018-09-03 06:01:14 -04:00			`UserController._doLogout req, (err) ->`
Add error handling on logout 2018-09-03 06:46:36 -04:00			`return next(err) if err?`
use `getSessionUser` rather than `getLoggedInUser` 2016-09-07 05:30:58 -04:00			`res.redirect '/login'`
moved logout to new user controller 2014-04-09 11:59:28 -04:00
Moved register function into user registration handler and new user controller 2014-04-10 09:43:06 -04:00			`register : (req, res, next = (error) ->)->`
Remove public registration and require that a user be registered by an admin 2015-03-19 10:22:48 -04:00			`email = req.body.email`
			`if !email? or email == ""`
send -> sendStatus 2015-07-08 11:56:38 -04:00			`res.sendStatus 422 # Unprocessable Entity`
Remove public registration and require that a user be registered by an admin 2015-03-19 10:22:48 -04:00			`return`
Refactor registration so it can be called from modules 2015-12-11 12:11:13 -05:00			`UserRegistrationHandler.registerNewUserAndSendActivationEmail email, (error, user, setNewPasswordUrl) ->`
			`return next(error) if error?`
			`res.json {`
			`email: user.email`
			`setNewPasswordUrl: setNewPasswordUrl`
			`}`
added referal allocator to user controller 2014-04-15 08:59:00 -04:00
clear-sessions page (+4 squashed commits) Squashed commits: [3a56af0] Remove cruft [c5a1f6c] Finalise alignment [82f741a] Working sessions page [d40f069] WIP: display sessions 2016-10-07 05:52:58 -04:00			`clearSessions: (req, res, next = (error) ->) ->`
			`metrics.inc "user.clear-sessions"`
			`user = AuthenticationController.getSessionUser(req)`
			`logger.log {user_id: user._id}, "clearing sessions for user"`
			`UserSessionsManager.revokeAllUserSessions user, [req.sessionID], (err) ->`
			`return next(err) if err?`
			`res.sendStatus 201`

moved password change to new user controller with tests 2014-04-10 12:15:18 -04:00			`changePassword : (req, res, next = (error) ->)->`
			`metrics.inc "user.password-change"`
			`oldPass = req.body.currentPassword`
WIP: refactor 2016-09-05 10:58:31 -04:00			`user_id = AuthenticationController.getLoggedInUserId(req)`
			`AuthenticationManager.authenticate {_id:user_id}, oldPass, (err, user)->`
moved password change to new user controller with tests 2014-04-10 12:15:18 -04:00			`return next(err) if err?`
			`if(user)`
WIP: refactor 2016-09-05 10:58:31 -04:00			`logger.log user: user._id, "changing password"`
moved password change to new user controller with tests 2014-04-10 12:15:18 -04:00			`newPassword1 = req.body.newPassword1`
			`newPassword2 = req.body.newPassword2`
			`if newPassword1 != newPassword2`
			`logger.log user: user, "passwords do not match"`
			`res.send`
			`message:`
Fixup mixed indentation 2018-06-25 19:27:47 -04:00			`type:'error'`
			`text:'Your passwords do not match'`
moved password change to new user controller with tests 2014-04-10 12:15:18 -04:00			`else`
			`logger.log user: user, "password changed"`
			`AuthenticationManager.setUserPassword user._id, newPassword1, (error) ->`
			`return next(error) if error?`
add an array of session ids to retain. 2016-07-05 09:20:47 -04:00			`UserSessionsManager.revokeAllUserSessions user, [req.sessionID], (err) ->`
Refactor: add `?` suffix to truth tests. 2016-07-07 04:35:44 -04:00			`return next(err) if err?`
Add `revokeAllSessions` handler, when password is reset 2016-07-01 04:51:22 -04:00			`res.send`
			`message:`
			`type:'success'`
			`text:'Your password has been changed'`
moved password change to new user controller with tests 2014-04-10 12:15:18 -04:00			`else`
avoid exception in logging null user 2016-10-25 10:01:00 -04:00			`logger.log user_id: user_id, "current password wrong"`
moved password change to new user controller with tests 2014-04-10 12:15:18 -04:00			`res.send`
			`message:`
Fixup mixed indentation 2018-06-25 19:27:47 -04:00			`type:'error'`
			`text:'Your old password is wrong'`