BigW Consortium Gitlab

users.rb 15 KB
Newer Older
1
module API
2
  class Users < Grape::API
3 4
    include PaginationParams

5 6 7 8
    before do
      allow_access_with_scope :read_user if request.get?
      authenticate!
    end
9

10
    resource :users, requirements: { uid: /[0-9]*/, id: /[0-9]*/ } do
11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39
      helpers do
        params :optional_attributes do
          optional :skype, type: String, desc: 'The Skype username'
          optional :linkedin, type: String, desc: 'The LinkedIn username'
          optional :twitter, type: String, desc: 'The Twitter username'
          optional :website_url, type: String, desc: 'The website of the user'
          optional :organization, type: String, desc: 'The organization of the user'
          optional :projects_limit, type: Integer, desc: 'The number of projects a user can create'
          optional :extern_uid, type: Integer, desc: 'The external authentication provider UID'
          optional :provider, type: String, desc: 'The external provider'
          optional :bio, type: String, desc: 'The biography of the user'
          optional :location, type: String, desc: 'The location of the user'
          optional :admin, type: Boolean, desc: 'Flag indicating the user is an administrator'
          optional :can_create_group, type: Boolean, desc: 'Flag indicating the user can create groups'
          optional :confirm, type: Boolean, desc: 'Flag indicating the account needs to be confirmed'
          optional :external, type: Boolean, desc: 'Flag indicating the user is an external user'
          all_or_none_of :extern_uid, :provider
        end
      end

      desc 'Get the list of users' do
        success Entities::UserBasic
      end
      params do
        optional :username, type: String, desc: 'Get a single user with a specific username'
        optional :search, type: String, desc: 'Search for a username'
        optional :active, type: Boolean, default: false, desc: 'Filters only active users'
        optional :external, type: Boolean, default: false, desc: 'Filters only external users'
        optional :blocked, type: Boolean, default: false, desc: 'Filters only blocked users'
40
        use :pagination
41
      end
42
      get do
43
        unless can?(current_user, :read_users_list, nil)
44 45 46
          render_api_error!("Not authorized.", 403)
        end

47
        if params[:username].present?
48
          users = User.where(username: params[:username])
49
        else
50 51 52 53 54
          users = User.all
          users = users.active if params[:active]
          users = users.search(params[:search]) if params[:search].present?
          users = users.blocked if params[:blocked]
          users = users.external if params[:external] && current_user.is_admin?
55
        end
56

57
        entity = current_user.is_admin? ? Entities::UserPublic : Entities::UserBasic
58
        present paginate(users), with: entity
59 60
      end

61 62 63 64 65 66
      desc 'Get a single user' do
        success Entities::UserBasic
      end
      params do
        requires :id, type: Integer, desc: 'The ID of the user'
      end
67
      get ":id" do
68 69
        user = User.find_by(id: params[:id])
        not_found!('User') unless user
70

Felipe Artur committed
71
        if current_user && current_user.is_admin?
72
          present user, with: Entities::UserPublic
73 74
        elsif can?(current_user, :read_user, user)
          present user, with: Entities::User
75 76
        else
          render_api_error!("User not found.", 404)
77
        end
78
      end
79

80
      desc 'Create a user. Available only for admins.' do
81
        success Entities::UserPublic
82 83 84 85 86 87 88 89
      end
      params do
        requires :email, type: String, desc: 'The email of the user'
        requires :password, type: String, desc: 'The password of the new user'
        requires :name, type: String, desc: 'The name of the user'
        requires :username, type: String, desc: 'The username of the user'
        use :optional_attributes
      end
90 91
      post do
        authenticated_as_admin!
92 93 94 95 96

        # Filter out params which are used later
        identity_attrs = params.slice(:provider, :extern_uid)
        confirm = params.delete(:confirm)

97
        user = User.new(declared_params(include_missing: false))
98
        user.skip_confirmation! unless confirm
Zeger-Jan van de Weg committed
99

100 101 102 103
        if identity_attrs.any?
          user.identities.build(identity_attrs)
        end

104
        if user.save
105
          present user, with: Entities::UserPublic
106
        else
107 108 109 110 111 112 113 114 115
          conflict!('Email has already been taken') if User.
              where(email: user.email).
              count > 0

          conflict!('Username has already been taken') if User.
              where(username: user.username).
              count > 0

          render_validation_error!(user)
116 117
        end
      end
118

119
      desc 'Update a user. Available only for admins.' do
120
        success Entities::UserPublic
121 122 123 124 125 126 127 128 129 130 131 132 133
      end
      params do
        requires :id, type: Integer, desc: 'The ID of the user'
        optional :email, type: String, desc: 'The email of the user'
        optional :password, type: String, desc: 'The password of the new user'
        optional :name, type: String, desc: 'The name of the user'
        optional :username, type: String, desc: 'The username of the user'
        use :optional_attributes
        at_least_one_of :email, :password, :name, :username, :skype, :linkedin,
                        :twitter, :website_url, :organization, :projects_limit,
                        :extern_uid, :provider, :bio, :location, :admin,
                        :can_create_group, :confirm, :external
      end
134 135
      put ":id" do
        authenticated_as_admin!
136

137
        user = User.find_by(id: params.delete(:id))
138
        not_found!('User') unless user
139

140 141
        conflict!('Email has already been taken') if params[:email] &&
            User.where(email: params[:email]).
142 143
                where.not(id: user.id).count > 0

144 145
        conflict!('Username has already been taken') if params[:username] &&
            User.where(username: params[:username]).
146 147
                where.not(id: user.id).count > 0

148 149
        user_params = declared_params(include_missing: false)
        identity_attrs = user_params.slice(:provider, :extern_uid)
150

151 152
        if identity_attrs.any?
          identity = user.identities.find_by(provider: identity_attrs[:provider])
153

154 155 156 157 158 159 160 161
          if identity
            identity.update_attributes(identity_attrs)
          else
            identity = user.identities.build(identity_attrs)
            identity.save
          end
        end

162
        # Delete already handled parameters
163 164
        user_params.delete(:extern_uid)
        user_params.delete(:provider)
165

166
        if user.update_attributes(user_params)
167
          present user, with: Entities::UserPublic
168
        else
169
          render_validation_error!(user)
170 171 172
        end
      end

173 174 175 176 177 178 179 180
      desc 'Add an SSH key to a specified user. Available only for admins.' do
        success Entities::SSHKey
      end
      params do
        requires :id, type: Integer, desc: 'The ID of the user'
        requires :key, type: String, desc: 'The new SSH key'
        requires :title, type: String, desc: 'The title of the new SSH key'
      end
Angus MacArthur committed
181 182
      post ":id/keys" do
        authenticated_as_admin!
183

184 185 186 187 188
        user = User.find_by(id: params.delete(:id))
        not_found!('User') unless user

        key = user.keys.new(declared_params(include_missing: false))

Angus MacArthur committed
189 190 191
        if key.save
          present key, with: Entities::SSHKey
        else
192
          render_validation_error!(key)
Angus MacArthur committed
193 194 195
        end
      end

196 197 198 199 200 201 202
      desc 'Get the SSH keys of a specified user. Available only for admins.' do
        success Entities::SSHKey
      end
      params do
        requires :id, type: Integer, desc: 'The ID of the user'
      end
      get ':id/keys' do
203
        authenticated_as_admin!
204 205

        user = User.find_by(id: params[:id])
206 207 208
        not_found!('User') unless user

        present user.keys, with: Entities::SSHKey
209 210
      end

211 212 213 214 215 216 217 218
      desc 'Delete an existing SSH key from a specified user. Available only for admins.' do
        success Entities::SSHKey
      end
      params do
        requires :id, type: Integer, desc: 'The ID of the user'
        requires :key_id, type: Integer, desc: 'The ID of the SSH key'
      end
      delete ':id/keys/:key_id' do
219
        authenticated_as_admin!
220 221

        user = User.find_by(id: params[:id])
222 223
        not_found!('User') unless user

224 225 226 227
        key = user.keys.find_by(id: params[:key_id])
        not_found!('Key') unless key

        present key.destroy, with: Entities::SSHKey
228 229
      end

230 231 232 233 234 235 236
      desc 'Add an email address to a specified user. Available only for admins.' do
        success Entities::Email
      end
      params do
        requires :id, type: Integer, desc: 'The ID of the user'
        requires :email, type: String, desc: 'The email of the user'
      end
237 238 239
      post ":id/emails" do
        authenticated_as_admin!

240 241 242 243 244
        user = User.find_by(id: params.delete(:id))
        not_found!('User') unless user

        email = user.emails.new(declared_params(include_missing: false))

245 246 247 248 249 250 251 252
        if email.save
          NotificationService.new.new_email(email)
          present email, with: Entities::Email
        else
          render_validation_error!(email)
        end
      end

253 254 255 256 257 258 259
      desc 'Get the emails addresses of a specified user. Available only for admins.' do
        success Entities::Email
      end
      params do
        requires :id, type: Integer, desc: 'The ID of the user'
      end
      get ':id/emails' do
260
        authenticated_as_admin!
261
        user = User.find_by(id: params[:id])
262 263 264 265 266
        not_found!('User') unless user

        present user.emails, with: Entities::Email
      end

267 268 269 270 271 272 273 274
      desc 'Delete an email address of a specified user. Available only for admins.' do
        success Entities::Email
      end
      params do
        requires :id, type: Integer, desc: 'The ID of the user'
        requires :email_id, type: Integer, desc: 'The ID of the email'
      end
      delete ':id/emails/:email_id' do
275
        authenticated_as_admin!
276
        user = User.find_by(id: params[:id])
277 278
        not_found!('User') unless user

279 280
        email = user.emails.find_by(id: params[:email_id])
        not_found!('Email') unless email
281

282 283
        email.destroy
        user.update_secondary_emails!
284 285
      end

286 287 288 289 290 291
      desc 'Delete a user. Available only for admins.' do
        success Entities::Email
      end
      params do
        requires :id, type: Integer, desc: 'The ID of the user'
      end
292 293
      delete ":id" do
        authenticated_as_admin!
skv committed
294
        user = User.find_by(id: params[:id])
295
        not_found!('User') unless user
296

297
        DeleteUserService.new(current_user).execute(user)
298
      end
299

300 301 302 303
      desc 'Block a user. Available only for admins.'
      params do
        requires :id, type: Integer, desc: 'The ID of the user'
      end
304 305 306
      put ':id/block' do
        authenticated_as_admin!
        user = User.find_by(id: params[:id])
307
        not_found!('User') unless user
308

309
        if !user.ldap_blocked?
310 311
          user.block
        else
312
          forbidden!('LDAP blocked users cannot be modified by the API')
313 314 315
        end
      end

316 317 318 319
      desc 'Unblock a user. Available only for admins.'
      params do
        requires :id, type: Integer, desc: 'The ID of the user'
      end
320 321 322
      put ':id/unblock' do
        authenticated_as_admin!
        user = User.find_by(id: params[:id])
323
        not_found!('User') unless user
324

325
        if user.ldap_blocked?
326
          forbidden!('LDAP blocked users cannot be unblocked by the API')
Gabriel Mazetto committed
327 328
        else
          user.activate
329 330
        end
      end
331

332
      desc 'Get the contribution events of a specified user' do
333 334 335 336
        detail 'This feature was introduced in GitLab 8.13.'
        success Entities::Event
      end
      params do
337
        requires :id, type: Integer, desc: 'The ID of the user'
338
        use :pagination
339 340
      end
      get ':id/events' do
341
        user = User.find_by(id: params[:id])
342 343
        not_found!('User') unless user

344
        events = user.events.
345 346 347
          merge(ProjectsFinder.new.execute(current_user)).
          references(:project).
          with_associations.
348
          recent
349 350 351

        present paginate(events), with: Entities::Event
      end
352 353
    end

354
    resource :user do
355
      desc 'Get the currently authenticated user' do
356
        success Entities::UserPublic
357
      end
358
      get do
359
        present current_user, with: sudo? ? Entities::UserWithPrivateToken : Entities::UserPublic
360 361
      end

362 363 364
      desc "Get the currently authenticated user's SSH keys" do
        success Entities::SSHKey
      end
365 366 367 368
      get "keys" do
        present current_user.keys, with: Entities::SSHKey
      end

369 370 371 372 373 374 375 376 377 378
      desc 'Get a single key owned by currently authenticated user' do
        success Entities::SSHKey
      end
      params do
        requires :key_id, type: Integer, desc: 'The ID of the SSH key'
      end
      get "keys/:key_id" do
        key = current_user.keys.find_by(id: params[:key_id])
        not_found!('Key') unless key

379 380 381
        present key, with: Entities::SSHKey
      end

382 383 384 385 386 387 388
      desc 'Add a new SSH key to the currently authenticated user' do
        success Entities::SSHKey
      end
      params do
        requires :key, type: String, desc: 'The new SSH key'
        requires :title, type: String, desc: 'The title of the new SSH key'
      end
389
      post "keys" do
390
        key = current_user.keys.new(declared_params)
391

392 393 394
        if key.save
          present key, with: Entities::SSHKey
        else
395
          render_validation_error!(key)
396 397 398
        end
      end

399 400 401 402 403 404 405 406 407 408 409
      desc 'Delete an SSH key from the currently authenticated user' do
        success Entities::SSHKey
      end
      params do
        requires :key_id, type: Integer, desc: 'The ID of the SSH key'
      end
      delete "keys/:key_id" do
        key = current_user.keys.find_by(id: params[:key_id])
        not_found!('Key') unless key

        present key.destroy, with: Entities::SSHKey
410
      end
411

412 413 414
      desc "Get the currently authenticated user's email addresses" do
        success Entities::Email
      end
415 416 417 418
      get "emails" do
        present current_user.emails, with: Entities::Email
      end

419 420 421 422 423 424 425 426 427 428
      desc 'Get a single email address owned by the currently authenticated user' do
        success Entities::Email
      end
      params do
        requires :email_id, type: Integer, desc: 'The ID of the email'
      end
      get "emails/:email_id" do
        email = current_user.emails.find_by(id: params[:email_id])
        not_found!('Email') unless email

429 430 431
        present email, with: Entities::Email
      end

432 433 434 435 436 437
      desc 'Add new email address to the currently authenticated user' do
        success Entities::Email
      end
      params do
        requires :email, type: String, desc: 'The new email'
      end
438
      post "emails" do
439
        email = current_user.emails.new(declared_params)
440 441 442 443 444 445 446 447 448

        if email.save
          NotificationService.new.new_email(email)
          present email, with: Entities::Email
        else
          render_validation_error!(email)
        end
      end

449 450 451 452 453 454 455
      desc 'Delete an email address from the currently authenticated user'
      params do
        requires :email_id, type: Integer, desc: 'The ID of the email'
      end
      delete "emails/:email_id" do
        email = current_user.emails.find_by(id: params[:email_id])
        not_found!('Email') unless email
456

457 458
        email.destroy
        current_user.update_secondary_emails!
459
      end
460 461 462
    end
  end
end