finish admin tasks

2023-04-04 10:44:14 +02:00
parent 202964bfa4
commit 3dfc64071c
11 changed files with 284 additions and 23 deletions
--- a/src/model/user.rs
+++ b/src/model/user.rs
@ -10,19 +10,37 @@ use sqlx::{FromRow, SqlitePool};

 #[derive(FromRow, Debug, Serialize, Deserialize)]
 pub struct User {
-    id: i64,
-    name: String,
-    pw: String,
+    pub id: i64,
+    pub name: String,
+    pw: Option<String>,
    is_cox: bool,
    is_admin: bool,
    is_guest: bool,
 }

+pub struct AdminUser {
+    user: User,
+}
+
+impl TryFrom<User> for AdminUser {
+    type Error = LoginError;
+
+    fn try_from(user: User) -> Result<Self, Self::Error> {
+        if user.is_admin {
+            Ok(AdminUser { user })
+        } else {
+            Err(LoginError::NotAnAdmin)
+        }
+    }
+}
+
 #[derive(Debug)]
 pub enum LoginError {
    SqlxError(sqlx::Error),
    InvalidAuthenticationCombo,
    NotLoggedIn,
+    NotAnAdmin,
+    NoPasswordSet(User),
 }

 impl From<sqlx::Error> for LoginError {
@ -31,6 +49,35 @@ impl From<sqlx::Error> for LoginError {
    }
 }
 impl User {
+    pub async fn update(&self, db: &SqlitePool, is_cox: bool, is_admin: bool, is_guest: bool) {
+        sqlx::query!(
+            "UPDATE user SET is_cox = ?, is_admin = ?, is_guest = ? where id = ?",
+            is_cox,
+            is_admin,
+            is_guest,
+            self.id
+        )
+        .execute(db)
+        .await
+        .unwrap(); //TODO: fixme
+    }
+
+    pub async fn find_by_id(db: &SqlitePool, id: i32) -> Result<Self, sqlx::Error> {
+        let user: User = sqlx::query_as!(
+            User,
+            "
+SELECT id, name, pw, is_cox, is_admin, is_guest
+FROM user 
+WHERE id like ?
+        ",
+            id
+        )
+        .fetch_one(db)
+        .await?;
+
+        Ok(user)
+    }
+
    async fn find_by_name(db: &SqlitePool, name: String) -> Result<Self, sqlx::Error> {
        let user: User = sqlx::query_as!(
            User,
@ -47,21 +94,57 @@ WHERE name like ?
        Ok(user)
    }

+    fn get_hashed_pw(pw: String) -> String {
+        let salt = SaltString::from_b64("dS/X5/sPEKTj4Rzs/CuvzQ").unwrap();
+        let argon2 = Argon2::default();
+        argon2
+            .hash_password(&pw.as_bytes(), &salt)
+            .unwrap()
+            .to_string()
+    }
+
    pub async fn login(db: &SqlitePool, name: String, pw: String) -> Result<Self, LoginError> {
        let user = User::find_by_name(db, name).await?;

-        let salt = SaltString::from_b64("dS/X5/sPEKTj4Rzs/CuvzQ").unwrap();
-        let argon2 = Argon2::default();
-        let password_hash = argon2
-            .hash_password(&pw.as_bytes(), &salt)
-            .unwrap()
-            .to_string();
+        match user.pw.clone() {
+            Some(user_pw) => {
+                let password_hash = Self::get_hashed_pw(pw);
+                if password_hash == user_pw {
+                    return Ok(user);
+                }

-        if password_hash == user.pw {
-            return Ok(user);
+                Err(LoginError::InvalidAuthenticationCombo)
+            }
+            None => Err(LoginError::NoPasswordSet(user)),
        }
+    }

-        Err(LoginError::InvalidAuthenticationCombo)
+    pub async fn all(db: &SqlitePool) -> Vec<Self> {
+        sqlx::query_as!(
+            User,
+            "
+SELECT id, name, pw, is_cox, is_admin, is_guest
+FROM user 
+        "
+        )
+        .fetch_all(db)
+        .await
+        .unwrap() //TODO: fixme
+    }
+
+    pub async fn reset_pw(&self, db: &SqlitePool) {
+        sqlx::query!("UPDATE user SET pw = null where id = ?", self.id)
+            .execute(db)
+            .await
+            .unwrap(); //TODO: fixme
+    }
+
+    pub async fn update_pw(&self, db: &SqlitePool, pw: String) {
+        let pw = Self::get_hashed_pw(pw);
+        sqlx::query!("UPDATE user SET pw = ? where id = ?", pw, self.id)
+            .execute(db)
+            .await
+            .unwrap(); //TODO: fixme
    }
 }

@ -80,6 +163,24 @@ impl<'r> FromRequest<'r> for User {
    }
 }

+#[async_trait]
+impl<'r> FromRequest<'r> for AdminUser {
+    type Error = LoginError;
+
+    async fn from_request(req: &'r Request<'_>) -> request::Outcome<Self, Self::Error> {
+        match req.cookies().get_private("loggedin_user") {
+            Some(user) => {
+                let user: User = serde_json::from_str(&user.value()).unwrap(); //TODO: fixme
+                match user.try_into() {
+                    Ok(user) => Outcome::Success(user),
+                    Err(_) => Outcome::Failure((Status::Unauthorized, LoginError::NotAnAdmin)),
+                }
+            }
+            None => Outcome::Failure((Status::Unauthorized, LoginError::NotLoggedIn)),
+        }
+    }
+}
+
 #[cfg(test)]
 mod test {
    use crate::testdb;
--- a/src/rest/admin/mod.rs
+++ b/src/rest/admin/mod.rs
@ -0,0 +1,9 @@
+use rocket::Route;
+
+pub mod user;
+
+pub fn routes() -> Vec<Route> {
+    let mut ret = Vec::new();
+    ret.append(&mut user::routes());
+    ret
+}
--- a/src/rest/admin/user.rs
+++ b/src/rest/admin/user.rs
@ -0,0 +1,61 @@
+use crate::model::user::{AdminUser, User};
+use rocket::{
+    form::Form,
+    get, post,
+    response::{Flash, Redirect},
+    routes, FromForm, Route, State,
+};
+use rocket_dyn_templates::{context, Template};
+use sqlx::SqlitePool;
+
+#[get("/user")]
+async fn index(db: &State<SqlitePool>, _admin: AdminUser) -> Template {
+    let users = User::all(db).await;
+    Template::render("admin/user/index", context!(users))
+}
+
+#[get("/user/<user>/reset-pw")]
+async fn resetpw(db: &State<SqlitePool>, _admin: AdminUser, user: i32) -> Flash<Redirect> {
+    let user = User::find_by_id(db, user).await;
+    match user {
+        Ok(user) => {
+            user.reset_pw(db).await;
+            Flash::success(
+                Redirect::to("/admin/user"),
+                format!("Successfully reset pw of {}", user.name),
+            )
+        }
+        Err(_) => Flash::error(Redirect::to("/admin/user"), "User does not exist"),
+    }
+}
+
+#[derive(FromForm)]
+struct UserEditForm {
+    id: i32,
+    is_guest: bool,
+    is_cox: bool,
+    is_admin: bool,
+}
+
+#[post("/user", data = "<data>")]
+async fn update(db: &State<SqlitePool>, data: Form<UserEditForm>) -> Flash<Redirect> {
+    let user = User::find_by_id(db, data.id).await;
+    let user = match user {
+        Ok(user) => user,
+        Err(_) => {
+            return Flash::error(
+                Redirect::to("/admin/user"),
+                format!("User with ID {} does not exist!", data.id),
+            )
+        }
+    };
+
+    user.update(db, data.is_cox, data.is_admin, data.is_guest)
+        .await;
+
+    Flash::success(Redirect::to("/admin/user"), "Successfully updated user")
+}
+
+pub fn routes() -> Vec<Route> {
+    routes![index, resetpw, update]
+}
--- a/src/rest/auth.rs
+++ b/src/rest/auth.rs
@ -7,11 +7,11 @@ use rocket::{
    response::{Flash, Redirect},
    routes, FromForm, Route, State,
 };
-use rocket_dyn_templates::{tera, Template};
+use rocket_dyn_templates::{context, tera, Template};
 use serde_json::json;
 use sqlx::SqlitePool;

-use crate::model::user::User;
+use crate::model::user::{LoginError, User};

 #[get("/")]
 async fn index(flash: Option<FlashMessage<'_>>) -> Template {
@ -41,6 +41,12 @@ async fn login(
    //TODO: be able to use ? for login. This would get rid of the following match clause.
    let user = match user {
        Ok(user) => user,
+        Err(LoginError::NoPasswordSet(user)) => {
+            return Flash::warning(
+                Redirect::to(format!("/auth/set-pw/{}", user.id)),
+                "Setze ein neues Passwort",
+            );
+        }
        Err(_) => {
            return Flash::error(Redirect::to("/auth"), "Falscher Benutzername/Passwort");
        }
@ -52,6 +58,53 @@ async fn login(
    Flash::success(Redirect::to("/"), "Login erfolgreich")
 }

+#[get("/set-pw/<userid>")]
+async fn setpw(userid: i32) -> Template {
+    Template::render("auth/set-pw", context!(userid))
+}
+
+#[derive(FromForm)]
+struct UpdatePw {
+    userid: i32,
+    password: String,
+    password_confirm: String,
+}
+
+#[post("/set-pw", data = "<updatepw>")]
+async fn updatepw(
+    db: &State<SqlitePool>,
+    updatepw: Form<UpdatePw>,
+    cookies: &CookieJar<'_>,
+) -> Flash<Redirect> {
+    let user = User::find_by_id(db, updatepw.userid).await;
+    let user = match user {
+        Ok(user) => user,
+        Err(_) => {
+            return Flash::error(
+                Redirect::to("/auth"),
+                format!("User with ID {} does not exist!", updatepw.userid),
+            )
+        }
+    };
+
+    if updatepw.password != updatepw.password_confirm {
+        return Flash::error(
+            Redirect::to(format!("/auth/set-pw/{}", updatepw.userid)),
+            "Passwörter stimmen nicht überein! Bitte probiere es nochmal",
+        );
+    }
+
+    user.update_pw(db, updatepw.password.clone()).await;
+
+    let user_json: String = format!("{}", json!(user));
+    cookies.add_private(Cookie::new("loggedin_user", user_json));
+
+    Flash::success(
+        Redirect::to("/"),
+        "Passwort erfolgreich gesetzt. Du bist nun eingeloggt.",
+    )
+}
+
 #[get("/logout")]
 async fn logout(cookies: &CookieJar<'_>, _user: User) -> Flash<Redirect> {
    cookies.remove_private(Cookie::named("loggedin_user"));
@ -60,5 +113,5 @@ async fn logout(cookies: &CookieJar<'_>, _user: User) -> Flash<Redirect> {
 }

 pub fn routes() -> Vec<Route> {
-    routes![index, login, logout]
+    routes![index, login, logout, setpw, updatepw]
 }
--- a/src/rest/mod.rs
+++ b/src/rest/mod.rs
@ -4,6 +4,7 @@ use sqlx::SqlitePool;

 use crate::model::user::User;

+mod admin;
 mod auth;

 #[get("/")]
@ -21,6 +22,7 @@ pub fn start(db: SqlitePool) -> Rocket<Build> {
        .manage(db)
        .mount("/", routes![index])
        .mount("/auth", auth::routes())
+        .mount("/admin", admin::routes())
        .register("/", catchers![unauthorized_error])
        .attach(Template::fairing())
 }