debian-mirror-gitlab/lib/api/users.rb

562 lines
19 KiB
Ruby
Raw Normal View History

2014-09-02 18:07:02 +05:30
module API
class Users < Grape::API
2017-08-17 22:00:37 +05:30
include PaginationParams
2017-09-10 17:25:29 +05:30
include APIGuard
2017-08-17 22:00:37 +05:30
2017-09-10 17:25:29 +05:30
allow_access_with_scope :read_user, if: -> (request) { request.get? }
2014-09-02 18:07:02 +05:30
2015-09-25 12:07:36 +05:30
resource :users, requirements: { uid: /[0-9]*/, id: /[0-9]*/ } do
2017-09-10 17:25:29 +05:30
before do
authenticate_non_get!
end
2017-08-17 22:00:37 +05:30
helpers do
def find_user(params)
id = params[:user_id] || params[:id]
User.find_by(id: id) || not_found!('User')
end
params :optional_attributes do
optional :skype, type: String, desc: 'The Skype username'
optional :linkedin, type: String, desc: 'The LinkedIn username'
optional :twitter, type: String, desc: 'The Twitter username'
optional :website_url, type: String, desc: 'The website of the user'
optional :organization, type: String, desc: 'The organization of the user'
optional :projects_limit, type: Integer, desc: 'The number of projects a user can create'
optional :extern_uid, type: String, desc: 'The external authentication provider UID'
optional :provider, type: String, desc: 'The external provider'
optional :bio, type: String, desc: 'The biography of the user'
optional :location, type: String, desc: 'The location of the user'
optional :admin, type: Boolean, desc: 'Flag indicating the user is an administrator'
optional :can_create_group, type: Boolean, desc: 'Flag indicating the user can create groups'
optional :skip_confirmation, type: Boolean, default: false, desc: 'Flag indicating the account is confirmed'
optional :external, type: Boolean, desc: 'Flag indicating the user is an external user'
2017-09-10 17:25:29 +05:30
optional :avatar, type: File, desc: 'Avatar image for user'
2017-08-17 22:00:37 +05:30
all_or_none_of :extern_uid, :provider
end
end
desc 'Get the list of users' do
success Entities::UserBasic
end
params do
# CE
optional :username, type: String, desc: 'Get a single user with a specific username'
optional :extern_uid, type: String, desc: 'Get a single user with a specific external authentication provider UID'
optional :provider, type: String, desc: 'The external provider'
optional :search, type: String, desc: 'Search for a username'
optional :active, type: Boolean, default: false, desc: 'Filters only active users'
optional :external, type: Boolean, default: false, desc: 'Filters only external users'
optional :blocked, type: Boolean, default: false, desc: 'Filters only blocked users'
2017-09-10 17:25:29 +05:30
optional :created_after, type: DateTime, desc: 'Return users created after the specified time'
optional :created_before, type: DateTime, desc: 'Return users created before the specified time'
2017-08-17 22:00:37 +05:30
all_or_none_of :extern_uid, :provider
use :pagination
end
2014-09-02 18:07:02 +05:30
get do
2017-09-10 17:25:29 +05:30
authenticated_as_admin! if params[:external].present? || (params[:extern_uid].present? && params[:provider].present?)
unless current_user&.admin?
params.except!(:created_after, :created_before)
2016-06-02 11:05:42 +05:30
end
2017-09-10 17:25:29 +05:30
users = UsersFinder.new(current_user, params).execute
2014-09-02 18:07:02 +05:30
2017-09-10 17:25:29 +05:30
authorized = can?(current_user, :read_users_list)
2017-08-17 22:00:37 +05:30
2017-09-10 17:25:29 +05:30
# When `current_user` is not present, require that the `username`
# parameter is passed, to prevent an unauthenticated user from accessing
# a list of all the users on the GitLab instance. `UsersFinder` performs
# an exact match on the `username` parameter, so we are guaranteed to
# get either 0 or 1 `users` here.
authorized &&= params[:username].present? if current_user.blank?
2017-08-17 22:00:37 +05:30
2017-09-10 17:25:29 +05:30
forbidden!("Not authorized to access /api/v4/users") unless authorized
entity = current_user&.admin? ? Entities::UserWithAdmin : Entities::UserBasic
2017-08-17 22:00:37 +05:30
present paginate(users), with: entity
2014-09-02 18:07:02 +05:30
end
2017-08-17 22:00:37 +05:30
desc 'Get a single user' do
success Entities::UserBasic
end
params do
requires :id, type: Integer, desc: 'The ID of the user'
end
2014-09-02 18:07:02 +05:30
get ":id" do
2017-08-17 22:00:37 +05:30
user = User.find_by(id: params[:id])
not_found!('User') unless user
2014-09-02 18:07:02 +05:30
2017-08-17 22:00:37 +05:30
if current_user && current_user.admin?
present user, with: Entities::UserPublic
elsif can?(current_user, :read_user, user)
present user, with: Entities::User
2016-06-02 11:05:42 +05:30
else
render_api_error!("User not found.", 404)
2014-09-02 18:07:02 +05:30
end
end
2017-08-17 22:00:37 +05:30
desc 'Create a user. Available only for admins.' do
success Entities::UserPublic
end
params do
requires :email, type: String, desc: 'The email of the user'
optional :password, type: String, desc: 'The password of the new user'
optional :reset_password, type: Boolean, desc: 'Flag indicating the user will be sent a password reset token'
at_least_one_of :password, :reset_password
requires :name, type: String, desc: 'The name of the user'
requires :username, type: String, desc: 'The username of the user'
use :optional_attributes
end
2014-09-02 18:07:02 +05:30
post do
authenticated_as_admin!
2016-06-02 11:05:42 +05:30
2017-08-17 22:00:37 +05:30
params = declared_params(include_missing: false)
2017-09-10 17:25:29 +05:30
user = ::Users::CreateService.new(current_user, params).execute(skip_authorization: true)
2015-04-26 12:48:37 +05:30
2017-08-17 22:00:37 +05:30
if user.persisted?
2017-01-15 13:20:01 +05:30
present user, with: Entities::UserPublic
2014-09-02 18:07:02 +05:30
else
2017-09-10 17:25:29 +05:30
conflict!('Email has already been taken') if User
.where(email: user.email)
.count > 0
2015-04-26 12:48:37 +05:30
2017-09-10 17:25:29 +05:30
conflict!('Username has already been taken') if User
.where(username: user.username)
.count > 0
2015-04-26 12:48:37 +05:30
render_validation_error!(user)
2014-09-02 18:07:02 +05:30
end
end
2017-08-17 22:00:37 +05:30
desc 'Update a user. Available only for admins.' do
success Entities::UserPublic
end
params do
requires :id, type: Integer, desc: 'The ID of the user'
optional :email, type: String, desc: 'The email of the user'
optional :password, type: String, desc: 'The password of the new user'
optional :name, type: String, desc: 'The name of the user'
optional :username, type: String, desc: 'The username of the user'
use :optional_attributes
end
2014-09-02 18:07:02 +05:30
put ":id" do
authenticated_as_admin!
2017-08-17 22:00:37 +05:30
user = User.find_by(id: params.delete(:id))
2015-04-26 12:48:37 +05:30
not_found!('User') unless user
2014-09-02 18:07:02 +05:30
2017-08-17 22:00:37 +05:30
conflict!('Email has already been taken') if params[:email] &&
2017-09-10 17:25:29 +05:30
User.where(email: params[:email])
.where.not(id: user.id).count > 0
2015-04-26 12:48:37 +05:30
2017-08-17 22:00:37 +05:30
conflict!('Username has already been taken') if params[:username] &&
2017-09-10 17:25:29 +05:30
User.where(username: params[:username])
.where.not(id: user.id).count > 0
2015-04-26 12:48:37 +05:30
2017-08-17 22:00:37 +05:30
user_params = declared_params(include_missing: false)
identity_attrs = user_params.slice(:provider, :extern_uid)
2015-10-24 18:46:33 +05:30
if identity_attrs.any?
identity = user.identities.find_by(provider: identity_attrs[:provider])
2017-08-17 22:00:37 +05:30
2015-10-24 18:46:33 +05:30
if identity
identity.update_attributes(identity_attrs)
else
identity = user.identities.build(identity_attrs)
identity.save
end
end
2017-08-17 22:00:37 +05:30
user_params[:password_expires_at] = Time.now if user_params[:password].present?
2017-09-10 17:25:29 +05:30
result = ::Users::UpdateService.new(user, user_params.except(:extern_uid, :provider)).execute
if result[:status] == :success
2017-01-15 13:20:01 +05:30
present user, with: Entities::UserPublic
2014-09-02 18:07:02 +05:30
else
2015-04-26 12:48:37 +05:30
render_validation_error!(user)
2014-09-02 18:07:02 +05:30
end
end
2017-08-17 22:00:37 +05:30
desc 'Add an SSH key to a specified user. Available only for admins.' do
success Entities::SSHKey
end
params do
requires :id, type: Integer, desc: 'The ID of the user'
requires :key, type: String, desc: 'The new SSH key'
requires :title, type: String, desc: 'The title of the new SSH key'
end
2014-09-02 18:07:02 +05:30
post ":id/keys" do
authenticated_as_admin!
2015-04-26 12:48:37 +05:30
2017-08-17 22:00:37 +05:30
user = User.find_by(id: params.delete(:id))
not_found!('User') unless user
key = user.keys.new(declared_params(include_missing: false))
2014-09-02 18:07:02 +05:30
if key.save
present key, with: Entities::SSHKey
else
2015-04-26 12:48:37 +05:30
render_validation_error!(key)
2014-09-02 18:07:02 +05:30
end
end
2017-08-17 22:00:37 +05:30
desc 'Get the SSH keys of a specified user. Available only for admins.' do
success Entities::SSHKey
end
params do
requires :id, type: Integer, desc: 'The ID of the user'
use :pagination
end
get ':id/keys' do
2014-09-02 18:07:02 +05:30
authenticated_as_admin!
2017-08-17 22:00:37 +05:30
user = User.find_by(id: params[:id])
2015-04-26 12:48:37 +05:30
not_found!('User') unless user
2017-08-17 22:00:37 +05:30
present paginate(user.keys), with: Entities::SSHKey
2014-09-02 18:07:02 +05:30
end
2017-08-17 22:00:37 +05:30
desc 'Delete an existing SSH key from a specified user. Available only for admins.' do
success Entities::SSHKey
end
params do
requires :id, type: Integer, desc: 'The ID of the user'
requires :key_id, type: Integer, desc: 'The ID of the SSH key'
end
delete ':id/keys/:key_id' do
2014-09-02 18:07:02 +05:30
authenticated_as_admin!
2017-08-17 22:00:37 +05:30
user = User.find_by(id: params[:id])
2015-04-26 12:48:37 +05:30
not_found!('User') unless user
2017-08-17 22:00:37 +05:30
key = user.keys.find_by(id: params[:key_id])
not_found!('Key') unless key
2017-09-10 17:25:29 +05:30
status 204
2017-08-17 22:00:37 +05:30
key.destroy
2014-09-02 18:07:02 +05:30
end
2017-08-17 22:00:37 +05:30
desc 'Add an email address to a specified user. Available only for admins.' do
success Entities::Email
end
params do
requires :id, type: Integer, desc: 'The ID of the user'
requires :email, type: String, desc: 'The email of the user'
end
2015-09-11 14:41:01 +05:30
post ":id/emails" do
authenticated_as_admin!
2017-08-17 22:00:37 +05:30
user = User.find_by(id: params.delete(:id))
not_found!('User') unless user
2017-09-10 17:25:29 +05:30
email = Emails::CreateService.new(user, declared_params(include_missing: false)).execute
2017-08-17 22:00:37 +05:30
2017-09-10 17:25:29 +05:30
if email.errors.blank?
2015-09-11 14:41:01 +05:30
NotificationService.new.new_email(email)
present email, with: Entities::Email
else
render_validation_error!(email)
end
end
2017-08-17 22:00:37 +05:30
desc 'Get the emails addresses of a specified user. Available only for admins.' do
success Entities::Email
end
params do
requires :id, type: Integer, desc: 'The ID of the user'
use :pagination
end
get ':id/emails' do
2015-09-11 14:41:01 +05:30
authenticated_as_admin!
2017-08-17 22:00:37 +05:30
user = User.find_by(id: params[:id])
2015-09-11 14:41:01 +05:30
not_found!('User') unless user
2017-08-17 22:00:37 +05:30
present paginate(user.emails), with: Entities::Email
2015-09-11 14:41:01 +05:30
end
2017-08-17 22:00:37 +05:30
desc 'Delete an email address of a specified user. Available only for admins.' do
success Entities::Email
end
params do
requires :id, type: Integer, desc: 'The ID of the user'
requires :email_id, type: Integer, desc: 'The ID of the email'
end
delete ':id/emails/:email_id' do
2015-09-11 14:41:01 +05:30
authenticated_as_admin!
2017-08-17 22:00:37 +05:30
user = User.find_by(id: params[:id])
2015-09-11 14:41:01 +05:30
not_found!('User') unless user
2017-08-17 22:00:37 +05:30
email = user.emails.find_by(id: params[:email_id])
not_found!('Email') unless email
2015-09-11 14:41:01 +05:30
2017-09-10 17:25:29 +05:30
Emails::DestroyService.new(user, email: email.email).execute
2015-09-11 14:41:01 +05:30
end
2017-08-17 22:00:37 +05:30
desc 'Delete a user. Available only for admins.' do
success Entities::Email
end
params do
requires :id, type: Integer, desc: 'The ID of the user'
2017-09-10 17:25:29 +05:30
optional :hard_delete, type: Boolean, desc: "Whether to remove a user's contributions"
2017-08-17 22:00:37 +05:30
end
2014-09-02 18:07:02 +05:30
delete ":id" do
authenticated_as_admin!
user = User.find_by(id: params[:id])
2017-08-17 22:00:37 +05:30
not_found!('User') unless user
2014-09-02 18:07:02 +05:30
2017-09-10 17:25:29 +05:30
status 204
user.delete_async(deleted_by: current_user, params: params)
2015-09-11 14:41:01 +05:30
end
2017-08-17 22:00:37 +05:30
desc 'Block a user. Available only for admins.'
params do
requires :id, type: Integer, desc: 'The ID of the user'
end
post ':id/block' do
2015-09-11 14:41:01 +05:30
authenticated_as_admin!
user = User.find_by(id: params[:id])
2017-08-17 22:00:37 +05:30
not_found!('User') unless user
2015-09-11 14:41:01 +05:30
2017-08-17 22:00:37 +05:30
if !user.ldap_blocked?
2015-09-11 14:41:01 +05:30
user.block
else
forbidden!('LDAP blocked users cannot be modified by the API')
2015-09-11 14:41:01 +05:30
end
end
2017-08-17 22:00:37 +05:30
desc 'Unblock a user. Available only for admins.'
params do
requires :id, type: Integer, desc: 'The ID of the user'
end
post ':id/unblock' do
2015-09-11 14:41:01 +05:30
authenticated_as_admin!
user = User.find_by(id: params[:id])
2017-08-17 22:00:37 +05:30
not_found!('User') unless user
2015-09-11 14:41:01 +05:30
2017-08-17 22:00:37 +05:30
if user.ldap_blocked?
forbidden!('LDAP blocked users cannot be unblocked by the API')
else
user.activate
2014-09-02 18:07:02 +05:30
end
end
2016-11-03 12:29:30 +05:30
2017-08-17 22:00:37 +05:30
params do
requires :user_id, type: Integer, desc: 'The ID of the user'
end
segment ':user_id' do
resource :impersonation_tokens do
helpers do
def finder(options = {})
user = find_user(params)
PersonalAccessTokensFinder.new({ user: user, impersonation: true }.merge(options))
end
def find_impersonation_token
finder.find_by(id: declared_params[:impersonation_token_id]) || not_found!('Impersonation Token')
end
end
before { authenticated_as_admin! }
desc 'Retrieve impersonation tokens. Available only for admins.' do
detail 'This feature was introduced in GitLab 9.0'
success Entities::ImpersonationToken
end
params do
use :pagination
optional :state, type: String, default: 'all', values: %w[all active inactive], desc: 'Filters (all|active|inactive) impersonation_tokens'
end
get { present paginate(finder(declared_params(include_missing: false)).execute), with: Entities::ImpersonationToken }
desc 'Create a impersonation token. Available only for admins.' do
detail 'This feature was introduced in GitLab 9.0'
success Entities::ImpersonationToken
end
params do
requires :name, type: String, desc: 'The name of the impersonation token'
optional :expires_at, type: Date, desc: 'The expiration date in the format YEAR-MONTH-DAY of the impersonation token'
optional :scopes, type: Array, desc: 'The array of scopes of the impersonation token'
end
post do
impersonation_token = finder.build(declared_params(include_missing: false))
if impersonation_token.save
present impersonation_token, with: Entities::ImpersonationToken
else
render_validation_error!(impersonation_token)
end
end
desc 'Retrieve impersonation token. Available only for admins.' do
detail 'This feature was introduced in GitLab 9.0'
success Entities::ImpersonationToken
end
params do
requires :impersonation_token_id, type: Integer, desc: 'The ID of the impersonation token'
end
get ':impersonation_token_id' do
present find_impersonation_token, with: Entities::ImpersonationToken
end
desc 'Revoke a impersonation token. Available only for admins.' do
detail 'This feature was introduced in GitLab 9.0'
end
params do
requires :impersonation_token_id, type: Integer, desc: 'The ID of the impersonation token'
end
delete ':impersonation_token_id' do
2017-09-10 17:25:29 +05:30
status 204
2017-08-17 22:00:37 +05:30
find_impersonation_token.revoke!
end
end
end
2014-09-02 18:07:02 +05:30
end
resource :user do
2017-09-10 17:25:29 +05:30
before do
authenticate!
end
2017-08-17 22:00:37 +05:30
desc 'Get the currently authenticated user' do
success Entities::UserPublic
end
2014-09-02 18:07:02 +05:30
get do
2017-09-10 17:25:29 +05:30
entity =
if sudo?
Entities::UserWithPrivateDetails
elsif current_user.admin?
Entities::UserWithAdmin
else
Entities::UserPublic
end
present current_user, with: entity
2014-09-02 18:07:02 +05:30
end
2017-08-17 22:00:37 +05:30
desc "Get the currently authenticated user's SSH keys" do
success Entities::SSHKey
end
params do
use :pagination
end
2014-09-02 18:07:02 +05:30
get "keys" do
2017-08-17 22:00:37 +05:30
present paginate(current_user.keys), with: Entities::SSHKey
2014-09-02 18:07:02 +05:30
end
2017-08-17 22:00:37 +05:30
desc 'Get a single key owned by currently authenticated user' do
success Entities::SSHKey
end
params do
requires :key_id, type: Integer, desc: 'The ID of the SSH key'
end
get "keys/:key_id" do
key = current_user.keys.find_by(id: params[:key_id])
not_found!('Key') unless key
2014-09-02 18:07:02 +05:30
present key, with: Entities::SSHKey
end
2017-08-17 22:00:37 +05:30
desc 'Add a new SSH key to the currently authenticated user' do
success Entities::SSHKey
end
params do
requires :key, type: String, desc: 'The new SSH key'
requires :title, type: String, desc: 'The title of the new SSH key'
end
2014-09-02 18:07:02 +05:30
post "keys" do
2017-08-17 22:00:37 +05:30
key = current_user.keys.new(declared_params)
2014-09-02 18:07:02 +05:30
if key.save
present key, with: Entities::SSHKey
else
2015-04-26 12:48:37 +05:30
render_validation_error!(key)
2014-09-02 18:07:02 +05:30
end
end
2017-08-17 22:00:37 +05:30
desc 'Delete an SSH key from the currently authenticated user' do
success Entities::SSHKey
end
params do
requires :key_id, type: Integer, desc: 'The ID of the SSH key'
end
delete "keys/:key_id" do
key = current_user.keys.find_by(id: params[:key_id])
not_found!('Key') unless key
2017-09-10 17:25:29 +05:30
status 204
2017-08-17 22:00:37 +05:30
key.destroy
2014-09-02 18:07:02 +05:30
end
2015-09-11 14:41:01 +05:30
2017-08-17 22:00:37 +05:30
desc "Get the currently authenticated user's email addresses" do
success Entities::Email
end
params do
use :pagination
end
2015-09-11 14:41:01 +05:30
get "emails" do
2017-08-17 22:00:37 +05:30
present paginate(current_user.emails), with: Entities::Email
2015-09-11 14:41:01 +05:30
end
2017-08-17 22:00:37 +05:30
desc 'Get a single email address owned by the currently authenticated user' do
success Entities::Email
end
params do
requires :email_id, type: Integer, desc: 'The ID of the email'
end
get "emails/:email_id" do
email = current_user.emails.find_by(id: params[:email_id])
not_found!('Email') unless email
2015-09-11 14:41:01 +05:30
present email, with: Entities::Email
end
2017-08-17 22:00:37 +05:30
desc 'Add new email address to the currently authenticated user' do
success Entities::Email
end
params do
requires :email, type: String, desc: 'The new email'
end
2015-09-11 14:41:01 +05:30
post "emails" do
2017-09-10 17:25:29 +05:30
email = Emails::CreateService.new(current_user, declared_params).execute
2015-09-11 14:41:01 +05:30
2017-09-10 17:25:29 +05:30
if email.errors.blank?
2015-09-11 14:41:01 +05:30
NotificationService.new.new_email(email)
present email, with: Entities::Email
else
render_validation_error!(email)
end
end
2017-08-17 22:00:37 +05:30
desc 'Delete an email address from the currently authenticated user'
params do
requires :email_id, type: Integer, desc: 'The ID of the email'
end
delete "emails/:email_id" do
email = current_user.emails.find_by(id: params[:email_id])
not_found!('Email') unless email
2015-09-11 14:41:01 +05:30
2017-09-10 17:25:29 +05:30
status 204
Emails::DestroyService.new(current_user, email: email.email).execute
2017-08-17 22:00:37 +05:30
end
desc 'Get a list of user activities'
params do
optional :from, type: DateTime, default: 6.months.ago, desc: 'Date string in the format YEAR-MONTH-DAY'
use :pagination
end
get "activities" do
authenticated_as_admin!
2017-09-10 17:25:29 +05:30
activities = User
.where(User.arel_table[:last_activity_on].gteq(params[:from]))
.reorder(last_activity_on: :asc)
2017-08-17 22:00:37 +05:30
present paginate(activities), with: Entities::UserActivity
2015-09-11 14:41:01 +05:30
end
2014-09-02 18:07:02 +05:30
end
end
end