gosora/common/user.go
Azareal c7aec90612 You can now filter analytics graphs by a day, twelve hours and six hours.
Added a X-XSS-Protection header.
Fixed some Group Editor CSS for Cosora.
2018-01-08 08:53:51 +00:00

424 lines
11 KiB
Go

/*
*
* Gosora User File
* Copyright Azareal 2017 - 2018
*
*/
package common
import (
"database/sql"
"errors"
"strconv"
"strings"
"time"
"../query_gen/lib"
"golang.org/x/crypto/bcrypt"
)
// TODO: Replace any literals with this
var BanGroup = 4
// GuestUser is an instance of user which holds guest data to avoid having to initialise a guest every time
var GuestUser = User{ID: 0, Link: "#", Group: 6, Perms: GuestPerms}
//func(real_password string, password string, salt string) (err error)
var CheckPassword = BcryptCheckPassword
//func(password string) (hashed_password string, salt string, err error)
var GeneratePassword = BcryptGeneratePassword
var ErrNoTempGroup = errors.New("We couldn't find a temporary group for this user")
type User struct {
ID int
Link string
Name string
Email string
Group int
Active bool
IsMod bool
IsSuperMod bool
IsAdmin bool
IsSuperAdmin bool
IsBanned bool
Perms Perms
PluginPerms map[string]bool
Session string
//AuthToken string
Loggedin bool
Avatar string
Message string
URLPrefix string // Move this to another table? Create a user lite?
URLName string
Tag string
Level int
Score int
LastIP string // ! This part of the UserCache data might fall out of date
TempGroup int
}
type UserStmts struct {
activate *sql.Stmt
changeGroup *sql.Stmt
delete *sql.Stmt
setAvatar *sql.Stmt
setUsername *sql.Stmt
updateGroup *sql.Stmt
incrementTopics *sql.Stmt
updateLevel *sql.Stmt
incrementScore *sql.Stmt
incrementPosts *sql.Stmt
incrementBigposts *sql.Stmt
incrementMegaposts *sql.Stmt
updateLastIP *sql.Stmt
setPassword *sql.Stmt
}
var userStmts UserStmts
func init() {
DbInits.Add(func(acc *qgen.Accumulator) error {
userStmts = UserStmts{
activate: acc.SimpleUpdate("users", "active = 1", "uid = ?"),
changeGroup: acc.SimpleUpdate("users", "group = ?", "uid = ?"),
delete: acc.SimpleDelete("users", "uid = ?"),
setAvatar: acc.SimpleUpdate("users", "avatar = ?", "uid = ?"),
setUsername: acc.SimpleUpdate("users", "name = ?", "uid = ?"),
updateGroup: acc.SimpleUpdate("users", "group = ?", "uid = ?"),
incrementTopics: acc.SimpleUpdate("users", "topics = topics + ?", "uid = ?"),
updateLevel: acc.SimpleUpdate("users", "level = ?", "uid = ?"),
incrementScore: acc.SimpleUpdate("users", "score = score + ?", "uid = ?"),
incrementPosts: acc.SimpleUpdate("users", "posts = posts + ?", "uid = ?"),
incrementBigposts: acc.SimpleUpdate("users", "posts = posts + ?, bigposts = bigposts + ?", "uid = ?"),
incrementMegaposts: acc.SimpleUpdate("users", "posts = posts + ?, bigposts = bigposts + ?, megaposts = megaposts + ?", "uid = ?"),
updateLastIP: acc.SimpleUpdate("users", "last_ip = ?", "uid = ?"),
setPassword: acc.SimpleUpdate("users", "password = ?, salt = ?", "uid = ?"),
}
return acc.FirstError()
})
}
func (user *User) Init() {
if user.Avatar != "" {
if user.Avatar[0] == '.' {
user.Avatar = "/uploads/avatar_" + strconv.Itoa(user.ID) + user.Avatar
}
} else {
user.Avatar = strings.Replace(Config.Noavatar, "{id}", strconv.Itoa(user.ID), 1)
}
user.Link = BuildProfileURL(NameToSlug(user.Name), user.ID)
user.Tag = Groups.DirtyGet(user.Group).Tag
user.InitPerms()
}
// TODO: Refactor this idiom into something shorter, maybe with a NullUserCache when one isn't set?
func (user *User) CacheRemove() {
ucache := Users.GetCache()
if ucache != nil {
ucache.Remove(user.ID)
}
}
func (user *User) Ban(duration time.Duration, issuedBy int) error {
return user.ScheduleGroupUpdate(BanGroup, issuedBy, duration)
}
func (user *User) Unban() error {
return user.RevertGroupUpdate()
}
func (user *User) deleteScheduleGroupTx(tx *sql.Tx) error {
deleteScheduleGroupStmt, err := qgen.Builder.SimpleDeleteTx(tx, "users_groups_scheduler", "uid = ?")
if err != nil {
return err
}
_, err = deleteScheduleGroupStmt.Exec(user.ID)
return err
}
func (user *User) setTempGroupTx(tx *sql.Tx, tempGroup int) error {
setTempGroupStmt, err := qgen.Builder.SimpleUpdateTx(tx, "users", "temp_group = ?", "uid = ?")
if err != nil {
return err
}
_, err = setTempGroupStmt.Exec(tempGroup, user.ID)
return err
}
// Make this more stateless?
func (user *User) ScheduleGroupUpdate(gid int, issuedBy int, duration time.Duration) error {
var temporary bool
if duration.Nanoseconds() != 0 {
temporary = true
}
revertAt := time.Now().Add(duration)
tx, err := qgen.Builder.Begin()
if err != nil {
return err
}
defer tx.Rollback()
err = user.deleteScheduleGroupTx(tx)
if err != nil {
return err
}
createScheduleGroupTx, err := qgen.Builder.SimpleInsertTx(tx, "users_groups_scheduler", "uid, set_group, issued_by, issued_at, revert_at, temporary", "?,?,?,UTC_TIMESTAMP(),?,?")
if err != nil {
return err
}
_, err = createScheduleGroupTx.Exec(user.ID, gid, issuedBy, revertAt, temporary)
if err != nil {
return err
}
err = user.setTempGroupTx(tx, gid)
if err != nil {
return err
}
err = tx.Commit()
user.CacheRemove()
return err
}
func (user *User) RevertGroupUpdate() error {
tx, err := qgen.Builder.Begin()
if err != nil {
return err
}
defer tx.Rollback()
err = user.deleteScheduleGroupTx(tx)
if err != nil {
return err
}
err = user.setTempGroupTx(tx, 0)
if err != nil {
return err
}
err = tx.Commit()
user.CacheRemove()
return err
}
// TODO: Use a transaction here
// ? - Add a Deactivate method? Not really needed, if someone's been bad you could do a ban, I guess it might be useful, if someone says that email x isn't actually owned by the user in question?
func (user *User) Activate() (err error) {
_, err = userStmts.activate.Exec(user.ID)
if err != nil {
return err
}
_, err = userStmts.changeGroup.Exec(Config.DefaultGroup, user.ID)
user.CacheRemove()
return err
}
// TODO: Write tests for this
// TODO: Delete this user's content too?
// TODO: Expose this to the admin?
func (user *User) Delete() error {
_, err := userStmts.delete.Exec(user.ID)
if err != nil {
return err
}
user.CacheRemove()
return err
}
func (user *User) ChangeName(username string) (err error) {
_, err = userStmts.setUsername.Exec(username, user.ID)
user.CacheRemove()
return err
}
func (user *User) ChangeAvatar(avatar string) (err error) {
_, err = userStmts.setAvatar.Exec(avatar, user.ID)
user.CacheRemove()
return err
}
func (user *User) ChangeGroup(group int) (err error) {
_, err = userStmts.updateGroup.Exec(group, user.ID)
user.CacheRemove()
return err
}
// ! Only updates the database not the *User for safety reasons
func (user *User) UpdateIP(host string) error {
_, err := userStmts.updateLastIP.Exec(host, user.ID)
return err
}
func (user *User) IncreasePostStats(wcount int, topic bool) (err error) {
var mod int
baseScore := 1
if topic {
_, err = userStmts.incrementTopics.Exec(1, user.ID)
if err != nil {
return err
}
baseScore = 2
}
settings := SettingBox.Load().(SettingMap)
if wcount >= settings["megapost_min_words"].(int) {
_, err = userStmts.incrementMegaposts.Exec(1, 1, 1, user.ID)
mod = 4
} else if wcount >= settings["bigpost_min_words"].(int) {
_, err = userStmts.incrementBigposts.Exec(1, 1, user.ID)
mod = 1
} else {
_, err = userStmts.incrementPosts.Exec(1, user.ID)
}
if err != nil {
return err
}
_, err = userStmts.incrementScore.Exec(baseScore+mod, user.ID)
if err != nil {
return err
}
//log.Print(user.Score + base_score + mod)
//log.Print(getLevel(user.Score + base_score + mod))
// TODO: Use a transaction to prevent level desyncs?
_, err = userStmts.updateLevel.Exec(GetLevel(user.Score+baseScore+mod), user.ID)
return err
}
func (user *User) DecreasePostStats(wcount int, topic bool) (err error) {
var mod int
baseScore := -1
if topic {
_, err = userStmts.incrementTopics.Exec(-1, user.ID)
if err != nil {
return err
}
baseScore = -2
}
settings := SettingBox.Load().(SettingMap)
if wcount >= settings["megapost_min_words"].(int) {
_, err = userStmts.incrementMegaposts.Exec(-1, -1, -1, user.ID)
mod = 4
} else if wcount >= settings["bigpost_min_words"].(int) {
_, err = userStmts.incrementBigposts.Exec(-1, -1, user.ID)
mod = 1
} else {
_, err = userStmts.incrementPosts.Exec(-1, user.ID)
}
if err != nil {
return err
}
_, err = userStmts.incrementScore.Exec(baseScore-mod, user.ID)
if err != nil {
return err
}
// TODO: Use a transaction to prevent level desyncs?
_, err = userStmts.updateLevel.Exec(GetLevel(user.Score-baseScore-mod), user.ID)
return err
}
// Copy gives you a non-pointer concurrency safe copy of the user
func (user *User) Copy() User {
return *user
}
// TODO: Write unit tests for this
func (user *User) InitPerms() {
if user.TempGroup != 0 {
user.Group = user.TempGroup
}
group := Groups.DirtyGet(user.Group)
if user.IsSuperAdmin {
user.Perms = AllPerms
user.PluginPerms = AllPluginPerms
} else {
user.Perms = group.Perms
user.PluginPerms = group.PluginPerms
}
user.IsAdmin = user.IsSuperAdmin || group.IsAdmin
user.IsSuperMod = user.IsAdmin || group.IsMod
user.IsMod = user.IsSuperMod
user.IsBanned = group.IsBanned
if user.IsBanned && user.IsSuperMod {
user.IsBanned = false
}
}
func BcryptCheckPassword(realPassword string, password string, salt string) (err error) {
return bcrypt.CompareHashAndPassword([]byte(realPassword), []byte(password+salt))
}
// Investigate. Do we need the extra salt?
func BcryptGeneratePassword(password string) (hashedPassword string, salt string, err error) {
salt, err = GenerateSafeString(SaltLength)
if err != nil {
return "", "", err
}
password = password + salt
hashedPassword, err = BcryptGeneratePasswordNoSalt(password)
if err != nil {
return "", "", err
}
return hashedPassword, salt, nil
}
func BcryptGeneratePasswordNoSalt(password string) (hash string, err error) {
hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
if err != nil {
return "", err
}
return string(hashedPassword), nil
}
// TODO: Move this to *User
func SetPassword(uid int, password string) error {
hashedPassword, salt, err := GeneratePassword(password)
if err != nil {
return err
}
_, err = userStmts.setPassword.Exec(hashedPassword, salt, uid)
return err
}
// TODO: Write units tests for this
func wordsToScore(wcount int, topic bool) (score int) {
if topic {
score = 2
} else {
score = 1
}
settings := SettingBox.Load().(SettingMap)
if wcount >= settings["megapost_min_words"].(int) {
score += 4
} else if wcount >= settings["bigpost_min_words"].(int) {
score++
}
return score
}
// For use in tests and to help generate dummy users for forums which don't have last posters
func BlankUser() *User {
return &User{ID: 0, Name: ""}
}
// TODO: Write unit tests for this
func BuildProfileURL(slug string, uid int) string {
if slug == "" {
return "/user/" + strconv.Itoa(uid)
}
return "/user/" + slug + "." + strconv.Itoa(uid)
}