Change require user input

The input now requires the password of the person changing the record. All other fields are now optiona. Signed-off-by: trivernis <trivernis@protonmail.com>
4 years ago · 0fae280c18
parent 81ae1a5c3e
commit 0fae280c18
3 changed files with 54 additions and 23 deletions
--- a/src/database/users.rs
+++ b/src/database/users.rs
@ -80,13 +80,12 @@ impl Users {

    pub fn update_user(
        &self,
-        old_email: String,
-        name: String,
-        email: String,
-        password: String,
+        old_email: &String,
+        name: &String,
+        email: &String,
+        password: &Option<String>,
    ) -> DatabaseResult<UserInformation> {
        let mut connection = self.pool.get()?;
-        let mut password = Zeroizing::new(password);
        if connection
            .query_opt("SELECT email FROM users WHERE email = $1", &[&old_email])?
            .is_none()
@ -105,14 +104,20 @@ impl Users {
                email
            )));
        }
-        let salt = Zeroizing::new(create_salt());
-        let pw_hash =
-            hash_password(password.as_bytes(), &*salt).map_err(|e| DBError::GenericError(e))?;
-        password.zeroize();
-        let new_record = connection.query_one(
-            "UPDATE users SET name = $1, email = $2, password_hash = $3, salt = $4 WHERE email = $5 RETURNING *",
-            &[&name, &email, &pw_hash.to_vec(), &salt.to_vec(), &old_email],
-        )?;
+        let new_record = if let Some(password) = password {
+            let salt = Zeroizing::new(create_salt());
+            let pw_hash =
+                hash_password(password.as_bytes(), &*salt).map_err(|e| DBError::GenericError(e))?;
+            connection.query_one(
+                "UPDATE users SET name = $1, email = $2, password_hash = $3, salt = $4 WHERE email = $5 RETURNING *",
+                &[&name, &email, &pw_hash.to_vec(), &salt.to_vec(), &old_email],
+            )?
+        } else {
+            connection.query_one(
+                "UPDATE users SET name = $1, email = $2 WHERE email = $3 RETURNING *",
+                &[&name, &email, &old_email],
+            )?
+        };

        Ok(serde_postgres::from_row::<UserInformation>(&new_record)?)
    }
@ -127,6 +132,18 @@ impl Users {
        Ok(serde_postgres::from_row::<UserInformation>(&result)?)
    }

+    pub fn get_user_by_email(&self, email: &String) -> DatabaseResult<UserInformation> {
+        let mut connection = self.pool.get()?;
+        let result = connection
+            .query_opt(
+                "SELECT id, name, email FROM users WHERE email = $1",
+                &[email],
+            )?
+            .ok_or(DBError::RecordDoesNotExist)?;
+
+        Ok(serde_postgres::from_row::<UserInformation>(&result)?)
+    }
+
    /// Creates new tokens for a user login that can be used by services
    /// that need those tokens to verify a user login
    pub fn create_tokens(
@ -219,7 +236,7 @@ impl Users {

    /// Validates the login data of the user by creating the hash for the given password
    /// and comparing it with the database entry
-    fn validate_login(&self, email: &String, password: &String) -> DatabaseResult<bool> {
+    pub fn validate_login(&self, email: &String, password: &String) -> DatabaseResult<bool> {
        let mut connection = self.pool.get()?;
        let row = connection
            .query_opt(
--- a/src/server/http_server.rs
+++ b/src/server/http_server.rs
@ -340,14 +340,26 @@ impl UserHttpServer {
        let (_, id) = validate_request_token(request, database)?;
        let message = deserialize_body::<UpdateUserRequest>(&request)?;
        let logged_in_user = database.users.get_user(id)?;
+        if !database
+            .users
+            .validate_login(&logged_in_user.email, &message.own_password)?
+        {
+            return Err(HTTPError::new(
+                "Invalid authentication data".to_string(),
+                401,
+            ));
+        }

-        if logged_in_user.email != message.email {
+        if logged_in_user.email != email {
            require_permission!(database, request, USER_UPDATE_PERM);
        }
-        let record =
-            database
-                .users
-                .update_user(email, message.name, message.email, message.password)?;
+        let user_record = database.users.get_user_by_email(&email)?;
+        let record = database.users.update_user(
+            &email,
+            &message.name.clone().unwrap_or(user_record.name),
+            &message.email.clone().unwrap_or(user_record.email),
+            &message.password,
+        )?;

        Ok(Response::json(&record))
    }
--- a/src/server/messages.rs
+++ b/src/server/messages.rs
@ -120,9 +120,11 @@ pub struct DeleteRoleResponse {
    pub role: String,
 }

-#[derive(Deserialize, JsonSchema)]
+#[derive(Deserialize, JsonSchema, Zeroize)]
+#[zeroize(drop)]
 pub struct UpdateUserRequest {
-    pub name: String,
-    pub email: String,
-    pub password: String,
+    pub name: Option<String>,
+    pub email: Option<String>,
+    pub password: Option<String>,
+    pub own_password: String,
 }