BookStack/app/Http/Controllers/Api/UserApiController.php

<?php

namespace BookStack\Http\Controllers\Api;

use BookStack\Auth\User;
use BookStack\Auth\UserRepo;
use BookStack\Exceptions\UserUpdateException;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;
use Illuminate\Validation\Rules\Password;
use Illuminate\Validation\Rules\Unique;

class UserApiController extends ApiController
{
    protected $userRepo;

    protected $fieldsToExpose = [
        'email', 'created_at', 'updated_at', 'last_activity_at', 'external_auth_id',
    ];

    public function __construct(UserRepo $userRepo)
    {
        $this->userRepo = $userRepo;

        // Checks for all endpoints in this controller
        $this->middleware(function ($request, $next) {
            $this->checkPermission('users-manage');
            $this->preventAccessInDemoMode();

            return $next($request);
        });
    }

    protected function rules(int $userId = null): array
    {
        return [
            'create' => [
                'name'  => ['required', 'min:2', 'max:100'],
                'email' => [
                    'required', 'min:2', 'email', new Unique('users', 'email'),
                ],
                'external_auth_id' => ['string'],
                'language'         => ['string', 'max:15', 'alpha_dash'],
                'password'         => [Password::default()],
                'roles'            => ['array'],
                'roles.*'          => ['integer'],
                'send_invite'      => ['boolean'],
            ],
            'update' => [
                'name'  => ['min:2', 'max:100'],
                'email' => [
                    'min:2',
                    'email',
                    (new Unique('users', 'email'))->ignore($userId ?? null),
                ],
                'external_auth_id' => ['string'],
                'language'         => ['string', 'max:15', 'alpha_dash'],
                'password'         => [Password::default()],
                'roles'            => ['array'],
                'roles.*'          => ['integer'],
            ],
            'delete' => [
                'migrate_ownership_id' => ['integer', 'exists:users,id'],
            ],
        ];
    }

    /**
     * Get a listing of users in the system.
     * Requires permission to manage users.
     */
    public function list()
    {
        $users = User::query()->select(['*'])
            ->scopes('withLastActivityAt')
            ->with(['avatar']);

        return $this->apiListingResponse($users, [
            'id', 'name', 'slug', 'email', 'external_auth_id',
            'created_at', 'updated_at', 'last_activity_at',
        ], [Closure::fromCallable([$this, 'listFormatter'])]);
    }

    /**
     * Create a new user in the system.
     * Requires permission to manage users.
     */
    public function create(Request $request)
    {
        $data = $this->validate($request, $this->rules()['create']);
        $sendInvite = ($data['send_invite'] ?? false) === true;

        $user = null;
        DB::transaction(function () use ($data, $sendInvite, &$user) {
            $user = $this->userRepo->create($data, $sendInvite);
        });

        $this->singleFormatter($user);

        return response()->json($user);
    }

    /**
     * View the details of a single user.
     * Requires permission to manage users.
     */
    public function read(string $id)
    {
        $user = $this->userRepo->getById($id);
        $this->singleFormatter($user);

        return response()->json($user);
    }

    /**
     * Update an existing user in the system.
     * Requires permission to manage users.
     *
     * @throws UserUpdateException
     */
    public function update(Request $request, string $id)
    {
        $data = $this->validate($request, $this->rules($id)['update']);
        $user = $this->userRepo->getById($id);
        $this->userRepo->update($user, $data, userCan('users-manage'));
        $this->singleFormatter($user);

        return response()->json($user);
    }

    /**
     * Delete a user from the system.
     * Can optionally accept a user id via `migrate_ownership_id` to indicate
     * who should be the new owner of their related content.
     * Requires permission to manage users.
     */
    public function delete(Request $request, string $id)
    {
        $user = $this->userRepo->getById($id);
        $newOwnerId = $request->get('migrate_ownership_id', null);

        $this->userRepo->destroy($user, $newOwnerId);

        return response('', 204);
    }

    /**
     * Format the given user model for single-result display.
     */
    protected function singleFormatter(User $user)
    {
        $this->listFormatter($user);
        $user->load('roles:id,display_name');
        $user->makeVisible(['roles']);
    }

    /**
     * Format the given user model for a listing multi-result display.
     */
    protected function listFormatter(User $user)
    {
        $user->makeVisible($this->fieldsToExpose);
        $user->setAttribute('profile_url', $user->getProfileUrl());
        $user->setAttribute('edit_url', $user->getEditUrl());
        $user->setAttribute('avatar_url', $user->getAvatar());
    }
}
Test API Endpoint for users 2021-05-05 07:46:14 -04:00			`<?php`

			`namespace BookStack\Http\Controllers\Api;`

			`use BookStack\Auth\User;`
			`use BookStack\Auth\UserRepo;`
Added user-create API endpoint - Required extracting logic into repo. - Changed some existing creation paths to standardise behaviour. - Added test to cover new endpoint. - Added extra test for user delete to test migration. - Changed how permission errors are thrown to ensure the right status code can be reported when handled in API. 2022-02-03 19:26:19 -05:00			`use BookStack\Exceptions\UserUpdateException;`
Refactored existing user API work - Updated routes to use new format. - Changed how hidden fields are exposed to be more flexible to different use-cases. - Updated properties available on read/list results. - Started adding testing coverage. - Removed old unused UserRepo 'getAllUsers' function. Related to #2701, Progression of #2734 2022-02-03 07:33:26 -05:00			`use Closure;`
Added users-delete API endpoint - Refactored some delete checks into repo. - Added tests to cover. - Moved some translations to align with activity/logging system. 2022-02-03 10:12:50 -05:00			`use Illuminate\Http\Request;`
Added user-create API endpoint - Required extracting logic into repo. - Changed some existing creation paths to standardise behaviour. - Added test to cover new endpoint. - Added extra test for user delete to test migration. - Changed how permission errors are thrown to ensure the right status code can be reported when handled in API. 2022-02-03 19:26:19 -05:00			`use Illuminate\Support\Facades\DB;`
Added user-update API endpoint - Required changing the docs generator to handle more complex object-style rules. Bit of a hack for some types (password). - Extracted core update logic to repo for sharing with API. - Moved user update language string to align with activity/logging system. - Added tests to cover. 2022-02-03 11:52:28 -05:00			`use Illuminate\Validation\Rules\Password;`
			`use Illuminate\Validation\Rules\Unique;`
Test API Endpoint for users 2021-05-05 07:46:14 -04:00
			`class UserApiController extends ApiController`
			`{`
			`protected $userRepo;`

Refactored existing user API work - Updated routes to use new format. - Changed how hidden fields are exposed to be more flexible to different use-cases. - Updated properties available on read/list results. - Started adding testing coverage. - Removed old unused UserRepo 'getAllUsers' function. Related to #2701, Progression of #2734 2022-02-03 07:33:26 -05:00			`protected $fieldsToExpose = [`
Updated with latest styleci changes 2022-02-08 10:29:58 -05:00			`'email', 'created_at', 'updated_at', 'last_activity_at', 'external_auth_id',`
Extend /users API endpoint * add /users/{id} to get a single user * add variable to print fields that are otherwise hidden (e.g. email) 2021-05-06 05:10:49 -04:00			`];`

Refactored existing user API work - Updated routes to use new format. - Changed how hidden fields are exposed to be more flexible to different use-cases. - Updated properties available on read/list results. - Started adding testing coverage. - Removed old unused UserRepo 'getAllUsers' function. Related to #2701, Progression of #2734 2022-02-03 07:33:26 -05:00			`public function __construct(UserRepo $userRepo)`
Test API Endpoint for users 2021-05-05 07:46:14 -04:00			`{`
			`$this->userRepo = $userRepo;`
Added user-create API endpoint - Required extracting logic into repo. - Changed some existing creation paths to standardise behaviour. - Added test to cover new endpoint. - Added extra test for user delete to test migration. - Changed how permission errors are thrown to ensure the right status code can be reported when handled in API. 2022-02-03 19:26:19 -05:00
			`// Checks for all endpoints in this controller`
			`$this->middleware(function ($request, $next) {`
			`$this->checkPermission('users-manage');`
			`$this->preventAccessInDemoMode();`
Updated with latest styleci changes 2022-02-08 10:29:58 -05:00
Added user-create API endpoint - Required extracting logic into repo. - Changed some existing creation paths to standardise behaviour. - Added test to cover new endpoint. - Added extra test for user delete to test migration. - Changed how permission errors are thrown to ensure the right status code can be reported when handled in API. 2022-02-03 19:26:19 -05:00			`return $next($request);`
			`});`
Test API Endpoint for users 2021-05-05 07:46:14 -04:00			`}`

Added user-update API endpoint - Required changing the docs generator to handle more complex object-style rules. Bit of a hack for some types (password). - Extracted core update logic to repo for sharing with API. - Moved user update language string to align with activity/logging system. - Added tests to cover. 2022-02-03 11:52:28 -05:00			`protected function rules(int $userId = null): array`
			`{`
			`return [`
			`'create' => [`
Set a fairly sensible limit on user name validation Also updated controller properties with types within modified files. Related to #3614 2022-08-09 07:40:59 -04:00			`'name' => ['required', 'min:2', 'max:100'],`
Added user-create API endpoint - Required extracting logic into repo. - Changed some existing creation paths to standardise behaviour. - Added test to cover new endpoint. - Added extra test for user delete to test migration. - Changed how permission errors are thrown to ensure the right status code can be reported when handled in API. 2022-02-03 19:26:19 -05:00			`'email' => [`
Updated with latest styleci changes 2022-02-08 10:29:58 -05:00			`'required', 'min:2', 'email', new Unique('users', 'email'),`
Added user-create API endpoint - Required extracting logic into repo. - Changed some existing creation paths to standardise behaviour. - Added test to cover new endpoint. - Added extra test for user delete to test migration. - Changed how permission errors are thrown to ensure the right status code can be reported when handled in API. 2022-02-03 19:26:19 -05:00			`],`
			`'external_auth_id' => ['string'],`
Sprinkled in some user language validation For #3615 2022-08-04 12:24:04 -04:00			`'language' => ['string', 'max:15', 'alpha_dash'],`
Updated with latest styleci changes 2022-02-08 10:29:58 -05:00			`'password' => [Password::default()],`
			`'roles' => ['array'],`
			`'roles.*' => ['integer'],`
			`'send_invite' => ['boolean'],`
Added user-update API endpoint - Required changing the docs generator to handle more complex object-style rules. Bit of a hack for some types (password). - Extracted core update logic to repo for sharing with API. - Moved user update language string to align with activity/logging system. - Added tests to cover. 2022-02-03 11:52:28 -05:00			`],`
			`'update' => [`
Set a fairly sensible limit on user name validation Also updated controller properties with types within modified files. Related to #3614 2022-08-09 07:40:59 -04:00			`'name' => ['min:2', 'max:100'],`
Added user-update API endpoint - Required changing the docs generator to handle more complex object-style rules. Bit of a hack for some types (password). - Extracted core update logic to repo for sharing with API. - Moved user update language string to align with activity/logging system. - Added tests to cover. 2022-02-03 11:52:28 -05:00			`'email' => [`
			`'min:2',`
			`'email',`
Updated with latest styleci changes 2022-02-08 10:29:58 -05:00			`(new Unique('users', 'email'))->ignore($userId ?? null),`
Added user-update API endpoint - Required changing the docs generator to handle more complex object-style rules. Bit of a hack for some types (password). - Extracted core update logic to repo for sharing with API. - Moved user update language string to align with activity/logging system. - Added tests to cover. 2022-02-03 11:52:28 -05:00			`],`
			`'external_auth_id' => ['string'],`
Sprinkled in some user language validation For #3615 2022-08-04 12:24:04 -04:00			`'language' => ['string', 'max:15', 'alpha_dash'],`
Updated with latest styleci changes 2022-02-08 10:29:58 -05:00			`'password' => [Password::default()],`
			`'roles' => ['array'],`
			`'roles.*' => ['integer'],`
Added user-update API endpoint - Required changing the docs generator to handle more complex object-style rules. Bit of a hack for some types (password). - Extracted core update logic to repo for sharing with API. - Moved user update language string to align with activity/logging system. - Added tests to cover. 2022-02-03 11:52:28 -05:00			`],`
			`'delete' => [`
			`'migrate_ownership_id' => ['integer', 'exists:users,id'],`
			`],`
			`];`
			`}`

Test API Endpoint for users 2021-05-05 07:46:14 -04:00			`/**`
Refactored existing user API work - Updated routes to use new format. - Changed how hidden fields are exposed to be more flexible to different use-cases. - Updated properties available on read/list results. - Started adding testing coverage. - Removed old unused UserRepo 'getAllUsers' function. Related to #2701, Progression of #2734 2022-02-03 07:33:26 -05:00			`* Get a listing of users in the system.`
			`* Requires permission to manage users.`
Test API Endpoint for users 2021-05-05 07:46:14 -04:00			`*/`
			`public function list()`
			`{`
Made a pass to clean up UserRepo 2022-02-13 07:56:26 -05:00			`$users = User::query()->select(['*'])`
			`->scopes('withLastActivityAt')`
			`->with(['avatar']);`
Test API Endpoint for users 2021-05-05 07:46:14 -04:00
			`return $this->apiListingResponse($users, [`
Refactored existing user API work - Updated routes to use new format. - Changed how hidden fields are exposed to be more flexible to different use-cases. - Updated properties available on read/list results. - Started adding testing coverage. - Removed old unused UserRepo 'getAllUsers' function. Related to #2701, Progression of #2734 2022-02-03 07:33:26 -05:00			`'id', 'name', 'slug', 'email', 'external_auth_id',`
Extend /users API endpoint * add /users/{id} to get a single user * add variable to print fields that are otherwise hidden (e.g. email) 2021-05-06 05:10:49 -04:00			`'created_at', 'updated_at', 'last_activity_at',`
Refactored existing user API work - Updated routes to use new format. - Changed how hidden fields are exposed to be more flexible to different use-cases. - Updated properties available on read/list results. - Started adding testing coverage. - Removed old unused UserRepo 'getAllUsers' function. Related to #2701, Progression of #2734 2022-02-03 07:33:26 -05:00			`], [Closure::fromCallable([$this, 'listFormatter'])]);`
Extend /users API endpoint * add /users/{id} to get a single user * add variable to print fields that are otherwise hidden (e.g. email) 2021-05-06 05:10:49 -04:00			`}`

Added user-create API endpoint - Required extracting logic into repo. - Changed some existing creation paths to standardise behaviour. - Added test to cover new endpoint. - Added extra test for user delete to test migration. - Changed how permission errors are thrown to ensure the right status code can be reported when handled in API. 2022-02-03 19:26:19 -05:00			`/**`
			`* Create a new user in the system.`
Added user API examples 2022-02-03 19:44:56 -05:00			`* Requires permission to manage users.`
Added user-create API endpoint - Required extracting logic into repo. - Changed some existing creation paths to standardise behaviour. - Added test to cover new endpoint. - Added extra test for user delete to test migration. - Changed how permission errors are thrown to ensure the right status code can be reported when handled in API. 2022-02-03 19:26:19 -05:00			`*/`
			`public function create(Request $request)`
			`{`
			`$data = $this->validate($request, $this->rules()['create']);`
			`$sendInvite = ($data['send_invite'] ?? false) === true;`

			`$user = null;`
			`DB::transaction(function () use ($data, $sendInvite, &$user) {`
			`$user = $this->userRepo->create($data, $sendInvite);`
			`});`

			`$this->singleFormatter($user);`

			`return response()->json($user);`
			`}`

Extend /users API endpoint * add /users/{id} to get a single user * add variable to print fields that are otherwise hidden (e.g. email) 2021-05-06 05:10:49 -04:00			`/**`
Refactored existing user API work - Updated routes to use new format. - Changed how hidden fields are exposed to be more flexible to different use-cases. - Updated properties available on read/list results. - Started adding testing coverage. - Removed old unused UserRepo 'getAllUsers' function. Related to #2701, Progression of #2734 2022-02-03 07:33:26 -05:00			`* View the details of a single user.`
			`* Requires permission to manage users.`
Extend /users API endpoint * add /users/{id} to get a single user * add variable to print fields that are otherwise hidden (e.g. email) 2021-05-06 05:10:49 -04:00			`*/`
			`public function read(string $id)`
			`{`
Added user-update API endpoint - Required changing the docs generator to handle more complex object-style rules. Bit of a hack for some types (password). - Extracted core update logic to repo for sharing with API. - Moved user update language string to align with activity/logging system. - Added tests to cover. 2022-02-03 11:52:28 -05:00			`$user = $this->userRepo->getById($id);`
			`$this->singleFormatter($user);`

			`return response()->json($user);`
			`}`

			`/**`
			`* Update an existing user in the system.`
Added user API examples 2022-02-03 19:44:56 -05:00			`* Requires permission to manage users.`
Updated with latest styleci changes 2022-02-08 10:29:58 -05:00			`*`
Added user-create API endpoint - Required extracting logic into repo. - Changed some existing creation paths to standardise behaviour. - Added test to cover new endpoint. - Added extra test for user delete to test migration. - Changed how permission errors are thrown to ensure the right status code can be reported when handled in API. 2022-02-03 19:26:19 -05:00			`* @throws UserUpdateException`
Added user-update API endpoint - Required changing the docs generator to handle more complex object-style rules. Bit of a hack for some types (password). - Extracted core update logic to repo for sharing with API. - Moved user update language string to align with activity/logging system. - Added tests to cover. 2022-02-03 11:52:28 -05:00			`*/`
			`public function update(Request $request, string $id)`
			`{`
			`$data = $this->validate($request, $this->rules($id)['update']);`
			`$user = $this->userRepo->getById($id);`
			`$this->userRepo->update($user, $data, userCan('users-manage'));`
			`$this->singleFormatter($user);`
Extend /users API endpoint * add /users/{id} to get a single user * add variable to print fields that are otherwise hidden (e.g. email) 2021-05-06 05:10:49 -04:00
Added user-update API endpoint - Required changing the docs generator to handle more complex object-style rules. Bit of a hack for some types (password). - Extracted core update logic to repo for sharing with API. - Moved user update language string to align with activity/logging system. - Added tests to cover. 2022-02-03 11:52:28 -05:00			`return response()->json($user);`
Test API Endpoint for users 2021-05-05 07:46:14 -04:00			`}`
Refactored existing user API work - Updated routes to use new format. - Changed how hidden fields are exposed to be more flexible to different use-cases. - Updated properties available on read/list results. - Started adding testing coverage. - Removed old unused UserRepo 'getAllUsers' function. Related to #2701, Progression of #2734 2022-02-03 07:33:26 -05:00
Added users-delete API endpoint - Refactored some delete checks into repo. - Added tests to cover. - Moved some translations to align with activity/logging system. 2022-02-03 10:12:50 -05:00			`/**`
			`* Delete a user from the system.`
			* Can optionally accept a user id via `migrate_ownership_id` to indicate
			`* who should be the new owner of their related content.`
			`* Requires permission to manage users.`
			`*/`
			`public function delete(Request $request, string $id)`
			`{`
			`$user = $this->userRepo->getById($id);`
			`$newOwnerId = $request->get('migrate_ownership_id', null);`

			`$this->userRepo->destroy($user, $newOwnerId);`

			`return response('', 204);`
			`}`

Refactored existing user API work - Updated routes to use new format. - Changed how hidden fields are exposed to be more flexible to different use-cases. - Updated properties available on read/list results. - Started adding testing coverage. - Removed old unused UserRepo 'getAllUsers' function. Related to #2701, Progression of #2734 2022-02-03 07:33:26 -05:00			`/**`
			`* Format the given user model for single-result display.`
			`*/`
			`protected function singleFormatter(User $user)`
			`{`
			`$this->listFormatter($user);`
			`$user->load('roles:id,display_name');`
			`$user->makeVisible(['roles']);`
			`}`

			`/**`
			`* Format the given user model for a listing multi-result display.`
			`*/`
			`protected function listFormatter(User $user)`
			`{`
			`$user->makeVisible($this->fieldsToExpose);`
			`$user->setAttribute('profile_url', $user->getProfileUrl());`
			`$user->setAttribute('edit_url', $user->getEditUrl());`
			`$user->setAttribute('avatar_url', $user->getAvatar());`
			`}`
Test API Endpoint for users 2021-05-05 07:46:14 -04:00			`}`