User deletion.

This commit is contained in:
Karchnu 2020-10-13 06:21:58 +02:00
parent 90ccd50c80
commit baa86bf667
3 changed files with 53 additions and 4 deletions

View File

@ -62,11 +62,11 @@ class AuthD::Service
return Response::Error.new "invalid credentials"
end
if user.password_hash != hash_password request.password
if user.nil?
return Response::Error.new "invalid credentials"
end
if user.nil?
if user.password_hash != hash_password request.password
return Response::Error.new "invalid credentials"
end
@ -517,6 +517,55 @@ class AuthD::Service
@users_per_uid.update user
Response::UserEdited.new user.uid
when Request::Delete
uid_or_login = request.user
user_to_delete = if uid_or_login.is_a? Int32
@users_per_uid.get? uid_or_login.to_s
else
@users_per_login.get? uid_or_login
end
if user_to_delete.nil?
return Response::Error.new "invalid user"
end
# Either the request comes from an admin or the user.
# Shared key == admin, check the key.
if key = request.shared_key
return Response::Error.new "unauthorized (wrong shared key)" unless key == @jwt_key
else
login = request.login
pass = request.password
if login.nil? || pass.nil?
return Response::Error.new "authentication failed (no shared key, no login)"
end
# authenticate the user
begin
user = @users_per_login.get login
rescue e : DODB::MissingEntry
return Response::Error.new "invalid credentials"
end
if user.nil?
return Response::Error.new "invalid credentials"
end
if user.password_hash != hash_password pass
return Response::Error.new "invalid credentials"
end
# Is the user to delete the requesting user?
if user.uid != user_to_delete.uid
return Response::Error.new "invalid credentials"
end
end
# User or admin is now verified: let's proceed with the user deletion.
@users_per_login.delete user_to_delete.login
# TODO: better response
Response::User.new user_to_delete.to_public
else
Response::Error.new "unhandled request type"
end

View File

@ -136,7 +136,7 @@ class Actions
def user_deletion
args = Context.args.not_nil!
userid = args[0]
userid = args[0].to_i
# Check if the request comes from an admin or the user.
res = if Context.shared_key.nil?

View File

@ -113,7 +113,7 @@ parser = OptionParser.new do |parser|
parser.on "delete", "Remove user." do
parser.banner = "Usage: user delete userid [opt]"
Baguette::Log.info "Remove user."
Context.command = "delete"
Context.command = "user-delete"
# You can either be the owner of the account, or an admin.
opt_authd_login.call parser
opt_authd_admin.call parser