enforce display name lock

Author: KrodenDev

backend/app/server/user.go backend/app/server/users_api.gobackend/app/server/user.go renamed to backend/app/server/users_api.go

@@ -10,9 +10,8 @@ import (
 	"strings"
 )
 
-func validateUser(user *database.DBUser, response *models.FormResponse) {
-	// Title is required
-	if strings.Trim(user.DisplayName, " ") == "" {
+func validateDisplayName(displayName string, response *models.FormResponse) {
+	if displayName == "" {
 		response.AddError("DisplayName", "required")
 	}
 }
@@ -33,28 +32,47 @@ func (server *Server) GetUser(ctx *gin.Context) {
 	ctx.Status(http.StatusUnauthorized)
 }
 
-func (server *Server) PutUser(ctx *gin.Context) {
+type PutProfileRequest struct {
+	DisplayName string
+}
+
+func (server *Server) PutProfile(ctx *gin.Context) {
 	session := sessions.Default(ctx)
 	userId := session.Get("userId")
 	if userId != nil {
-		var user database.DBUser
-		err := ctx.ShouldBindJSON(&user)
+		user, err := database.GetUser(convert.StringToUUID(userId.(string)))
+		if err != nil {
+			logger.Error("PutProfile: GetUser error: %v", err)
+			ctx.Status(http.StatusInternalServerError)
+			return
+		}
+
+		// admin display name lock prevents a user from changing it
+		if user.LockDisplayName {
+			logger.Info("DisplayName Locked")
+			ctx.Status(http.StatusForbidden)
+			return
+		}
+
+		var request PutProfileRequest
+		err = ctx.ShouldBindJSON(&request)
 		if err != nil {
 			ctx.Status(http.StatusBadRequest)
 			return
 		}
 
 		response := models.NewFormResponse()
+		request.DisplayName = strings.Trim(request.DisplayName, " ")
 
 		// Perform validation
-		validateUser(&user, &response)
+		validateDisplayName(request.DisplayName, &response)
 		if len(response.Errors) > 0 {
 			logger.Error("Validation Error: %v+", user)
 			ctx.JSON(http.StatusBadRequest, response)
 			return
 		}
 
-		user.Id = convert.StringToUUID(userId.(string))
+		user.DisplayName = request.DisplayName
 		_, err = database.UpdateUser(user)
 		if err != nil {
 			logger.Error("Error calling database.UpdateEvent: %v", err)
@@ -92,7 +110,7 @@ func (server *Server) SetupUserRoutes() {
 	group := server.Gin.Group("/user")
 	{
 		group.GET("/", server.GetUser)
-		group.PUT("/", server.PutUser)
+		group.PUT("/profile", server.PutProfile)
 		group.GET("/logout", server.Logout)
 	}
 

html/src/lib/pages/ProfilePage.svelte

@@ -1,12 +1,14 @@
 <script lang="ts">
 
     import Page from "../components/Page.svelte";
-    import {Button, Card, Input, Spinner} from "flowbite-svelte";
+    import {Button, Card, Input, Spinner, Tooltip} from "flowbite-svelte";
     import FormField from "../components/FormField.svelte";
     import Form from "../components/Form.svelte";
     import type {ActiveUser, User} from "../models/user";
     import {putProfile} from "../services/services";
     import {activeUserStore} from "../stores/stores";
+    import {FontAwesomeIcon} from "@fortawesome/svelte-fontawesome";
+    import {faLock} from "@fortawesome/free-solid-svg-icons";
 
     let isSaving : boolean = false;
     let formData: User | null = null;
@@ -24,7 +26,7 @@
             isSaving = true;
             clearErrors();
             try {
-                const response = await putProfile(formData);
+                const response = await putProfile(formData.DisplayName);
                 parseResponse(response);
                 const responseData = await response.json();
                 activeUserStore.set(<ActiveUser>{user: <User>responseData.Data, loggedIn: true});
@@ -41,27 +43,38 @@
 
 <Page>
 
-    <Card size="xl" class="w-full">
+    <Card size="lg" class="w-full">
         <h2>Edit Profile</h2>
-        {#if formData !== null}
-            <div class="flex flex-col gap-8 my-8">
-                <Form bind:clearErrors bind:parseResponse>
-                    <FormField label="Display Name" name="DisplayName">
-                        <Input bind:value={formData.DisplayName}></Input>
-                    </FormField>
-                </Form>
-            </div>
+        {#await $activeUserStore}
+        {:then activeUser}
+            {#if formData !== null}
+                {#if activeUser !== null}
+                    <div class="flex flex-col gap-8 my-8">
+                        <Form bind:clearErrors bind:parseResponse>
+                            {#if activeUser.user?.LockDisplayName}
+                                <div class="font-bold">
+                                    Display Name <FontAwesomeIcon icon={faLock}/>
+                                    <Tooltip>Your Display Name has been locked by an admin and may not be changed</Tooltip>
+                                </div>
+                                <div>{formData.DisplayName}</div>
+                            {:else}
+                                <FormField label="Display Name" name="DisplayName">
+                                    <Input bind:value={formData.DisplayName}></Input>
+                                </FormField>
+                            {/if}
+                        </Form>
+                    </div>
 
-            <Button on:click={saveForm} disabled={isSaving}>
-                {#if isSaving}
-                    <Spinner />
-                {:else}
-                    Save
+                    <Button on:click={saveForm} disabled={isSaving || activeUser.user?.LockDisplayName}>
+                        {#if isSaving}
+                            <Spinner />
+                        {:else}
+                            Save
+                        {/if}
+                    </Button>
                 {/if}
-            </Button>
-        {:else}
-            <Spinner />
-        {/if}
+            {/if}
+        {/await}
     </Card>
 
 

html/src/lib/services/services.ts

@@ -46,12 +46,19 @@ export async function getUser() {
         });
 }
 
-export async function putProfile(user: User): Promise<Response> {
-    return fetch(baseApiUrl + "/user/",
-        {
-            method: "PUT",
-            body: JSON.stringify(user)
-        });
+interface PutProfileRequest {
+    DisplayName : string,
+}
+export async function putProfile(displayName: string): Promise<Response> {
+    const requestInit : RequestInit = {
+        method: 'PUT',
+        body: JSON.stringify(
+            <PutProfileRequest>{
+                DisplayName: displayName
+            }
+        )
+    }
+    return await fetch(`${baseApiUrl}/user/profile/`, requestInit);
 }
 
 export async function logout() {