User edit -> Alpine Ajax

This commit is contained in:
Simon Martens
2025-05-29 16:21:59 +02:00
parent cbbfa77865
commit 3b9ec7d493
7 changed files with 39 additions and 34 deletions


@@ -3,7 +3,6 @@ package controllers
import ( import (
"fmt" "fmt"
"log/slog" "log/slog"
"time"
"github.com/Theodor-Springmann-Stiftung/musenalm/app" "github.com/Theodor-Springmann-Stiftung/musenalm/app"
"github.com/Theodor-Springmann-Stiftung/musenalm/dbmodels" "github.com/Theodor-Springmann-Stiftung/musenalm/dbmodels"
@@ -76,12 +75,8 @@ func (p *UserEditPage) getData(app core.App, data map[string]any, e *core.Reques
data["user"] = &fu data["user"] = &fu
data["db_user"] = user data["db_user"] = user
nonce, token, err := CSRF_CACHE.GenerateTokenBundleWithExpiration(2 * time.Hour) req := templating.NewRequest(e)
if err != nil { data["csrf_token"] = req.Session().Token
return fmt.Errorf("Konnte CSRF-Token nicht generieren: %w", err)
}
data["csrf_token"] = token
data["csrf_nonce"] = nonce
SetRedirect(data, e) SetRedirect(data, e)
@@ -135,13 +130,13 @@ func (p *UserEditPage) POSTDeactivate(engine *templating.Engine, app core.App) H
return func(e *core.RequestEvent) error { return func(e *core.RequestEvent) error {
data := make(map[string]any) data := make(map[string]any)
err := p.getData(app, data, e) err := p.getData(app, data, e)
req := templating.NewRequest(e)
if err != nil { if err != nil {
return engine.Response500(e, err, data) return engine.Response500(e, err, data)
} }
formdata := struct { formdata := struct {
CSRF string `form:"csrf_token"` CSRF string `form:"csrf_token"`
Nonce string `form:"csrf_nonce"`
}{} }{}
user := data["db_user"].(*dbmodels.User) user := data["db_user"].(*dbmodels.User)
@@ -150,10 +145,14 @@ func (p *UserEditPage) POSTDeactivate(engine *templating.Engine, app core.App) H
return p.InvalidDataResponse(engine, e, "Formulardaten ungültig.", user.Fixed()) return p.InvalidDataResponse(engine, e, "Formulardaten ungültig.", user.Fixed())
} }
if _, err := CSRF_CACHE.ValidateTokenBundle(formdata.Nonce, formdata.CSRF); err != nil { if err := req.CheckCSRF(formdata.CSRF); err != nil {
return p.InvalidDataResponse(engine, e, err.Error(), user.Fixed()) return p.InvalidDataResponse(engine, e, err.Error(), user.Fixed())
} }
if formdata.CSRF != req.Session().Token {
return p.InvalidDataResponse(engine, e, "CSRF-Token ungültig", user.Fixed())
}
user.SetDeactivated(true) user.SetDeactivated(true)
if err := app.Save(user); err != nil { if err := app.Save(user); err != nil {
@@ -162,7 +161,6 @@ func (p *UserEditPage) POSTDeactivate(engine *templating.Engine, app core.App) H
DeleteSessionsForUser(app, user.Id) DeleteSessionsForUser(app, user.Id)
req := templating.NewRequest(e)
if req.User() != nil && req.User().Id == user.Id { if req.User() != nil && req.User().Id == user.Id {
return e.Redirect(303, "/login/") return e.Redirect(303, "/login/")
} }
@@ -179,6 +177,7 @@ func (p *UserEditPage) POSTDeactivate(engine *templating.Engine, app core.App) H
func (p *UserEditPage) POSTActivate(engine *templating.Engine, app core.App) HandleFunc { func (p *UserEditPage) POSTActivate(engine *templating.Engine, app core.App) HandleFunc {
return func(e *core.RequestEvent) error { return func(e *core.RequestEvent) error {
data := make(map[string]any) data := make(map[string]any)
req := templating.NewRequest(e)
err := p.getData(app, data, e) err := p.getData(app, data, e)
if err != nil { if err != nil {
return engine.Response500(e, err, data) return engine.Response500(e, err, data)
@@ -188,14 +187,13 @@ func (p *UserEditPage) POSTActivate(engine *templating.Engine, app core.App) Han
formdata := struct { formdata := struct {
CSRF string `form:"csrf_token"` CSRF string `form:"csrf_token"`
Nonce string `form:"csrf_nonce"`
}{} }{}
if err := e.BindBody(&formdata); err != nil { if err := e.BindBody(&formdata); err != nil {
return p.InvalidDataResponse(engine, e, "Formulardaten ungültig.", user.Fixed()) return p.InvalidDataResponse(engine, e, "Formulardaten ungültig.", user.Fixed())
} }
if _, err := CSRF_CACHE.ValidateTokenBundle(formdata.Nonce, formdata.CSRF); err != nil { if err := req.CheckCSRF(formdata.CSRF); err != nil {
return p.InvalidDataResponse(engine, e, err.Error(), user.Fixed()) return p.InvalidDataResponse(engine, e, err.Error(), user.Fixed())
} }
@@ -233,8 +231,7 @@ func (p *UserEditPage) POST(engine *templating.Engine, app core.App) HandleFunc
Email string `form:"username"` Email string `form:"username"`
Name string `form:"name"` Name string `form:"name"`
Role string `form:"role"` Role string `form:"role"`
CsrfNonce string `form:"csrf_nonce"` CSRF string `form:"csrf_token"`
CsrfToken string `form:"csrf_token"`
Password string `form:"password"` Password string `form:"password"`
PasswordRepeat string `form:"password_repeat"` PasswordRepeat string `form:"password_repeat"`
OldPassword string `form:"old_password"` OldPassword string `form:"old_password"`
@@ -245,12 +242,8 @@ func (p *UserEditPage) POST(engine *templating.Engine, app core.App) HandleFunc
return p.InvalidDataResponse(engine, e, err.Error(), fu) return p.InvalidDataResponse(engine, e, err.Error(), fu)
} }
if formdata.CsrfNonce != "" && formdata.CsrfToken != "" { if err := req.CheckCSRF(formdata.CSRF); err != nil {
if _, err := CSRF_CACHE.ValidateTokenBundle(formdata.CsrfNonce, formdata.CsrfToken); err != nil { return p.InvalidDataResponse(engine, e, err.Error(), fu)
return p.InvalidDataResponse(engine, e, "CSRF ungültig oder abgelaufen", fu)
}
} else {
return p.InvalidDataResponse(engine, e, "CSRF ungültig oder abgelaufen", fu)
} }
if formdata.Email == "" || formdata.Name == "" { if formdata.Email == "" || formdata.Name == "" {
@@ -315,13 +308,7 @@ func (p *UserEditPage) POST(engine *templating.Engine, app core.App) HandleFunc
data["success"] = "Benutzer erfolgreich bearbeitet" data["success"] = "Benutzer erfolgreich bearbeitet"
nonce, token, err := CSRF_CACHE.GenerateTokenBundleWithExpiration(2 * time.Hour) data["csrf_token"] = req.Session().Token
if err != nil {
return engine.Response500(e, err, nil)
}
data["csrf_token"] = token
data["csrf_nonce"] = nonce
return engine.Response200(e, TEMPLATE_USER_EDIT, data, p.Layout) return engine.Response200(e, TEMPLATE_USER_EDIT, data, p.Layout)
} }
} }
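Review bot: The block `if formdata.CSRF != req.Session().Token { return p.InvalidDataResponse(engine, e, "CSRF-Token ungültig", user.Fixed()) }` in POSTDeactivate is redundant — `req.CheckCSRF(formdata.CSRF)` directly above already rejects a nil session, an empty token and any mismatch — so it can be deleted, which also makes POSTDeactivate match POSTActivate and POST. More importantly, all three handlers now render `req.Session().Token` straight into the form as the CSRF token; if that value is also what identifies the session (e.g. the cookie value), the session credential is now exposed in the DOM and in any cached copy of the page, where script injection or a shared cache could read it — a dedicated per-session CSRF secret, or an HMAC of the session token under a server key, would keep the two apart, and this hunk does not show which case applies. The removed bundle also expired after two hours; the session-bound token lives as long as the session, so confirm the token is rotated on login and invalidated with the session. The enclosing POST and POSTActivate handlers begin outside the hunks shown.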


@@ -1,6 +1,8 @@
package templating package templating
import ( import (
"fmt"
"github.com/Theodor-Springmann-Stiftung/musenalm/dbmodels" "github.com/Theodor-Springmann-Stiftung/musenalm/dbmodels"
"github.com/pocketbase/pocketbase/core" "github.com/pocketbase/pocketbase/core"
) )
@@ -83,3 +85,10 @@ func (r *Request) IsEditor() bool {
} }
return false return false
} }
func (r *Request) CheckCSRF(target string) error {
if r.Session() == nil || target == "" || r.Session().Token != target {
return fmt.Errorf("CSRF-Token nicht vorhanden oder ungültig")
}
return nil
}
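Review bot: `CheckCSRF` compares the submitted token against `r.Session().Token` with `!=`, which stops at the first differing byte; for a secret compare hoist `s := r.Session()` and use `subtle.ConstantTimeCompare([]byte(s.Token), []byte(target)) != 1` from `crypto/subtle`, which also fetches the session once instead of three times. The method is exported but undocumented; add `// CheckCSRF returns an error unless target is non-empty and equals the current session's token.` above it. The callers pass `err.Error()` through as the form's error message, so the German text is user-facing and should stay as is.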


@@ -8,7 +8,7 @@
{{ template "_head" . }} {{ template "_head" . }}
</head> </head>
<body class="w-full min-h-full" hx-ext="response-targets" hx-boost="true"> <body class="w-full min-h-full" id="body" hx-ext="response-targets" hx-boost="true">
<div class="pb-12"> <div class="pb-12">
{{ block "body" . }} {{ block "body" . }}
<!-- Default app body... --> <!-- Default app body... -->


@@ -8,7 +8,7 @@
{{ template "_head" . }} {{ template "_head" . }}
</head> </head>
<body class="w-full min-h-full" hx-ext="response-targets" hx-boost="true"> <body id="body" class="w-full min-h-full" hx-ext="response-targets" hx-boost="true">
<div class="flex flex-col min-h-screen w-full"> <div class="flex flex-col min-h-screen w-full">
<header class="container-normal bg-slate-100 " id="header"> <header class="container-normal bg-slate-100 " id="header">
{{ template "_menu" . }} {{ template "_menu" . }}


@@ -1,5 +1,6 @@
{{- $date := Today -}} {{- $date := Today -}}
<footer <footer
id="footer"
class="container-normal pb-1.5 text-base text-gray-800 relative" class="container-normal pb-1.5 text-base text-gray-800 relative"
x-data="{ openusermenu: false }"> x-data="{ openusermenu: false }">
{{- if .request.user -}} {{- if .request.user -}}


@@ -9,7 +9,7 @@
</head> </head>
<body class="w-full text-lg" hx-ext="response-targets" hx-boost="true"> <body id="body" class="w-full text-lg" hx-ext="response-targets" hx-boost="true">
<div class="flex flex-col min-h-screen w-full"> <div class="flex flex-col min-h-screen w-full">
<header class="container-normal pb-0" id="header"> <header class="container-normal pb-0" id="header">
{{ block "_menu" . }} {{ block "_menu" . }}


@@ -17,8 +17,16 @@
</div> </div>
<div class="flex container-normal mx-auto px-8 mt-4"> <div class="flex container-normal mx-auto px-8 mt-4">
<div class="flex-col max-w-2xl w-full"> <div class="flex-col max-w-2xl w-full">
<form
class="w-full grid grid-cols-3 gap-4"
id="changeuserform"
x-target="changeuserform footer"
hx-boost="false"
method="POST"
x-data="{ openpw: false }">
<div class="col-span-3">
{{ template "_usermessage" $model }} {{ template "_usermessage" $model }}
<form class="w-full grid grid-cols-3 gap-4" method="POST" x-data="{ openpw: false }"> </div>
<div <div
class="rounded-xs col-span-3 border-2 border-transparent px-3 class="rounded-xs col-span-3 border-2 border-transparent px-3
py-1 pb-1.5 border-l-2 focus-within:border-l-slate-600 py-1 pb-1.5 border-l-2 focus-within:border-l-slate-600