devtron-labs · Shivam-nagar23 · Feb 8, 2024 · Jan 25, 2024 · Jan 25, 2024 · Jan 25, 2024
@@ -21,6 +21,8 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"github.com/devtron-labs/devtron/pkg/auth/user/helper"
+	"github.com/gorilla/schema"
 	"net/http"
 	"strconv"
 	"strings"
@@ -44,12 +46,10 @@ type UserRestHandler interface {
 	GetById(w http.ResponseWriter, r *http.Request)
 	GetAll(w http.ResponseWriter, r *http.Request)
 	DeleteUser(w http.ResponseWriter, r *http.Request)
-	GetAllDetailedUsers(w http.ResponseWriter, r *http.Request)
 	FetchRoleGroupById(w http.ResponseWriter, r *http.Request)
 	CreateRoleGroup(w http.ResponseWriter, r *http.Request)
 	UpdateRoleGroup(w http.ResponseWriter, r *http.Request)
 	FetchRoleGroups(w http.ResponseWriter, r *http.Request)
-	FetchDetailedRoleGroups(w http.ResponseWriter, r *http.Request)
 	FetchRoleGroupsByName(w http.ResponseWriter, r *http.Request)
 	DeleteRoleGroup(w http.ResponseWriter, r *http.Request)
 	CheckUserRoles(w http.ResponseWriter, r *http.Request)
@@ -210,20 +210,13 @@ func (handler UserRestHandlerImpl) UpdateUser(w http.ResponseWriter, r *http.Req
 	// RBAC enforcer applying
 	token := r.Header.Get("token")
 
-	if userInfo.EmailId == "admin" {
-		userInfo.EmailId = "[email protected]/devtron-labs"
-	}
 	err = handler.validator.Struct(userInfo)
 	if err != nil {
 		handler.logger.Errorw("validation err, UpdateUser", "err", err, "payload", userInfo)
 		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 		return
 	}
 
-	if userInfo.EmailId == "[email protected]/devtron-labs" {
-		userInfo.EmailId = "admin"
-	}
-
 	res, rolesChanged, groupsModified, restrictedGroups, err := handler.userService.UpdateUser(&userInfo, token, handler.CheckManagerAuth)
 
 	if err != nil {
@@ -309,6 +302,7 @@ func (handler UserRestHandlerImpl) GetById(w http.ResponseWriter, r *http.Reques
 }
 
 func (handler UserRestHandlerImpl) GetAll(w http.ResponseWriter, r *http.Request) {
+	var decoder = schema.NewDecoder()
 	userId, err := handler.userService.GetLoggedInUser(r)
 	if userId == 0 || err != nil {
 		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
@@ -362,35 +356,16 @@ func (handler UserRestHandlerImpl) GetAll(w http.ResponseWriter, r *http.Request
 		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
 		return
 	}
-	res, err := handler.userService.GetAll()
+	req := &bean.FetchListingRequest{}
+	err = decoder.Decode(req, r.URL.Query())
 	if err != nil {
-		handler.logger.Errorw("service err, GetAll", "err", err)
-		common.WriteJsonResp(w, err, "Failed to Get", http.StatusInternalServerError)
-		return
-	}
-
-	common.WriteJsonResp(w, err, res, http.StatusOK)
-}
-
-func (handler UserRestHandlerImpl) GetAllDetailedUsers(w http.ResponseWriter, r *http.Request) {
-	userId, err := handler.userService.GetLoggedInUser(r)
-	if userId == 0 || err != nil {
-		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
-		return
-	}
-
-	token := r.Header.Get("token")
-	isActionUserSuperAdmin := false
-	if ok := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); ok {
-		isActionUserSuperAdmin = true
-	}
-	if !isActionUserSuperAdmin {
-		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		handler.logger.Errorw("request err, GetAll", "err", err, "payload", req)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 		return
 	}
-	res, err := handler.userService.GetAllDetailedUsers()
+	res, err := handler.userService.GetAllWithFilters(req)
 	if err != nil {
-		handler.logger.Errorw("service err, GetAllDetailedUsers", "err", err)
+		handler.logger.Errorw("service err, GetAll", "err", err)
 		common.WriteJsonResp(w, err, "Failed to Get", http.StatusInternalServerError)
 		return
 	}
@@ -451,7 +426,15 @@ func (handler UserRestHandlerImpl) DeleteUser(w http.ResponseWriter, r *http.Req
 		}
 	}
 	//RBAC enforcer Ends
-
+	//validation
+	validated := helper.CheckIfUserDevtronManaged(int32(id))
+	if !validated {
+		err = &util.ApiError{Code: "400", HttpStatusCode: 400, UserMessage: "cannot delete system or admin user"}
+		handler.logger.Errorw("request err, DeleteUser, validation failed", "id", id, "err", err)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
+		return
+	}
+	//service call
 	res, err := handler.userService.DeleteUser(user)
 	if err != nil {
 		handler.logger.Errorw("service err, DeleteUser", "err", err, "id", id)
@@ -639,6 +622,7 @@ func (handler UserRestHandlerImpl) UpdateRoleGroup(w http.ResponseWriter, r *htt
 }
 
 func (handler UserRestHandlerImpl) FetchRoleGroups(w http.ResponseWriter, r *http.Request) {
+	var decoder = schema.NewDecoder()
 	userId, err := handler.userService.GetLoggedInUser(r)
 	if userId == 0 || err != nil {
 		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
@@ -692,32 +676,15 @@ func (handler UserRestHandlerImpl) FetchRoleGroups(w http.ResponseWriter, r *htt
 		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
 		return
 	}
-	res, err := handler.roleGroupService.FetchRoleGroups()
-	if err != nil {
-		handler.logger.Errorw("service err, FetchRoleGroups", "err", err)
-		common.WriteJsonResp(w, err, "", http.StatusInternalServerError)
-		return
-	}
-	common.WriteJsonResp(w, err, res, http.StatusOK)
-}
 
-func (handler UserRestHandlerImpl) FetchDetailedRoleGroups(w http.ResponseWriter, r *http.Request) {
-	userId, err := handler.userService.GetLoggedInUser(r)
-	if userId == 0 || err != nil {
-		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
-		return
-	}
-	token := r.Header.Get("token")
-	isActionUserSuperAdmin := false
-	if ok := handler.enforcer.Enforce(token, casbin.ResourceGlobal, casbin.ActionGet, "*"); ok {
-		isActionUserSuperAdmin = true
-	}
-	if !isActionUserSuperAdmin {
-		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+	req := &bean.FetchListingRequest{}
+	err = decoder.Decode(req, r.URL.Query())
+	if err != nil {
+		handler.logger.Errorw("request err, FetchRoleGroups", "err", err, "payload", req)
+		common.WriteJsonResp(w, err, nil, http.StatusBadRequest)
 		return
 	}
-
-	res, err := handler.roleGroupService.FetchDetailedRoleGroups()
+	res, err := handler.roleGroupService.FetchRoleGroupsWithFilters(req)
 	if err != nil {
 		handler.logger.Errorw("service err, FetchRoleGroups", "err", err)
 		common.WriteJsonResp(w, err, "", http.StatusInternalServerError)

@@ -49,9 +49,6 @@ func (router UserRouterImpl) InitUserRouter(userAuthRouter *mux.Router) {
 	userAuthRouter.Path("/{id}").
 		HandlerFunc(router.userRestHandler.DeleteUser).Methods("DELETE")
 
-	userAuthRouter.Path("/detail/get").
-		HandlerFunc(router.userRestHandler.GetAllDetailedUsers).Methods("GET")
-
 	userAuthRouter.Path("/role/group/{id}").
 		HandlerFunc(router.userRestHandler.FetchRoleGroupById).Methods("GET")
 	userAuthRouter.Path("/role/group").
@@ -60,8 +57,6 @@ func (router UserRouterImpl) InitUserRouter(userAuthRouter *mux.Router) {
 		HandlerFunc(router.userRestHandler.UpdateRoleGroup).Methods("PUT")
 	userAuthRouter.Path("/role/group").
 		HandlerFunc(router.userRestHandler.FetchRoleGroups).Methods("GET")
-	userAuthRouter.Path("/role/group/detailed/get").
-		HandlerFunc(router.userRestHandler.FetchDetailedRoleGroups).Methods("GET")
 	userAuthRouter.Path("/role/group/search").
 		Queries("name", "{name}").
 		HandlerFunc(router.userRestHandler.FetchRoleGroupsByName).Methods("GET")

@@ -5,14 +5,15 @@ import (
 	"github.com/devtron-labs/devtron/pkg/auth/authorisation/casbin"
 	user2 "github.com/devtron-labs/devtron/pkg/auth/user"
 	repository2 "github.com/devtron-labs/devtron/pkg/auth/user/repository"
+	"github.com/devtron-labs/devtron/pkg/auth/user/repository/helper"
 	"github.com/google/wire"
 )
 
 //depends on sql,validate,logger
 
 var UserWireSet = wire.NewSet(
 	UserAuditWireSet,
-
+	helper.NewUserRepositoryQueryBuilder,
 	NewUserAuthRouterImpl,
 	wire.Bind(new(UserAuthRouter), new(*UserAuthRouterImpl)),
 	NewUserAuthHandlerImpl,

@@ -19,6 +19,7 @@ package bean
 
 import (
 	"encoding/json"
+	"github.com/devtron-labs/devtron/pkg/auth/user/bean"
 	"time"
 )
 
@@ -29,19 +30,20 @@ type UserRole struct {
 }
 
 type UserInfo struct {
-	Id           int32        `json:"id" validate:"number"`
-	EmailId      string       `json:"email_id" validate:"required"`
-	Roles        []string     `json:"roles,omitempty"`
-	AccessToken  string       `json:"access_token,omitempty"`
-	UserType     string       `json:"-"`
-	LastUsedAt   time.Time    `json:"-"`
-	LastUsedByIp string       `json:"-"`
-	Exist        bool         `json:"-"`
-	UserId       int32        `json:"-"` // created or modified user id
-	RoleFilters  []RoleFilter `json:"roleFilters"`
-	Status       string       `json:"status,omitempty"`
-	Groups       []string     `json:"groups"`
-	SuperAdmin   bool         `json:"superAdmin,notnull"`
+	Id            int32        `json:"id" validate:"number,not-system-admin-userid"`
+	EmailId       string       `json:"emailId" validate:"required,not-system-admin-user"`
+	Roles         []string     `json:"roles,omitempty"`
+	AccessToken   string       `json:"access_token,omitempty"`
+	RoleFilters   []RoleFilter `json:"roleFilters"`
+	Status        string       `json:"status,omitempty"`
+	Groups        []string     `json:"groups"` // this will be deprecated in future do not use
+	SuperAdmin    bool         `json:"superAdmin,notnull"`
+	LastLoginTime time.Time    `json:"lastLoginTime"`
+	UserType      string       `json:"-"`
+	LastUsedAt    time.Time    `json:"-"`
+	LastUsedByIp  string       `json:"-"`
+	Exist         bool         `json:"-"`
+	UserId        int32        `json:"-"` // created or modified user id
 }
 
 type RoleGroup struct {
@@ -117,3 +119,23 @@ const (
 	CHART_GROUP_ENTITY              = "chart-group"
 	CLUSTER_ENTITIY                 = "cluster"
 )
+
+type UserListingResponse struct {
+	Users      []UserInfo `json:"users"`
+	TotalCount int        `json:"totalCount"`
+}
+
+type RoleGroupListingResponse struct {
+	RoleGroups []*RoleGroup `json:"roleGroups"`
+	TotalCount int          `json:"totalCount"`
+}
+
+type FetchListingRequest struct {
+	SearchKey  string         `json:"searchKey"`
+	SortOrder  bean.SortOrder `json:"sortOrder"`
+	SortBy     bean.SortBy    `json:"sortBy"`
+	Offset     int            `json:"offset"`
+	Size       int            `json:"size"`
+	ShowAll    bool           `json:"showAll"`
+	CountCheck bool           `json:"-"`
+}
@@ -18,6 +18,7 @@
 package util
 
 import (
+	"github.com/devtron-labs/devtron/pkg/auth/user/bean"
 	"regexp"
 	"strings"
 
@@ -94,9 +95,33 @@ func IntValidator() (*validator.Validate, error) {
 	if err != nil {
 		return v, err
 	}
+	err = v.RegisterValidation("not-system-admin-user", validateForSystemOrAdminUser)
+	if err != nil {
+		return v, err
+	}
+	err = v.RegisterValidation("not-system-admin-userid", validateForSystemOrAdminUserById)
+	if err != nil {
+		return v, err
+	}
 	return v, err
 }
 
+func validateForSystemOrAdminUser(fl validator.FieldLevel) bool {
+	value := fl.Field().String()
+	if value == bean.AdminUser || value == bean.SystemUser {
+		return false
+	}
+	return true
+}
+
+func validateForSystemOrAdminUserById(fl validator.FieldLevel) bool {
+	value := fl.Field().Int()
+	if value == bean.AdminUserId || value == bean.SystemUserId {
+		return false
+	}
+	return true
+}
+
 func validateDockerImage(fl validator.FieldLevel) bool {
 	value := fl.Field().String()
 	if strings.Contains(value, ":") {