Add user_profile view to update the profile with form
Since users do not have access to the auth scheme, i had to add a view
that selects only the data that they can see of themselves (i.e., no
password or cookie).
I wanted to use the `request.user.id` setting that i set in
check_cookie, but this would be bad because anyone can change that
parameter and, since the view is created by the owner, could see and
*change* the values of everyone just by knowing their id. Thus, now i
use the cookie instead, because it is way harder to figure out, and if
you already have it you can just set to your browser and the user is
fucked anyway; the database can not help here.
I **am** going to use the user id in row level security policies, but
not the value coming for the setting but instaed the one in the
`user_profile`, since it already is “derived” from the cookie, that’s
why i added that column to the view.
The profile includes the language, that i do not use it yet to switch
the locale, so i had to add a relation of the available languages, for
constraint purposes. There is no NULL language, and instead i added the
“Undefined” language, with ‘und’ tag’, to represent “do not know/use
content negotiation”.
The languages in that relation are the same i used to have inside
locale.go, because there is no point on having options for languages i
do not have the translation for, so i now configure the list of
available languages user in content negotiation from that relation.
Finally, i have added all font from RemixIcon because that’s what we
used in the design and i am going to use quite a lot of them.
There is duplication in the views; i will address that in a different
commit.
2023-01-22 01:23:09 +00:00
|
|
|
package pkg
|
|
|
|
|
|
|
|
import (
|
|
|
|
"context"
|
2023-02-01 13:15:02 +00:00
|
|
|
"html/template"
|
Add user_profile view to update the profile with form
Since users do not have access to the auth scheme, i had to add a view
that selects only the data that they can see of themselves (i.e., no
password or cookie).
I wanted to use the `request.user.id` setting that i set in
check_cookie, but this would be bad because anyone can change that
parameter and, since the view is created by the owner, could see and
*change* the values of everyone just by knowing their id. Thus, now i
use the cookie instead, because it is way harder to figure out, and if
you already have it you can just set to your browser and the user is
fucked anyway; the database can not help here.
I **am** going to use the user id in row level security policies, but
not the value coming for the setting but instaed the one in the
`user_profile`, since it already is “derived” from the cookie, that’s
why i added that column to the view.
The profile includes the language, that i do not use it yet to switch
the locale, so i had to add a relation of the available languages, for
constraint purposes. There is no NULL language, and instead i added the
“Undefined” language, with ‘und’ tag’, to represent “do not know/use
content negotiation”.
The languages in that relation are the same i used to have inside
locale.go, because there is no point on having options for languages i
do not have the translation for, so i now configure the list of
available languages user in content negotiation from that relation.
Finally, i have added all font from RemixIcon because that’s what we
used in the design and i am going to use quite a lot of them.
There is duplication in the views; i will address that in a different
commit.
2023-01-22 01:23:09 +00:00
|
|
|
"net/http"
|
|
|
|
)
|
|
|
|
|
|
|
|
type LanguageOption struct {
|
|
|
|
Tag string
|
|
|
|
Name string
|
|
|
|
}
|
|
|
|
|
2023-01-31 14:40:12 +00:00
|
|
|
type profileForm struct {
|
2023-02-01 10:02:32 +00:00
|
|
|
locale *Locale
|
2023-01-31 14:40:12 +00:00
|
|
|
Name *InputField
|
|
|
|
Email *InputField
|
|
|
|
Password *InputField
|
|
|
|
PasswordConfirm *InputField
|
|
|
|
Language *SelectField
|
|
|
|
}
|
|
|
|
|
|
|
|
func newProfileForm(ctx context.Context, conn *Conn, locale *Locale) *profileForm {
|
|
|
|
automaticOption := pgettext("language option", "Automatic", locale)
|
|
|
|
languages := MustGetOptions(ctx, conn, "select 'und', $1 union all select lang_tag, endonym from language where selectable", automaticOption)
|
|
|
|
return &profileForm{
|
2023-02-01 10:02:32 +00:00
|
|
|
locale: locale,
|
2023-01-31 14:40:12 +00:00
|
|
|
Name: &InputField{
|
|
|
|
Name: "name",
|
|
|
|
Label: pgettext("input", "User name", locale),
|
|
|
|
Type: "text",
|
|
|
|
Required: true,
|
2023-02-01 13:15:02 +00:00
|
|
|
Attributes: []template.HTMLAttr{
|
|
|
|
`autocomplete="name"`,
|
2023-02-01 10:37:13 +00:00
|
|
|
},
|
2023-01-31 14:40:12 +00:00
|
|
|
},
|
|
|
|
Email: &InputField{
|
|
|
|
Name: "email",
|
|
|
|
Label: pgettext("input", "Email", locale),
|
|
|
|
Type: "email",
|
|
|
|
Required: true,
|
2023-02-01 13:15:02 +00:00
|
|
|
Attributes: []template.HTMLAttr{
|
|
|
|
`autocomplete="username"`,
|
2023-02-01 10:37:13 +00:00
|
|
|
},
|
2023-01-31 14:40:12 +00:00
|
|
|
},
|
|
|
|
Password: &InputField{
|
|
|
|
Name: "password",
|
|
|
|
Label: pgettext("input", "Password", locale),
|
|
|
|
Type: "password",
|
2023-02-01 13:15:02 +00:00
|
|
|
Attributes: []template.HTMLAttr{
|
|
|
|
`autocomplete="new-password"`,
|
2023-02-01 10:37:13 +00:00
|
|
|
},
|
2023-01-31 14:40:12 +00:00
|
|
|
},
|
|
|
|
PasswordConfirm: &InputField{
|
|
|
|
Name: "password_confirm",
|
|
|
|
Label: pgettext("input", "Password Confirmation", locale),
|
|
|
|
Type: "password",
|
2023-02-01 13:15:02 +00:00
|
|
|
Attributes: []template.HTMLAttr{
|
|
|
|
`autocomplete="new-password"`,
|
2023-02-01 10:37:13 +00:00
|
|
|
},
|
2023-01-31 14:40:12 +00:00
|
|
|
},
|
|
|
|
Language: &SelectField{
|
|
|
|
Name: "language",
|
|
|
|
Label: pgettext("input", "Language", locale),
|
|
|
|
Options: languages,
|
2023-02-01 13:15:02 +00:00
|
|
|
Attributes: []template.HTMLAttr{
|
|
|
|
`autocomplete="language"`,
|
|
|
|
},
|
2023-01-31 14:40:12 +00:00
|
|
|
},
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
func (form *profileForm) Parse(r *http.Request) error {
|
|
|
|
if err := r.ParseForm(); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2023-02-01 10:02:32 +00:00
|
|
|
form.Email.FillValue(r)
|
|
|
|
form.Name.FillValue(r)
|
|
|
|
form.Password.FillValue(r)
|
|
|
|
form.PasswordConfirm.FillValue(r)
|
|
|
|
form.Language.FillValue(r)
|
2023-01-31 14:40:12 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2023-02-01 10:02:32 +00:00
|
|
|
func (form *profileForm) Validate() bool {
|
2023-02-01 10:30:30 +00:00
|
|
|
validator := newFormValidator()
|
|
|
|
if validator.CheckRequiredInput(form.Email, gettext("Email can not be empty.", form.locale)) {
|
|
|
|
validator.CheckValidEmailInput(form.Email, gettext("This value is not a valid email. It should be like name@domain.com.", form.locale))
|
2023-01-31 14:40:12 +00:00
|
|
|
}
|
2023-02-01 10:30:30 +00:00
|
|
|
validator.CheckRequiredInput(form.Name, gettext("Name can not be empty.", form.locale))
|
|
|
|
validator.CheckPasswordConfirmation(form.Password, form.PasswordConfirm, gettext("Confirmation does not match password.", form.locale))
|
|
|
|
validator.CheckValidSelectOption(form.Language, gettext("Selected language is not valid.", form.locale))
|
|
|
|
return validator.AllOK()
|
Add user_profile view to update the profile with form
Since users do not have access to the auth scheme, i had to add a view
that selects only the data that they can see of themselves (i.e., no
password or cookie).
I wanted to use the `request.user.id` setting that i set in
check_cookie, but this would be bad because anyone can change that
parameter and, since the view is created by the owner, could see and
*change* the values of everyone just by knowing their id. Thus, now i
use the cookie instead, because it is way harder to figure out, and if
you already have it you can just set to your browser and the user is
fucked anyway; the database can not help here.
I **am** going to use the user id in row level security policies, but
not the value coming for the setting but instaed the one in the
`user_profile`, since it already is “derived” from the cookie, that’s
why i added that column to the view.
The profile includes the language, that i do not use it yet to switch
the locale, so i had to add a relation of the available languages, for
constraint purposes. There is no NULL language, and instead i added the
“Undefined” language, with ‘und’ tag’, to represent “do not know/use
content negotiation”.
The languages in that relation are the same i used to have inside
locale.go, because there is no point on having options for languages i
do not have the translation for, so i now configure the list of
available languages user in content negotiation from that relation.
Finally, i have added all font from RemixIcon because that’s what we
used in the design and i am going to use quite a lot of them.
There is duplication in the views; i will address that in a different
commit.
2023-01-22 01:23:09 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
func ProfileHandler() http.Handler {
|
|
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
user := getUser(r)
|
|
|
|
conn := getConn(r)
|
2023-01-31 14:40:12 +00:00
|
|
|
locale := getLocale(r)
|
|
|
|
form := newProfileForm(r.Context(), conn, locale)
|
Add user_profile view to update the profile with form
Since users do not have access to the auth scheme, i had to add a view
that selects only the data that they can see of themselves (i.e., no
password or cookie).
I wanted to use the `request.user.id` setting that i set in
check_cookie, but this would be bad because anyone can change that
parameter and, since the view is created by the owner, could see and
*change* the values of everyone just by knowing their id. Thus, now i
use the cookie instead, because it is way harder to figure out, and if
you already have it you can just set to your browser and the user is
fucked anyway; the database can not help here.
I **am** going to use the user id in row level security policies, but
not the value coming for the setting but instaed the one in the
`user_profile`, since it already is “derived” from the cookie, that’s
why i added that column to the view.
The profile includes the language, that i do not use it yet to switch
the locale, so i had to add a relation of the available languages, for
constraint purposes. There is no NULL language, and instead i added the
“Undefined” language, with ‘und’ tag’, to represent “do not know/use
content negotiation”.
The languages in that relation are the same i used to have inside
locale.go, because there is no point on having options for languages i
do not have the translation for, so i now configure the list of
available languages user in content negotiation from that relation.
Finally, i have added all font from RemixIcon because that’s what we
used in the design and i am going to use quite a lot of them.
There is duplication in the views; i will address that in a different
commit.
2023-01-22 01:23:09 +00:00
|
|
|
if r.Method == "POST" {
|
2023-01-31 14:40:12 +00:00
|
|
|
if err := form.Parse(r); err != nil {
|
|
|
|
http.Error(w, err.Error(), http.StatusBadRequest)
|
|
|
|
return
|
2023-01-23 20:41:14 +00:00
|
|
|
}
|
2023-02-02 10:39:34 +00:00
|
|
|
if err := verifyCsrfTokenValid(r); err != nil {
|
|
|
|
http.Error(w, err.Error(), http.StatusForbidden)
|
|
|
|
return
|
|
|
|
}
|
2023-02-01 10:02:32 +00:00
|
|
|
if ok := form.Validate(); ok {
|
2023-01-31 14:41:05 +00:00
|
|
|
//goland:noinspection SqlWithoutWhere
|
2023-02-01 13:15:02 +00:00
|
|
|
cookie := conn.MustGetText(r.Context(), "", "update user_profile set name = $1, email = $2, lang_tag = $3 returning build_cookie()", form.Name, form.Email, form.Language)
|
2023-01-31 14:40:12 +00:00
|
|
|
setSessionCookie(w, cookie)
|
2023-02-01 13:15:02 +00:00
|
|
|
if form.Password.Val != "" {
|
|
|
|
conn.MustExec(r.Context(), "select change_password($1)", form.Password)
|
2023-01-31 14:40:12 +00:00
|
|
|
}
|
|
|
|
company := getCompany(r)
|
|
|
|
http.Redirect(w, r, "/company/"+company.Slug+"/profile", http.StatusSeeOther)
|
|
|
|
return
|
Add user_profile view to update the profile with form
Since users do not have access to the auth scheme, i had to add a view
that selects only the data that they can see of themselves (i.e., no
password or cookie).
I wanted to use the `request.user.id` setting that i set in
check_cookie, but this would be bad because anyone can change that
parameter and, since the view is created by the owner, could see and
*change* the values of everyone just by knowing their id. Thus, now i
use the cookie instead, because it is way harder to figure out, and if
you already have it you can just set to your browser and the user is
fucked anyway; the database can not help here.
I **am** going to use the user id in row level security policies, but
not the value coming for the setting but instaed the one in the
`user_profile`, since it already is “derived” from the cookie, that’s
why i added that column to the view.
The profile includes the language, that i do not use it yet to switch
the locale, so i had to add a relation of the available languages, for
constraint purposes. There is no NULL language, and instead i added the
“Undefined” language, with ‘und’ tag’, to represent “do not know/use
content negotiation”.
The languages in that relation are the same i used to have inside
locale.go, because there is no point on having options for languages i
do not have the translation for, so i now configure the list of
available languages user in content negotiation from that relation.
Finally, i have added all font from RemixIcon because that’s what we
used in the design and i am going to use quite a lot of them.
There is duplication in the views; i will address that in a different
commit.
2023-01-22 01:23:09 +00:00
|
|
|
}
|
2023-01-31 14:40:12 +00:00
|
|
|
w.WriteHeader(http.StatusUnprocessableEntity)
|
|
|
|
} else {
|
2023-02-01 13:15:02 +00:00
|
|
|
form.Name.Val = conn.MustGetText(r.Context(), "", "select name from user_profile")
|
|
|
|
form.Email.Val = user.Email
|
2023-01-31 14:40:12 +00:00
|
|
|
form.Language.Selected = user.Language.String()
|
Add user_profile view to update the profile with form
Since users do not have access to the auth scheme, i had to add a view
that selects only the data that they can see of themselves (i.e., no
password or cookie).
I wanted to use the `request.user.id` setting that i set in
check_cookie, but this would be bad because anyone can change that
parameter and, since the view is created by the owner, could see and
*change* the values of everyone just by knowing their id. Thus, now i
use the cookie instead, because it is way harder to figure out, and if
you already have it you can just set to your browser and the user is
fucked anyway; the database can not help here.
I **am** going to use the user id in row level security policies, but
not the value coming for the setting but instaed the one in the
`user_profile`, since it already is “derived” from the cookie, that’s
why i added that column to the view.
The profile includes the language, that i do not use it yet to switch
the locale, so i had to add a relation of the available languages, for
constraint purposes. There is no NULL language, and instead i added the
“Undefined” language, with ‘und’ tag’, to represent “do not know/use
content negotiation”.
The languages in that relation are the same i used to have inside
locale.go, because there is no point on having options for languages i
do not have the translation for, so i now configure the list of
available languages user in content negotiation from that relation.
Finally, i have added all font from RemixIcon because that’s what we
used in the design and i am going to use quite a lot of them.
There is duplication in the views; i will address that in a different
commit.
2023-01-22 01:23:09 +00:00
|
|
|
}
|
2023-01-31 14:40:12 +00:00
|
|
|
mustRenderAppTemplate(w, r, "profile.gohtml", form)
|
Add user_profile view to update the profile with form
Since users do not have access to the auth scheme, i had to add a view
that selects only the data that they can see of themselves (i.e., no
password or cookie).
I wanted to use the `request.user.id` setting that i set in
check_cookie, but this would be bad because anyone can change that
parameter and, since the view is created by the owner, could see and
*change* the values of everyone just by knowing their id. Thus, now i
use the cookie instead, because it is way harder to figure out, and if
you already have it you can just set to your browser and the user is
fucked anyway; the database can not help here.
I **am** going to use the user id in row level security policies, but
not the value coming for the setting but instaed the one in the
`user_profile`, since it already is “derived” from the cookie, that’s
why i added that column to the view.
The profile includes the language, that i do not use it yet to switch
the locale, so i had to add a relation of the available languages, for
constraint purposes. There is no NULL language, and instead i added the
“Undefined” language, with ‘und’ tag’, to represent “do not know/use
content negotiation”.
The languages in that relation are the same i used to have inside
locale.go, because there is no point on having options for languages i
do not have the translation for, so i now configure the list of
available languages user in content negotiation from that relation.
Finally, i have added all font from RemixIcon because that’s what we
used in the design and i am going to use quite a lot of them.
There is duplication in the views; i will address that in a different
commit.
2023-01-22 01:23:09 +00:00
|
|
|
})
|
|
|
|
}
|