summaryrefslogtreecommitdiff
path: root/system/admin
diff options
context:
space:
mode:
Diffstat (limited to 'system/admin')
-rw-r--r--system/admin/admin.go115
-rw-r--r--system/admin/filesystem.go36
-rw-r--r--system/admin/handlers.go418
-rw-r--r--system/admin/server.go8
-rw-r--r--system/admin/static/dashboard/css/admin.css2
5 files changed, 562 insertions, 17 deletions
diff --git a/system/admin/admin.go b/system/admin/admin.go
index 8c13582..e0689b3 100644
--- a/system/admin/admin.go
+++ b/system/admin/admin.go
@@ -205,7 +205,8 @@ var loginAdminHTML = `
</div>
<div class="input-field col s12">
<input placeholder="Enter your password" class="validate required" type="password" id="password" name="password"/>
- <label for="password" class="active">Password</label>
+ <a href="/admin/recover" class="right">Forgot password?</a>
+ <label for="password" class="active">Password</label>
</div>
<button class="btn waves-effect waves-light right">Log in</button>
</form>
@@ -246,6 +247,118 @@ func Login() ([]byte, error) {
return buf.Bytes(), nil
}
+var forgotPasswordHTML = `
+<div class="init col s5">
+<div class="card">
+<div class="card-content">
+ <div class="card-title">Account Recovery</div>
+ <blockquote>Please enter the email for your account and a recovery message will be sent to you at this address. Check your spam folder in case the message was flagged.</blockquote>
+ <form method="post" action="/admin/recover" class="row">
+ <div class="input-field col s12">
+ <input placeholder="Enter your email address e.g. you@example.com" class="validate required" type="email" id="email" name="email"/>
+ <label for="email" class="active">Email</label>
+ </div>
+
+ <button class="btn waves-effect waves-light right">Send Recovery Email</button>
+ </form>
+</div>
+</div>
+</div>
+<script>
+ $(function() {
+ $('.nav-wrapper ul.right').hide();
+ });
+</script>
+`
+
+// ForgotPassword ...
+func ForgotPassword() ([]byte, error) {
+ html := startAdminHTML + forgotPasswordHTML + endAdminHTML
+
+ cfg, err := db.Config("name")
+ if err != nil {
+ return nil, err
+ }
+
+ if cfg == nil {
+ cfg = []byte("")
+ }
+
+ a := admin{
+ Logo: string(cfg),
+ }
+
+ buf := &bytes.Buffer{}
+ tmpl := template.Must(template.New("forgotPassword").Parse(html))
+ err = tmpl.Execute(buf, a)
+ if err != nil {
+ return nil, err
+ }
+
+ return buf.Bytes(), nil
+}
+
+var recoveryKeyHTML = `
+<div class="init col s5">
+<div class="card">
+<div class="card-content">
+ <div class="card-title">Account Recovery</div>
+ <blockquote>Please check for your recovery key inside an email sent to the address you provided. Check your spam folder in case the message was flagged.</blockquote>
+ <form method="post" action="/admin/recover/key" class="row">
+ <div class="input-field col s12">
+ <input placeholder="Enter your recovery key" class="validate required" type="text" id="key" name="key"/>
+ <label for="key" class="active">Recovery Key</label>
+ </div>
+
+ <div class="input-field col s12">
+ <input placeholder="Enter your email address e.g. you@example.com" class="validate required" type="email" id="email" name="email"/>
+ <label for="email" class="active">Email</label>
+ </div>
+
+ <div class="input-field col s12">
+ <input placeholder="Enter your password" class="validate required" type="password" id="password" name="password"/>
+ <label for="password" class="active">New Password</label>
+ </div>
+
+ <button class="btn waves-effect waves-light right">Update Account</button>
+ </form>
+</div>
+</div>
+</div>
+<script>
+ $(function() {
+ $('.nav-wrapper ul.right').hide();
+ });
+</script>
+`
+
+// RecoveryKey ...
+func RecoveryKey() ([]byte, error) {
+ html := startAdminHTML + recoveryKeyHTML + endAdminHTML
+
+ cfg, err := db.Config("name")
+ if err != nil {
+ return nil, err
+ }
+
+ if cfg == nil {
+ cfg = []byte("")
+ }
+
+ a := admin{
+ Logo: string(cfg),
+ }
+
+ buf := &bytes.Buffer{}
+ tmpl := template.Must(template.New("recoveryKey").Parse(html))
+ err = tmpl.Execute(buf, a)
+ if err != nil {
+ return nil, err
+ }
+
+ return buf.Bytes(), nil
+}
+
// UsersList ...
func UsersList(req *http.Request) ([]byte, error) {
html := `
diff --git a/system/admin/filesystem.go b/system/admin/filesystem.go
new file mode 100644
index 0000000..4e64a26
--- /dev/null
+++ b/system/admin/filesystem.go
@@ -0,0 +1,36 @@
+package admin
+
+import (
+ "net/http"
+ "os"
+)
+
+
+func restrict(dir http.Dir) justFilesFilesystem {
+ return justFilesFilesystem{dir}
+}
+
+// the code below removes the open directory listing when accessing a URL which
+// normally would point to a directory. code from golang-nuts mailing list:
+// https://groups.google.com/d/msg/golang-nuts/bStLPdIVM6w/hidTJgDZpHcJ
+// credit: Brad Fitzpatrick (c) 2012
+
+type justFilesFilesystem struct {
+ fs http.FileSystem
+}
+
+func (fs justFilesFilesystem) Open(name string) (http.File, error) {
+ f, err := fs.fs.Open(name)
+ if err != nil {
+ return nil, err
+ }
+ return neuteredReaddirFile{f}, nil
+}
+
+type neuteredReaddirFile struct {
+ http.File
+}
+
+func (f neuteredReaddirFile) Readdir(count int) ([]os.FileInfo, error) {
+ return nil, nil
+}
diff --git a/system/admin/handlers.go b/system/admin/handlers.go
index 1f277e0..38ce41d 100644
--- a/system/admin/handlers.go
+++ b/system/admin/handlers.go
@@ -21,6 +21,7 @@ import (
"github.com/bosssauce/ponzu/system/db"
"github.com/gorilla/schema"
+ emailer "github.com/nilslice/email"
"github.com/nilslice/jwt"
)
@@ -521,12 +522,187 @@ func logoutHandler(res http.ResponseWriter, req *http.Request) {
http.Redirect(res, req, req.URL.Scheme+req.URL.Host+"/admin/login", http.StatusFound)
}
+func forgotPasswordHandler(res http.ResponseWriter, req *http.Request) {
+ switch req.Method {
+ case http.MethodGet:
+ view, err := ForgotPassword()
+ if err != nil {
+ res.WriteHeader(http.StatusInternalServerError)
+ errView, err := Error500()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
+ res.Write(view)
+
+ case http.MethodPost:
+ err := req.ParseMultipartForm(1024 * 1024 * 4) // maxMemory 4MB
+ if err != nil {
+ res.WriteHeader(http.StatusBadRequest)
+ errView, err := Error400()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
+ // check email for user, if no user return Error
+ email := strings.ToLower(req.FormValue("email"))
+ if email == "" {
+ res.WriteHeader(http.StatusBadRequest)
+ errView, err := Error400()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
+ _, err = db.User(email)
+ if err == db.ErrNoUserExists {
+ res.WriteHeader(http.StatusBadRequest)
+ errView, err := Error400()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
+ if err != db.ErrNoUserExists && err != nil {
+ res.WriteHeader(http.StatusInternalServerError)
+ errView, err := Error500()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
+ // create temporary key to verify user
+ key, err := db.SetRecoveryKey(email)
+ if err != nil {
+ res.WriteHeader(http.StatusInternalServerError)
+ errView, err := Error500()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
+ domain := db.ConfigCache("domain")
+ body := fmt.Sprintf(`
+ There has been an account recovery request made for the user with email:
+ %s
+
+ To recover your account, please go to http://%s/admin/recover/key and enter
+ this email address along with the following secret key:
+
+ %s
+
+ If you did not make the request, ignore this message and your password
+ will remain as-is.
+
+
+ Thank you,
+ Ponzu CMS at %s
+
+ `, email, domain, key, domain)
+ msg := emailer.Message{
+ To: email,
+ From: fmt.Sprintf("Ponzu CMS <ponzu-cms@%s", domain),
+ Subject: fmt.Sprintf("Account Recovery [%s]", domain),
+ Body: body,
+ }
+
+ /*
+ err = msg.Send()
+ if err != nil {
+ res.WriteHeader(http.StatusInternalServerError)
+ errView, err := Error500()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+ */
+ fmt.Println(msg)
+
+ // redirect to /admin/recover/key and send email with key and URL
+ http.Redirect(res, req, req.URL.Scheme+req.URL.Host+"/admin/recover/key", http.StatusFound)
+
+ default:
+ res.WriteHeader(http.StatusMethodNotAllowed)
+ errView, err := Error405()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+}
+
+func recoveryKeyHandler(res http.ResponseWriter, req *http.Request) {
+ switch req.Method {
+ case http.MethodGet:
+ view, err := RecoveryKey()
+ if err != nil {
+ res.WriteHeader(http.StatusInternalServerError)
+ errView, err := Error500()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
+ res.Write(view)
+
+ case http.MethodPost:
+
+ // check for email & key match
+
+ // set user with new password
+
+ // redirect to /admin/login
+
+ default:
+ res.WriteHeader(http.StatusMethodNotAllowed)
+ errView, err := Error405()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+}
+
+func recoveryEditHandler(res http.ResponseWriter, req *http.Request) {
+
+}
+
func postsHandler(res http.ResponseWriter, req *http.Request) {
q := req.URL.Query()
t := q.Get("type")
if t == "" {
res.WriteHeader(http.StatusBadRequest)
- errView, err := Error405()
+ errView, err := Error400()
if err != nil {
return
}
@@ -544,7 +720,7 @@ func postsHandler(res http.ResponseWriter, req *http.Request) {
if _, ok := content.Types[t]; !ok {
res.WriteHeader(http.StatusBadRequest)
- errView, err := Error405()
+ errView, err := Error400()
if err != nil {
return
}
@@ -717,7 +893,22 @@ func postsHandler(res http.ResponseWriter, req *http.Request) {
}
}
+ } else {
+ for i := range posts {
+ err := json.Unmarshal(posts[i], &p)
+ if err != nil {
+ log.Println("Error unmarshal json into", t, err, posts[i])
+
+ post := `<li class="col s12">Error decoding data. Possible file corruption.</li>`
+ b.Write([]byte(post))
+ continue
+ }
+
+ post := adminPostListItem(p, t, status)
+ b.Write(post)
+ }
}
+
html += `<ul class="posts row">`
b.Write([]byte(`</ul></div></div>`))
@@ -822,10 +1013,24 @@ func approvePostHandler(res http.ResponseWriter, req *http.Request) {
post := content.Types[t]()
+ // run hooks
+ hook, ok := post.(content.Hookable)
+ if !ok {
+ log.Println("Type", t, "does not implement content.Hookable or embed content.Item.")
+ res.WriteHeader(http.StatusBadRequest)
+ errView, err := Error400()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
// check if we have a Mergeable
- m, ok := post.(api.Mergeable)
+ m, ok := post.(editor.Mergeable)
if !ok {
- log.Println("Content type", t, "must implement api.Mergable before it can bee approved.")
+ log.Println("Content type", t, "must implement editor.Mergable before it can bee approved.")
res.WriteHeader(http.StatusBadRequest)
errView, err := Error400()
if err != nil {
@@ -851,6 +1056,18 @@ func approvePostHandler(res http.ResponseWriter, req *http.Request) {
return
}
+ err = hook.BeforeApprove(req)
+ if err != nil {
+ res.WriteHeader(http.StatusInternalServerError)
+ errView, err := Error500()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
// call its Approve method
err = m.Approve(req)
if err != nil {
@@ -864,6 +1081,30 @@ func approvePostHandler(res http.ResponseWriter, req *http.Request) {
return
}
+ err = hook.AfterApprove(req)
+ if err != nil {
+ res.WriteHeader(http.StatusInternalServerError)
+ errView, err := Error500()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
+ err = hook.BeforeSave(req)
+ if err != nil {
+ res.WriteHeader(http.StatusInternalServerError)
+ errView, err := Error500()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
// Store the content in the bucket t
id, err := db.SetContent(t+":-1", req.Form)
if err != nil {
@@ -877,6 +1118,18 @@ func approvePostHandler(res http.ResponseWriter, req *http.Request) {
return
}
+ err = hook.AfterSave(req)
+ if err != nil {
+ res.WriteHeader(http.StatusInternalServerError)
+ errView, err := Error500()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
// redirect to the new approved content's editor
redir := req.URL.Scheme + req.URL.Host + strings.TrimSuffix(req.URL.Path, "/approve")
redir += fmt.Sprintf("?type=%s&id=%d", t, id)
@@ -946,7 +1199,7 @@ func editHandler(res http.ResponseWriter, req *http.Request) {
log.Println("Content type", t, "doesn't implement editor.Identifiable")
return
}
- s.SetContentID(-1)
+ s.SetItemID(-1)
}
@@ -1040,6 +1293,50 @@ func editHandler(res http.ResponseWriter, req *http.Request) {
req.PostForm.Del(discardKey)
}
+ if strings.Contains(t, "_") {
+ t = strings.Split(t, "_")[0]
+ }
+
+ p, ok := content.Types[t]
+ if !ok {
+ log.Println("Type", t, "is not a content type. Cannot edit or save.")
+ res.WriteHeader(http.StatusBadRequest)
+ errView, err := Error400()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
+ post := p()
+ hook, ok := post.(content.Hookable)
+ if !ok {
+ log.Println("Type", t, "does not implement content.Hookable or embed content.Item.")
+ res.WriteHeader(http.StatusBadRequest)
+ errView, err := Error400()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
+ err = hook.BeforeSave(req)
+ if err != nil {
+ log.Println(err)
+ res.WriteHeader(http.StatusInternalServerError)
+ errView, err := Error500()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
id, err := db.SetContent(t+":"+cid, req.PostForm)
if err != nil {
log.Println(err)
@@ -1053,13 +1350,23 @@ func editHandler(res http.ResponseWriter, req *http.Request) {
return
}
+ err = hook.AfterSave(req)
+ if err != nil {
+ log.Println(err)
+ res.WriteHeader(http.StatusInternalServerError)
+ errView, err := Error500()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
scheme := req.URL.Scheme
host := req.URL.Host
path := req.URL.Path
sid := fmt.Sprintf("%d", id)
- if strings.Contains(t, "_") {
- t = strings.Split(t, "_")[0]
- }
redir := scheme + host + path + "?type=" + t + "&id=" + sid
if req.URL.Query().Get("status") == "pending" {
@@ -1088,12 +1395,75 @@ func deleteHandler(res http.ResponseWriter, req *http.Request) {
id := req.FormValue("id")
t := req.FormValue("type")
+ ct := t
if id == "" || t == "" {
res.WriteHeader(http.StatusBadRequest)
return
}
+ // catch specifier suffix from delete form value
+ if strings.Contains(t, "_") {
+ spec := strings.Split(t, "_")
+ ct = spec[0]
+ }
+
+ p, ok := content.Types[ct]
+ if !ok {
+ log.Println("Type", t, "does not implement content.Hookable or embed content.Item.")
+ res.WriteHeader(http.StatusBadRequest)
+ errView, err := Error400()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
+ post := p()
+ hook, ok := post.(content.Hookable)
+ if !ok {
+ log.Println("Type", t, "does not implement content.Hookable or embed content.Item.")
+ res.WriteHeader(http.StatusBadRequest)
+ errView, err := Error400()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
+ reject := req.URL.Query().Get("reject")
+ if reject == "true" {
+ err = hook.BeforeReject(req)
+ if err != nil {
+ log.Println(err)
+ res.WriteHeader(http.StatusInternalServerError)
+ errView, err := Error500()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+ }
+
+ err = hook.BeforeDelete(req)
+ if err != nil {
+ log.Println(err)
+ res.WriteHeader(http.StatusInternalServerError)
+ errView, err := Error500()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
err = db.DeleteContent(t + ":" + id)
if err != nil {
log.Println(err)
@@ -1101,14 +1471,36 @@ func deleteHandler(res http.ResponseWriter, req *http.Request) {
return
}
- // catch specifier suffix from delete form value
- if strings.Contains(t, "_") {
- spec := strings.Split(t, "_")
- t = spec[0]
+ err = hook.AfterDelete(req)
+ if err != nil {
+ log.Println(err)
+ res.WriteHeader(http.StatusInternalServerError)
+ errView, err := Error500()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
+
+ if reject == "true" {
+ err = hook.AfterReject(req)
+ if err != nil {
+ log.Println(err)
+ res.WriteHeader(http.StatusInternalServerError)
+ errView, err := Error500()
+ if err != nil {
+ return
+ }
+
+ res.Write(errView)
+ return
+ }
}
redir := strings.TrimSuffix(req.URL.Scheme+req.URL.Host+req.URL.Path, "/edit/delete")
- redir = redir + "/posts?type=" + t
+ redir = redir + "/posts?type=" + ct
http.Redirect(res, req, redir, http.StatusFound)
}
diff --git a/system/admin/server.go b/system/admin/server.go
index 5d93d84..75b48f6 100644
--- a/system/admin/server.go
+++ b/system/admin/server.go
@@ -18,6 +18,10 @@ func Run() {
http.HandleFunc("/admin/login", loginHandler)
http.HandleFunc("/admin/logout", logoutHandler)
+ http.HandleFunc("/admin/recover", forgotPasswordHandler)
+ http.HandleFunc("/admin/recover/key", recoveryKeyHandler)
+ http.HandleFunc("/admin/recover/edit", recoveryEditHandler)
+
http.HandleFunc("/admin/configure", user.Auth(configHandler))
http.HandleFunc("/admin/configure/users", user.Auth(configUsersHandler))
http.HandleFunc("/admin/configure/users/edit", user.Auth(configUsersEditHandler))
@@ -37,11 +41,11 @@ func Run() {
}
staticDir := filepath.Join(pwd, "cmd", "ponzu", "vendor", "github.com", "bosssauce", "ponzu", "system")
- http.Handle("/admin/static/", CacheControl(http.FileServer(http.Dir(staticDir))))
+ http.Handle("/admin/static/", CacheControl(http.FileServer(restrict(http.Dir(staticDir)))))
// API path needs to be registered within server package so that it is handled
// even if the API server is not running. Otherwise, images/files uploaded
// through the editor will not load within the admin system.
uploadsDir := filepath.Join(pwd, "uploads")
- http.Handle("/api/uploads/", CacheControl(http.StripPrefix("/api/uploads/", http.FileServer(http.Dir(uploadsDir)))))
+ http.Handle("/api/uploads/", CacheControl(http.StripPrefix("/api/uploads/", http.FileServer(restrict(http.Dir(uploadsDir))))))
}
diff --git a/system/admin/static/dashboard/css/admin.css b/system/admin/static/dashboard/css/admin.css
index 3cffc5d..8d2fb89 100644
--- a/system/admin/static/dashboard/css/admin.css
+++ b/system/admin/static/dashboard/css/admin.css
@@ -154,7 +154,7 @@ footer p {
color: #9e9e9e;
}
-.post-controls .save-post {
+.post-controls .save-post, .post-controls .approve-post {
margin-left: 10px;
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-08-08 06:33:34 +0000