discourse/app/controllers/admin/users_controller.rb

require_dependency 'user_destroyer'
require_dependency 'admin_user_index_query'

class Admin::UsersController < Admin::AdminController

  before_filter :fetch_user, only: [:suspend,
                                    :unsuspend,
                                    :refresh_browsers,
                                    :log_out,
                                    :revoke_admin,
                                    :grant_admin,
                                    :revoke_moderation,
                                    :grant_moderation,
                                    :approve,
                                    :activate,
                                    :deactivate,
                                    :block,
                                    :unblock,
                                    :trust_level,
                                    :trust_level_lock,
                                    :add_group,
                                    :remove_group,
                                    :primary_group,
                                    :generate_api_key,
                                    :revoke_api_key]

  def index
    query = ::AdminUserIndexQuery.new(params)
    render_serialized(query.find_users, AdminUserSerializer)
  end

  def show
    @user = User.find_by(username_lower: params[:id])
    raise Discourse::NotFound.new unless @user
    render_serialized(@user, AdminDetailedUserSerializer, root: false)
  end

  def delete_all_posts
    @user = User.find_by(id: params[:user_id])
    @user.delete_all_posts!(guardian)
    render nothing: true
  end

  def suspend
    guardian.ensure_can_suspend!(@user)
    @user.suspended_till = params[:duration].to_i.days.from_now
    @user.suspended_at = DateTime.now
    @user.save!
    StaffActionLogger.new(current_user).log_user_suspend(@user, params[:reason])
    render nothing: true
  end

  def unsuspend
    guardian.ensure_can_suspend!(@user)
    @user.suspended_till = nil
    @user.suspended_at = nil
    @user.save!
    StaffActionLogger.new(current_user).log_user_unsuspend(@user)
    render nothing: true
  end

  def log_out
    @user.auth_token = nil
    @user.save!
    render nothing: true
  end

  def refresh_browsers
    refresh_browser @user
    render nothing: true
  end

  def revoke_admin
    guardian.ensure_can_revoke_admin!(@user)
    @user.revoke_admin!
    render nothing: true
  end

  def generate_api_key
    api_key = @user.generate_api_key(current_user)
    render_serialized(api_key, ApiKeySerializer)
  end

  def revoke_api_key
    @user.revoke_api_key
    render nothing: true
  end

  def grant_admin
    guardian.ensure_can_grant_admin!(@user)
    @user.grant_admin!
    render_serialized(@user, AdminUserSerializer)
  end

  def revoke_moderation
    guardian.ensure_can_revoke_moderation!(@user)
    @user.revoke_moderation!
    render nothing: true
  end

  def grant_moderation
    guardian.ensure_can_grant_moderation!(@user)
    @user.grant_moderation!
    render_serialized(@user, AdminUserSerializer)
  end

  def add_group
    group = Group.find(params[:group_id].to_i)
    return render_json_error group unless group && !group.automatic
    group.users << @user
    render nothing: true
  end

  def remove_group
    group = Group.find(params[:group_id].to_i)
    return render_json_error group unless group && !group.automatic
    group.users.delete(@user)
    render nothing: true
  end


  def primary_group
    guardian.ensure_can_change_primary_group!(@user)
    @user.primary_group_id = params[:primary_group_id]
    @user.save!
    render nothing: true
  end

  def trust_level
    guardian.ensure_can_change_trust_level!(@user)
    level = params[:level].to_i


    if !@user.trust_level_locked && [0,1,2].include?(level) && Promotion.send("tl#{level+1}_met?", @user)
      @user.trust_level_locked = true
      @user.save
    end

    if !@user.trust_level_locked && level == 3 && Promotion.tl3_lost?(@user)
      @user.trust_level_locked = true
      @user.save
    end

    @user.change_trust_level!(level, log_action_for: current_user)

    render_serialized(@user, AdminUserSerializer)
  rescue Discourse::InvalidAccess => e
    render_json_error(e.message)
  end

  def trust_level_lock
    guardian.ensure_can_change_trust_level!(@user)

    new_lock = params[:locked].to_s
    unless new_lock =~ /true|false/
      return render_json_error I18n.t('errors.invalid_boolaen')
    end

    @user.trust_level_locked = new_lock == "true"
    @user.save

    unless @user.trust_level_locked
      p = Promotion.new(@user)
      2.times{ p.review }
      p.review_tl2
      if @user.trust_level == 3 && Promotion.tl3_lost?(@user)
        @user.change_trust_level!(2, log_action_for: current_user)
      end
    end

    render nothing: true
  end

  def approve
    guardian.ensure_can_approve!(@user)
    @user.approve(current_user)
    render nothing: true
  end

  def approve_bulk
    User.where(id: params[:users]).each do |u|
      u.approve(current_user) if guardian.can_approve?(u)
    end
    render nothing: true
  end

  def activate
    guardian.ensure_can_activate!(@user)
    @user.activate
    render nothing: true
  end

  def deactivate
    guardian.ensure_can_deactivate!(@user)
    @user.deactivate
    refresh_browser @user
    render nothing: true
  end

  def block
    guardian.ensure_can_block_user! @user
    UserBlocker.block(@user, current_user)
    render nothing: true
  end

  def unblock
    guardian.ensure_can_unblock_user! @user
    UserBlocker.unblock(@user, current_user)
    render nothing: true
  end

  def reject_bulk
    d = UserDestroyer.new(current_user)
    success_count = 0
    User.where(id: params[:users]).each do |u|
      success_count += 1 if guardian.can_delete_user?(u) and d.destroy(u, params.slice(:context)) rescue UserDestroyer::PostsExistError
    end
    render json: {success: success_count, failed: (params[:users].try(:size) || 0) - success_count}
  end

  def destroy
    user = User.find_by(id: params[:id].to_i)
    guardian.ensure_can_delete_user!(user)
    begin
      if UserDestroyer.new(current_user).destroy(user, params.slice(:delete_posts, :block_email, :block_urls, :block_ip, :context))
        render json: {deleted: true}
      else
        render json: {deleted: false, user: AdminDetailedUserSerializer.new(user, root: false).as_json}
      end
    rescue UserDestroyer::PostsExistError
      raise Discourse::InvalidAccess.new("User #{user.username} has #{user.post_count} posts, so can't be deleted.")
    end
  end

  def badges
  end

  def tl3_requirements
  end

  def ip_info
    params.require(:ip)
    ip = params[:ip]

    # should we cache results in redis?
    location = Excon.get("http://ipinfo.io/#{ip}/json", read_timeout: 30, connect_timeout: 30).body rescue nil

    render json: location
  end

  private

    def fetch_user
      @user = User.find_by(id: params[:user_id])
    end

    def refresh_browser(user)
      MessageBus.publish "/file-change", ["refresh"], user_ids: [user.id]
    end

end
Add ability to destroy a user with 0 posts 2013-04-11 16:04:20 -04:00			`require_dependency 'user_destroyer'`
extract Admin::UsersController#index to its own query class - move query to its own class - use postgres ILIKE case insensitive - removed duplicated list of trust levels 2013-06-19 12:11:04 -04:00			`require_dependency 'admin_user_index_query'`
Add ability to destroy a user with 0 posts 2013-04-11 16:04:20 -04:00
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`class Admin::UsersController < Admin::AdminController`

Used the term suspended instead of banned. 2013-11-07 13:53:32 -05:00			`before_filter :fetch_user, only: [:suspend,`
			`:unsuspend,`
Support for per-user API keys 2013-10-22 15:53:08 -04:00			`:refresh_browsers,`
FEATURE: log_out endpoint for admins 2014-06-05 23:02:52 -04:00			`:log_out,`
Support for per-user API keys 2013-10-22 15:53:08 -04:00			`:revoke_admin,`
			`:grant_admin,`
			`:revoke_moderation,`
			`:grant_moderation,`
			`:approve,`
			`:activate,`
			`:deactivate,`
			`:block,`
			`:unblock,`
			`:trust_level,`
FEATURE: Allow admins to lock users from TL3 promotion/demotion Also, update the display logic for the leader promotion screen to account for the demotion grace period. 2014-09-13 16:55:26 -04:00			`:trust_level_lock,`
Improved Group Member Management on User Administration Allows for a quick and easy group membership management on the user-administration page. Uses the select2 UI component to autosuggest other groups, remove existing ones and lock in automatic groups. 2014-07-13 14:11:38 -04:00			`:add_group,`
			`:remove_group,`
FEATURE: Admin selector to choose a primary group for a user, display it and apply a CSS class to their posts. 2014-02-10 16:59:36 -05:00			`:primary_group,`
Support for per-user API keys 2013-10-22 15:53:08 -04:00			`:generate_api_key,`
			`:revoke_api_key]`
Automatically flag someone as a spammer if their posts get at least X spam flags from N users while their trust level is 'new user'. Staff can clear and set this status from the user record in admin. 2013-05-31 11:41:40 -04:00
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`def index`
extract Admin::UsersController#index to its own query class - move query to its own class - use postgres ILIKE case insensitive - removed duplicated list of trust levels 2013-06-19 12:11:04 -04:00			`query = ::AdminUserIndexQuery.new(params)`
			`render_serialized(query.find_users, AdminUserSerializer)`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`

			`def show`
Perform the where(...).first to find_by(...) refactoring. This refactoring was automated using the command: bundle exec "ruby refactorings/where_dot_first_to_find_by/app.rb" 2014-05-06 09:41:59 -04:00			`@user = User.find_by(username_lower: params[:id])`
Raise 404 from Admin::UsersController#show if no user found [Fixes #353] 2013-03-05 17:02:23 -05:00			`raise Discourse::NotFound.new unless @user`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`render_serialized(@user, AdminDetailedUserSerializer, root: false)`
			`end`

added delete all posts button wired up the ability to enable all themes 2013-02-07 02:11:56 -05:00			`def delete_all_posts`
Perform the where(...).first to find_by(...) refactoring. This refactoring was automated using the command: bundle exec "ruby refactorings/where_dot_first_to_find_by/app.rb" 2014-05-06 09:41:59 -04:00			`@user = User.find_by(id: params[:user_id])`
added delete all posts button wired up the ability to enable all themes 2013-02-07 02:11:56 -05:00			`@user.delete_all_posts!(guardian)`
			`render nothing: true`
			`end`
Work in Progress: Content Editing in Admin Section 2013-04-04 12:59:44 -04:00
Used the term suspended instead of banned. 2013-11-07 13:53:32 -05:00			`def suspend`
			`guardian.ensure_can_suspend!(@user)`
			`@user.suspended_till = params[:duration].to_i.days.from_now`
			`@user.suspended_at = DateTime.now`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`@user.save!`
Used the term suspended instead of banned. 2013-11-07 13:53:32 -05:00			`StaffActionLogger.new(current_user).log_user_suspend(@user, params[:reason])`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`render nothing: true`
			`end`

Used the term suspended instead of banned. 2013-11-07 13:53:32 -05:00			`def unsuspend`
			`guardian.ensure_can_suspend!(@user)`
			`@user.suspended_till = nil`
			`@user.suspended_at = nil`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`@user.save!`
Used the term suspended instead of banned. 2013-11-07 13:53:32 -05:00			`StaffActionLogger.new(current_user).log_user_unsuspend(@user)`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`render nothing: true`
			`end`

FEATURE: log_out endpoint for admins 2014-06-05 23:02:52 -04:00			`def log_out`
			`@user.auth_token = nil`
			`@user.save!`
			`render nothing: true`
			`end`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`def refresh_browsers`
FIX: deactivated users shouldn't be able to log in 2014-04-28 13:46:28 -04:00			`refresh_browser @user`
add render nothing to refresh_browsers method 2013-03-23 17:37:37 -04:00			`render nothing: true`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`

			`def revoke_admin`
Automatically flag someone as a spammer if their posts get at least X spam flags from N users while their trust level is 'new user'. Staff can clear and set this status from the user record in admin. 2013-05-31 11:41:40 -04:00			`guardian.ensure_can_revoke_admin!(@user)`
			`@user.revoke_admin!`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`render nothing: true`
			`end`

Support for per-user API keys 2013-10-22 15:53:08 -04:00			`def generate_api_key`
			`api_key = @user.generate_api_key(current_user)`
			`render_serialized(api_key, ApiKeySerializer)`
			`end`

			`def revoke_api_key`
			`@user.revoke_api_key`
			`render nothing: true`
			`end`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`def grant_admin`
			`guardian.ensure_can_grant_admin!(@user)`
automatic group infrustructure 2013-05-06 00:49:56 -04:00			`@user.grant_admin!`
Fix all the trailing whitespace 2013-02-07 10:45:24 -05:00			`render_serialized(@user, AdminUserSerializer)`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`

Adds grant and revoke moderation buttons so admins can make users moderators 2013-02-12 17:58:08 -05:00			`def revoke_moderation`
Automatically flag someone as a spammer if their posts get at least X spam flags from N users while their trust level is 'new user'. Staff can clear and set this status from the user record in admin. 2013-05-31 11:41:40 -04:00			`guardian.ensure_can_revoke_moderation!(@user)`
			`@user.revoke_moderation!`
Adds grant and revoke moderation buttons so admins can make users moderators 2013-02-12 17:58:08 -05:00			`render nothing: true`
			`end`

			`def grant_moderation`
			`guardian.ensure_can_grant_moderation!(@user)`
automatic group infrustructure 2013-05-06 00:49:56 -04:00			`@user.grant_moderation!`
Adds grant and revoke moderation buttons so admins can make users moderators 2013-02-12 17:58:08 -05:00			`render_serialized(@user, AdminUserSerializer)`
			`end`

Improved Group Member Management on User Administration Allows for a quick and easy group membership management on the user-administration page. Uses the select2 UI component to autosuggest other groups, remove existing ones and lock in automatic groups. 2014-07-13 14:11:38 -04:00			`def add_group`
			`group = Group.find(params[:group_id].to_i)`
			`return render_json_error group unless group && !group.automatic`
			`group.users << @user`
			`render nothing: true`
			`end`

			`def remove_group`
			`group = Group.find(params[:group_id].to_i)`
			`return render_json_error group unless group && !group.automatic`
			`group.users.delete(@user)`
			`render nothing: true`
			`end`


FEATURE: Admin selector to choose a primary group for a user, display it and apply a CSS class to their posts. 2014-02-10 16:59:36 -05:00			`def primary_group`
			`guardian.ensure_can_change_primary_group!(@user)`
			`@user.primary_group_id = params[:primary_group_id]`
			`@user.save!`
			`render nothing: true`
			`end`

Back end - temporary boosting of trust levels 2013-07-03 04:27:40 -04:00			`def trust_level`
			`guardian.ensure_can_change_trust_level!(@user)`
FEATURE: implement lock/unlock trust level mechanics 2014-09-29 23:12:33 -04:00			`level = params[:level].to_i`


			`if !@user.trust_level_locked && [0,1,2].include?(level) && Promotion.send("tl#{level+1}_met?", @user)`
			`@user.trust_level_locked = true`
			`@user.save`
			`end`

			`if !@user.trust_level_locked && level == 3 && Promotion.tl3_lost?(@user)`
			`@user.trust_level_locked = true`
			`@user.save`
			`end`

			`@user.change_trust_level!(level, log_action_for: current_user)`
BUGFIX: trust_level_0 group not including trust_level_1 BUGFIX: manual trust level change not adding user to groups BUGFIX: system not in correct trust level groups 2014-06-16 20:46:30 -04:00
Back end - temporary boosting of trust levels 2013-07-03 04:27:40 -04:00			`render_serialized(@user, AdminUserSerializer)`
FIX: Display proper error message when changing a trust level fails 2014-07-29 15:54:20 -04:00			`rescue Discourse::InvalidAccess => e`
			`render_json_error(e.message)`
Back end - temporary boosting of trust levels 2013-07-03 04:27:40 -04:00			`end`

FEATURE: Allow admins to lock users from TL3 promotion/demotion Also, update the display logic for the leader promotion screen to account for the demotion grace period. 2014-09-13 16:55:26 -04:00			`def trust_level_lock`
			`guardian.ensure_can_change_trust_level!(@user)`

FEATURE: implement lock/unlock trust level mechanics 2014-09-29 23:12:33 -04:00			`new_lock = params[:locked].to_s`
			`unless new_lock =~ /true\|false/`
FEATURE: Allow admins to lock users from TL3 promotion/demotion Also, update the display logic for the leader promotion screen to account for the demotion grace period. 2014-09-13 16:55:26 -04:00			`return render_json_error I18n.t('errors.invalid_boolaen')`
			`end`

FEATURE: implement lock/unlock trust level mechanics 2014-09-29 23:12:33 -04:00			`@user.trust_level_locked = new_lock == "true"`
FEATURE: Allow admins to lock users from TL3 promotion/demotion Also, update the display logic for the leader promotion screen to account for the demotion grace period. 2014-09-13 16:55:26 -04:00			`@user.save`
FEATURE: implement lock/unlock trust level mechanics 2014-09-29 23:12:33 -04:00
			`unless @user.trust_level_locked`
			`p = Promotion.new(@user)`
			`2.times{ p.review }`
			`p.review_tl2`
			`if @user.trust_level == 3 && Promotion.tl3_lost?(@user)`
			`@user.change_trust_level!(2, log_action_for: current_user)`
			`end`
			`end`

FEATURE: Allow admins to lock users from TL3 promotion/demotion Also, update the display logic for the leader promotion screen to account for the demotion grace period. 2014-09-13 16:55:26 -04:00			`render nothing: true`
			`end`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`def approve`
			`guardian.ensure_can_approve!(@user)`
			`@user.approve(current_user)`
			`render nothing: true`
			`end`

			`def approve_bulk`
			`User.where(id: params[:users]).each do \|u\|`
			`u.approve(current_user) if guardian.can_approve?(u)`
			`end`
			`render nothing: true`
			`end`

Add ability for admins and mods to send another activation email to a user, to activate an account, and deactivate an account 2013-05-07 21:58:34 -04:00			`def activate`
			`guardian.ensure_can_activate!(@user)`
			`@user.activate`
			`render nothing: true`
			`end`

			`def deactivate`
			`guardian.ensure_can_deactivate!(@user)`
			`@user.deactivate`
FIX: deactivated users shouldn't be able to log in 2014-04-28 13:46:28 -04:00			`refresh_browser @user`
Add ability for admins and mods to send another activation email to a user, to activate an account, and deactivate an account 2013-05-07 21:58:34 -04:00			`render nothing: true`
			`end`

Automatically flag someone as a spammer if their posts get at least X spam flags from N users while their trust level is 'new user'. Staff can clear and set this status from the user record in admin. 2013-05-31 11:41:40 -04:00			`def block`
			`guardian.ensure_can_block_user! @user`
Refactor user blocking code; hide the Block button in admin 2013-07-02 14:42:30 -04:00			`UserBlocker.block(@user, current_user)`
Automatically flag someone as a spammer if their posts get at least X spam flags from N users while their trust level is 'new user'. Staff can clear and set this status from the user record in admin. 2013-05-31 11:41:40 -04:00			`render nothing: true`
			`end`

			`def unblock`
			`guardian.ensure_can_unblock_user! @user`
Refactor user blocking code; hide the Block button in admin 2013-07-02 14:42:30 -04:00			`UserBlocker.unblock(@user, current_user)`
Automatically flag someone as a spammer if their posts get at least X spam flags from N users while their trust level is 'new user'. Staff can clear and set this status from the user record in admin. 2013-05-31 11:41:40 -04:00			`render nothing: true`
			`end`

Add reject option to pending users page 2013-08-16 11:42:24 -04:00			`def reject_bulk`
			`d = UserDestroyer.new(current_user)`
			`success_count = 0`
			`User.where(id: params[:users]).each do \|u\|`
			`success_count += 1 if guardian.can_delete_user?(u) and d.destroy(u, params.slice(:context)) rescue UserDestroyer::PostsExistError`
			`end`
			`render json: {success: success_count, failed: (params[:users].try(:size) \|\| 0) - success_count}`
			`end`

Add ability to destroy a user with 0 posts 2013-04-11 16:04:20 -04:00			`def destroy`
FEATURE: flag dispositions normalization All flags should end up in one of the three dispositions - Agree - Disagree - Defer In the administration area, the active flags section displays 4 buttons - Agree (hide post + send PM) - Disagree - Defer - Delete Clicking "Delete" will open a modal that offer to - Delete Post & Defer Flags - Delete Post & Agree with Flags - Delete Spammer (if available) When the flag has a list associated, the list will now display 1 response and 1 reply and a "show more..." link if there are more in the conversation. Replying to the conversation will NOT give a disposition. Moderators must click the buttons that does that. If someone clicks one buttons, this will add a default moderator message from that moderator saying what happened. The old flags section now displays the proper dispositions and is super duper fast (no more N+9999 queries). FIX: the old list includes deleted topics FIX: the lists now properly display the topic states (deleted, closed, archived, hidden, PM) FIX: flagging a topic that you've already flagged the first post 2014-07-28 13:17:37 -04:00			`user = User.find_by(id: params[:id].to_i)`
Add ability to destroy a user with 0 posts 2013-04-11 16:04:20 -04:00			`guardian.ensure_can_delete_user!(user)`
add a way to delete posts and topics when deleting a user with UserDestroyer 2013-07-24 13:48:55 -04:00			`begin`
Add screening by IP address. When deleting a user as a spammer, block all signups from the same IP address. 2013-10-21 14:49:51 -04:00			`if UserDestroyer.new(current_user).destroy(user, params.slice(:delete_posts, :block_email, :block_urls, :block_ip, :context))`
add a way to delete posts and topics when deleting a user with UserDestroyer 2013-07-24 13:48:55 -04:00			`render json: {deleted: true}`
			`else`
			`render json: {deleted: false, user: AdminDetailedUserSerializer.new(user, root: false).as_json}`
			`end`
			`rescue UserDestroyer::PostsExistError`
			`raise Discourse::InvalidAccess.new("User #{user.username} has #{user.post_count} posts, so can't be deleted.")`
Add ability to destroy a user with 0 posts 2013-04-11 16:04:20 -04:00			`end`
			`end`
Initial release of Discourse 2013-02-05 14:16:51 -05:00
Interface for granting/revoking badges from admin user page. 2014-03-19 10:27:21 -04:00			`def badges`
			`end`

Rename 'leader' -> 'tl3' 2014-09-24 20:19:26 -04:00			`def tl3_requirements`
More work on trust level 3 requirements page 2014-01-23 16:40:10 -05:00			`end`

BUGFIX: IP lookup wasn't working when using HTTPS REFACTOR: the ip locator into a ip-lookup component 2014-07-07 16:18:18 -04:00			`def ip_info`
			`params.require(:ip)`
			`ip = params[:ip]`

			`# should we cache results in redis?`
			`location = Excon.get("http://ipinfo.io/#{ip}/json", read_timeout: 30, connect_timeout: 30).body rescue nil`

			`render json: location`
			`end`
Automatically flag someone as a spammer if their posts get at least X spam flags from N users while their trust level is 'new user'. Staff can clear and set this status from the user record in admin. 2013-05-31 11:41:40 -04:00
			`private`

			`def fetch_user`
Perform the where(...).first to find_by(...) refactoring. This refactoring was automated using the command: bundle exec "ruby refactorings/where_dot_first_to_find_by/app.rb" 2014-05-06 09:41:59 -04:00			`@user = User.find_by(id: params[:user_id])`
Automatically flag someone as a spammer if their posts get at least X spam flags from N users while their trust level is 'new user'. Staff can clear and set this status from the user record in admin. 2013-05-31 11:41:40 -04:00			`end`

FIX: deactivated users shouldn't be able to log in 2014-04-28 13:46:28 -04:00			`def refresh_browser(user)`
			`MessageBus.publish "/file-change", ["refresh"], user_ids: [user.id]`
			`end`

Add ability to destroy a user with 0 posts 2013-04-11 16:04:20 -04:00			`end`