Commit a5481993 authored by poslovitch's avatar poslovitch

Added Modify User (admin only) route

parent 6e102fa0
......@@ -248,7 +248,7 @@ $app->get('/api/users/{username}', function( Request $request, Response $respons
$token = get_token_infos($request);
if (!$token->admin) {
// response : 403 : not Found
// response : 403 : denied
$response->getBody()->write('{"error": {"msg": "Access denied."}}');
return $response->withHeader('Content-Type', 'application/json')->withStatus(403);
}
......@@ -284,6 +284,93 @@ $app->get('/api/users/{username}', function( Request $request, Response $respons
return $response->withHeader('Content-Type', 'application/json')->withStatus(200);
});
/**
* Modify User : admin only (see documentation)
*/
$app->put('/api/users/{username}', function( Request $request, Response $response){
$token = get_token_infos($request);
$username = $request->getAttribute('username');
if (!$token->admin) {
// response : 403 : denied
$response->getBody()->write('{"error": {"msg": "Access denied."}}');
return $response->withHeader('Content-Type', 'application/json')->withStatus(403);
}
$dbconn = new DB\DBConnection();
// Check user exists in database
try {
$db = $dbconn->connect();
// query
$sql = "SELECT * FROM users WHERE (username='" . $username . "')";
$stmt = $db->query( $sql );
$users = $stmt->fetchAll( PDO::FETCH_OBJ );
$db = null; // clear db object
// Check if the user does not exist
if (sizeof($users) != 1) {
// response : 404 : not Found
$response->getBody()->write('{"error": {"msg": "Could not find user."}}');
return $response->withHeader('Content-Type', 'application/json')->withStatus(404);
}
$user = $users[0];
}
catch( PDOException $e ) {
echo $e;
// response : 500 : PDO Error (DB)
$response->getBody()->write('{"error": {"msg": "' . $e->getMessage() . '"}}');
return $response->withHeader('Content-Type', 'application/json')->withStatus(500);
}
// The user exists
// Prevent the user from modyfing their id or username
if (array_key_exists("id", $request->getParsedBody()) || array_key_exists("username", $request->getParsedBody())) {
// response : 400 : Bad Request
$response->getBody()->write('{"error": {"msg": "Cannot modify ID or Username"}}');
return $response->withHeader('Content-Type', 'application/json')->withStatus(400);
}
// Prevent having an empty array
if (sizeof($request->getParsedBody()) == 0) {
// response : 400 : Bad Request
$response->getBody()->write('{"error": {"msg": "No changes were requested"}}');
return $response->withHeader('Content-Type', 'application/json')->withStatus(400);
}
// On forge la requête sql
$sql = "UPDATE users SET";
if (array_key_exists("first_name", $request->getParsedBody())) {
$sql = $sql . " first_name='" . $request->getParsedBody()["first_name"] . "',"; //FIXME: les virgules ou les espaces?
}
if (array_key_exists("last_name", $request->getParsedBody())) {
$sql = $sql . " last_name='" . $request->getParsedBody()["last_name"] . "'";
}
if (array_key_exists("password", $request->getParsedBody())) {
$sql = $sql . " password='" . $request->getParsedBody()["password"] . "'";
}
$sql = $sql . " WHERE (id='" . $user->id . "')";
// Apply the change
try {
$db = $dbconn->connect();
$stmt = $db->query( $sql );
$db = null; // clear db object
}
catch( PDOException $e ) {
echo $e;
// response : 500 : PDO Error (DB)
$response->getBody()->write('{"error": {"msg": "' . $e->getMessage() . '"}}');
return $response->withHeader('Content-Type', 'application/json')->withStatus(500);
}
// response : 200 : OK
return $response->withHeader('Content-Type', 'application/json')->withStatus(200);
});
/**
* Function which parse token, decode user infos from this token and Throws
* UnauthenticatedException if Authentication Issue.