diff options
Diffstat (limited to 'models/user/search.go')
-rw-r--r-- | models/user/search.go | 178 |
1 files changed, 178 insertions, 0 deletions
diff --git a/models/user/search.go b/models/user/search.go new file mode 100644 index 00000000..04c434e4 --- /dev/null +++ b/models/user/search.go @@ -0,0 +1,178 @@ +// Copyright 2021 The Gitea Authors. All rights reserved. +// SPDX-License-Identifier: MIT + +package user + +import ( + "context" + "fmt" + "strings" + + "code.gitea.io/gitea/models/db" + "code.gitea.io/gitea/modules/container" + "code.gitea.io/gitea/modules/optional" + "code.gitea.io/gitea/modules/structs" + + "xorm.io/builder" + "xorm.io/xorm" +) + +// SearchUserOptions contains the options for searching +type SearchUserOptions struct { + db.ListOptions + + Keyword string + Type UserType + UID int64 + LoginName string // this option should be used only for admin user + SourceID int64 // this option should be used only for admin user + OrderBy db.SearchOrderBy + Visible []structs.VisibleType + Actor *User // The user doing the search + SearchByEmail bool // Search by email as well as username/full name + + SupportedSortOrders container.Set[string] // if not nil, only allow to use the sort orders in this set + + IsActive optional.Option[bool] + IsAdmin optional.Option[bool] + IsRestricted optional.Option[bool] + IsTwoFactorEnabled optional.Option[bool] + IsProhibitLogin optional.Option[bool] + IncludeReserved bool + + ExtraParamStrings map[string]string +} + +func (opts *SearchUserOptions) toSearchQueryBase(ctx context.Context) *xorm.Session { + var cond builder.Cond + if opts.Type == UserTypeIndividual { + cond = builder.In("type", UserTypeIndividual, UserTypeRemoteUser) + } else { + cond = builder.Eq{"type": opts.Type} + } + if opts.IncludeReserved { + if opts.Type == UserTypeIndividual { + cond = cond.Or(builder.Eq{"type": UserTypeUserReserved}).Or( + builder.Eq{"type": UserTypeBot}, + ).Or( + builder.Eq{"type": UserTypeRemoteUser}, + ) + } else if opts.Type == UserTypeOrganization { + cond = cond.Or(builder.Eq{"type": UserTypeOrganizationReserved}) + } + } + + if len(opts.Keyword) > 0 { + lowerKeyword := strings.ToLower(opts.Keyword) + keywordCond := builder.Or( + builder.Like{"lower_name", lowerKeyword}, + builder.Like{"LOWER(full_name)", lowerKeyword}, + ) + if opts.SearchByEmail { + keywordCond = keywordCond.Or(builder.Like{"LOWER(email)", lowerKeyword}) + } + + cond = cond.And(keywordCond) + } + + // If visibility filtered + if len(opts.Visible) > 0 { + cond = cond.And(builder.In("visibility", opts.Visible)) + } + + cond = cond.And(BuildCanSeeUserCondition(opts.Actor)) + + if opts.UID > 0 { + cond = cond.And(builder.Eq{"id": opts.UID}) + } + + if opts.SourceID > 0 { + cond = cond.And(builder.Eq{"login_source": opts.SourceID}) + } + if opts.LoginName != "" { + cond = cond.And(builder.Eq{"login_name": opts.LoginName}) + } + + if opts.IsActive.Has() { + cond = cond.And(builder.Eq{"is_active": opts.IsActive.Value()}) + } + + if opts.IsAdmin.Has() { + cond = cond.And(builder.Eq{"is_admin": opts.IsAdmin.Value()}) + } + + if opts.IsRestricted.Has() { + cond = cond.And(builder.Eq{"is_restricted": opts.IsRestricted.Value()}) + } + + if opts.IsProhibitLogin.Has() { + cond = cond.And(builder.Eq{"prohibit_login": opts.IsProhibitLogin.Value()}) + } + + e := db.GetEngine(ctx) + if !opts.IsTwoFactorEnabled.Has() { + return e.Where(cond) + } + + // 2fa filter uses LEFT JOIN to check whether a user has a 2fa record + // While using LEFT JOIN, sometimes the performance might not be good, but it won't be a problem now, such SQL is seldom executed. + // There are some possible methods to refactor this SQL in future when we really need to optimize the performance (but not now): + // (1) add a column in user table (2) add a setting value in user_setting table (3) use search engines (bleve/elasticsearch) + if opts.IsTwoFactorEnabled.Value() { + cond = cond.And(builder.Expr("two_factor.uid IS NOT NULL")) + } else { + cond = cond.And(builder.Expr("two_factor.uid IS NULL")) + } + + return e.Join("LEFT OUTER", "two_factor", "two_factor.uid = `user`.id"). + Where(cond) +} + +// SearchUsers takes options i.e. keyword and part of user name to search, +// it returns results in given range and number of total results. +func SearchUsers(ctx context.Context, opts *SearchUserOptions) (users []*User, _ int64, _ error) { + sessCount := opts.toSearchQueryBase(ctx) + defer sessCount.Close() + count, err := sessCount.Count(new(User)) + if err != nil { + return nil, 0, fmt.Errorf("count: %w", err) + } + + if len(opts.OrderBy) == 0 { + opts.OrderBy = db.SearchOrderByAlphabetically + } + + sessQuery := opts.toSearchQueryBase(ctx).OrderBy(opts.OrderBy.String()) + defer sessQuery.Close() + if opts.PageSize > 0 { + sessQuery = db.SetSessionPagination(sessQuery, opts) + } + + // the sql may contain JOIN, so we must only select User related columns + sessQuery = sessQuery.Select("`user`.*") + users = make([]*User, 0, opts.PageSize) + return users, count, sessQuery.Find(&users) +} + +// BuildCanSeeUserCondition creates a condition which can be used to restrict results to users/orgs the actor can see +func BuildCanSeeUserCondition(actor *User) builder.Cond { + if actor != nil { + // If Admin - they see all users! + if !actor.IsAdmin { + // Users can see an organization they are a member of + cond := builder.In("`user`.id", builder.Select("org_id").From("org_user").Where(builder.Eq{"uid": actor.ID})) + if !actor.IsRestricted { + // Not-Restricted users can see public and limited users/organizations + cond = cond.Or(builder.In("`user`.visibility", structs.VisibleTypePublic, structs.VisibleTypeLimited)) + } + // Don't forget about self + return cond.Or(builder.Eq{"`user`.id": actor.ID}) + } + + return nil + } + + // Force visibility for privacy + // Not logged in - only public users + return builder.In("`user`.visibility", structs.VisibleTypePublic) +} |