controllers: add new /api/v1/users/:user_id/admin route

This provides an admin-only view of a user, including otherwise
sensitive information such as their e-mail address and account lock
status.

Author: LawnGnome

src/controllers/user.rs

@@ -1,3 +1,4 @@
+pub mod admin;
 pub mod email_notifications;
 pub mod email_verification;
 pub mod me;

src/controllers/user/admin.rs

@@ -0,0 +1,75 @@
+use axum::{extract::Path, Json};
+use crates_io_database::schema::{emails, users};
+use diesel::{pg::Pg, prelude::*};
+use diesel_async::{AsyncConnection, RunQueryDsl};
+use http::request::Parts;
+
+use crate::{
+    app::AppState, auth::AuthCheck, models::User, sql::lower, util::errors::AppResult,
+    views::EncodableAdminUser,
+};
+
+/// Find user by login, returning the admin's view of the user.
+///
+/// Only site admins can use this endpoint.
+#[utoipa::path(
+    get,
+    path = "/api/v1/users/{user}/admin",
+    params(
+        ("user" = String, Path, description = "Login name of the user"),
+    ),
+    tags = ["admin", "users"],
+    responses((status = 200, description = "Successful Response")),
+)]
+pub async fn get(
+    state: AppState,
+    Path(user_name): Path<String>,
+    req: Parts,
+) -> AppResult<Json<EncodableAdminUser>> {
+    let mut conn = state.db_read_prefer_primary().await?;
+    AuthCheck::only_cookie()
+        .require_admin()
+        .check(&req, &mut conn)
+        .await?;
+
+    get_user(
+        |query| query.filter(lower(users::gh_login).eq(lower(user_name))),
+        &mut conn,
+    )
+    .await
+    .map(Json)
+}
+
+/// A helper to get an [`EncodableAdminUser`] based on whatever filter predicate
+/// is provided in the callback.
+///
+/// It would be ill advised to do anything in `filter` other than calling
+/// [`QueryDsl::filter`] on the given query, but I'm not the boss of you.
+async fn get_user<Conn, F>(filter: F, conn: &mut Conn) -> AppResult<EncodableAdminUser>
+where
+    Conn: AsyncConnection<Backend = Pg>,
+    F: FnOnce(users::BoxedQuery<'_, Pg>) -> users::BoxedQuery<'_, Pg>,
+{
+    let query = filter(users::table.into_boxed());
+
+    let (user, verified, email, verification_sent): (User, Option<bool>, Option<String>, bool) =
+        query
+            .left_join(emails::table)
+            .select((
+                User::as_select(),
+                emails::verified.nullable(),
+                emails::email.nullable(),
+                emails::token_generated_at.nullable().is_not_null(),
+            ))
+            .first(conn)
+            .await?;
+
+    let verified = verified.unwrap_or(false);
+    let verification_sent = verified || verification_sent;
+    Ok(EncodableAdminUser::from(
+        user,
+        email,
+        verified,
+        verification_sent,
+    ))
+}

src/router.rs

@@ -61,6 +61,7 @@ pub fn build_axum_router(state: AppState) -> Router<()> {
         .routes(routes!(team::find_team))
         .routes(routes!(user::me::get_authenticated_user))
         .routes(routes!(user::me::get_authenticated_user_updates))
+        .routes(routes!(user::admin::get))
         .routes(routes!(token::list_api_tokens, token::create_api_token))
         .routes(routes!(token::find_api_token, token::revoke_api_token))
         .routes(routes!(token::revoke_current_api_token))

src/snapshots/crates_io__openapi__tests__openapi_snapshot.snap

@@ -1,7 +1,6 @@
 ---
 source: src/openapi.rs
 expression: response.json()
-snapshot_kind: text
 ---
 {
   "components": {},
@@ -1650,6 +1649,33 @@ snapshot_kind: text
           "users"
         ]
       }
+    },
+    "/api/v1/users/{user}/admin": {
+      "get": {
+        "description": "Only site admins can use this endpoint.",
+        "operationId": "get",
+        "parameters": [
+          {
+            "description": "Login name of the user",
+            "in": "path",
+            "name": "user",
+            "required": true,
+            "schema": {
+              "type": "string"
+            }
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Successful Response"
+          }
+        },
+        "summary": "Find user by login, returning the admin's view of the user.",
+        "tags": [
+          "admin",
+          "users"
+        ]
+      }
     }
   },
   "servers": [

src/tests/routes/users/admin.rs

@@ -0,0 +1,45 @@
+use http::StatusCode;
+use insta::{assert_json_snapshot, assert_snapshot};
+
+use crate::tests::util::{RequestHelper, TestApp};
+
+mod get {
+    use super::*;
+
+    #[tokio::test(flavor = "multi_thread")]
+    async fn get() {
+        let (app, anon, user) = TestApp::init().with_user().await;
+        let admin = app.db_new_admin_user("admin").await;
+
+        // Anonymous users should be forbidden.
+        let response = anon.get::<()>("/api/v1/users/foo/admin").await;
+        assert_eq!(response.status(), StatusCode::FORBIDDEN);
+        assert_snapshot!("anonymous-found", response.text());
+
+        let response = anon.get::<()>("/api/v1/users/bar/admin").await;
+        assert_eq!(response.status(), StatusCode::FORBIDDEN);
+        assert_snapshot!("anonymous-not-found", response.text());
+
+        // Regular users should also be forbidden, even if they're requesting
+        // themself.
+        let response = user.get::<()>("/api/v1/users/foo/admin").await;
+        assert_eq!(response.status(), StatusCode::FORBIDDEN);
+        assert_snapshot!("non-admin-found", response.text());
+
+        let response = user.get::<()>("/api/v1/users/bar/admin").await;
+        assert_eq!(response.status(), StatusCode::FORBIDDEN);
+        assert_snapshot!("non-admin-not-found", response.text());
+
+        // Admin users are allowed, but still can't manifest users who don't
+        // exist.
+        let response = admin.get::<()>("/api/v1/users/bar/admin").await;
+        assert_eq!(response.status(), StatusCode::NOT_FOUND);
+        assert_snapshot!("admin-not-found", response.text());
+
+        // Admin users are allowed, and should get an admin's eye view of the
+        // requested user.
+        let response = admin.get::<()>("/api/v1/users/foo/admin").await;
+        assert_eq!(response.status(), StatusCode::OK);
+        assert_json_snapshot!("admin-found", response.json());
+    }
+}

src/tests/routes/users/mod.rs

@@ -1,3 +1,4 @@
+mod admin;
 mod read;
 mod stats;
 pub mod update;

src/tests/routes/users/snapshots/crates_io__tests__routes__users__admin__get__admin-found.snap

@@ -0,0 +1,17 @@
+---
+source: src/tests/routes/users/admin.rs
+expression: response.json()
+---
+{
+  "avatar": null,
+  "email": "[email protected]",
+  "email_verification_sent": true,
+  "email_verified": true,
+  "id": 1,
+  "is_admin": false,
+  "lock": null,
+  "login": "foo",
+  "name": null,
+  "publish_notifications": true,
+  "url": "https://github.com/foo"
+}

src/tests/routes/users/snapshots/crates_io__tests__routes__users__admin__get__admin-not-found.snap

@@ -0,0 +1,5 @@
+---
+source: src/tests/routes/users/admin.rs
+expression: response.text()
+---
+{"errors":[{"detail":"Not Found"}]}

src/tests/routes/users/snapshots/crates_io__tests__routes__users__admin__get__anonymous-found.snap

@@ -0,0 +1,5 @@
+---
+source: src/tests/routes/users/admin.rs
+expression: response.text()
+---
+{"errors":[{"detail":"this action requires authentication"}]}

src/tests/routes/users/snapshots/crates_io__tests__routes__users__admin__get__anonymous-not-found.snap

@@ -0,0 +1,5 @@
+---
+source: src/tests/routes/users/admin.rs
+expression: response.text()
+---
+{"errors":[{"detail":"this action requires authentication"}]}