mattermost/server/channels/api4/view.go

// Copyright (c) 2015-present Mattermost, Inc. All Rights Reserved.
// See LICENSE.txt for license information.

package api4

import (
	"encoding/json"
	"net/http"

	"github.com/mattermost/mattermost/server/public/model"
	"github.com/mattermost/mattermost/server/public/shared/mlog"
)

func (api *API) InitView() {
	if api.srv.Config().FeatureFlags.IntegratedBoards {
		api.BaseRoutes.ChannelViews.Handle("", api.APISessionRequired(createView)).Methods(http.MethodPost)
		api.BaseRoutes.ChannelViews.Handle("", api.APISessionRequired(getViewsForChannel)).Methods(http.MethodGet)
		api.BaseRoutes.ChannelView.Handle("", api.APISessionRequired(getView)).Methods(http.MethodGet)
		api.BaseRoutes.ChannelView.Handle("", api.APISessionRequired(updateView)).Methods(http.MethodPatch)
		api.BaseRoutes.ChannelView.Handle("", api.APISessionRequired(deleteView)).Methods(http.MethodDelete)
		api.BaseRoutes.ChannelView.Handle("/sort_order", api.APISessionRequired(updateViewSortOrder)).Methods(http.MethodPost)
		api.BaseRoutes.ChannelViewPosts.Handle("", api.APISessionRequired(getPostsForView)).Methods(http.MethodGet)
	}
}

func createView(c *Context, w http.ResponseWriter, r *http.Request) {
	connectionID := r.Header.Get(model.ConnectionId)

	c.RequireChannelId()
	if c.Err != nil {
		return
	}

	var view *model.View
	if err := json.NewDecoder(r.Body).Decode(&view); err != nil || view == nil {
		c.SetInvalidParamWithErr("view", err)
		return
	}

	channel, appErr := c.App.GetChannel(c.AppContext, c.Params.ChannelId)
	if appErr != nil {
		c.Err = appErr
		return
	}

	if channel.DeleteAt != 0 {
		c.Err = model.NewAppError("createView", "api.view.create.deleted_channel.app_error", nil, "channel has been deleted", http.StatusNotFound)
		return
	}

	view.ChannelId = c.Params.ChannelId
	view.CreatorId = c.AppContext.Session().UserId

	auditRec := c.MakeAuditRecord(model.AuditEventCreateView, model.AuditStatusFail)
	defer c.LogAuditRec(auditRec)
	model.AddEventParameterAuditableToAuditRec(auditRec, "view", view)

	if !checkViewWritePermission(c, channel) {
		return
	}

	created, appErr := c.App.CreateView(c.AppContext, view, connectionID)
	if appErr != nil {
		c.Err = appErr
		return
	}

	auditRec.Success()
	auditRec.AddEventResultState(created)
	auditRec.AddEventObjectType("view")
	c.LogAudit("")

	w.WriteHeader(http.StatusCreated)
	if err := json.NewEncoder(w).Encode(created); err != nil {
		c.Logger.Warn("Error while writing response", mlog.Err(err))
	}
}

func getViewsForChannel(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireChannelId()
	if c.Err != nil {
		return
	}

	channel, appErr := c.App.GetChannel(c.AppContext, c.Params.ChannelId)
	if appErr != nil {
		c.Err = appErr
		return
	}

	if channel.DeleteAt != 0 {
		c.Err = model.NewAppError("getViewsForChannel", "api.view.list.deleted_channel.app_error", nil, "channel has been deleted", http.StatusNotFound)
		return
	}

	hasPermission, isMember := c.App.SessionHasPermissionToReadChannel(c.AppContext, *c.AppContext.Session(), channel)
	if !hasPermission {
		c.SetPermissionError(model.PermissionReadChannelContent)
		return
	}

	auditRec := c.MakeAuditRecord(model.AuditEventListViewsForChannel, model.AuditStatusSuccess)
	defer c.LogAuditRec(auditRec)
	model.AddEventParameterToAuditRec(auditRec, "channel_id", c.Params.ChannelId)
	if !isMember {
		model.AddEventParameterToAuditRec(auditRec, "non_channel_member_access", true)
	}

	opts := model.ViewQueryOpts{
		Page:    c.Params.Page,
		PerPage: c.Params.PerPage,
	}

	views, appErr := c.App.GetViewsForChannel(c.AppContext, c.Params.ChannelId, opts)
	if appErr != nil {
		c.Err = appErr
		return
	}

	if c.Params.IncludeTotalCount {
		totalCount, appErr := c.App.GetViewsCountForChannel(c.AppContext, c.Params.ChannelId, opts)
		if appErr != nil {
			c.Err = appErr
			return
		}
		vwc := &model.ViewsWithCount{
			Views:      views,
			TotalCount: totalCount,
		}
		if err := json.NewEncoder(w).Encode(vwc); err != nil {
			c.Logger.Warn("Error while writing response", mlog.Err(err))
		}
		return
	}

	if err := json.NewEncoder(w).Encode(views); err != nil {
		c.Logger.Warn("Error while writing response", mlog.Err(err))
	}
}

func getView(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireChannelId().RequireViewId()
	if c.Err != nil {
		return
	}

	channel, appErr := c.App.GetChannel(c.AppContext, c.Params.ChannelId)
	if appErr != nil {
		c.Err = appErr
		return
	}

	if channel.DeleteAt != 0 {
		c.Err = model.NewAppError("getView", "api.view.get.deleted_channel.app_error", nil, "channel has been deleted", http.StatusNotFound)
		return
	}

	hasPermission, isMember := c.App.SessionHasPermissionToReadChannel(c.AppContext, *c.AppContext.Session(), channel)
	if !hasPermission {
		c.SetPermissionError(model.PermissionReadChannelContent)
		return
	}

	auditRec := c.MakeAuditRecord(model.AuditEventGetView, model.AuditStatusSuccess)
	defer c.LogAuditRec(auditRec)
	model.AddEventParameterToAuditRec(auditRec, "view_id", c.Params.ViewId)
	if !isMember {
		model.AddEventParameterToAuditRec(auditRec, "non_channel_member_access", true)
	}

	view, appErr := c.App.GetView(c.AppContext, c.Params.ViewId)
	if appErr != nil {
		c.Err = appErr
		return
	}

	if view.ChannelId != c.Params.ChannelId {
		c.Err = model.NewAppError("getView", "api.view.get.channel_mismatch.app_error", nil, "", http.StatusNotFound)
		return
	}

	auditRec.AddEventResultState(view)
	auditRec.AddEventObjectType("view")

	if err := json.NewEncoder(w).Encode(view); err != nil {
		c.Logger.Warn("Error while writing response", mlog.Err(err))
	}
}

func updateView(c *Context, w http.ResponseWriter, r *http.Request) {
	connectionID := r.Header.Get(model.ConnectionId)

	c.RequireChannelId().RequireViewId()
	if c.Err != nil {
		return
	}

	var patch *model.ViewPatch
	if err := json.NewDecoder(r.Body).Decode(&patch); err != nil || patch == nil {
		c.SetInvalidParamWithErr("viewPatch", err)
		return
	}

	channel, appErr := c.App.GetChannel(c.AppContext, c.Params.ChannelId)
	if appErr != nil {
		c.Err = appErr
		return
	}

	if channel.DeleteAt != 0 {
		c.Err = model.NewAppError("updateView", "api.view.update.deleted_channel.app_error", nil, "channel has been deleted", http.StatusNotFound)
		return
	}

	auditRec := c.MakeAuditRecord(model.AuditEventUpdateView, model.AuditStatusFail)
	defer c.LogAuditRec(auditRec)
	model.AddEventParameterToAuditRec(auditRec, "view_id", c.Params.ViewId)

	if !checkViewWritePermission(c, channel) {
		return
	}

	view, appErr := c.App.GetView(c.AppContext, c.Params.ViewId)
	if appErr != nil {
		c.Err = appErr
		return
	}

	if view.ChannelId != c.Params.ChannelId {
		c.Err = model.NewAppError("updateView", "api.view.update.channel_mismatch.app_error", nil, "", http.StatusNotFound)
		return
	}

	auditRec.AddEventPriorState(view.Clone())

	updated, appErr := c.App.UpdateView(c.AppContext, view, patch, connectionID)
	if appErr != nil {
		c.Err = appErr
		return
	}

	auditRec.Success()
	auditRec.AddEventResultState(updated)
	auditRec.AddEventObjectType("view")
	c.LogAudit("")

	if err := json.NewEncoder(w).Encode(updated); err != nil {
		c.Logger.Warn("Error while writing response", mlog.Err(err))
	}
}

func deleteView(c *Context, w http.ResponseWriter, r *http.Request) {
	connectionID := r.Header.Get(model.ConnectionId)

	c.RequireChannelId().RequireViewId()
	if c.Err != nil {
		return
	}

	channel, appErr := c.App.GetChannel(c.AppContext, c.Params.ChannelId)
	if appErr != nil {
		c.Err = appErr
		return
	}

	if channel.DeleteAt != 0 {
		c.Err = model.NewAppError("deleteView", "api.view.delete.deleted_channel.app_error", nil, "channel has been deleted", http.StatusNotFound)
		return
	}

	auditRec := c.MakeAuditRecord(model.AuditEventDeleteView, model.AuditStatusFail)
	defer c.LogAuditRec(auditRec)
	model.AddEventParameterToAuditRec(auditRec, "view_id", c.Params.ViewId)

	if !checkViewWritePermission(c, channel) {
		return
	}

	view, appErr := c.App.GetView(c.AppContext, c.Params.ViewId)
	if appErr != nil {
		c.Err = appErr
		return
	}

	if view.ChannelId != c.Params.ChannelId {
		c.Err = model.NewAppError("deleteView", "api.view.delete.channel_mismatch.app_error", nil, "", http.StatusNotFound)
		return
	}

	auditRec.AddEventPriorState(view)

	if appErr := c.App.DeleteView(c.AppContext, view, connectionID); appErr != nil {
		c.Err = appErr
		return
	}

	auditRec.Success()
	auditRec.AddEventResultState(view)
	auditRec.AddEventObjectType("view")
	c.LogAudit("")

	ReturnStatusOK(w)
}

func updateViewSortOrder(c *Context, w http.ResponseWriter, r *http.Request) {
	connectionID := r.Header.Get(model.ConnectionId)

	c.RequireChannelId().RequireViewId()
	if c.Err != nil {
		return
	}

	var newSortOrder int64
	if err := json.NewDecoder(r.Body).Decode(&newSortOrder); err != nil {
		c.SetInvalidParamWithErr("viewSortOrder", err)
		return
	}

	if newSortOrder < 0 {
		c.SetInvalidParam("viewSortOrder")
		return
	}

	channel, appErr := c.App.GetChannel(c.AppContext, c.Params.ChannelId)
	if appErr != nil {
		c.Err = appErr
		return
	}

	if channel.DeleteAt != 0 {
		c.Err = model.NewAppError("updateViewSortOrder", "api.view.update_sort_order.deleted_channel.app_error", nil, "channel has been deleted", http.StatusNotFound)
		return
	}

	auditRec := c.MakeAuditRecord(model.AuditEventUpdateViewSortOrder, model.AuditStatusFail)
	defer c.LogAuditRec(auditRec)
	model.AddEventParameterToAuditRec(auditRec, "view_id", c.Params.ViewId)

	if !checkViewWritePermission(c, channel) {
		return
	}

	views, appErr := c.App.UpdateViewSortOrder(c.AppContext, c.Params.ViewId, c.Params.ChannelId, newSortOrder, connectionID)
	if appErr != nil {
		c.Err = appErr
		return
	}

	for _, v := range views {
		if v.Id == c.Params.ViewId {
			auditRec.AddEventResultState(v)
			auditRec.AddEventObjectType("view")
			break
		}
	}
	auditRec.Success()
	c.LogAudit("")

	if err := json.NewEncoder(w).Encode(views); err != nil {
		c.Logger.Warn("Error while writing response", mlog.Err(err))
	}
}

// checkViewWritePermission checks that the user has permission to write (create/update/delete) views
// in the given channel. Returns true if permission is granted, false otherwise (with c.Err set).
func checkViewWritePermission(c *Context, channel *model.Channel) bool {
	if ok, _ := c.App.SessionHasPermissionToChannel(c.AppContext, *c.AppContext.Session(), channel.Id, model.PermissionCreatePost); !ok {
		c.SetPermissionError(model.PermissionCreatePost)
		return false
	}
	return true
}

func getPostsForView(c *Context, w http.ResponseWriter, r *http.Request) {
	c.RequireChannelId().RequireViewId()
	if c.Err != nil {
		return
	}

	channel, appErr := c.App.GetChannel(c.AppContext, c.Params.ChannelId)
	if appErr != nil {
		c.Err = appErr
		return
	}

	if channel.DeleteAt != 0 {
		c.Err = model.NewAppError("getPostsForView", "api.view.get_posts.deleted_channel.app_error", nil, "channel has been deleted", http.StatusNotFound)
		return
	}

	hasPermission, isMember := c.App.SessionHasPermissionToReadChannel(c.AppContext, *c.AppContext.Session(), channel)
	if !hasPermission {
		c.SetPermissionError(model.PermissionReadChannelContent)
		return
	}

	auditRec := c.MakeAuditRecord(model.AuditEventGetPostsForView, model.AuditStatusFail)
	defer c.LogAuditRec(auditRec)
	model.AddEventParameterToAuditRec(auditRec, "channel_id", c.Params.ChannelId)
	model.AddEventParameterToAuditRec(auditRec, "view_id", c.Params.ViewId)
	if !isMember {
		model.AddEventParameterToAuditRec(auditRec, "non_channel_member_access", true)
	}

	view, appErr := c.App.GetView(c.AppContext, c.Params.ViewId)
	if appErr != nil {
		c.Err = appErr
		return
	}

	if view.ChannelId != c.Params.ChannelId {
		c.Err = model.NewAppError("getPostsForView", "api.view.get_posts.channel_mismatch.app_error", nil, "", http.StatusNotFound)
		return
	}

	// TODO: In the future, this will filter posts based on the view's configuration
	// (e.g., property values, sort order). For now, it returns all posts in the channel.
	options := model.GetPostsOptions{
		ChannelId: c.Params.ChannelId,
		Page:      c.Params.Page,
		PerPage:   c.Params.PerPage,
		UserId:    c.AppContext.Session().UserId,
	}

	list, appErr := c.App.GetPostsForView(c.AppContext, options)
	if appErr != nil {
		c.Err = appErr
		return
	}

	clientPostList := c.App.PreparePostListForClient(c.AppContext, list)
	clientPostList, isMemberForAllPreviews, appErr := c.App.SanitizePostListMetadataForUser(c.AppContext, clientPostList, c.AppContext.Session().UserId)
	if appErr != nil {
		c.Err = appErr
		return
	}

	if !isMemberForAllPreviews {
		model.AddEventParameterToAuditRec(auditRec, "non_channel_member_access_on_previews", true)
	}
	auditRec.Success()

	if err := clientPostList.EncodeJSON(w); err != nil {
		c.Logger.Warn("Error while writing response", mlog.Err(err))
	}
}