From 64f7ff2e2f6e5ba2b4fa21e8560c425619711bc7 Mon Sep 17 00:00:00 2001
From: Hayden <64056131+hay-kot@users.noreply.github.com>
Date: Wed, 12 Oct 2022 12:35:30 -0800
Subject: [PATCH] disable password when in demo mode

---
 backend/app/api/routes.go | 89 +++++++++++++++---------------
 backend/app/api/v1/controller.go | 11 +++-
 backend/app/api/v1/v1_ctrl_user.go | 5 ++
 3 files changed, 59 insertions(+), 46 deletions(-)

diff --git a/backend/app/api/routes.go b/backend/app/api/routes.go
index 3b131b2..5fc8c40 100644
--- a/backend/app/api/routes.go
+++ b/backend/app/api/routes.go
@@ -42,58 +42,59 @@ func (a *app) newRouter(repos *repo.AllRepos) *chi.Mux {
 // API Version 1
 v1Base := v1.BaseUrlFunc(prefix)
- v1Ctrl := v1.NewControllerV1(a.services, v1.WithMaxUploadSize(a.conf.Web.MaxUploadSize))
- {
- r.Get(v1Base("/status"), v1Ctrl.HandleBase(func() bool { return true }, v1.Build{
- Version: Version,
- Commit: Commit,
- BuildTime: BuildTime,
- }))
+ v1Ctrl := v1.NewControllerV1(a.services,
+ v1.WithMaxUploadSize(a.conf.Web.MaxUploadSize),
+ v1.WithDisablePasswordChange(a.conf.Demo), // Disable Password Change in Demo Mode
+ )
+ r.Get(v1Base("/status"), v1Ctrl.HandleBase(func() bool { return true }, v1.Build{
+ Version: Version,
+ Commit: Commit,
+ BuildTime: BuildTime,
+ }))
 
- r.Post(v1Base("/users/register"), v1Ctrl.HandleUserRegistration())
- r.Post(v1Base("/users/login"), v1Ctrl.HandleAuthLogin())
+ r.Post(v1Base("/users/register"), v1Ctrl.HandleUserRegistration())
+ r.Post(v1Base("/users/login"), v1Ctrl.HandleAuthLogin())
 
- // Attachment download URl needs a `token` query param to be passed in the request.
- // and also needs to be outside of the `auth` middleware.
- r.Get(v1Base("/items/{id}/attachments/download"), v1Ctrl.HandleItemAttachmentDownload())
+ // Attachment download URl needs a `token` query param to be passed in the request.
+ // and also needs to be outside of the `auth` middleware.
+ r.Get(v1Base("/items/{id}/attachments/download"), v1Ctrl.HandleItemAttachmentDownload())
 
- r.Group(func(r chi.Router) {
- r.Use(a.mwAuthToken)
- r.Get(v1Base("/users/self"), v1Ctrl.HandleUserSelf())
- r.Put(v1Base("/users/self"), v1Ctrl.HandleUserSelfUpdate())
- r.Delete(v1Base("/users/self"), v1Ctrl.HandleUserSelfDelete())
- r.Put(v1Base("/users/self/password"), v1Ctrl.HandleUserUpdatePassword())
- r.Post(v1Base("/users/logout"), v1Ctrl.HandleAuthLogout())
- r.Get(v1Base("/users/refresh"), v1Ctrl.HandleAuthRefresh())
- r.Put(v1Base("/users/self/change-password"), v1Ctrl.HandleUserSelfChangePassword())
+ r.Group(func(r chi.Router) {
+ r.Use(a.mwAuthToken)
+ r.Get(v1Base("/users/self"), v1Ctrl.HandleUserSelf())
+ r.Put(v1Base("/users/self"), v1Ctrl.HandleUserSelfUpdate())
+ r.Delete(v1Base("/users/self"), v1Ctrl.HandleUserSelfDelete())
+ r.Put(v1Base("/users/self/password"), v1Ctrl.HandleUserUpdatePassword())
+ r.Post(v1Base("/users/logout"), v1Ctrl.HandleAuthLogout())
+ r.Get(v1Base("/users/refresh"), v1Ctrl.HandleAuthRefresh())
+ r.Put(v1Base("/users/self/change-password"), v1Ctrl.HandleUserSelfChangePassword())
 
- r.Post(v1Base("/groups/invitations"), v1Ctrl.HandleGroupInvitationsCreate())
+ r.Post(v1Base("/groups/invitations"), v1Ctrl.HandleGroupInvitationsCreate())
 
- r.Get(v1Base("/locations"), v1Ctrl.HandleLocationGetAll())
- r.Post(v1Base("/locations"), v1Ctrl.HandleLocationCreate())
- r.Get(v1Base("/locations/{id}"), v1Ctrl.HandleLocationGet())
- r.Put(v1Base("/locations/{id}"), v1Ctrl.HandleLocationUpdate())
- r.Delete(v1Base("/locations/{id}"), v1Ctrl.HandleLocationDelete())
+ r.Get(v1Base("/locations"), v1Ctrl.HandleLocationGetAll())
+ r.Post(v1Base("/locations"), v1Ctrl.HandleLocationCreate())
+ r.Get(v1Base("/locations/{id}"), v1Ctrl.HandleLocationGet())
+ r.Put(v1Base("/locations/{id}"), v1Ctrl.HandleLocationUpdate())
+ r.Delete(v1Base("/locations/{id}"), v1Ctrl.HandleLocationDelete())
 
- r.Get(v1Base("/labels"), v1Ctrl.HandleLabelsGetAll())
- r.Post(v1Base("/labels"), v1Ctrl.HandleLabelsCreate())
- r.Get(v1Base("/labels/{id}"), v1Ctrl.HandleLabelGet())
- r.Put(v1Base("/labels/{id}"), v1Ctrl.HandleLabelUpdate())
- r.Delete(v1Base("/labels/{id}"), v1Ctrl.HandleLabelDelete())
+ r.Get(v1Base("/labels"), v1Ctrl.HandleLabelsGetAll())
+ r.Post(v1Base("/labels"), v1Ctrl.HandleLabelsCreate())
+ r.Get(v1Base("/labels/{id}"), v1Ctrl.HandleLabelGet())
+ r.Put(v1Base("/labels/{id}"), v1Ctrl.HandleLabelUpdate())
+ r.Delete(v1Base("/labels/{id}"), v1Ctrl.HandleLabelDelete())
 
- r.Get(v1Base("/items"), v1Ctrl.HandleItemsGetAll())
- r.Post(v1Base("/items/import"), v1Ctrl.HandleItemsImport())
- r.Post(v1Base("/items"), v1Ctrl.HandleItemsCreate())
- r.Get(v1Base("/items/{id}"), v1Ctrl.HandleItemGet())
- r.Put(v1Base("/items/{id}"), v1Ctrl.HandleItemUpdate())
- r.Delete(v1Base("/items/{id}"), v1Ctrl.HandleItemDelete())
+ r.Get(v1Base("/items"), v1Ctrl.HandleItemsGetAll())
+ r.Post(v1Base("/items/import"), v1Ctrl.HandleItemsImport())
+ r.Post(v1Base("/items"), v1Ctrl.HandleItemsCreate())
+ r.Get(v1Base("/items/{id}"), v1Ctrl.HandleItemGet())
+ r.Put(v1Base("/items/{id}"), v1Ctrl.HandleItemUpdate())
+ r.Delete(v1Base("/items/{id}"), v1Ctrl.HandleItemDelete())
 
- r.Post(v1Base("/items/{id}/attachments"), v1Ctrl.HandleItemAttachmentCreate())
- r.Get(v1Base("/items/{id}/attachments/{attachment_id}"), v1Ctrl.HandleItemAttachmentToken())
- r.Put(v1Base("/items/{id}/attachments/{attachment_id}"), v1Ctrl.HandleItemAttachmentUpdate())
- r.Delete(v1Base("/items/{id}/attachments/{attachment_id}"), v1Ctrl.HandleItemAttachmentDelete())
- })
- }
+ r.Post(v1Base("/items/{id}/attachments"), v1Ctrl.HandleItemAttachmentCreate())
+ r.Get(v1Base("/items/{id}/attachments/{attachment_id}"), v1Ctrl.HandleItemAttachmentToken())
+ r.Put(v1Base("/items/{id}/attachments/{attachment_id}"), v1Ctrl.HandleItemAttachmentUpdate())
+ r.Delete(v1Base("/items/{id}/attachments/{attachment_id}"), v1Ctrl.HandleItemAttachmentDelete())
+ })
 
 r.NotFound(notFoundHandler())
 
 return r
diff --git a/backend/app/api/v1/controller.go b/backend/app/api/v1/controller.go
index c3e7b4b..5fa7460 100644
--- a/backend/app/api/v1/controller.go
+++ b/backend/app/api/v1/controller.go
@@ -13,9 +13,16 @@ func WithMaxUploadSize(maxUploadSize int64) func(*V1Controller) {
 }
 }
 
+func WithDisablePasswordChange(disablePasswordChange bool) func(*V1Controller) {
+ return func(ctrl *V1Controller) {
+ ctrl.disablePasswordChange = disablePasswordChange
+ }
+}
+
 type V1Controller struct {
- svc *services.AllServices
- maxUploadSize int64
+ svc *services.AllServices
+ maxUploadSize int64
+ disablePasswordChange bool
 }
 
 type (
diff --git a/backend/app/api/v1/v1_ctrl_user.go b/backend/app/api/v1/v1_ctrl_user.go
index 4c6b71c..765f54d 100644
--- a/backend/app/api/v1/v1_ctrl_user.go
+++ b/backend/app/api/v1/v1_ctrl_user.go
@@ -136,6 +136,11 @@ type (
 // @Security Bearer
 func (ctrl *V1Controller) HandleUserSelfChangePassword() http.HandlerFunc {
 return func(w http.ResponseWriter, r *http.Request) {
+ if ctrl.disablePasswordChange {
+ server.RespondError(w, http.StatusForbidden, nil)
+ return
+ }
+
 var cp ChangePassword
 err := server.Decode(r, &cp)
 if err != nil {
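Review bot: The demo guard is only threaded through the controller option on the `v1.WithDisablePasswordChange(a.conf.Demo)` line, yet the authenticated group in this same hunk still registers two password-changing routes, `/users/self/password` (HandleUserUpdatePassword) and `/users/self/change-password` (HandleUserSelfChangePassword), and only the second is gated by this commit. Unless HandleUserUpdatePassword is already a stub, a demo visitor can still rotate the shared account's password through the first route and lock everyone else out, which is presumably the exact scenario the flag exists to prevent. The same reasoning likely applies to `PUT`/`DELETE /users/self` (HandleUserSelfUpdate/HandleUserSelfDelete), which can change the login identity or remove the demo account, so either those belong behind the same flag or the flag should be enforced once in the services layer rather than handler by handler. A cheap belt-and-braces step is to not register the unguarded route at all in demo mode, e.g. `if !a.conf.Demo { r.Put(v1Base("/users/self/password"), v1Ctrl.HandleUserUpdatePassword()) }`. newRouter's body begins before this hunk.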
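Review bot: `WithDisablePasswordChange` is exported but carries no doc comment, and nothing in controller.go says which handler honors the flag, so a reader cannot tell what the option actually switches off or why a caller would set it. Suggest adding above the func: `// WithDisablePasswordChange makes HandleUserSelfChangePassword reject every request with 403 Forbidden.` followed by `// Intended for demo deployments where the shared account's credentials must stay fixed.` A one-line comment on the new `disablePasswordChange bool` field pointing at the option (`// set via WithDisablePasswordChange; read by HandleUserSelfChangePassword`) would help too, since the field is read in a different file from where it is set.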
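Review bot: The new guard calls `server.RespondError(w, http.StatusForbidden, nil)`, so the client gets a bare 403 that is indistinguishable from an authorization failure and gives the demo UI nothing to display. If RespondError renders the error it is given, passing a sentinel instead of nil, e.g. `var ErrPasswordChangeDisabled = errors.New("password changes are disabled in demo mode")` (importing errors if the file does not already), would make the refusal self-describing, and the swagger annotations above this hunk would then want a matching `// @Failure 403` entry. Checking the flag before `server.Decode` is the right order, since the body is never read for a refused request. Note that the check lives only in this handler, so any other route that reaches the password-change service (the sibling HandleUserUpdatePassword registered in routes.go, for instance) is not covered; enforcing the flag in the service layer would close that gap. HandleUserSelfChangePassword's body continues past the end of the hunk.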