From 70a42c9df240333d88339e6084daa3a4f1de79a9 Mon Sep 17 00:00:00 2001
From: ReAnzu
Date: Tue, 27 Feb 2018 18:34:37 -0600
Subject: [PATCH] Resolved the logout issue for when users:create:any is executed.

* Resolved an issue where user_tokens:*:any permissions didn't operate on the correct user.
* Updated user_token -> user_tokens permissions to mirror other permissions.
---
 client/js/controllers/user_controller.js | 8 ++++----
 .../user_registration_controller.js | 19 ++++++++++++++-----
 config.yaml.dist | 19 ++++++++++---------
 server/szurubooru/api/user_token_api.py | 16 ++++++++--------
 4 files changed, 36 insertions(+), 26 deletions(-)

diff --git a/client/js/controllers/user_controller.js b/client/js/controllers/user_controller.js
index a684f1de..4b02657f 100644
--- a/client/js/controllers/user_controller.js
+++ b/client/js/controllers/user_controller.js
@@ -73,10 +73,10 @@ class UserController {
             canEditRank: api.hasPrivilege(`users:edit:${infix}:rank`),
             canEditAvatar: api.hasPrivilege(`users:edit:${infix}:avatar`),
             canEditAnything: api.hasPrivilege(`users:edit:${infix}`),
-            canListTokens: api.hasPrivilege(`userToken:list:${infix}`),
-            canCreateToken: api.hasPrivilege(`userToken:create:${infix}`),
-            canEditToken: api.hasPrivilege(`userToken:edit:${infix}`),
-            canDeleteToken: api.hasPrivilege(`userToken:delete:${infix}`),
+            canListTokens: api.hasPrivilege(`userTokens:list:${infix}`),
+            canCreateToken: api.hasPrivilege(`userTokens:create:${infix}`),
+            canEditToken: api.hasPrivilege(`userTokens:edit:${infix}`),
+            canDeleteToken: api.hasPrivilege(`userTokens:delete:${infix}`),
             canDelete: api.hasPrivilege(`users:delete:${infix}`),
             ranks: ranks,
             tokens: userTokens,
diff --git a/client/js/controllers/user_registration_controller.js b/client/js/controllers/user_registration_controller.js
index cc224ced..78b94024 100644
--- a/client/js/controllers/user_registration_controller.js
+++ b/client/js/controllers/user_registration_controller.js
@@ -29,13 +29,22 @@ class UserRegistrationController {
             user.name = e.detail.name;
             user.email = e.detail.email;
             user.password = e.detail.password;
+            const isLoggedIn = api.isLoggedIn();
             user.save().then(() => {
-                // TODO: Support the flow where an admin creates a user. Don't log them out...
-                api.forget();
-                return api.login(e.detail.name, e.detail.password, false);
+                if (isLoggedIn) {
+                    return Promise.resolve();
+                } else {
+                    api.forget();
+                    return api.login(e.detail.name, e.detail.password, false);
+                }
             }).then(() => {
-                const ctx = router.show(uri.formatClientLink());
-                ctx.controller.showSuccess('Welcome aboard!');
+                if (isLoggedIn) {
+                    const ctx = router.show(uri.formatClientLink('users'));
+                    ctx.controller.showSuccess('User added!');
+                } else {
+                    const ctx = router.show(uri.formatClientLink());
+                    ctx.controller.showSuccess('Welcome aboard!');
+                }
             }, error => {
                 this._view.showError(error.message);
                 this._view.enableForm();
diff --git a/config.yaml.dist b/config.yaml.dist
index d7085d0d..8f3e6a32 100644
--- a/config.yaml.dist
+++ b/config.yaml.dist
@@ -70,7 +70,8 @@ default_rank: regular
 
 privileges:
-    'users:create': anonymous
+    'users:create:self': anonymous # Registration permission
+    'users:create:any': administrator
     'users:list': regular
     'users:view': regular
     'users:edit:any:name': moderator
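Review bot: The new `isLoggedIn` snapshot on the first added line is taken before `user.save()` and drives both later branches, but nothing says why it is read early or what it stands for; a one-line comment such as `// Read before save(): a caller who is already logged in is creating another user (users:create:any) and must keep their own session.` would carry that. Inside the first `then`, the `else` after `return Promise.resolve();` is redundant — returning early and leaving `api.forget(); return api.login(...)` unconditional reads more plainly — and the same `if (isLoggedIn)` split is repeated in the second `then`, so the two callbacks can drift apart if only one is edited later. The submit handler this code sits in starts and ends outside the hunk.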
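Review bot: The `'users:create'` key is replaced by `'users:create:self'` and `'users:create:any'`, but this patch contains no change to the server-side code that verifies the user-creation privilege, so unless that endpoint already asks for the new names a deployment generated from this template has no entry for whatever name the server still requests; how `auth.verify_privilege` behaves on a missing key is not visible here and is worth confirming. The same migration concern applies to the renamed keys in the next hunk (`@@ -86,14 +87,14 @@`): an existing config.yaml keeps the old `user_token:*` names, which no longer match the `user_tokens:*` names that `user_token_api.py` requests after this patch. A template comment beside the split, e.g. `# 'users:create' was split: ':self' is public registration, ':any' lets an administrator create accounts for others`, would document both changes for operators.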
@@ -86,14 +87,14 @@ privileges:
     'users:delete:any': administrator
     'users:delete:self': regular
 
-    'user_token:list:any': administrator
-    'user_token:list:self': regular
-    'user_token:create:any': administrator
-    'user_token:create:self': regular
-    'user_token:edit:any': administrator
-    'user_token:edit:self': regular
-    'user_token:delete:any': administrator
-    'user_token:delete:self': regular
+    'user_tokens:list:any': administrator
+    'user_tokens:list:self': regular
+    'user_tokens:create:any': administrator
+    'user_tokens:create:self': regular
+    'user_tokens:edit:any': administrator
+    'user_tokens:edit:self': regular
+    'user_tokens:delete:any': administrator
+    'user_tokens:delete:self': regular
 
     'posts:create:anonymous': regular
     'posts:create:identified': regular
diff --git a/server/szurubooru/api/user_token_api.py b/server/szurubooru/api/user_token_api.py
index 887bf33c..345a0af5 100644
--- a/server/szurubooru/api/user_token_api.py
+++ b/server/szurubooru/api/user_token_api.py
@@ -16,8 +16,8 @@ def _serialize(
 def get_user_tokens(ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Response:
     user = users.get_user_by_name(params['user_name'])
     infix = 'self' if ctx.user.user_id == user.user_id else 'any'
-    auth.verify_privilege(ctx.user, 'user_token:list:%s' % infix)
-    user_token_list = user_tokens.get_user_tokens(ctx.user)
+    auth.verify_privilege(ctx.user, 'user_tokens:list:%s' % infix)
+    user_token_list = user_tokens.get_user_tokens(user)
     return {
         "results": [_serialize(ctx, token) for token in user_token_list]
     }
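Review bot: `get_user_tokens` has no docstring, and the self/any decision it now makes between the caller and the user named in the URL is exactly what a reader needs spelled out; something like `"""List the API tokens of the user named by ``user_name``. Requires user_tokens:list:self for the caller's own tokens and user_tokens:list:any for anyone else's."""` would do. One ordering detail, shared by the three hunks below: `users.get_user_by_name` runs before `auth.verify_privilege`, so if the lookup raises on an unknown name (not visible here) a caller without the `any` privilege receives a different error for names that exist than for names that do not; if that distinction matters for the deployment, deriving `infix` by comparing `params['user_name']` with the caller's own name and doing the lookup only after the privilege check would remove it, subject to whatever name normalisation `get_user_by_name` applies. The mutable `params: Dict[str, str] = {}` default on the signature is inherited context rather than part of this change, but `None` with a fallback is the safer idiom.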
@@ -27,8 +27,8 @@ def get_user_tokens(ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Resp
 def create_user_token(ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Response:
     user = users.get_user_by_name(params['user_name'])
     infix = 'self' if ctx.user.user_id == user.user_id else 'any'
-    auth.verify_privilege(ctx.user, 'user_token:create:%s' % infix)
-    user_token = user_tokens.create_user_token(ctx.user)
+    auth.verify_privilege(ctx.user, 'user_tokens:create:%s' % infix)
+    user_token = user_tokens.create_user_token(user)
     return _serialize(ctx, user_token)
 
 
@@ -36,8 +36,8 @@ def create_user_token(ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Re
 def edit_user_token(ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Response:
     user = users.get_user_by_name(params['user_name'])
     infix = 'self' if ctx.user.user_id == user.user_id else 'any'
-    auth.verify_privilege(ctx.user, 'user_token:edit:%s' % infix)
-    user_token = user_tokens.get_user_token_by_user_and_token(ctx.user, params['user_token'])
+    auth.verify_privilege(ctx.user, 'user_tokens:edit:%s' % infix)
+    user_token = user_tokens.get_user_token_by_user_and_token(user, params['user_token'])
     versions.verify_version(user_token, ctx)
     versions.bump_version(user_token)
     return _serialize(ctx, user_token)
@@ -47,8 +47,8 @@ def edit_user_token(ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Resp
 def delete_user_token(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
     user = users.get_user_by_name(params['user_name'])
     infix = 'self' if ctx.user.user_id == user.user_id else 'any'
-    auth.verify_privilege(ctx.user, 'user_token:delete:%s' % infix)
-    user_token = user_tokens.get_user_token_by_user_and_token(ctx.user, params['user_token'])
+    auth.verify_privilege(ctx.user, 'user_tokens:delete:%s' % infix)
+    user_token = user_tokens.get_user_token_by_user_and_token(user, params['user_token'])
     if user_token is not None:
         ctx.session.delete(user_token)
         ctx.session.commit()
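Review bot: In `edit_user_token` the new `user_tokens.get_user_token_by_user_and_token(user, params['user_token'])` result goes straight into `versions.verify_version(user_token, ctx)`, while the `delete_user_token` hunk below guards the same call with `if user_token is not None:`; if the lookup returns `None` for an unknown token or one belonging to a different user (the guard in delete suggests it can), the edit path fails inside `verify_version` instead of answering with a clean not-found response. A guard before the version check, `if user_token is None:` followed by raising the project's not-found error (placeholder: `<NotFoundError>`), would make the two endpoints consistent. In `delete_user_token`, committing nothing when the token is missing is acceptable for an idempotent delete but deserves a one-line comment saying that is intended; that function continues past the end of the hunk.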