olemd/favoritter
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions
favoritter/internal/handler/profile.go
Ole-Morten Duesund aa5ab6b415 fix: address code review findings for Phase 7-8 
Bugs fixed:
- Renderer.Error set WriteHeader before Content-Type, causing
  the header to be silently dropped. Now sets Content-Type first.
- truncate template function operated on bytes, not runes — could
  split multi-byte UTF-8 characters (Norwegian æøå). Now uses
  []rune for correct Unicode handling.

Performance:
- Skip session DB lookup (2 queries) on /static/ and /uploads/
  requests — these never use user context.

UX consistency:
- Replace all http.NotFound and http.Error("Forbidden") in
  handler layer with styled error pages via Renderer.Error.
- Add notFound/forbidden helper methods on Handler.

Deployment fixes:
- Remove false libc6/glibc deps from nfpm.yaml (binary is
  statically linked with CGO_ENABLED=0).
- Add CGO_ENABLED=0 to Makefile build target for consistency.
- Add .dockerignore to exclude .git, dist/, data/ from build
  context.
- Remove phantom 'lint' from Makefile .PHONY.
- Document ProtectSystem=strict constraint in systemd service.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 16:39:10 +02:00

212 lines
6.5 KiB
Go
Raw Blame History

// SPDX-License-Identifier: AGPL-3.0-or-later
package handler
import (
"errors"
"log/slog"
"net/http"
"strings"
"kode.naiv.no/olemd/favoritter/internal/image"
"kode.naiv.no/olemd/favoritter/internal/middleware"
"kode.naiv.no/olemd/favoritter/internal/model"
"kode.naiv.no/olemd/favoritter/internal/render"
"kode.naiv.no/olemd/favoritter/internal/store"
)
// handlePublicProfile shows a user's public profile and their public faves.
func (h *Handler) handlePublicProfile(w http.ResponseWriter, r *http.Request) {
username := r.PathValue("username")
profileUser, err := h.deps.Users.GetByUsername(username)
if err != nil {
if errors.Is(err, store.ErrUserNotFound) {
h.notFound(w, r)
return
}
slog.Error("get user error", "error", err)
http.Error(w, "Internal error", http.StatusInternalServerError)
return
}
if profileUser.Disabled {
h.notFound(w, r)
return
}
// Check if the viewing user is the profile owner.
viewer := middleware.UserFromContext(r.Context())
isOwner := viewer != nil && viewer.ID == profileUser.ID
page := queryInt(r, "page", 1)
offset := (page - 1) * defaultPageSize
var faves []*model.Fave
var total int
if isOwner {
faves, total, err = h.deps.Faves.ListByUser(profileUser.ID, defaultPageSize, offset)
} else {
faves, total, err = h.deps.Faves.ListPublicByUser(profileUser.ID, defaultPageSize, offset)
}
if err != nil {
slog.Error("list faves error", "error", err)
http.Error(w, "Internal error", http.StatusInternalServerError)
return
}
if err := h.deps.Faves.LoadTags(faves); err != nil {
slog.Error("load tags error", "error", err)
}
totalPages := (total + defaultPageSize - 1) / defaultPageSize
h.deps.Renderer.Page(w, r, "profile", render.PageData{
Title: profileUser.DisplayNameOrUsername() + " sine favoritter",
Data: map[string]any{
"ProfileUser": profileUser,
"IsOwner": isOwner,
"IsLimited": profileUser.ProfileVisibility == "limited" && !isOwner,
"Faves": faves,
"Page": page,
"TotalPages": totalPages,
"Total": total,
},
})
}
// handleSettingsGet shows the user settings page.
func (h *Handler) handleSettingsGet(w http.ResponseWriter, r *http.Request) {
user := middleware.UserFromContext(r.Context())
h.deps.Renderer.Page(w, r, "settings", render.PageData{
Title: "Innstillinger",
Data: map[string]any{
"SettingsUser": user,
},
})
}
// handleSettingsPost processes the settings form.
func (h *Handler) handleSettingsPost(w http.ResponseWriter, r *http.Request) {
user := middleware.UserFromContext(r.Context())
if err := r.ParseForm(); err != nil {
h.flash(w, r, "settings", "Ugyldig forespørsel.", "error", settingsData(user))
return
}
displayName := strings.TrimSpace(r.FormValue("display_name"))
bio := strings.TrimSpace(r.FormValue("bio"))
profileVisibility := r.FormValue("profile_visibility")
defaultFavePrivacy := r.FormValue("default_fave_privacy")
if profileVisibility != "public" && profileVisibility != "limited" {
profileVisibility = user.ProfileVisibility
}
if defaultFavePrivacy != "public" && defaultFavePrivacy != "private" {
defaultFavePrivacy = user.DefaultFavePrivacy
}
if err := h.deps.Users.UpdateProfile(user.ID, displayName, bio, profileVisibility, defaultFavePrivacy); err != nil {
slog.Error("update profile error", "error", err)
h.flash(w, r, "settings", "Noe gikk galt. Prøv igjen.", "error", settingsData(user))
return
}
h.flash(w, r, "settings", "Innstillingene er lagret.", "success", settingsData(user))
}
// handleSettingsPasswordPost handles password change from the settings page.
func (h *Handler) handleSettingsPasswordPost(w http.ResponseWriter, r *http.Request) {
user := middleware.UserFromContext(r.Context())
if err := r.ParseForm(); err != nil {
h.flash(w, r, "settings", "Ugyldig forespørsel.", "error", settingsData(user))
return
}
currentPassword := r.FormValue("current_password")
newPassword := r.FormValue("new_password")
confirmPassword := r.FormValue("confirm_password")
// Verify current password.
if _, err := h.deps.Users.Authenticate(user.Username, currentPassword); err != nil {
h.flash(w, r, "settings", "Nåværende passord er feil.", "error", settingsData(user))
return
}
if len(newPassword) < 8 {
h.flash(w, r, "settings", "Nytt passord må være minst 8 tegn.", "error", settingsData(user))
return
}
if newPassword != confirmPassword {
h.flash(w, r, "settings", "Passordene er ikke like.", "error", settingsData(user))
return
}
if err := h.deps.Users.UpdatePassword(user.ID, newPassword); err != nil {
slog.Error("update password error", "error", err)
h.flash(w, r, "settings", "Noe gikk galt. Prøv igjen.", "error", settingsData(user))
return
}
// Invalidate other sessions, keep current one.
if delErr := h.deps.Sessions.DeleteAllForUser(user.ID); delErr != nil {
slog.Error("session cleanup error", "error", delErr)
}
token, err := h.deps.Sessions.Create(user.ID)
if err != nil {
slog.Error("session create error", "error", err)
http.Redirect(w, r, h.deps.Config.BasePath+"/login", http.StatusSeeOther)
return
}
h.setSessionCookie(w, r, token)
h.flash(w, r, "settings", "Passordet er endret.", "success", settingsData(user))
}
// handleAvatarPost handles avatar upload.
func (h *Handler) handleAvatarPost(w http.ResponseWriter, r *http.Request) {
user := middleware.UserFromContext(r.Context())
if err := r.ParseMultipartForm(h.deps.Config.MaxUploadSize); err != nil {
h.flash(w, r, "settings", "Filen er for stor.", "error", settingsData(user))
return
}
file, header, err := r.FormFile("avatar")
if err != nil {
h.flash(w, r, "settings", "Velg et bilde å laste opp.", "error", settingsData(user))
return
}
defer file.Close()
result, err := image.Process(file, header, h.deps.Config.UploadDir)
if err != nil {
slog.Error("avatar process error", "error", err)
h.flash(w, r, "settings", "Kunne ikke behandle bildet. Sjekk at filen er et gyldig bilde.", "error", settingsData(user))
return
}
// Delete old avatar if there was one.
if user.AvatarPath != "" {
if delErr := image.Delete(h.deps.Config.UploadDir, user.AvatarPath); delErr != nil {
slog.Error("avatar delete error", "error", delErr)
}
}
if err := h.deps.Users.UpdateAvatar(user.ID, result.Filename); err != nil {
slog.Error("update avatar error", "error", err)
h.flash(w, r, "settings", "Noe gikk galt. Prøv igjen.", "error", settingsData(user))
return
}
h.flash(w, r, "settings", "Profilbildet er oppdatert.", "success", settingsData(user))
}
func settingsData(user *model.User) map[string]any {
return map[string]any{"SettingsUser": user}
}
Reference in a new issue View git blame Copy permalink