kato/warpbox
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(models): add alert and box models

Browse Source 
Adds comprehensive data structures for Alert and Box functionality across models.
This commit is contained in:
Daniel Legt
2026-04-30 19:45:22 +03:00
parent 2714907ff4
commit e103829870
16 changed files with 2359 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

386
lib/server/account_alerts.go Normal file
View File

@@ -0,0 +1,386 @@
package server
import (
"encoding/json"
"fmt"
"log"
"net/http"
"strings"
"github.com/gin-gonic/gin"
"warpbox/lib/metastore"
)
type AlertPageView struct {
PageTitle string
WindowTitle string
WindowIcon string
PageScripts []string
AccountNav AccountNavView
CSRFToken string
Filters AlertFiltersView
Stats AlertStatsView
Alerts []AlertRowView
SelectedAlert *AlertRowView
Groups []string
CanManageAlerts bool
}
type AlertFiltersView struct {
Query string
Severity string
Status string
Group string
Sort string
}
type AlertStatsView struct {
Open int
Acknowledged int
Closed int
High int
Medium int
Low int
}
type AlertRowView struct {
ID string
Title string
Description string
Severity string
Status string
Code string
Trace string
Group string
MetadataPretty string
CreatedAt string
UpdatedAt string
}
func (app *App) handleAccountAlerts(ctx *gin.Context) {
actor, ok := currentAccountUser(ctx)
if !ok {
ctx.Redirect(http.StatusSeeOther, "/account/login")
return
}
page, err := app.ListAlerts(ctx, actor, accountAlertFiltersFromRequest(ctx))
if err != nil {
ctx.String(http.StatusForbidden, "Permission denied")
return
}
ctx.HTML(http.StatusOK, "account_alerts.html", page)
}
func (app *App) handleAccountAlertAcknowledge(ctx *gin.Context) {
app.handleAccountAlertAction(ctx, func(actor metastore.User, id string) error {
return app.AcknowledgeAlert(ctx, actor, id)
})
}
func (app *App) handleAccountAlertClose(ctx *gin.Context) {
app.handleAccountAlertAction(ctx, func(actor metastore.User, id string) error {
return app.CloseAlert(ctx, actor, id)
})
}
func (app *App) handleAccountAlertBulkAcknowledge(ctx *gin.Context) {
app.handleAccountAlertBulkAction(ctx, func(actor metastore.User, ids []string) error {
return app.BulkAcknowledgeAlerts(ctx, actor, ids)
})
}
func (app *App) handleAccountAlertBulkClose(ctx *gin.Context) {
app.handleAccountAlertBulkAction(ctx, func(actor metastore.User, ids []string) error {
return app.BulkCloseAlerts(ctx, actor, ids)
})
}
func (app *App) handleAccountAlertsExport(ctx *gin.Context) {
actor, ok := currentAccountUser(ctx)
if !ok {
ctx.Redirect(http.StatusSeeOther, "/account/login")
return
}
page, err := app.ListAlerts(ctx, actor, accountAlertFiltersFromRequest(ctx))
if err != nil {
ctx.String(http.StatusForbidden, "Permission denied")
return
}
ctx.Header("Content-Disposition", `attachment; filename="warpbox-alerts.json"`)
ctx.JSON(http.StatusOK, gin.H{"alerts": page.Alerts, "filters": page.Filters, "stats": page.Stats})
}
func (app *App) handleAccountAlertAction(ctx *gin.Context, action func(metastore.User, string) error) {
actor, ok := currentAccountUser(ctx)
if !ok {
ctx.Redirect(http.StatusSeeOther, "/account/login")
return
}
if err := action(actor, ctx.Param("id")); err != nil {
ctx.String(http.StatusForbidden, err.Error())
return
}
ctx.Redirect(http.StatusSeeOther, "/account/alerts")
}
func (app *App) handleAccountAlertBulkAction(ctx *gin.Context, action func(metastore.User, []string) error) {
actor, ok := currentAccountUser(ctx)
if !ok {
ctx.Redirect(http.StatusSeeOther, "/account/login")
return
}
if err := action(actor, ctx.PostFormArray("alert_ids")); err != nil {
ctx.String(http.StatusForbidden, err.Error())
return
}
ctx.Redirect(http.StatusSeeOther, "/account/alerts")
}
func (app *App) CreateAlert(ctx *gin.Context, actor metastore.User, input metastore.AlertInput) (metastore.Alert, error) {
if err := app.requireAlertManage(ctx); err != nil {
return metastore.Alert{}, err
}
if input.CreatedBy == "" {
input.CreatedBy = actor.Username
}
return app.store.CreateAlert(input)
}
func (app *App) ListAlerts(ctx *gin.Context, actor metastore.User, filters metastore.AlertFilters) (AlertPageView, error) {
if err := app.requireAlertView(ctx); err != nil {
return AlertPageView{}, err
}
alerts, err := app.store.ListAlerts(filters)
if err != nil {
return AlertPageView{}, err
}
rows := make([]AlertRowView, 0, len(alerts))
stats := AlertStatsView{}
groupSet := map[string]bool{}
for _, alert := range alerts {
row := alertRowView(alert)
rows = append(rows, row)
groupSet[row.Group] = true
switch alert.Status {
case metastore.AlertStatusAcknowledged:
stats.Acknowledged++
case metastore.AlertStatusClosed:
stats.Closed++
default:
stats.Open++
}
switch alert.Severity {
case metastore.AlertSeverityHigh:
stats.High++
case metastore.AlertSeverityMedium:
stats.Medium++
default:
stats.Low++
}
}
groups := make([]string, 0, len(groupSet))
for group := range groupSet {
groups = append(groups, group)
}
if len(groups) == 0 {
groups = []string{"system"}
}
nav := app.accountNavView(ctx, "alerts")
nav.AlertCount, nav.AlertSeverity = app.openAlertSummary()
var selected *AlertRowView
if len(rows) > 0 {
selected = &rows[0]
}
return AlertPageView{
PageTitle: "WarpBox Alerts",
WindowTitle: "WarpBox Alerts",
WindowIcon: "!",
PageScripts: []string{"/static/js/account-alerts.js"},
AccountNav: nav,
CSRFToken: app.currentCSRFToken(ctx),
Filters: AlertFiltersView{Query: filters.Query, Severity: filters.Severity, Status: filters.Status, Group: filters.Group, Sort: filters.Sort},
Stats: stats,
Alerts: rows,
SelectedAlert: selected,
Groups: groups,
CanManageAlerts: currentAccountPermissions(ctx).AdminAccess,
}, nil
}
func (app *App) AcknowledgeAlert(ctx *gin.Context, actor metastore.User, id string) error {
if err := app.requireAlertManage(ctx); err != nil {
return err
}
return app.store.AcknowledgeAlert(id)
}
func (app *App) CloseAlert(ctx *gin.Context, actor metastore.User, id string) error {
if err := app.requireAlertManage(ctx); err != nil {
return err
}
return app.store.CloseAlert(id)
}
func (app *App) BulkAcknowledgeAlerts(ctx *gin.Context, actor metastore.User, ids []string) error {
if err := app.requireAlertManage(ctx); err != nil {
return err
}
for _, id := range uniqueNonEmpty(ids) {
if err := app.store.AcknowledgeAlert(id); err != nil {
return err
}
}
return nil
}
func (app *App) BulkCloseAlerts(ctx *gin.Context, actor metastore.User, ids []string) error {
if err := app.requireAlertManage(ctx); err != nil {
return err
}
for _, id := range uniqueNonEmpty(ids) {
if err := app.store.CloseAlert(id); err != nil {
return err
}
}
return nil
}
func (app *App) EmitSystemAlert(code string, severity string, title string, description string, trace string, metadata any) error {
raw, err := json.Marshal(metadata)
if err != nil {
log.Printf("alert metadata marshal failed: %v", err)
return err
}
_, err = app.store.CreateAlert(metastore.AlertInput{
Title: title,
Description: description,
Severity: severity,
Code: code,
Trace: trace,
Metadata: raw,
CreatedBy: "system",
})
if err != nil {
log.Printf("alert persistence failed: %v", err)
}
return err
}
func (app *App) requireAlertView(ctx *gin.Context) error {
if !currentAccountPermissions(ctx).AdminAccess {
return fmt.Errorf("permission denied")
}
return nil
}
func (app *App) requireAlertManage(ctx *gin.Context) error {
if !currentAccountPermissions(ctx).AdminAccess {
return fmt.Errorf("permission denied")
}
return nil
}
func accountAlertFiltersFromRequest(ctx *gin.Context) metastore.AlertFilters {
return metastore.AlertFilters{
Query: strings.TrimSpace(ctx.Query("q")),
Severity: emptyAsAll(ctx.Query("severity")),
Status: emptyAsAll(ctx.Query("status")),
Group: emptyAsAll(ctx.Query("group")),
Sort: emptyAsNewest(ctx.Query("sort")),
}
}
func emptyAsAll(value string) string {
value = strings.TrimSpace(value)
if value == "" {
return "all"
}
return value
}
func emptyAsNewest(value string) string {
value = strings.TrimSpace(value)
if value == "" {
return "newest"
}
return value
}
func alertRowView(alert metastore.Alert) AlertRowView {
return AlertRowView{
ID: alert.ID,
Title: alert.Title,
Description: alert.Description,
Severity: alert.Severity,
Status: alert.Status,
Code: alert.Code,
Trace: alert.Trace,
Group: alertGroupFromTrace(alert.Trace),
MetadataPretty: prettyAlertMetadata(alert.Metadata),
CreatedAt: formatAdminTime(alert.CreatedAt),
UpdatedAt: formatAdminTime(alert.UpdatedAt),
}
}
func prettyAlertMetadata(raw json.RawMessage) string {
if len(raw) == 0 {
return "{}"
}
var value any
if err := json.Unmarshal(raw, &value); err != nil {
return string(raw)
}
pretty, err := json.MarshalIndent(value, "", " ")
if err != nil {
return string(raw)
}
return string(pretty)
}
func alertGroupFromTrace(trace string) string {
trace = strings.TrimSpace(trace)
if trace == "" {
return "system"
}
before, _, found := strings.Cut(trace, ".")
if !found || before == "" {
return "system"
}
return strings.ToLower(before)
}
func (app *App) openAlertSummary() (int, string) {
alerts, err := app.store.ListAlerts(metastore.AlertFilters{Status: metastore.AlertStatusOpen})
if err != nil {
return 0, "ok"
}
severity := "ok"
for _, alert := range alerts {
if alert.Severity == metastore.AlertSeverityHigh {
return len(alerts), "danger"
}
if alert.Severity == metastore.AlertSeverityMedium {
severity = "warning"
} else if severity == "ok" {
severity = "info"
}
}
return len(alerts), severity
}
func uniqueNonEmpty(values []string) []string {
seen := map[string]bool{}
out := []string{}
for _, value := range values {
value = strings.TrimSpace(value)
if value == "" || seen[value] {
continue
}
seen[value] = true
out = append(out, value)
}
return out
}

155
lib/server/account_alerts_test.go Normal file
View File

@@ -0,0 +1,155 @@
package server
import (
"encoding/json"
"net/http"
"net/http/httptest"
"net/url"
"strings"
"testing"
"warpbox/lib/metastore"
)
func TestAccountAlertsPageListsAndFiltersAlerts(t *testing.T) {
app, user := setupAccountTestApp(t)
router := setupAccountTestRouter(t, app)
session := createAccountTestSession(t, app, user)
createTestAlert(t, app, "601", metastore.AlertSeverityMedium, "thumbnail.generate.failed")
createTestAlert(t, app, "701", metastore.AlertSeverityHigh, "storage.connector.health_failed")
request := httptest.NewRequest(http.MethodGet, "/account/alerts?severity=high", nil)
request.AddCookie(&http.Cookie{Name: accountSessionCookie, Value: session.Token})
response := httptest.NewRecorder()
router.ServeHTTP(response, request)
if response.Code != http.StatusOK {
t.Fatalf("expected alerts page, got %d body=%s", response.Code, response.Body.String())
}
body := response.Body.String()
if !strings.Contains(body, "storage.connector.health_failed") {
t.Fatal("expected high severity alert")
}
if strings.Contains(body, "thumbnail.generate.failed") {
t.Fatal("did not expect medium severity alert in high filter")
}
}
func TestAccountAlertAcknowledgeAndClose(t *testing.T) {
app, user := setupAccountTestApp(t)
router := setupAccountTestRouter(t, app)
session := createAccountTestSession(t, app, user)
alert := createTestAlert(t, app, "601", metastore.AlertSeverityMedium, "thumbnail.generate.failed")
response := postAlertAction(router, session, "/account/alerts/"+alert.ID+"/acknowledge", nil)
if response.Code != http.StatusSeeOther {
t.Fatalf("expected acknowledge redirect, got %d", response.Code)
}
updated, ok, err := app.store.GetAlert(alert.ID)
if err != nil || !ok {
t.Fatalf("GetAlert returned ok=%v err=%v", ok, err)
}
if updated.Status != metastore.AlertStatusAcknowledged {
t.Fatalf("expected acknowledged alert, got %s", updated.Status)
}
response = postAlertAction(router, session, "/account/alerts/"+alert.ID+"/close", nil)
if response.Code != http.StatusSeeOther {
t.Fatalf("expected close redirect, got %d", response.Code)
}
updated, ok, err = app.store.GetAlert(alert.ID)
if err != nil || !ok {
t.Fatalf("GetAlert returned ok=%v err=%v", ok, err)
}
if updated.Status != metastore.AlertStatusClosed {
t.Fatalf("expected closed alert, got %s", updated.Status)
}
}
func TestAccountAlertManagePermissionDenied(t *testing.T) {
app, _ := setupAccountTestApp(t)
regular, err := app.store.CreateUserWithPassword("regular-alerts", "regular-alerts@example.test", "secret", nil)
if err != nil {
t.Fatalf("CreateUserWithPassword returned error: %v", err)
}
router := setupAccountTestRouter(t, app)
session := createAccountTestSession(t, app, regular)
alert := createTestAlert(t, app, "601", metastore.AlertSeverityMedium, "thumbnail.generate.failed")
response := postAlertAction(router, session, "/account/alerts/"+alert.ID+"/acknowledge", nil)
if response.Code != http.StatusForbidden {
t.Fatalf("expected permission denied, got %d", response.Code)
}
}
func TestDashboardUsesRealAlertCount(t *testing.T) {
app, user := setupAccountTestApp(t)
router := setupAccountTestRouter(t, app)
session := createAccountTestSession(t, app, user)
createTestAlert(t, app, "601", metastore.AlertSeverityMedium, "thumbnail.generate.failed")
request := httptest.NewRequest(http.MethodGet, "/account", nil)
request.AddCookie(&http.Cookie{Name: accountSessionCookie, Value: session.Token})
response := httptest.NewRecorder()
router.ServeHTTP(response, request)
if response.Code != http.StatusOK {
t.Fatalf("expected dashboard, got %d", response.Code)
}
if !strings.Contains(response.Body.String(), "1 alerts") {
t.Fatal("expected dashboard alert chip/count")
}
if !strings.Contains(response.Body.String(), "Thumbnail alert") {
t.Fatal("expected dashboard alert preview")
}
}
func TestAccountAlertsExportJSON(t *testing.T) {
app, user := setupAccountTestApp(t)
router := setupAccountTestRouter(t, app)
session := createAccountTestSession(t, app, user)
createTestAlert(t, app, "601", metastore.AlertSeverityMedium, "thumbnail.generate.failed")
request := httptest.NewRequest(http.MethodGet, "/account/alerts/export.json", nil)
request.AddCookie(&http.Cookie{Name: accountSessionCookie, Value: session.Token})
response := httptest.NewRecorder()
router.ServeHTTP(response, request)
if response.Code != http.StatusOK {
t.Fatalf("expected export success, got %d", response.Code)
}
var payload map[string]any
if err := json.Unmarshal(response.Body.Bytes(), &payload); err != nil {
t.Fatalf("Unmarshal returned error: %v", err)
}
if _, ok := payload["alerts"]; !ok {
t.Fatal("expected alerts export shape")
}
}
func createTestAlert(t *testing.T, app *App, code string, severity string, trace string) metastore.Alert {
t.Helper()
alert, err := app.store.CreateAlert(metastore.AlertInput{
Title: "Thumbnail alert",
Description: "Alert test description.",
Severity: severity,
Code: code,
Trace: trace,
Metadata: json.RawMessage(`{"box":"box-1","file":"photo.jpg"}`),
CreatedBy: "system",
})
if err != nil {
t.Fatalf("CreateAlert returned error: %v", err)
}
return alert
}
func postAlertAction(router http.Handler, session metastore.Session, path string, values url.Values) *httptest.ResponseRecorder {
if values == nil {
values = url.Values{}
}
values.Set("csrf_token", session.CSRFToken)
request := httptest.NewRequest(http.MethodPost, path, strings.NewReader(values.Encode()))
request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
request.AddCookie(&http.Cookie{Name: accountSessionCookie, Value: session.Token})
response := httptest.NewRecorder()
router.ServeHTTP(response, request)
return response
}

12
lib/server/account_auth.go
View File

@@ -28,6 +28,18 @@ func (app *App) registerAccountRoutes(router *gin.Engine) {
protected.POST("/settings/reset", app.handleAccountSettingsReset)
protected.GET("/settings/export.json", app.handleAccountSettingsExport)
protected.POST("/settings/import.json", app.handleAccountSettingsImport)
protected.GET("/alerts", app.handleAccountAlerts)
protected.GET("/alerts/export.json", app.handleAccountAlertsExport)
protected.POST("/alerts/bulk/acknowledge", app.handleAccountAlertBulkAcknowledge)
protected.POST("/alerts/bulk/close", app.handleAccountAlertBulkClose)
protected.POST("/alerts/:id/acknowledge", app.handleAccountAlertAcknowledge)
protected.POST("/alerts/:id/close", app.handleAccountAlertClose)
protected.GET("/boxes", app.handleAccountBoxes)
protected.GET("/boxes/export.csv", app.handleAccountBoxesExport)
protected.POST("/boxes/bulk/expire", app.handleAccountBoxesBulkExpire)
protected.POST("/boxes/bulk/delete", app.handleAccountBoxesBulkDelete)
protected.POST("/boxes/bulk/bump-expiry", app.handleAccountBoxesBulkBumpExpiry)
protected.POST("/boxes/delete-largest", app.handleAccountBoxesDeleteLargest)
}
func (app *App) handleAccountLogin(ctx *gin.Context) {

454
lib/server/account_boxes.go Normal file
View File

@@ -0,0 +1,454 @@
package server
import (
"bytes"
"encoding/csv"
"fmt"
"net/http"
"strconv"
"strings"
"time"
"github.com/gin-gonic/gin"
"warpbox/lib/boxstore"
"warpbox/lib/helpers"
"warpbox/lib/metastore"
"warpbox/lib/models"
)
type BoxIndexView struct {
PageTitle string
WindowTitle string
WindowIcon string
AccountNav AccountNavView
CSRFToken string
Filters BoxFiltersView
Rows []BoxRowView
Stats BoxIndexStats
Page int
PageSize int
Total int
TotalPages int
HasPrev bool
HasNext bool
PrevURL string
NextURL string
CanManage bool
PolicySummary string
Error string
}
type BoxFiltersView struct {
Query string
Owner string
Status string
Flag string
Sort string
PageSize int
}
type BoxIndexStats struct {
Visible int
Total int
Expired int
Storage string
}
type BoxRowView struct {
ID string
Owner string
Status string
FileCount int
Size string
CreatedAt string
ExpiresAt string
Flags string
Policy string
CanManage bool
ManageURL string
OpenURL string
}
func (app *App) handleAccountBoxes(ctx *gin.Context) {
actor, ok := currentAccountUser(ctx)
if !ok {
ctx.Redirect(http.StatusSeeOther, "/account/login")
return
}
view, err := app.ListBoxes(ctx, actor, boxFiltersFromRequest(ctx), boxPageFromRequest(ctx))
if err != nil {
ctx.String(http.StatusForbidden, "Permission denied")
return
}
ctx.HTML(http.StatusOK, "account_boxes.html", view)
}
func (app *App) handleAccountBoxesBulkExpire(ctx *gin.Context) {
app.handleAccountBoxesBulkAction(ctx, app.ExpireBoxes)
}
func (app *App) handleAccountBoxesBulkDelete(ctx *gin.Context) {
app.handleAccountBoxesBulkAction(ctx, app.DeleteBoxes)
}
func (app *App) handleAccountBoxesBulkBumpExpiry(ctx *gin.Context) {
app.handleAccountBoxesBulkAction(ctx, func(ctx *gin.Context, actor metastore.User, ids []string) error {
seconds := parsePositiveInt64Default(ctx.PostForm("bump_seconds"), app.config.BoxOwnerMaxRefreshAmountSeconds)
return app.BumpBoxExpiries(ctx, actor, ids, seconds)
})
}
func (app *App) handleAccountBoxesDeleteLargest(ctx *gin.Context) {
actor, ok := currentAccountUser(ctx)
if !ok {
ctx.Redirect(http.StatusSeeOther, "/account/login")
return
}
filters := boxFiltersFromRequest(ctx)
filters.Sort = "largest"
page := metastore.BoxPageRequest{Page: 1, PageSize: 25}
boxPage, err := app.visibleBoxRecords(ctx, actor, filters, page)
if err != nil {
ctx.String(http.StatusForbidden, err.Error())
return
}
ids := make([]string, 0, 10)
for _, row := range boxPage.Rows {
if len(ids) == 10 {
break
}
ids = append(ids, row.ID)
}
if err := app.DeleteBoxes(ctx, actor, ids); err != nil {
ctx.String(http.StatusForbidden, err.Error())
return
}
ctx.Redirect(http.StatusSeeOther, "/account/boxes")
}
func (app *App) handleAccountBoxesExport(ctx *gin.Context) {
actor, ok := currentAccountUser(ctx)
if !ok {
ctx.Redirect(http.StatusSeeOther, "/account/login")
return
}
page, err := app.visibleBoxRecords(ctx, actor, boxFiltersFromRequest(ctx), metastore.BoxPageRequest{Page: 1, PageSize: 100})
if err != nil {
ctx.String(http.StatusForbidden, err.Error())
return
}
var buffer bytes.Buffer
writer := csv.NewWriter(&buffer)
_ = writer.Write([]string{"id", "owner", "status", "file_count", "total_size", "created_at", "expires_at", "flags"})
for _, record := range page.Rows {
_ = writer.Write([]string{record.ID, record.OwnerUsername, boxStatus(record), strconv.Itoa(record.FileCount), strconv.FormatInt(record.TotalSize, 10), record.CreatedAt.Format(time.RFC3339), record.ExpiresAt.Format(time.RFC3339), boxFlags(record)})
}
writer.Flush()
ctx.Header("Content-Disposition", `attachment; filename="warpbox-boxes.csv"`)
ctx.Data(http.StatusOK, "text/csv; charset=utf-8", buffer.Bytes())
}
func (app *App) handleAccountBoxesBulkAction(ctx *gin.Context, action func(*gin.Context, metastore.User, []string) error) {
actor, ok := currentAccountUser(ctx)
if !ok {
ctx.Redirect(http.StatusSeeOther, "/account/login")
return
}
if err := action(ctx, actor, ctx.PostFormArray("box_ids")); err != nil {
ctx.String(http.StatusForbidden, err.Error())
return
}
ctx.Redirect(http.StatusSeeOther, "/account/boxes")
}
func (app *App) ListBoxes(ctx *gin.Context, actor metastore.User, filters metastore.BoxFilters, page metastore.BoxPageRequest) (BoxIndexView, error) {
boxPage, err := app.visibleBoxRecords(ctx, actor, filters, page)
if err != nil {
return BoxIndexView{}, err
}
rows := make([]BoxRowView, 0, len(boxPage.Rows))
stats := BoxIndexStats{Visible: len(boxPage.Rows), Total: boxPage.Total}
totalSize := int64(0)
for _, record := range boxPage.Rows {
totalSize += record.TotalSize
if boxExpired(record) {
stats.Expired++
}
rows = append(rows, app.boxRowView(ctx, actor, record))
}
stats.Storage = helpers.FormatBytes(totalSize)
nav := app.accountNavView(ctx, "boxes")
nav.AlertCount, nav.AlertSeverity = app.openAlertSummary()
return BoxIndexView{
PageTitle: "WarpBox Boxes",
WindowTitle: "WarpBox Boxes",
WindowIcon: "B",
AccountNav: nav,
CSRFToken: app.currentCSRFToken(ctx),
Filters: BoxFiltersView{Query: filters.Query, Owner: filters.Owner, Status: filters.Status, Flag: filters.Flag, Sort: filters.Sort, PageSize: boxPage.PageSize},
Rows: rows,
Stats: stats,
Page: boxPage.Page,
PageSize: boxPage.PageSize,
Total: boxPage.Total,
TotalPages: boxPage.TotalPages,
HasPrev: boxPage.HasPrev,
HasNext: boxPage.HasNext,
PrevURL: boxPageURL(ctx, boxPage.PrevPage),
NextURL: boxPageURL(ctx, boxPage.NextPage),
CanManage: currentAccountPermissions(ctx).AdminBoxesView,
PolicySummary: app.boxPolicySummary(),
}, nil
}
func (app *App) ExpireBoxes(ctx *gin.Context, actor metastore.User, ids []string) error {
records, err := app.authorizedBoxRecords(ctx, actor, ids)
if err != nil {
return err
}
now := time.Now().UTC().Add(-time.Second)
for _, record := range records {
manifest, err := boxstore.ReadManifest(record.ID)
if err == nil {
manifest.ExpiresAt = now
_ = boxstore.WriteManifest(record.ID, manifest)
}
record.ExpiresAt = now
if err := app.store.UpsertBoxRecord(record); err != nil {
return err
}
}
return nil
}
func (app *App) DeleteBoxes(ctx *gin.Context, actor metastore.User, ids []string) error {
records, err := app.authorizedBoxRecords(ctx, actor, ids)
if err != nil {
return err
}
for _, record := range records {
if err := boxstore.DeleteBox(record.ID); err != nil {
return err
}
if err := app.store.DeleteBoxRecord(record.ID); err != nil {
return err
}
}
return nil
}
func (app *App) BumpBoxExpiries(ctx *gin.Context, actor metastore.User, ids []string, seconds int64) error {
if seconds <= 0 {
return fmt.Errorf("bump expiry requires a positive duration")
}
if !app.config.BoxOwnerRefreshEnabled {
return fmt.Errorf("box owner refresh policy is disabled")
}
if app.config.BoxOwnerMaxRefreshAmountSeconds > 0 && seconds > app.config.BoxOwnerMaxRefreshAmountSeconds {
return fmt.Errorf("bump expiry exceeds maximum refresh amount")
}
records, err := app.authorizedBoxRecords(ctx, actor, ids)
if err != nil {
return err
}
for _, record := range records {
if record.OneTimeDownload {
return fmt.Errorf("one-time boxes cannot be refreshed")
}
if app.config.BoxOwnerMaxRefreshCount > 0 && record.RefreshCount >= app.config.BoxOwnerMaxRefreshCount {
return fmt.Errorf("box refresh count limit reached")
}
base := record.ExpiresAt
if base.IsZero() || time.Now().UTC().After(base) {
base = time.Now().UTC()
}
newExpiry := base.Add(time.Duration(seconds) * time.Second)
if app.config.BoxOwnerMaxTotalExpirySeconds > 0 && !record.CreatedAt.IsZero() && newExpiry.After(record.CreatedAt.Add(time.Duration(app.config.BoxOwnerMaxTotalExpirySeconds)*time.Second)) {
return fmt.Errorf("bump expiry exceeds maximum total expiry")
}
manifest, err := boxstore.ReadManifest(record.ID)
if err == nil {
manifest.ExpiresAt = newExpiry
_ = boxstore.WriteManifest(record.ID, manifest)
}
record.ExpiresAt = newExpiry
record.RefreshCount++
if err := app.store.UpsertBoxRecord(record); err != nil {
return err
}
}
return nil
}
func (app *App) visibleBoxRecords(ctx *gin.Context, actor metastore.User, filters metastore.BoxFilters, page metastore.BoxPageRequest) (metastore.BoxRecordPage, error) {
perms := currentAccountPermissions(ctx)
if !perms.AdminBoxesView {
filters.Owner = actor.ID
}
return app.store.ListBoxRecords(filters, page)
}
func (app *App) authorizedBoxRecords(ctx *gin.Context, actor metastore.User, ids []string) ([]metastore.BoxRecord, error) {
ids = uniqueNonEmpty(ids)
if len(ids) == 0 {
return nil, fmt.Errorf("no boxes selected")
}
perms := currentAccountPermissions(ctx)
records := make([]metastore.BoxRecord, 0, len(ids))
for _, id := range ids {
record, ok, err := app.store.GetBoxRecord(id)
if err != nil {
return nil, err
}
if !ok {
return nil, fmt.Errorf("box %s not found", id)
}
if !perms.AdminBoxesView && record.OwnerID != actor.ID {
return nil, fmt.Errorf("permission denied")
}
if !perms.AdminBoxesView && !app.config.BoxOwnerEditEnabled {
return nil, fmt.Errorf("box owner edit policy is disabled")
}
records = append(records, record)
}
return records, nil
}
func (app *App) boxRowView(ctx *gin.Context, actor metastore.User, record metastore.BoxRecord) BoxRowView {
owner := record.OwnerUsername
if owner == "" {
owner = "guest"
}
return BoxRowView{
ID: record.ID,
Owner: owner,
Status: boxStatus(record),
FileCount: record.FileCount,
Size: helpers.FormatBytes(record.TotalSize),
CreatedAt: formatAdminTime(record.CreatedAt),
ExpiresAt: formatAdminTime(record.ExpiresAt),
Flags: boxFlags(record),
Policy: app.boxRecordPolicy(record),
CanManage: currentAccountPermissions(ctx).AdminBoxesView || record.OwnerID == actor.ID,
ManageURL: "/account/boxes/" + record.ID,
OpenURL: "/box/" + record.ID,
}
}
func (app *App) indexBoxFromManifest(boxID string) {
manifest, err := boxstore.ReadManifest(boxID)
if err != nil {
return
}
_ = app.store.UpsertBoxRecord(boxRecordFromManifest(boxID, manifest))
}
func boxRecordFromManifest(boxID string, manifest models.BoxManifest) metastore.BoxRecord {
total := int64(0)
names := make([]string, 0, len(manifest.Files))
for _, file := range manifest.Files {
total += file.Size
names = append(names, file.Name)
}
return metastore.BoxRecord{
ID: boxID,
OwnerID: manifest.OwnerID,
OwnerUsername: manifest.OwnerUsername,
FileNames: names,
FileCount: len(manifest.Files),
TotalSize: total,
CreatedAt: manifest.CreatedAt,
ExpiresAt: manifest.ExpiresAt,
PasswordProtected: boxstore.IsPasswordProtected(manifest),
OneTimeDownload: manifest.OneTimeDownload,
DisableZip: manifest.DisableZip,
}
}
func boxFiltersFromRequest(ctx *gin.Context) metastore.BoxFilters {
return metastore.BoxFilters{
Query: strings.TrimSpace(ctx.Query("q")),
Owner: emptyAsAll(ctx.Query("owner")),
Status: emptyAsAll(ctx.Query("status")),
Flag: emptyAsAll(ctx.Query("flag")),
Sort: emptyAsNewest(ctx.Query("sort")),
}
}
func boxPageFromRequest(ctx *gin.Context) metastore.BoxPageRequest {
page, _ := strconv.Atoi(ctx.DefaultQuery("page", "1"))
pageSize, _ := strconv.Atoi(ctx.DefaultQuery("page_size", "25"))
return metastore.BoxPageRequest{Page: page, PageSize: pageSize}
}
func boxStatus(record metastore.BoxRecord) string {
if boxExpired(record) {
return "expired"
}
if record.ExpiresAt.IsZero() {
return "pending"
}
return "active"
}
func boxExpired(record metastore.BoxRecord) bool {
return !record.ExpiresAt.IsZero() && time.Now().UTC().After(record.ExpiresAt)
}
func boxFlags(record metastore.BoxRecord) string {
flags := []string{}
if record.PasswordProtected {
flags = append(flags, "password")
}
if record.OneTimeDownload {
flags = append(flags, "one-time")
}
if record.DisableZip {
flags = append(flags, "zip disabled")
}
if boxExpired(record) {
flags = append(flags, "expired")
}
if len(flags) == 0 {
return "normal"
}
return strings.Join(flags, ", ")
}
func (app *App) boxRecordPolicy(record metastore.BoxRecord) string {
if record.OneTimeDownload {
return "one-time: no refresh"
}
if !app.config.BoxOwnerEditEnabled {
return "owner edits disabled"
}
if !app.config.BoxOwnerRefreshEnabled {
return "editable, no refresh"
}
return fmt.Sprintf("editable, refresh %d/%d", record.RefreshCount, app.config.BoxOwnerMaxRefreshCount)
}
func (app *App) boxPolicySummary() string {
if !app.config.BoxOwnerEditEnabled {
return "Owners cannot edit boxes by default."
}
if !app.config.BoxOwnerRefreshEnabled {
return "Owners can edit boxes but cannot refresh expiry."
}
return fmt.Sprintf("Owners can edit and refresh up to %d times by %s.", app.config.BoxOwnerMaxRefreshCount, formatDurationForSettings(app.config.BoxOwnerMaxRefreshAmountSeconds))
}
func boxPageURL(ctx *gin.Context, page int) string {
query := ctx.Request.URL.Query()
query.Set("page", strconv.Itoa(page))
return "/account/boxes?" + query.Encode()
}
func parsePositiveInt64Default(raw string, fallback int64) int64 {
value, err := strconv.ParseInt(strings.TrimSpace(raw), 10, 64)
if err != nil || value <= 0 {
return fallback
}
return value
}

220
lib/server/account_boxes_test.go Normal file
View File

@@ -0,0 +1,220 @@
package server
import (
"net/http"
"net/http/httptest"
"net/url"
"os"
"path/filepath"
"strings"
"testing"
"time"
"warpbox/lib/boxstore"
"warpbox/lib/metastore"
"warpbox/lib/models"
)
func TestAccountBoxesAdminListsBoxes(t *testing.T) {
app, user := setupAccountTestApp(t)
router := setupAccountTestRouter(t, app)
session := createAccountTestSession(t, app, user)
createIndexedBox(t, app, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", "", "", 10, false)
response := getAccountBoxes(router, session, "/account/boxes")
if response.Code != http.StatusOK {
t.Fatalf("expected boxes page, got %d body=%s", response.Code, response.Body.String())
}
if !strings.Contains(response.Body.String(), "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa") {
t.Fatal("expected indexed box in admin list")
}
}
func TestAccountBoxesRegularUserSeesOnlyOwnBoxes(t *testing.T) {
app, _ := setupAccountTestApp(t)
user, err := app.store.CreateUserWithPassword("box-user", "box-user@example.test", "secret", nil)
if err != nil {
t.Fatalf("CreateUserWithPassword returned error: %v", err)
}
router := setupAccountTestRouter(t, app)
session := createAccountTestSession(t, app, user)
createIndexedBox(t, app, "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb", user.ID, user.Username, 10, false)
createIndexedBox(t, app, "cccccccccccccccccccccccccccccccc", "other", "other", 20, false)
response := getAccountBoxes(router, session, "/account/boxes")
if response.Code != http.StatusOK {
t.Fatalf("expected boxes page, got %d", response.Code)
}
body := response.Body.String()
if !strings.Contains(body, "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb") {
t.Fatal("expected own box")
}
if strings.Contains(body, "cccccccccccccccccccccccccccccccc") {
t.Fatal("did not expect other user's box")
}
}
func TestAccountBoxesFiltersSortAndPagination(t *testing.T) {
app, user := setupAccountTestApp(t)
router := setupAccountTestRouter(t, app)
session := createAccountTestSession(t, app, user)
createIndexedBox(t, app, "11111111111111111111111111111111", "", "", 10, false)
createIndexedBox(t, app, "22222222222222222222222222222222", "", "", 1000, true)
createIndexedBox(t, app, "33333333333333333333333333333333", "", "", 500, false)
response := getAccountBoxes(router, session, "/account/boxes?flag=password&sort=largest&page_size=25")
if response.Code != http.StatusOK {
t.Fatalf("expected boxes page, got %d", response.Code)
}
body := response.Body.String()
if !strings.Contains(body, "22222222222222222222222222222222") {
t.Fatal("expected password filtered box")
}
if strings.Contains(body, "11111111111111111111111111111111") {
t.Fatal("did not expect unfiltered box")
}
page, err := app.store.ListBoxRecords(metastore.BoxFilters{Sort: "largest"}, metastore.BoxPageRequest{Page: 1, PageSize: 25})
if err != nil {
t.Fatalf("ListBoxRecords returned error: %v", err)
}
if len(page.Rows) != 3 || page.Rows[0].ID != "22222222222222222222222222222222" {
t.Fatalf("expected largest sort first, got %#v", page.Rows)
}
}
func TestAccountBoxesBulkExpireAndDelete(t *testing.T) {
app, user := setupAccountTestApp(t)
router := setupAccountTestRouter(t, app)
session := createAccountTestSession(t, app, user)
id := "dddddddddddddddddddddddddddddddd"
createIndexedBox(t, app, id, "", "", 10, false)
values := url.Values{"box_ids": []string{id}}
response := postAccountBoxesForm(router, session, "/account/boxes/bulk/expire", values)
if response.Code != http.StatusSeeOther {
t.Fatalf("expected expire redirect, got %d", response.Code)
}
record, ok, err := app.store.GetBoxRecord(id)
if err != nil || !ok {
t.Fatalf("GetBoxRecord returned ok=%v err=%v", ok, err)
}
if record.ExpiresAt.After(time.Now().UTC()) {
t.Fatal("expected box to be expired")
}
response = postAccountBoxesForm(router, session, "/account/boxes/bulk/delete", values)
if response.Code != http.StatusSeeOther {
t.Fatalf("expected delete redirect, got %d", response.Code)
}
if _, ok, err := app.store.GetBoxRecord(id); err != nil || ok {
t.Fatalf("expected deleted record, ok=%v err=%v", ok, err)
}
if _, err := os.Stat(boxstore.BoxPath(id)); !os.IsNotExist(err) {
t.Fatalf("expected box directory deleted, stat err=%v", err)
}
}
func TestAccountBoxesBulkDeletePermissionDenied(t *testing.T) {
app, _ := setupAccountTestApp(t)
user, err := app.store.CreateUserWithPassword("box-limited", "box-limited@example.test", "secret", nil)
if err != nil {
t.Fatalf("CreateUserWithPassword returned error: %v", err)
}
router := setupAccountTestRouter(t, app)
session := createAccountTestSession(t, app, user)
id := "eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"
createIndexedBox(t, app, id, "other", "other", 10, false)
response := postAccountBoxesForm(router, session, "/account/boxes/bulk/delete", url.Values{"box_ids": []string{id}})
if response.Code != http.StatusForbidden {
t.Fatalf("expected permission denied, got %d", response.Code)
}
}
func TestAccountBoxesBumpExpiryPolicyRejection(t *testing.T) {
app, user := setupAccountTestApp(t)
app.config.BoxOwnerRefreshEnabled = false
router := setupAccountTestRouter(t, app)
session := createAccountTestSession(t, app, user)
id := "ffffffffffffffffffffffffffffffff"
createIndexedBox(t, app, id, "", "", 10, false)
response := postAccountBoxesForm(router, session, "/account/boxes/bulk/bump-expiry", url.Values{"box_ids": []string{id}, "bump_seconds": []string{"60"}})
if response.Code != http.StatusForbidden {
t.Fatalf("expected policy rejection, got %d", response.Code)
}
}
func TestAccountBoxesDeleteLargest(t *testing.T) {
app, user := setupAccountTestApp(t)
router := setupAccountTestRouter(t, app)
session := createAccountTestSession(t, app, user)
small := "12345123451234512345123451234512"
large := "99999999999999999999999999999999"
createIndexedBox(t, app, small, "", "", 10, false)
createIndexedBox(t, app, large, "", "", 1000, false)
response := postAccountBoxesForm(router, session, "/account/boxes/delete-largest", nil)
if response.Code != http.StatusSeeOther {
t.Fatalf("expected delete-largest redirect, got %d", response.Code)
}
if _, ok, err := app.store.GetBoxRecord(large); err != nil || ok {
t.Fatalf("expected largest deleted, ok=%v err=%v", ok, err)
}
}
func createIndexedBox(t *testing.T, app *App, id string, ownerID string, ownerUsername string, size int64, password bool) {
t.Helper()
if err := os.MkdirAll(boxstore.BoxPath(id), 0755); err != nil {
t.Fatalf("MkdirAll returned error: %v", err)
}
filename := "file-" + id[:4] + ".txt"
if err := os.WriteFile(filepath.Join(boxstore.BoxPath(id), filename), []byte(strings.Repeat("x", int(size))), 0644); err != nil {
t.Fatalf("WriteFile returned error: %v", err)
}
manifest := models.BoxManifest{
OwnerID: ownerID,
OwnerUsername: ownerUsername,
Files: []models.BoxFile{{
ID: "abcdabcdabcdabcd",
Name: filename,
Size: size,
Status: models.FileStatusReady,
}},
CreatedAt: time.Now().UTC().Add(-time.Duration(size) * time.Second),
ExpiresAt: time.Now().UTC().Add(time.Hour),
RetentionSecs: 3600,
}
if password {
manifest.PasswordHash = "hash"
manifest.AuthToken = "token"
}
if err := boxstore.WriteManifest(id, manifest); err != nil {
t.Fatalf("WriteManifest returned error: %v", err)
}
if err := app.store.UpsertBoxRecord(boxRecordFromManifest(id, manifest)); err != nil {
t.Fatalf("UpsertBoxRecord returned error: %v", err)
}
}
func getAccountBoxes(router http.Handler, session metastore.Session, path string) *httptest.ResponseRecorder {
request := httptest.NewRequest(http.MethodGet, path, nil)
request.AddCookie(&http.Cookie{Name: accountSessionCookie, Value: session.Token})
response := httptest.NewRecorder()
router.ServeHTTP(response, request)
return response
}
func postAccountBoxesForm(router http.Handler, session metastore.Session, path string, values url.Values) *httptest.ResponseRecorder {
if values == nil {
values = url.Values{}
}
values.Set("csrf_token", session.CSRFToken)
request := httptest.NewRequest(http.MethodPost, path, strings.NewReader(values.Encode()))
request.Header.Set("Content-Type", "application/x-www-form-urlencoded")
request.AddCookie(&http.Cookie{Name: accountSessionCookie, Value: session.Token})
response := httptest.NewRecorder()
router.ServeHTTP(response, request)
return response
}

31
lib/server/account_pages.go
View File

@@ -119,6 +119,12 @@ func (app *App) GetAccountDashboard(ctx *gin.Context, actor metastore.User) (Acc
ActiveBoxes: activeBoxes,
StorageUsedLabel: helpers.FormatBytes(totalSize),
}
alertPreview := []accountAlertPreviewRow{}
if perms.AdminAccess {
stats.AlertCount, nav.AlertSeverity = app.openAlertSummary()
nav.AlertCount = stats.AlertCount
alertPreview = app.accountDashboardAlertPreview()
}
showUsersStat := perms.AdminUsersManage
if showUsersStat {
@@ -144,7 +150,7 @@ func (app *App) GetAccountDashboard(ctx *gin.Context, actor metastore.User) (Acc
CSRFToken: app.currentCSRFToken(ctx),
Stats: stats,
Statuses: app.accountDashboardStatuses(),
Alerts: accountPlaceholderAlerts(),
Alerts: alertPreview,
RecentBoxes: recentBoxes,
RecentActivity: accountPlaceholderActivity(actor, ctx),
ShowUsersStat: showUsersStat,
@@ -164,14 +170,23 @@ func (app *App) accountDashboardStatuses() []accountStatusRow {
}
}
func accountPlaceholderAlerts() []accountAlertPreviewRow {
return []accountAlertPreviewRow{
{
Severity: "info",
Title: "Alerts system pending",
Detail: "Dedicated alert storage arrives in the alerts implementation pass.",
},
func (app *App) accountDashboardAlertPreview() []accountAlertPreviewRow {
alerts, err := app.store.ListAlerts(metastore.AlertFilters{Status: metastore.AlertStatusOpen, Sort: "severity"})
if err != nil {
return nil
}
rows := make([]accountAlertPreviewRow, 0, minInt(len(alerts), 6))
for _, alert := range alerts {
if len(rows) == 6 {
break
}
rows = append(rows, accountAlertPreviewRow{
Severity: alert.Severity,
Title: alert.Title,
Detail: alert.Description,
})
}
return rows
}
func accountPlaceholderActivity(actor metastore.User, ctx *gin.Context) []accountActivityRow {

4
lib/server/uploads.go
View File

@@ -45,6 +45,7 @@ func (app *App) handleCreateBox(ctx *gin.Context) {
ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
app.indexBoxFromManifest(boxID)
ctx.JSON(http.StatusOK, gin.H{"box_id": boxID, "box_url": "/box/" + boxID, "files": files})
}
@@ -80,6 +81,7 @@ func (app *App) handleManifestFileUpload(ctx *gin.Context) {
ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
app.indexBoxFromManifest(boxID)
ctx.JSON(http.StatusOK, gin.H{"box_id": boxID, "box_url": "/box/" + boxID, "file": savedFile})
}
@@ -116,6 +118,7 @@ func (app *App) handleFileStatusUpdate(ctx *gin.Context) {
ctx.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
return
}
app.indexBoxFromManifest(boxID)
ctx.JSON(http.StatusOK, gin.H{"file": file})
}
@@ -231,6 +234,7 @@ func (app *App) handleLegacyUpload(ctx *gin.Context) {
savedFiles = append(savedFiles, savedFile)
}
app.indexBoxFromManifest(boxID)
ctx.JSON(http.StatusOK, gin.H{"box_id": boxID, "box_url": "/box/" + boxID, "files": savedFiles})
}