mirror/tea
1
1
Fork 0
mirror of https://gitea.com/gitea/tea synced 2026-05-04 06:00:40 +02:00
Code Issues Activity
Files
main
tea/cmd/admin/users/create.go
T
ghainer 22ff601988 feat: add additional admin users subcommands (#842) 
## Summary

Adds admin user management commands to the tea CLI, enabling admins to create, edit, and delete user accounts.

## Features Added

### Admin User Management Commands

- **Create users**: `tea admin users create` - Create new user accounts with configurable options
- **Edit users**: `tea admin users edit <username>` - Update user properties including password, permissions, and profile settings
- **Delete users**: `tea admin users delete <username>` - Remove user accounts with confirmation prompt

### Implementation Details

#### Create Command (`admin users create`)
- Required: username
- Optional: email, full name, password
- Flags: admin, restricted, prohibit-login, visibility
- Password input: command-line flag, file, stdin, or interactive prompt with confirmation
- Default: users must change password on first login (use `--no-must-change-password` to skip)
- Post-creation updates for admin/restricted/prohibit-login (not available during creation)

#### Edit Command (`admin users edit`)
- Updates only explicitly provided fields (partial updates)
- Password change support with the same input methods as create
- Editable fields:
  - Profile: email, full name, description, website, location
  - Permissions: admin/restricted/active status
  - Settings: visibility, max repo creation limits
  - Advanced: git hooks, local imports, organization creation
- Default: password changes require password change on next login (use `--no-must-change-password` to skip)

#### Delete Command (`admin users delete`)
- Confirmation prompt by default
- `--confirm` flag to skip confirmation
- Displays user details before deletion

### Security Features

- Secure password input via interactive prompts (hidden input)
- Multiple password input methods: flag, file, stdin, interactive
- Password confirmation for interactive mode
- Whitespace trimming for file/stdin inputs

### Password Input Methods

1. **Command-line flag**: `--password <value>`
2. **File input**: `--password-file <file>` - Read from file
3. **Stdin input**: `--password-stdin` - Read from stdin
4. **Interactive prompt**: Automatically prompts if password not provided (with confirmation)

For edit command: Use `--password=""` to trigger interactive prompt.

## Usage Examples

```bash
# Create a new user
tea admin users create --username john --email john@example.com --admin --no-must-change-password

# Create with interactive password prompt
tea admin users create jane --email jane@example.com

# Edit user properties
tea admin users edit john --email newemail@example.com --restricted

# Change user password (will prompt if not provided)
tea admin users edit john --password=""
tea admin users edit john --password-file /path/to/password.txt

# Delete a user (with confirmation)
tea admin users delete olduser

# Delete without confirmation
tea admin users delete olduser --confirm
```

## Related Issue

Resolves #161

## Testing

- Unit tests for all commands
- Flag validation and default value tests
- Password input method tests (file, stdin, interactive)
- Test coverage for all user option structures
- Confirmation logic tests for delete command

## Technical Details

- Uses Gitea SDK `AdminCreateUser`, `AdminEditUser`, and `AdminDeleteUser` APIs
- Follows existing tea CLI patterns and conventions
- Handles fields not available during creation via post-creation updates
- Partial update support for edit command (only updates explicitly set fields)
- Consistent with other tea commands (webhooks, secrets) in password handling and confirmation patterns

All tests pass and the implementation integrates with existing tea CLI infrastructure.

---------

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-on: https://gitea.com/gitea/tea/pulls/842
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: ghainer <gehainer@gmail.com>
Co-committed-by: ghainer <gehainer@gmail.com>
2026-05-02 23:50:36 +00:00

221 lines
5.7 KiB
Go
Raw Permalink Blame History

// Copyright 2025 The Gitea Authors. All rights reserved.
// SPDX-License-Identifier: MIT
package users
import (
stdctx "context"
"fmt"
"io"
"os"
"strings"
"syscall"
"code.gitea.io/tea/cmd/flags"
"code.gitea.io/tea/modules/context"
"code.gitea.io/tea/modules/print"
"code.gitea.io/sdk/gitea"
"github.com/urfave/cli/v3"
"golang.org/x/term"
)
// CmdUserCreate represents a sub command of users to create a user
var CmdUserCreate = cli.Command{
Name: "create",
Aliases: []string{"add", "new"},
Usage: "Create a new user",
Description: "Create a new user account",
ArgsUsage: " ", // command does not accept arguments
Action: RunUserCreate,
Flags: append([]cli.Flag{
&cli.StringFlag{
Name: "username",
Aliases: []string{"u"},
Usage: "Username for the new user (required)",
Required: true,
},
&cli.StringFlag{
Name: "password",
Aliases: []string{"p"},
Usage: "Password for the new user (will prompt if not provided)",
},
&cli.StringFlag{
Name: "password-file",
Usage: "Read password from file",
},
&cli.BoolFlag{
Name: "password-stdin",
Usage: "Read password from stdin",
},
&cli.StringFlag{
Name: "email",
Aliases: []string{"e"},
Usage: "Email address for the new user (required)",
Required: true,
},
&cli.StringFlag{
Name: "full-name",
Usage: "Full name for the new user",
},
&cli.BoolFlag{
Name: "admin",
Usage: "Make the user an administrator",
},
&cli.BoolFlag{
Name: "restricted",
Usage: "Make the user restricted",
},
&cli.BoolFlag{
Name: "prohibit-login",
Usage: "Prohibit the user from logging in",
},
&cli.BoolFlag{
Name: "no-must-change-password",
Usage: "Don't require the user to change password on first login (default: password change required)",
},
&cli.StringFlag{
Name: "visibility",
Usage: "Visibility of the user profile (public, limited, private)",
Value: "public",
},
}, flags.AllDefaultFlags...),
}
// RunUserCreate creates a new user
func RunUserCreate(_ stdctx.Context, cmd *cli.Command) error {
ctx, err := context.InitCommand(cmd)
if err != nil {
return err
}
username := ctx.String("username")
password := ctx.String("password")
email := ctx.String("email")
fullName := ctx.String("full-name")
isAdmin := ctx.Bool("admin")
restricted := ctx.Bool("restricted")
prohibitLogin := ctx.Bool("prohibit-login")
noMustChangePassword := ctx.Bool("no-must-change-password")
visibility := ctx.String("visibility")
// Get password from various sources in priority order
if password == "" {
if ctx.String("password-file") != "" {
// Read from file
content, err := os.ReadFile(ctx.String("password-file"))
if err != nil {
return fmt.Errorf("failed to read password file: %w", err)
}
password = strings.TrimSpace(string(content))
} else if ctx.Bool("password-stdin") {
// Read from stdin
content, err := io.ReadAll(os.Stdin)
if err != nil {
return fmt.Errorf("failed to read password from stdin: %w", err)
}
password = strings.TrimSpace(string(content))
} else {
// Interactive prompt (hidden input)
fmt.Printf("Enter password for '%s': ", username)
bytePassword, err := term.ReadPassword(int(syscall.Stdin))
if err != nil {
return fmt.Errorf("failed to read password: %w", err)
}
fmt.Println() // Add newline after hidden input
password = string(bytePassword)
if password == "" {
return fmt.Errorf("password cannot be empty")
}
// Confirm password (only for interactive mode)
fmt.Printf("Confirm password for '%s': ", username)
bytePasswordConfirm, err := term.ReadPassword(int(syscall.Stdin))
if err != nil {
return fmt.Errorf("failed to read password confirmation: %w", err)
}
fmt.Println() // Add newline after hidden input
passwordConfirm := string(bytePasswordConfirm)
if password != passwordConfirm {
return fmt.Errorf("passwords do not match")
}
}
}
if password == "" {
return fmt.Errorf("password cannot be empty")
}
if email == "" {
return fmt.Errorf("email is required")
}
client := ctx.Login.Client()
// Build create options
createOpts := gitea.CreateUserOption{
LoginName: username,
Username: username,
Password: password,
Email: email,
FullName: fullName,
SendNotify: false,
}
// Set must change password flag (pointer to bool required)
// By default, require user to change password on first login
// Only set to false if --no-must-change-password flag is explicitly set
mustChangePassword := !noMustChangePassword
createOpts.MustChangePassword = &mustChangePassword
vis, err := parseUserVisibility(visibility)
if err != nil {
return err
}
createOpts.Visibility = vis
// Create the user
user, _, err := client.AdminCreateUser(createOpts)
if err != nil {
return err
}
// Admin, Restricted, and ProhibitLogin cannot be set during user creation
// We need to update them via AdminEditUser after creation if any of these flags are set
if isAdmin || restricted || prohibitLogin {
editOpts := gitea.EditUserOption{
LoginName: username, // Required field
}
if isAdmin {
editOpts.Admin = &isAdmin
}
if restricted {
editOpts.Restricted = &restricted
}
if prohibitLogin {
editOpts.ProhibitLogin = &prohibitLogin
}
// Update user with admin/restricted/prohibit-login settings
_, err = client.AdminEditUser(username, editOpts)
if err != nil {
return fmt.Errorf("user created but failed to update admin/restricted/prohibit-login status: %w", err)
}
// Refresh user info to reflect the changes
user, _, err = client.GetUserInfo(username)
if err != nil {
return fmt.Errorf("user updated but failed to retrieve updated user info: %w", err)
}
}
print.UserDetails(user)
return nil
}
View Git Blame Copy Permalink